From ce013d1dde312c9b0e9a73393402542ee1545186 Mon Sep 17 00:00:00 2001
From: Rshad Zhran <rashzk95@gmail.com>
Date: Mon, 16 Dec 2019 21:57:10 +0100
Subject: [PATCH] Adapt ossec.conf template and variables to v3.11 - manager

---
 .../ansible-wazuh-manager/defaults/main.yml   | 85 +++++++++-------
 .../var-ossec-etc-ossec-server.conf.j2        | 96 +++++++++++--------
 2 files changed, 108 insertions(+), 73 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index 0a5eaf07..3551c3ab 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -87,7 +87,7 @@ wazuh_manager_config:
   connection:
     - type: 'secure'
       port: '1514'
-      protocol: 'tcp'
+      protocol: 'udp'
       queue_size: 131072
   authd:
     enable: true
@@ -97,6 +97,8 @@ wazuh_manager_config:
     force_time: 0
     purge: 'no'
     use_password: 'no'
+    limit_maxagents: 'yes'
+    ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
     ssl_agent_ca: null
     ssl_verify_host: 'no'
     ssl_manager_cert: 'sslmanager.cert'
@@ -105,13 +107,14 @@ wazuh_manager_config:
   email_notification: 'no'
   mail_to:
     - 'admin@example.net'
-  mail_smtp_server: localhost
-  mail_from: wazuh-server@example.com
+  mail_smtp_server: smtp.example.wazuh.com
+  mail_from: ossecm@example.wazuh.com
   mail_maxperhour: 12
   mail_queue_size: 131072
+  email_log_source: 'alerts.log'
   extra_emails:
     - enable: false
-      mail_to: 'admin@example.net'
+      mail_to: 'recipient@example.wazuh.com'
       format: full
       level: 7
       event_location: null
@@ -152,6 +155,10 @@ wazuh_manager_config:
       - /etc/svc/volatile
       - /sys/kernel/security
       - /sys/kernel/debug
+      - /dev/core
+    ignore_linux_type:
+      - '^/proc'
+      - '.log$|.swp$'
     no_diff:
       - /etc/ssl/private.key
     directories:
@@ -164,8 +171,6 @@ wazuh_manager_config:
       timeframe: 'timeframe="3600"'
       value: 'no'
     skip_nfs: 'yes'
-    remove_old_diff: 'yes'
-    restart_audit: 'yes'
   rootcheck:
     frequency: 43200
   openscap:
@@ -181,10 +186,6 @@ wazuh_manager_config:
     scan_on_start: 'yes'
     java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
     ciscat_path: 'wodles/ciscat'
-    content:
-      - type: 'xccdf'
-        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
-        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
   osquery:
     disable: 'yes'
     run_daemon: 'yes'
@@ -209,20 +210,40 @@ wazuh_manager_config:
     day: ''
     wday: ''
     time: ''
-  vul_detector:
-    disable: 'yes'
+  vulnerability_detector:
+    enabled: 'no'
     interval: '5m'
     ignore_time: '6h'
     run_on_start: 'yes'
-    ubuntu:
-      disable: 'yes'
-      update_interval: '1h'
-    redhat:
-      disable: 'yes'
-      update_interval: '1h'
-    debian:
-      disable: 'yes'
-      update_interval: '1h'
+    providers:
+      canonical:
+        - name: 'canonical'
+          enabled: 'no'
+          os:
+            - precise
+            - trusty
+            - xenial
+            - bionic
+          update_interval: '1h'
+      debian:
+        - name: 'debian'
+          enabled: 'no'
+          os:
+            - wheezy
+            - stretch
+            - jessie
+            - buster
+          update_interval: '1h'
+      redhat:
+        - name: 'redhat'
+          enabled: 'no'
+          update_from_year: '2010'
+          update_interval: '1h'
+      nvd:
+        - name: 'nvd'
+          enabled: 'no'
+          update_from_year: '2010'
+          update_interval: '1h'    
   vuls:
     disable: 'yes'
     interval: '1d'
@@ -233,15 +254,15 @@ wazuh_manager_config:
       - 'updatenvd'
       - 'nvd-year 2016'
       - 'autoupdate'
-  log_level: 1
+  log_level: 3
   email_level: 12
   localfiles:
     common:
       - format: 'command'
-        command: df -P -x squashfs -x tmpfs -x devtmpfs
+        command: df -P
         frequency: '360'
       - format: 'full_command'
-        command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
+        command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
         alias: 'netstat listening ports'
         frequency: '360'
       - format: 'full_command'
@@ -268,18 +289,15 @@ wazuh_manager_config:
         location: '/var/log/audit/audit.log'
   globals:
     - '127.0.0.1'
-    - '192.168.2.1'
+    - '^localhost.localdomain$'
+    - '127.0.0.53'
   commands:
     - name: 'disable-account'
       executable: 'disable-account.sh'
       expect: 'user'
       timeout_allowed: 'yes'
-    # - name: 'restart-ossec'
-    #   executable: 'restart-ossec.sh'
-    #   expect: ''
-    #   timeout_allowed: 'no'
-    - name: 'win_restart-ossec'
-      executable: 'restart-ossec.cmd'
+    - name: 'restart-ossec'
+      executable: 'restart-ossec.sh'
       expect: ''
       timeout_allowed: 'no'
     - name: 'firewall-drop'
@@ -298,6 +316,10 @@ wazuh_manager_config:
       executable: 'route-null.cmd'
       expect: 'srcip'
       timeout_allowed: 'yes'
+    - name: 'win_route-null-2012'
+      executable: 'route-null-2012.cmd'
+      expect: 'srcip'
+      timeout_allowed: 'yes'
     - name: 'netsh'
       executable: 'netsh.cmd'
       expect: 'srcip'
@@ -327,7 +349,6 @@ wazuh_agent_configs:
     syscheck:
       frequency: 43200
       scan_on_start: 'yes'
-      auto_ignore: 'no'
       alert_new_files: 'yes'
       ignore:
         - /etc/mtab
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 733cae18..603ce858 100644
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -18,7 +18,7 @@
     <smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server>
     <email_from>{{ wazuh_manager_config.mail_from }}</email_from>
     <email_maxperhour>{{ wazuh_manager_config.mail_maxperhour }}</email_maxperhour>
-    <queue_size>{{ wazuh_manager_config.mail_queue_size }}</queue_size>
+    <email_log_source>{{ wazuh_manager_config.email_log_source }}</email_log_source>
   </global>
 
   <alerts>
@@ -115,7 +115,6 @@
   <!-- Policy monitoring -->
   <rootcheck>
     <disabled>no</disabled>
-    <check_unixaudit>yes</check_unixaudit>
     <check_files>yes</check_files>
     <check_trojans>yes</check_trojans>
     <check_dev>yes</check_dev>
@@ -129,11 +128,6 @@
 
     <rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
-    <system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>
-    <system_audit>/var/ossec/etc/shared/default/system_audit_ssh.txt</system_audit>
-    {% if cis_distribution_filename is defined %}
-    <system_audit>/var/ossec/etc/shared/default/{{ cis_distribution_filename }}</system_audit>
-    {% endif %}
 
     <skip_nfs>yes</skip_nfs>
   </rootcheck>
@@ -202,11 +196,6 @@
     <java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
     {% endif %}
     <ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
-    {% for benchmark in wazuh_manager_config.cis_cat.content %}
-    <content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
-      <profile>{{ benchmark.profile }}</profile>
-    </content>
-    {% endfor %}
   </wodle>
 
   <!-- Osquery integration -->
@@ -255,24 +244,45 @@
   {% endif %}
   </sca>
 
-  <wodle name="vulnerability-detector">
-    <disabled>{{ wazuh_manager_config.vul_detector.disable }}</disabled>
-    <interval>{{ wazuh_manager_config.vul_detector.interval }}</interval>
-    <ignore_time>{{ wazuh_manager_config.vul_detector.ignore_time }}</ignore_time>
-    <run_on_start>{{ wazuh_manager_config.vul_detector.run_on_start }}</run_on_start>
-    <feed name="ubuntu-18">
-      <disabled>{{ wazuh_manager_config.vul_detector.ubuntu.disable }}</disabled>
-      <update_interval>{{ wazuh_manager_config.vul_detector.ubuntu.update_interval }}</update_interval>
-    </feed>
-    <feed name="redhat">
-      <disabled>{{ wazuh_manager_config.vul_detector.redhat.disable }}</disabled>
-      <update_interval>{{ wazuh_manager_config.vul_detector.redhat.update_interval }}</update_interval>
-    </feed>
-    <feed name="debian-9">
-      <disabled>{{ wazuh_manager_config.vul_detector.debian.disable }}</disabled>
-      <update_interval>{{ wazuh_manager_config.vul_detector.debian.update_interval }}</update_interval>
-    </feed>
-  </wodle>
+  <vulnerability-detector>
+  {% if wazuh_manager_config.vulnerability_detector.enabled is defined %}
+    <enabled>{{ wazuh_manager_config.vulnerability_detector.enabled }}</enabled>
+  {% endif %}
+  {% if wazuh_manager_config.vulnerability_detector.interval is defined %}
+    <interval>{{ wazuh_manager_config.vulnerability_detector.interval }}</interval>
+  {% endif %}
+  {% if wazuh_manager_config.vulnerability_detector.ignore_time is defined %}
+    <ignore_time>{{ wazuh_manager_config.vulnerability_detector.ignore_time }}</ignore_time>
+  {% endif %}
+  {% if wazuh_manager_config.vulnerability_detector.run_on_start is defined %}
+    <run_on_start>{{ wazuh_manager_config.vulnerability_detector.run_on_start }}</run_on_start>
+  {% endif %}
+  {% if wazuh_manager_config.vulnerability_detector.providers is defined %}
+  {% for provider in wazuh_manager_config.vulnerability_detector.providers %}
+    <provider name={{ provider.name }}>
+
+        {% if provider.enabled is defined %}
+        <enabled>{{ provider.enabled }}</enabled>
+        {% endif %}
+
+        {% if provider.os is defined %}
+        {% for os_ in provider.os %}
+        <os>{{ os_ }}</os>
+        {% endfor %}
+        {% endif %}
+
+        {% if provider.update_from_year is defined %}
+        <update_from_year>{{ provider.update_from_year }}</update_from_year>
+        {% endif %}
+
+        {% if provider.update_interval is defined %}
+        <update_interval>{{ provider.update_interval }}</update_interval>
+        {% endif %}
+
+    </provider>
+  {% endfor %}
+  {% endif %}
+  </vulnerability-detector>
 
   <!-- File integrity monitoring -->
   <syscheck>
@@ -283,7 +293,7 @@
     <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
     <scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
 
-    <!-- Don't ignore files that change more than 'frequency' times -->
+    <!-- Do not ignore files that change more than 'frequency' times -->
     {% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %}
     <auto_ignore {{ wazuh_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ wazuh_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{wazuh_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore>
     {% endif %}
@@ -302,6 +312,14 @@
     {% endfor %}
     {% endif %}
 
+    <!-- File types to ignore -->
+    {% if wazuh_manager_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
+    {% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %}
+    <ignore type="sregex">{{ ignore }}</ignore>
+    {% endfor %}
+    {% endif %}
+
+
     <!-- Files no diff -->
     {% for no_diff in wazuh_manager_config.syscheck.no_diff %}
     <nodiff>{{ no_diff }}</nodiff>
@@ -309,16 +327,6 @@
     {% if wazuh_manager_config.syscheck.skip_nfs is defined %}
     <skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs>
     {% endif %}
-
-    <!-- Remove not monitored files -->
-    {% if wazuh_manager_config.syscheck.remove_old_diff is defined %}
-    <remove_old_diff>{{ wazuh_manager_config.syscheck.remove_old_diff }}</remove_old_diff>
-    {% endif %}
-
-    <!-- Allow the system to restart Auditd after installing the plugin -->
-    {% if wazuh_manager_config.syscheck.restart_audit is defined %}
-    <restart_audit>{{ wazuh_manager_config.syscheck.restart_audit }}</restart_audit>
-    {% endif %}
   </syscheck>
 
   <global>
@@ -380,6 +388,12 @@
     {% if wazuh_manager_config.authd.use_password is not none %}
     <use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
     {% endif %}
+    {% if wazuh_manager_config.authd.limit_maxagents is not none %}
+    <limit_maxagents>{{wazuh_manager_config.authd.limit_maxagents}}</limit_maxagents>
+    {% endif %}
+    {% if wazuh_manager_config.authd.ciphers is not none %}
+    <ciphers>{{wazuh_manager_config.authd.ciphers}}</ciphers>
+    {% endif %}    
     {% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
     <ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
     {% endif %}