afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adapt ossec.conf template and variables to v3.11 - manager

Browse Source
This commit is contained in:
Rshad Zhran 2019-12-16 21:57:10 +01:00
parent 2ddd8b9e72
commit ce013d1dde
2 changed files with 108 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -87,7 +87,7 @@ wazuh_manager_config:
connection: connection:
- type: 'secure' - type: 'secure'
port: '1514' port: '1514'
protocol: 'tcp' protocol: 'udp'
queue_size: 131072 queue_size: 131072
authd: authd:
enable: true enable: true
@ -97,6 +97,8 @@ wazuh_manager_config:
force_time: 0 force_time: 0
purge: 'no' purge: 'no'
use_password: 'no' use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null ssl_agent_ca: null
ssl_verify_host: 'no' ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert' ssl_manager_cert: 'sslmanager.cert'
@ -105,13 +107,14 @@ wazuh_manager_config:
email_notification: 'no' email_notification: 'no'
mail_to: mail_to:
- 'admin@example.net' - 'admin@example.net'
mail_smtp_server: localhost mail_smtp_server: smtp.example.wazuh.com
mail_from: wazuh-server@example.com mail_from: ossecm@example.wazuh.com
mail_maxperhour: 12 mail_maxperhour: 12
mail_queue_size: 131072 mail_queue_size: 131072
email_log_source: 'alerts.log'
extra_emails: extra_emails:
- enable: false - enable: false
mail_to: 'admin@example.net' mail_to: 'recipient@example.wazuh.com'
format: full format: full
level: 7 level: 7
event_location: null event_location: null
@ -152,6 +155,10 @@ wazuh_manager_config:
- /etc/svc/volatile - /etc/svc/volatile
- /sys/kernel/security - /sys/kernel/security
- /sys/kernel/debug - /sys/kernel/debug
- /dev/core
ignore_linux_type:
- '^/proc'
- '.log$|.swp$'
no_diff: no_diff:
- /etc/ssl/private.key - /etc/ssl/private.key
directories: directories:
@ -164,8 +171,6 @@ wazuh_manager_config:
timeframe: 'timeframe="3600"' timeframe: 'timeframe="3600"'
value: 'no' value: 'no'
skip_nfs: 'yes' skip_nfs: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
rootcheck: rootcheck:
frequency: 43200 frequency: 43200
openscap: openscap:
@ -181,10 +186,6 @@ wazuh_manager_config:
scan_on_start: 'yes' scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat' ciscat_path: 'wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
osquery: osquery:
disable: 'yes' disable: 'yes'
run_daemon: 'yes' run_daemon: 'yes'
@ -209,19 +210,39 @@ wazuh_manager_config:
day: '' day: ''
wday: '' wday: ''
time: '' time: ''
vul_detector: vulnerability_detector:
disable: 'yes' enabled: 'no'
interval: '5m' interval: '5m'
ignore_time: '6h' ignore_time: '6h'
run_on_start: 'yes' run_on_start: 'yes'
ubuntu: providers:
disable: 'yes' canonical:
update_interval: '1h' - name: 'canonical'
redhat: enabled: 'no'
disable: 'yes' os:
- precise
- trusty
- xenial
- bionic
update_interval: '1h' update_interval: '1h'
debian: debian:
disable: 'yes' - name: 'debian'
enabled: 'no'
os:
- wheezy
- stretch
- jessie
- buster
update_interval: '1h'
redhat:
- name: 'redhat'
enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
nvd:
- name: 'nvd'
enabled: 'no'
update_from_year: '2010'
update_interval: '1h' update_interval: '1h'
vuls: vuls:
disable: 'yes' disable: 'yes'
@ -233,15 +254,15 @@ wazuh_manager_config:
- 'updatenvd' - 'updatenvd'
- 'nvd-year 2016' - 'nvd-year 2016'
- 'autoupdate' - 'autoupdate'
log_level: 1 log_level: 3
email_level: 12 email_level: 12
localfiles: localfiles:
common: common:
- format: 'command' - format: 'command'
command: df -P -x squashfs -x tmpfs -x devtmpfs command: df -P
frequency: '360' frequency: '360'
- format: 'full_command' - format: 'full_command'
command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports' alias: 'netstat listening ports'
frequency: '360' frequency: '360'
- format: 'full_command' - format: 'full_command'
@ -268,18 +289,15 @@ wazuh_manager_config:
location: '/var/log/audit/audit.log' location: '/var/log/audit/audit.log'
globals: globals:
- '127.0.0.1' - '127.0.0.1'
- '192.168.2.1' - '^localhost.localdomain$'
- '127.0.0.53'
commands: commands:
- name: 'disable-account' - name: 'disable-account'
executable: 'disable-account.sh' executable: 'disable-account.sh'
expect: 'user' expect: 'user'
timeout_allowed: 'yes' timeout_allowed: 'yes'
# - name: 'restart-ossec' - name: 'restart-ossec'
# executable: 'restart-ossec.sh' executable: 'restart-ossec.sh'
# expect: ''
# timeout_allowed: 'no'
- name: 'win_restart-ossec'
executable: 'restart-ossec.cmd'
expect: '' expect: ''
timeout_allowed: 'no' timeout_allowed: 'no'
- name: 'firewall-drop' - name: 'firewall-drop'
@ -298,6 +316,10 @@ wazuh_manager_config:
executable: 'route-null.cmd' executable: 'route-null.cmd'
expect: 'srcip' expect: 'srcip'
timeout_allowed: 'yes' timeout_allowed: 'yes'
- name: 'win_route-null-2012'
executable: 'route-null-2012.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh' - name: 'netsh'
executable: 'netsh.cmd' executable: 'netsh.cmd'
expect: 'srcip' expect: 'srcip'
@ -327,7 +349,6 @@ wazuh_agent_configs:
syscheck: syscheck:
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes' alert_new_files: 'yes'
ignore: ignore:
- /etc/mtab - /etc/mtab

96
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -18,7 +18,7 @@
<smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server> <smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server>
<email_from>{{ wazuh_manager_config.mail_from }}</email_from> <email_from>{{ wazuh_manager_config.mail_from }}</email_from>
<email_maxperhour>{{ wazuh_manager_config.mail_maxperhour }}</email_maxperhour> <email_maxperhour>{{ wazuh_manager_config.mail_maxperhour }}</email_maxperhour>
<queue_size>{{ wazuh_manager_config.mail_queue_size }}</queue_size> <email_log_source>{{ wazuh_manager_config.email_log_source }}</email_log_source>
</global> </global>
<alerts> <alerts>
@ -115,7 +115,6 @@
<!-- Policy monitoring --> <!-- Policy monitoring -->
<rootcheck> <rootcheck>
<disabled>no</disabled> <disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files> <check_files>yes</check_files>
<check_trojans>yes</check_trojans> <check_trojans>yes</check_trojans>
<check_dev>yes</check_dev> <check_dev>yes</check_dev>
@ -129,11 +128,6 @@
<rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files> <rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans> <rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/default/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/default/{{ cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
</rootcheck> </rootcheck>
@ -202,11 +196,6 @@
<java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path> <java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
{% endif %} {% endif %}
<ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path> <ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
{% for benchmark in wazuh_manager_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
</wodle> </wodle>
<!-- Osquery integration --> <!-- Osquery integration -->
@ -255,24 +244,45 @@
{% endif %} {% endif %}
</sca> </sca>
<wodle name="vulnerability-detector"> <vulnerability-detector>
<disabled>{{ wazuh_manager_config.vul_detector.disable }}</disabled> {% if wazuh_manager_config.vulnerability_detector.enabled is defined %}
<interval>{{ wazuh_manager_config.vul_detector.interval }}</interval> <enabled>{{ wazuh_manager_config.vulnerability_detector.enabled }}</enabled>
<ignore_time>{{ wazuh_manager_config.vul_detector.ignore_time }}</ignore_time> {% endif %}
<run_on_start>{{ wazuh_manager_config.vul_detector.run_on_start }}</run_on_start> {% if wazuh_manager_config.vulnerability_detector.interval is defined %}
<feed name="ubuntu-18"> <interval>{{ wazuh_manager_config.vulnerability_detector.interval }}</interval>
<disabled>{{ wazuh_manager_config.vul_detector.ubuntu.disable }}</disabled> {% endif %}
<update_interval>{{ wazuh_manager_config.vul_detector.ubuntu.update_interval }}</update_interval> {% if wazuh_manager_config.vulnerability_detector.ignore_time is defined %}
</feed> <ignore_time>{{ wazuh_manager_config.vulnerability_detector.ignore_time }}</ignore_time>
<feed name="redhat"> {% endif %}
<disabled>{{ wazuh_manager_config.vul_detector.redhat.disable }}</disabled> {% if wazuh_manager_config.vulnerability_detector.run_on_start is defined %}
<update_interval>{{ wazuh_manager_config.vul_detector.redhat.update_interval }}</update_interval> <run_on_start>{{ wazuh_manager_config.vulnerability_detector.run_on_start }}</run_on_start>
</feed> {% endif %}
<feed name="debian-9"> {% if wazuh_manager_config.vulnerability_detector.providers is defined %}
<disabled>{{ wazuh_manager_config.vul_detector.debian.disable }}</disabled> {% for provider in wazuh_manager_config.vulnerability_detector.providers %}
<update_interval>{{ wazuh_manager_config.vul_detector.debian.update_interval }}</update_interval> <provider name={{ provider.name }}>
</feed>
</wodle> {% if provider.enabled is defined %}
<enabled>{{ provider.enabled }}</enabled>
{% endif %}
{% if provider.os is defined %}
{% for os_ in provider.os %}
<os>{{ os_ }}</os>
{% endfor %}
{% endif %}
{% if provider.update_from_year is defined %}
<update_from_year>{{ provider.update_from_year }}</update_from_year>
{% endif %}
{% if provider.update_interval is defined %}
<update_interval>{{ provider.update_interval }}</update_interval>
{% endif %}
</provider>
{% endfor %}
{% endif %}
</vulnerability-detector>
<!-- File integrity monitoring --> <!-- File integrity monitoring -->
<syscheck> <syscheck>
@ -283,7 +293,7 @@
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency> <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start> <scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Don't ignore files that change more than 'frequency' times --> <!-- Do not ignore files that change more than 'frequency' times -->
{% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %} {% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %}
<auto_ignore {{ wazuh_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ wazuh_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{wazuh_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore> <auto_ignore {{ wazuh_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ wazuh_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{wazuh_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore>
{% endif %} {% endif %}
@ -302,6 +312,14 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
<!-- File types to ignore -->
{% if wazuh_manager_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
{% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff --> <!-- Files no diff -->
{% for no_diff in wazuh_manager_config.syscheck.no_diff %} {% for no_diff in wazuh_manager_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff> <nodiff>{{ no_diff }}</nodiff>
@ -309,16 +327,6 @@
{% if wazuh_manager_config.syscheck.skip_nfs is defined %} {% if wazuh_manager_config.syscheck.skip_nfs is defined %}
<skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs> <skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %} {% endif %}
<!-- Remove not monitored files -->
{% if wazuh_manager_config.syscheck.remove_old_diff is defined %}
<remove_old_diff>{{ wazuh_manager_config.syscheck.remove_old_diff }}</remove_old_diff>
{% endif %}
<!-- Allow the system to restart Auditd after installing the plugin -->
{% if wazuh_manager_config.syscheck.restart_audit is defined %}
<restart_audit>{{ wazuh_manager_config.syscheck.restart_audit }}</restart_audit>
{% endif %}
</syscheck> </syscheck>
<global> <global>
@ -380,6 +388,12 @@
{% if wazuh_manager_config.authd.use_password is not none %} {% if wazuh_manager_config.authd.use_password is not none %}
<use_password>{{wazuh_manager_config.authd.use_password}}</use_password> <use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
{% endif %} {% endif %}
{% if wazuh_manager_config.authd.limit_maxagents is not none %}
<limit_maxagents>{{wazuh_manager_config.authd.limit_maxagents}}</limit_maxagents>
{% endif %}
{% if wazuh_manager_config.authd.ciphers is not none %}
<ciphers>{{wazuh_manager_config.authd.ciphers}}</ciphers>
{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %} {% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca> <ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
{% endif %} {% endif %}