afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #13 from wazuh/fixes

Browse Source 
Fixes
This commit is contained in:
Jose Luis 2017-09-12 09:44:46 -04:00 committed by GitHub
commit c3a22b6551
28 changed files with 1331 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ansible-role-elasticsearch/defaults/main.yml
View File

@ -3,5 +3,7 @@ elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1
elasticsearch_jvm_xms: 2000
elastic_stack_version: 5.5.0
elasticsearch_jvm_xms: null
elastic_stack_version: 5.5.2
elasticsearch_shards: 5
elasticsearch_replicas: 1

33
ansible-role-elasticsearch/tasks/main.yml
View File

@ -31,6 +31,39 @@
enabled: yes
state: started
- name: Make sure Elasticsearch is running before proceeding
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
tags:
- configure
- init
- name: Check for Wazuh template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: GET
status_code: 200, 404
register: wazuh_template_exits
tags: init
- name: Installing Wazuh template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: PUT
status_code: 200
body_format: json
body: "{{ lookup('template','wazuh-elastic5-template.json.j2') }}"
when: wazuh_template_exits.status != 200
tags: init
- name: Injecting sample alert
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample"
method: PUT
status_code: 200, 201
body_format: json
body: "{{ lookup('template','alert_sample.json.j2') }}"
tags: init
- include: "RMRedHat.yml"
when: ansible_os_family == "RedHat"

72
ansible-role-elasticsearch/templates/alert_sample.json.j2 Normal file
View File

@ -0,0 +1,72 @@
{
"@timestamp": "2015-03-18T15:55:55.000Z",
"AlertsFile": "sample",
"title": "sample",
"full_log": "sample",
"id": "sample",
"srcuser": "sample",
"srcip": "sample",
"location": "sample",
"GeoLocation": {
"country_name": "sample",
"location": [0.0,0.0]
},
"agent": {
"name": "sample"
},
"audit": {
"command": "sample",
"type": "sample",
"egid": "sample",
"euid": "sample",
"exe": "sample",
"gid": "sample",
"uid": "sample",
"directory": {
"name": "sample"
},
"file": {
"mode": "sample",
"name": "sample"
}
},
"oscap": {
"check": {
"result": "sample",
"severity": "sample",
"title": "sample"
},
"scan": {
"id": "sample",
"content": "sample",
"score": 1.55,
"profile": {
"title": "sample"
}
}
},
"rule": {
"cis": ["sample"],
"description": "sample",
"groups": ["sample"],
"id": "sample",
"level": 0,
"pci_dss": ["sample"]
},
"syscheck": {
"gname_after": "sample",
"gname_before": "sample",
"guid_after": "sample",
"guid_before": "sample",
"md5_after": "sample",
"md5_before": "sample",
"path": "sample",
"perm_after": "sample",
"perm_before": "sample",
"uid_after": "sample",
"uid_before": "sample",
"uname_after": "sample",
"uname_before": "sample",
"event": "sample"
}
}

2
ansible-role-elasticsearch/templates/jvm.options.j2
View File

@ -20,7 +20,7 @@
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
{% if elasticsearch_jvm_xms is defined %}
{% if elasticsearch_jvm_xms is not none %}
{% if elasticsearch_jvm_xms < 32000 %}
-Xms{{ elasticsearch_jvm_xms }}m
-Xmx{{ elasticsearch_jvm_xms }}m

622
ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 Normal file
View File

@ -0,0 +1,622 @@
{
"order": 0,
"template": "wazuh*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }},
"number_of_replicas": {{ elasticsearch_replicas }}
},
"mappings": {
"wazuh": {
"dynamic_templates": [
{
"string_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword",
"doc_values": "true"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"@version": {
"type": "text"
},
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"AlertsFile": {
"type": "keyword",
"doc_values": "true"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword",
"doc_values": "true"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword",
"doc_values": "true"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword",
"doc_values": "true"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword",
"doc_values": "true"
},
"region_name": {
"type": "keyword",
"doc_values": "true"
},
"timezone": {
"type": "text"
}
}
},
"host": {
"type": "keyword",
"doc_values": "true"
},
"syscheck": {
"properties": {
"path": {
"type": "keyword",
"doc_values": "true"
},
"sha1_before": {
"type": "keyword",
"doc_values": "true"
},
"sha1_after": {
"type": "keyword",
"doc_values": "true"
},
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gid_after": {
"type": "keyword",
"doc_values": "true"
},
"perm_before": {
"type": "keyword",
"doc_values": "true"
},
"perm_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_before": {
"type": "keyword",
"doc_values": "true"
},
"gname_after": {
"type": "keyword",
"doc_values": "true"
},
"gname_before": {
"type": "keyword",
"doc_values": "true"
},
"inode_after": {
"type": "keyword",
"doc_values": "true"
},
"inode_before": {
"type": "keyword",
"doc_values": "true"
},
"mtime_after": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"mtime_before": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"uname_after": {
"type": "keyword",
"doc_values": "true"
},
"uname_before": {
"type": "keyword",
"doc_values": "true"
},
"size_before": {
"type": "long",
"doc_values": "true"
},
"size_after": {
"type": "long",
"doc_values": "true"
},
"diff": {
"type": "keyword",
"doc_values": "true"
},
"event": {
"type": "keyword",
"doc_values": "true"
}
}
},
"location": {
"type": "keyword",
"doc_values": "true"
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"rule": {
"properties": {
"description": {
"type": "keyword",
"doc_values": "true"
},
"groups": {
"type": "keyword",
"doc_values": "true"
},
"level": {
"type": "long",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"cve": {
"type": "keyword",
"doc_values": "true"
},
"info": {
"type": "keyword",
"doc_values": "true"
},
"frequency": {
"type": "long",
"doc_values": "true"
},
"firedtimes": {
"type": "long",
"doc_values": "true"
},
"cis": {
"type": "keyword",
"doc_values": "true"
},
"pci_dss": {
"type": "keyword",
"doc_values": "true"
}
}
},
"decoder": {
"properties": {
"parent": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
},
"ftscomment": {
"type": "keyword",
"doc_values": "true"
},
"fts": {
"type": "long",
"doc_values": "true"
},
"accumulate": {
"type": "long",
"doc_values": "true"
}
}
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}

2
ansible-role-kibana/defaults/main.yml
View File

@ -3,4 +3,4 @@ elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
elastic_stack_version: 5.5.0
elastic_stack_version: 5.5.2

2
ansible-role-kibana/tasks/main.yml
View File

@ -35,7 +35,7 @@
tags: install
- name: Install Wazuh-APP (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_{{ elastic_stack_version }}.zip"
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.0_{{ elastic_stack_version }}.zip"
args:
creates: /usr/share/kibana/plugins/wazuh/package.json
notify: restart kibana

4
ansible-role-logstash/defaults/main.yml
View File

@ -4,7 +4,9 @@ logstash_input_beats: false
elasticsearch_network_host: "127.0.0.1"
elasticsearch_http_port: "9200"
elastic_stack_version: 5.5.0
elasticsearch_shards: 5
elasticsearch_replicas: 1
elastic_stack_version: 5.5.2
logstash_ssl: false
logstash_ssl_dir: /etc/pki/logstash

1
ansible-role-logstash/tasks/Debian.yml
View File

@ -42,6 +42,7 @@
- name: Debian/Ubuntu | Checking if wazuh-manager is installed
command: dpkg -l wazuh-manager
register: wazuh_manager_check_deb
when: logstash_input_beats == false
args:
warn: no

1
ansible-role-logstash/tasks/RedHat.yml
View File

@ -28,6 +28,7 @@
- name: RedHat/CentOS/Fedora | Checking if wazuh-manager is installed
command: rpm -q wazuh-manager
register: wazuh_manager_check_rpm
when: logstash_input_beats == false
args:
warn: no

1
ansible-role-logstash/templates/01-wazuh.conf.j2
View File

@ -1,3 +1,4 @@
#jinja2: trim_blocks:False
# {{ ansible_managed }}
# Wazuh - Logstash configuration file

4
ansible-role-logstash/templates/wazuh-elastic5-template.json.j2
View File

@ -3,8 +3,8 @@
"template": "wazuh*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards" : 1,
"number_of_replicas" : 0
"number_of_shards": {{ elasticsearch_shards }},
"number_of_replicas": {{ elasticsearch_replicas }}
},
"mappings": {
"wazuh": {

29
ansible-wazuh-agent/defaults/main.yml
View File

@ -1,12 +1,29 @@
---
wazuh_manager_ip: 127.0.0.1
wazuh_manager_proto: udp
wazuh_authd_port: 1515
wazuh_register_client: false
wazuh_manager_ip: null
wazuh_profile: null
wazuh_manager_proto: tcp
wazuh_agent_authd:
enable: false
port: 1515
ssl_agent_ca: null
ssl_agent_cert: null
ssl_agent_key: null
ssl_auto_negotiate: 'no'
wazuh_notify_time: null
wazuh_time_reconnect: null
wazuh_winagent_config:
install_dir: 'C:\wazuh-agent\'
version: '2.1.0'
revision: '1'
repo: https://packages.wazuh.com/windows/
md5: 715fbd55f670c2cecc607f2cbd0b2310
wazuh_agent_config:
log_format: 'plain'
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
@ -28,6 +45,10 @@ wazuh_agent_config:
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
arch: 'both'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
rootcheck:
frequency: 43200
openscap:

3
ansible-wazuh-agent/handlers/main.yml
View File

@ -1,3 +1,6 @@
---
- name: restart wazuh-agent
service: name=wazuh-agent state=restarted enabled=yes
- name: restart wazuh-agent windows
win_service: name=OssecSvc start_mode=auto state=restarted

89
ansible-wazuh-agent/tasks/Linux.yml Normal file
View File

@ -0,0 +1,89 @@
---
- include: "RedHat.yml"
when: ansible_os_family == "RedHat"
- include: "Debian.yml"
when: ansible_os_family == "Debian"
- name: Linux | Install wazuh-agent
package: name=wazuh-agent state=latest
tags:
- init
- name: Retrieving authd Credentials
include_vars: authd_pass.yml
tags:
- config
- name: Copy CA, SSL key and cert for authd
copy:
src: "{{ item }}"
dest: "/var/ossec/etc/{{ item | basename }}"
mode: 0644
with_items:
- "{{ wazuh_agent_authd.ssl_agent_ca }}"
- "{{ wazuh_agent_authd.ssl_agent_cert }}"
- "{{ wazuh_agent_authd.ssl_agent_key }}"
tags:
- config
when:
- wazuh_agent_authd.ssl_agent_ca is not none
- wazuh_agent_authd.enable == true
- name: Linux | Check if client.keys exists
stat: path=/var/ossec/etc/client.keys
register: check_keys
tags:
- config
- name: Linux | Register agent
shell: >
/var/ossec/bin/agent-auth
-m {{ wazuh_manager_ip }}
-p {{ wazuh_agent_authd.port }}
{% if authd_pass is defined %}-P {{ authd_pass }}{% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is not none %}
-v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
-x "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}"
-k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %}-a{% endif %}
register: agent_auth_output
when:
- wazuh_agent_authd.enable == true
- check_keys.stat.size == 0
- wazuh_manager_ip is not none
tags:
- config
- name: Linux | Verify agent registration
shell: echo {{ agent_auth_output }} | grep "Valid key created"
when:
- wazuh_agent_authd.enable == true
- check_keys.stat.size == 0
- wazuh_manager_ip is not none
tags:
- config
- name: Linux | Installing agent configuration (ossec.conf)
template: src=var-ossec-etc-ossec-agent.conf.j2
dest=/var/ossec/etc/ossec.conf
owner=root
group=ossec
mode=0644
notify: restart wazuh-agent
tags:
- init
- config
- name: Linux | Ensure Wazuh Agent service is started and enabled
service:
name: wazuh-agent
enabled: yes
state: started
- include: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- include: "RMDebian.yml"
when: ansible_os_family == "Debian"

3
ansible-wazuh-agent/tasks/RMDebian.yml
View File

@ -1,4 +1,5 @@
---
- apt_repository:
- name: Remove Wazuh repository (and clean up left-over metadata)
apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
state: absent

79
ansible-wazuh-agent/tasks/Windows.yml Normal file
View File

@ -0,0 +1,79 @@
---
- name: Windows | Get current installed version
win_shell: "{{ wazuh_winagent_config.install_dir }}ossec-agent.exe -h"
args:
removes: "{{ wazuh_winagent_config.install_dir }}ossec-agent.exe"
register: agent_version
failed_when: False
changed_when: False
- name: Windows | Check Wazuh agent version installed
set_fact: correct_version=true
when:
- agent_version.stdout is defined
- wazuh_winagent_config.version in agent_version.stdout
- name: Windows | Downloading windows Wazuh agent installer
win_get_url:
dest: C:\wazuh-agent-installer.exe
url: "{{ wazuh_winagent_config.repo }}wazuh-winagent-v{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.exe"
when:
- correct_version is not defined
- name: Windows | Verify the downloaded Wazuh agent installer
win_stat:
path: C:\wazuh-agent-installer.exe
get_checksum: yes
checksum_algorithm: md5
register: installer_md5
when:
- correct_version is not defined
failed_when:
- installer_md5.stat.checksum != wazuh_winagent_config.md5
- name: Windows | Install Wazuh agent
win_shell: C:\wazuh-agent-installer.exe /S /D={{ wazuh_winagent_config.install_dir }}
when:
- correct_version is not defined
- name: Windows | Check if client.keys exists
win_stat: path="{{ wazuh_winagent_config.install_dir }}client.keys"
register: check_windows_key
notify: restart wazuh-agent windows
tags:
- config
- name: Retrieving authd Credentials
include_vars: authd_pass.yml
tags:
- config
- name: Windows | Register agent
win_shell: >
{{ wazuh_winagent_config.install_dir }}agent-auth.exe
-m {{ wazuh_manager_ip }}
-p {{ wazuh_agent_authd.port }}
{% if authd_pass is defined %}-P {{ authd_pass }}{% endif %}
args:
chdir: "{{ wazuh_winagent_config.install_dir }}"
register: agent_auth_output
notify: restart wazuh-agent windows
when:
- wazuh_agent_authd.enable == true
- check_windows_key.stat.exists == false
- wazuh_manager_ip is not none
tags:
- config
- name: Windows | Installing agent configuration (ossec.conf)
win_template:
src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_winagent_config.install_dir }}ossec.conf"
notify: restart wazuh-agent windows
tags:
- config
- name: Windows | Delete downloaded Wazuh agent installer file
win_file:
path: C:\wazuh-agent-installer.exe
state: absent

49
ansible-wazuh-agent/tasks/main.yml
View File

@ -1,47 +1,6 @@
---
- include: "RedHat.yml"
when: ansible_os_family == "RedHat"
- include: "Windows.yml"
when: ansible_os_family == "Windows"
- include: "Debian.yml"
when: ansible_os_family == "Debian"
- name: Install wazuh-agent
package: name=wazuh-agent state=present
tags:
- init
- name: "Register agent"
shell: /var/ossec/bin/agent-auth -m {{ wazuh_manager_ip }} -p {{ wazuh_authd_port }}
register: agent_auth_output
when: wazuh_register_client == true
tags:
- config
- name: "Verify agent registration"
shell: echo {{ agent_auth_output }} | grep "Valid key created"
when: wazuh_register_client == true
tags:
- config
- name: "Installing agent configuration (ossec.conf)"
template: src=var-ossec-etc-ossec-agent.conf.j2
dest=/var/ossec/etc/ossec.conf
owner=root
group=ossec
mode=0644
notify: restart wazuh-agent
tags:
- init
- config
- name: Ensure Wazuh Agent service is started and enabled
service:
name: wazuh-agent
enabled: yes
state: started
- include: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- include: "RMDebian.yml"
when: ansible_os_family == "Debian"
- include: "Linux.yml"
when: ansible_system == "Linux"

49
ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -1,4 +1,4 @@
#jinja2: lstrip_blocks: True
#jinja2: trim_blocks: False
<!--
Wazuh - Agent
More info at: https://documentation.wazuh.com
@ -7,20 +7,32 @@
<ossec_config>
<client>
{% if wazuh_manager_ip is not none %}
<server-ip>{{ wazuh_manager_ip }}</server-ip>
{% if wazuh_profile is defined %}
{% else %}
<server-ip>SERVER-IP</server-ip>
{% endif %}
{% if wazuh_profile is not none %}
<config-profile>{{ wazuh_profile }}</config-profile>
{% endif %}
<protocol>{{ wazuh_manager_proto }}</protocol>
{% if wazuh_manager_port is defined %}
<port>{{ wazuh_manager_port }}</port>
{% endif %}
{% if wazuh_notify_time is defined and wazuh_time_reconnect is defined %}
{% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
<notify_time>{{ wazuh_notify_time }}</notify_time>
<time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect>
{% endif %}
</client>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
<active-response>
<disabled>no</disabled>
</active-response>
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
@ -35,6 +47,13 @@
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
{% if ansible_os_family == "Windows" %}
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
{% endif %}
{% if ansible_system == "Linux" %}
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
@ -42,11 +61,23 @@
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
{% endif %}
{% endif %}
<skip_nfs>yes</skip_nfs>
</rootcheck>
<syscheck>
<disabled>no</disabled>
{% if ansible_os_family == "Windows" %}
<directories check_all="yes" realtime="yes" restrict="^C:\wazuh-agent/shared/agent.conf$">C:\wazuh-agent</directories>
{% endif %}
{% if ansible_system == "Linux" %}
<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories>
{% endif %}
<auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
@ -69,9 +100,19 @@
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
</syscheck>
{% if wazuh_agent_config.openscap.disable == 'no' %}
{% if wazuh_agent_config.openscap.disable == 'no' and ansible_system == "Linux"%}
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>

2
ansible-wazuh-agent/vars/authd_pass.yml Normal file
View File

@ -0,0 +1,2 @@
---
#authd_pass: 'foobar'

101
ansible-wazuh-manager/defaults/main.yml
View File

@ -5,16 +5,56 @@ wazuh_manager_config:
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
log_format: 'plain'
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
authd:
enable: false
email_notification: no
port: 1515
use_source_ip: 'no'
force_insert: 'no'
force_time: 0
purge: 'no'
use_password: 'no'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: null
ssl_manager_key: null
ssl_auto_negotiate: 'no'
email_notification: 'no'
mail_to:
- admin@example.net
- 'admin@example.net'
mail_smtp_server: localhost
mail_from: wazuh-server@example.com
extra_emails:
- enable: false
mail_to: 'admin@example.net'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
reports:
- enable: false
category: 'syscheck'
title: 'Daily report: File changes'
email_to: 'admin@example.net'
location: null
group: null
rule: null
level: null
srcip: null
user: null
showlogs: null
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
@ -61,10 +101,6 @@ wazuh_manager_config:
globals:
- '127.0.0.1'
- '192.168.2.1'
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
commands:
- name: 'disable-account'
executable: 'disable-account.sh'
@ -74,6 +110,10 @@ wazuh_manager_config:
executable: 'restart-ossec.sh'
expect: ''
timeout_allowed: 'no'
- name: 'win_restart-ossec'
executable: 'restart-ossec.cmd'
expect: ''
timeout_allowed: 'no'
- name: 'firewall-drop'
executable: 'firewall-drop.sh'
expect: 'srcip'
@ -91,26 +131,45 @@ wazuh_manager_config:
expect: 'srcip'
timeout_allowed: 'yes'
active_responses:
- command: 'restart-ossec'
location: 'local'
rules_id: '100002'
- command: 'win_restart-ossec'
location: 'local'
rules_id: '100003'
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
syslog_outputs:
- server: null
port: null
format: null
wazuh_agent_configs:
- type: os
type_value: linux
frequency_check: 79200
ignore_files:
type_value: Linux
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- check_all: yes
dirs: /etc,/usr/bin,/usr/sbin
- check_all: yes
dirs: /bin,/sbin
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
rootcheck:
frequency: 43200
cis_distribution_filename: null
localfiles:
- format: 'syslog'
location: '/var/log/messages'
@ -124,3 +183,19 @@ wazuh_agent_configs:
location: '/var/log/httpd/access_log'
- format: 'apache'
location: '/var/ossec/logs/active-responses.log'
- type: os
type_value: Windows
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
arch: 'both'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
localfiles:
- format: 'Security'
location: 'eventchannel'
- format: 'System'
location: 'eventlog'

3
ansible-wazuh-manager/handlers/main.yml
View File

@ -1,4 +1,7 @@
---
- name: rebuild cdb_lists
shell: /var/ossec/bin/ossec-makelists
- name: restart wazuh-manager
service: name=wazuh-manager
state=restarted

149
ansible-wazuh-manager/tasks/main.yml
View File

@ -6,7 +6,7 @@
when: ansible_os_family == "Debian"
- name: Install wazuh-manager, wazuh-api and expect
package: pkg={{ item }} state=present
package: pkg={{ item }} state=latest
with_items:
- wazuh-manager
- wazuh-api
@ -21,7 +21,7 @@
chdir: /var/ossec/etc/
tags:
- config
when: wazuh_manager_config.authd.ssl_agent_ca is not defined
when: not wazuh_manager_config.authd.ssl_agent_ca is not none
- name: Copy CA, SSL key and cert for authd
copy:
@ -34,7 +34,7 @@
- "{{ wazuh_manager_config.authd.ssl_manager_key }}"
tags:
- config
when: wazuh_manager_config.authd.ssl_agent_ca is defined
when: wazuh_manager_config.authd.ssl_agent_ca is not none
- name: Verifying for old init authd service
stat: path=/etc/init.d/ossec-authd
@ -90,7 +90,7 @@
- name: Configure the shared-agent.conf
template: src=var-ossec-etc-shared-agent.conf.j2
dest=/var/ossec/etc/shared/agent.conf
owner=root
owner=ossec
group=ossec
mode=0640
notify: restart wazuh-manager
@ -98,61 +98,85 @@
- init
- config
- name: Check if client-syslog is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo"
register: csyslog_running
changed_when: False
- name: Enable client-syslog
command: /var/ossec/bin/ossec-control enable client-syslog
when: csyslog_running.stdout == '0' and wazuh_manager_config.syslog_outputs is defined
- name: Start client-syslog
command: /var/ossec/bin/ossec-control start client-syslog
when: csyslog_running.stdout == '0' and wazuh_manager_config.syslog_outputs is defined
- name: Check if ossec-agentlessd is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-agentlessd is running' | xargs echo"
register: agentless_running
changed_when: False
- name: Enable ossec-agentlessd
command: /var/ossec/bin/ossec-control enable agentless
when: agentless_running.stdout == '0' and agentless_creeds is defined
- name: Start ossec-agentlessd
command: /var/ossec/bin/ossec-control start agentless
when: agentless_running.stdout == '0' and agentless_creeds is defined
- name: Check if ossec-authd is enabled
shell: "/var/ossec/bin/ossec-control status | grep -c 'ossec-authd is running' | xargs echo"
register: authd_running
changed_when: False
- name: Enable ossec-authd
command: /var/ossec/bin/ossec-control enable auth
when:
- authd_running.stdout == '0'
- wazuh_manager_config.authd.enable == true
- name: Start ossec-authd
command: /var/ossec/bin/ossec-control start auth
when:
- authd_running.stdout == '0'
- wazuh_manager_config.authd.enable == true
- name: Retrieving Agentless Credentials
include_vars: agentless_creeds.yml
tags:
- config
- name: Retrieving authd Credentials
include_vars: authd_pass.yml
tags:
- config
- name: Retrieving Agentless Credentials
include_vars: agentless_creeds.yml
- name: Retrieving Wazuh-api User Credentials
include_vars: wazuh_api_creds.yml
tags:
- config
- name: Retrieving Wazuh-api User Credentials
include_vars: wazuh_api_creds.yml
- name: Retrieving CDB lists
include_vars: cdb_lists.yml
tags:
- config
- name: Check if syslog output is enabled
set_fact: syslog_output=true
when: item.server is not none
with_items:
- "{{ wazuh_manager_config.syslog_outputs }}"
tags:
- config
- name: Check if client-syslog is enabled
shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
register: csyslog_enabled
tags:
- config
- name: Enable client-syslog
command: /var/ossec/bin/ossec-control enable client-syslog
notify: restart wazuh-manager
when:
- csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout
- syslog_output is defined and syslog_output == true
tags:
- config
- name: Check if ossec-agentlessd is enabled
shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
register: agentlessd_enabled
tags:
- config
- name: Enable ossec-agentlessd
command: /var/ossec/bin/ossec-control enable agentless
notify: restart wazuh-manager
when:
- agentlessd_enabled.stdout == '0' or "skipped" in agentlessd_enabled.stdout
- agentless_creeds is defined
tags:
- config
- name: Check if ossec-authd is enabled
shell: "grep -c 'ossec-authd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
register: authd_enabled
tags:
- config
- name: Enable ossec-authd
command: /var/ossec/bin/ossec-control enable auth
notify: restart wazuh-manager
when:
- authd_enabled.stdout == '0' or "skipped" in authd_enabled.stdout
- wazuh_manager_config.authd.enable == true
tags:
- config
@ -187,7 +211,7 @@
notify: restart wazuh-manager
when:
- wazuh_manager_config.authd.use_password is defined
- wazuh_manager_config.authd.use_password == true
- wazuh_manager_config.authd.use_password == 'yes'
tags:
- config
@ -201,6 +225,8 @@
no_log: true
notify: restart wazuh-api
when: wazuh_api_user is defined
tags:
- config
- name: Agentless Hosts & Passwd
template:
@ -211,10 +237,31 @@
mode: 0644
no_log: true
when: agentless_creeds is defined
tags:
- config
- name: Encode the secret
shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp
when: agentless_creeds is defined
tags:
- config
- name: CDB Lists
template:
src: cdb_lists.j2
dest: "/var/ossec/etc/lists/{{ item.name }}"
owner: root
group: ossec
mode: 0640
no_log: true
notify:
- rebuild cdb_lists
- restart wazuh-manager
with_items:
- "{{ cdb_lists }}"
when: cdb_lists is defined
tags:
- config
- name: Ensure Wazuh Manager, wazuh api service is started and enabled
service:

1
ansible-wazuh-manager/templates/cdb_lists.j2 Normal file
View File

@ -0,0 +1 @@
{{ item.content }}

85
ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -1,4 +1,4 @@
#jinja2: trim_blocks:False
#jinja2: trim_blocks: False
<!--
Wazuh - Manager - Default configuration
More info at: https://documentation.wazuh.com
@ -22,66 +22,74 @@
<email_from>{{ wazuh_manager_config.mail_from }}</email_from>
</global>
<logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging>
{% if wazuh_manager_config.authd.enable == true %}
<auth>
<disabled>no</disabled>
{% if wazuh_manager_config.authd.port is defined %}<port>{{wazuh_manager_config.authd.port}}</port>{% else %}<port>1515</port>{% endif %}
{% if wazuh_manager_config.authd.use_source_ip is defined %}<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>{% endif %}
{% if wazuh_manager_config.authd.force_insert is defined %}<force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>{% endif %}
{% if wazuh_manager_config.authd.force_time is defined %}<force_time>{{wazuh_manager_config.authd.force_time}}</force_time>{% endif %}
{% if wazuh_manager_config.authd.purge is defined %}<purge>{{wazuh_manager_config.authd.purge}}</purge>{% endif %}
{% if wazuh_manager_config.authd.use_password is defined %}<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is defined %}<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>{% endif %}
{% if wazuh_manager_config.authd.ssl_verify_host is defined %}<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_cert is defined %}<ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_key is defined %}<ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>{% endif %}
{% if wazuh_manager_config.authd.ssl_auto_negotiate is defined %}<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>{% endif %}
{% if wazuh_manager_config.authd.port is not none %}<port>{{wazuh_manager_config.authd.port}}</port>{% else %}<port>1515</port>{% endif %}
{% if wazuh_manager_config.authd.use_source_ip is not none %}<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>{% endif %}
{% if wazuh_manager_config.authd.force_insert is not none %}<force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>{% endif %}
{% if wazuh_manager_config.authd.force_time is not none %}<force_time>{{wazuh_manager_config.authd.force_time}}</force_time>{% endif %}
{% if wazuh_manager_config.authd.purge is not none %}<purge>{{wazuh_manager_config.authd.purge}}</purge>{% endif %}
{% if wazuh_manager_config.authd.use_password is not none %}<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %}<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>{% endif %}
{% if wazuh_manager_config.authd.ssl_verify_host is not none %}<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_cert is not none %}<ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_key is not none %}<ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>{% endif %}
{% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>{% endif %}
</auth>
{% endif %}
{% if wazuh_manager_config.extra_emails is defined %}
{% for mail in wazuh_manager_config.extra_emails %}
{% if mail.enable == true %}
<email_alerts>
<email_to>{{ mail.mail_to }}</email_to>
{% if mail.format is defined %}
{% if mail.format is not none %}
<format>{{ mail.format }}</format>
{% endif %}
{% if mail.level is defined %}
{% if mail.level is not none %}
<level>{{ mail.level }}</level>
{% endif %}
{% if mail.event_location is defined %}
{% if mail.event_location is not none %}
<event_location>{{ mail.event_location }}</event_location>
{% endif %}
{% if mail.group is defined %}
{% if mail.group is not none %}
<group>{{ mail.group }}</group>
{% endif %}
{% if mail.do_not_delay is defined and mail.do_not_delay == true %}
{% if mail.do_not_delay is not none and mail.do_not_delay == true %}
<do_not_delay />
{% endif %}
{% if mail.do_not_group is defined and mail.do_not_group == true %}
{% if mail.do_not_group is not none and mail.do_not_group == true %}
<do_not_group />
{% endif %}
{% if mail.rule_id is defined %}
{% if mail.rule_id is not none %}
<rule_id>{{ mail.rule_id }}</rule_id>
{% endif %}
</email_alerts>
{% endif %}
{% endfor %}
{% endif %}
{% if wazuh_manager_config.reports is defined %}
{% for report in wazuh_manager_config.reports %}
{% if report.enable == true %}
<reports>
<category>{{ report.category }}</category>
<title>{{ report.title }}</title>
<email_to>{{ report.email_to }}</email_to>
{% if report.location is defined %}<location>{{ report.location }}</location>{% endif %}
{% if report.group is defined %}<group>{{ report.group }}</group>{% endif %}
{% if report.rule is defined %}<rule>{{ report.rule }}</rule>{% endif %}
{% if report.level is defined %}<level>{{ report.level }}</level>{% endif %}
{% if report.srcip is defined %}<srcip>{{ report.srcip }}</srcip>{% endif %}
{% if report.user is defined %}<user>{{ report.user }}</user>{% endif %}
{% if report.showlogs is defined %}<showlogs>{{ report.showlogs }}</showlogs>{% endif %}
{% if report.location is not none %}<location>{{ report.location }}</location>{% endif %}
{% if report.group is not none %}<group>{{ report.group }}</group>{% endif %}
{% if report.rule is not none %}<rule>{{ report.rule }}</rule>{% endif %}
{% if report.level is not none %}<level>{{ report.level }}</level>{% endif %}
{% if report.srcip is not none %}<srcip>{{ report.srcip }}</srcip>{% endif %}
{% if report.user is not none %}<user>{{ report.user }}</user>{% endif %}
{% if report.showlogs is not none %}<showlogs>{{ report.showlogs }}</showlogs>{% endif %}
</reports>
{% endif %}
{% endfor %}
{% endif %}
@ -91,11 +99,11 @@
</alerts>
<remote>
{% for connection in wazuh_manager_config.connection %}
{% for connection in wazuh_manager_config.connection %}
<connection>{{ connection.type }}</connection>
<port>{{ connection.port }}</port>
<protocol>{{ connection.protocol }}</protocol>
{% endfor %}
{% endfor %}
</remote>
<rootcheck>
@ -124,6 +132,8 @@
</rootcheck>
<syscheck>
<auto_ignore>{{ wazuh_manager_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
@ -231,7 +241,11 @@
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
{% if cdb_lists is defined %}
{% for list in cdb_lists %}
<list>etc/lists/{{ list.name }}</list>
{% endfor %}
{% endif %}
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
@ -241,10 +255,15 @@
<!-- Active Response Config -->
{% for response in wazuh_manager_config.active_responses %}
<active-response>
<disabled>no</disabled>
<command>{{ response.command }}</command>
<location>{{ response.location }}</location>
<level>{{ response.level }}</level>
<timeout>{{ response.timeout }}</timeout>
{%if response.location is defined %}<location>{{ response.location }}</location>{% endif %}
{%if response.agent_id is defined %}<agent_id>{{ response.agent_id }}</agent_id>{% endif %}
{%if response.level is defined %}<level>{{ response.level }}</level>{% endif %}
{%if response.rules_group is defined %}<rules_group>{{ response.rules_group }}</rules_group>{% endif %}
{%if response.rules_id is defined %}<rules_id>{{ response.rules_id }}</rules_id>{% endif %}
{%if response.timeout is defined %}<timeout>{{ response.timeout }}</timeout>{% endif %}
{%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}
</active-response>
{% endfor %}
@ -263,11 +282,13 @@
{% if wazuh_manager_config.syslog_outputs is defined %}
{% for syslog_output in wazuh_manager_config.syslog_outputs %}
{% if syslog_output.server is not none %}
<syslog_output>
<server>{{ syslog_output.server }}</server>
<port>{{ syslog_output.port }}</port>
<format>{{ syslog_output.format }}</format>
</syslog_output>
{% endif %}
{% endfor %}
{% endif %}

89
ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
View File

@ -1,44 +1,79 @@
{% for item in wazuh_agent_configs %}
<agent_config {{ item.type }}="{{ item.type_value }}">
#jinja2: trim_blocks: False
{% if wazuh_agent_configs is defined %}
{% for agent_config in wazuh_agent_configs %}
<agent_config {{ agent_config.type }}="{{ agent_config.type_value }}">
<syscheck>
<auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ agent_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ agent_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
{% for directory in item.directories %}
<directories check_all="{{ directory.check_all }}">{{ directory.dirs }}</directories>
{% endfor %}
<!-- files we don't watch/ignore -->
<frequency>{{ item.frequency_check }}</frequency>
{% for ignore_file in item.ignore_files %}
<ignore>{{ ignore_file }}</ignore>
{% if agent_config.syscheck.directories is defined %}
{% for directory in agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if agent_config.syscheck.ignore is defined %}
{% for ignore in agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff -->
{% if agent_config.syscheck.no_diff is defined %}
{% for no_diff in agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
{% endif %}
{% if agent_config.syscheck.windows_registry is defined %}
{% for registry_key in agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
</syscheck>
<!-- Files to monitor (localfiles) -->
{% for localfile in item.localfiles %}
{% for localfile in agent_config.localfiles %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.command is defined %}
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endfor %}
{% if agent_config.rootcheck is defined %}
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
{% if item.cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ item.cis_distribution_filename }}</system_audit>
{% else %}
{# none specified so install all #}
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
{% endif %}
</rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ agent_config.rootcheck.frequency }}</frequency>
{% if agent_config.rootcheck.cis_distribution_filename is not none %}
<system_audit>/var/ossec/etc/shared/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs>
</rootcheck>
{% endif %}
</agent_config>
{% endfor %}
{% endif %}

17
ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
View File

@ -16,3 +16,20 @@
</rule>
</group>
<!--
Used with active-response to restart an agent when agent.conf file
is successfully retrieved.
-->
<group name="local,ossec,">
<rule id="100002" level="1">
<if_group>syscheck</if_group>
<match>/var/ossec/etc/shared/agent.conf</match>
<description>Linux | agent.conf was modified</description>
</rule>
<rule id="100003" level="1">
<if_group>syscheck</if_group>
<match>C:\wazuh-agent/shared/agent.conf</match>
<description>Windows | agent.conf was modified</description>
</rule>
</group>

9
ansible-wazuh-manager/vars/cdb_lists.yml Normal file
View File

@ -0,0 +1,9 @@
---
cdb_lists:
- name: 'audit-keys'
content: |
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command