afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adapt ossec.conf template and variables to v3.11 - manager

Browse Source
This commit is contained in:
Rshad Zhran 2019-12-16 21:57:10 +01:00
parent 2ddd8b9e72
commit ce013d1dde
2 changed files with 108 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -87,7 +87,7 @@ wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
protocol: 'udp'
queue_size: 131072
authd:
enable: true
@ -97,6 +97,8 @@ wazuh_manager_config:
force_time: 0
purge: 'no'
use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
@ -105,13 +107,14 @@ wazuh_manager_config:
email_notification: 'no'
mail_to:
- 'admin@example.net'
mail_smtp_server: localhost
mail_from: wazuh-server@example.com
mail_smtp_server: smtp.example.wazuh.com
mail_from: ossecm@example.wazuh.com
mail_maxperhour: 12
mail_queue_size: 131072
email_log_source: 'alerts.log'
extra_emails:
- enable: false
mail_to: 'admin@example.net'
mail_to: 'recipient@example.wazuh.com'
format: full
level: 7
event_location: null
@ -152,6 +155,10 @@ wazuh_manager_config:
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
- /dev/core
ignore_linux_type:
- '^/proc'
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
@ -164,8 +171,6 @@ wazuh_manager_config:
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
rootcheck:
frequency: 43200
openscap:
@ -181,10 +186,6 @@ wazuh_manager_config:
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
osquery:
disable: 'yes'
run_daemon: 'yes'
@ -209,20 +210,40 @@ wazuh_manager_config:
day: ''
wday: ''
time: ''
vul_detector:
disable: 'yes'
vulnerability_detector:
enabled: 'no'
interval: '5m'
ignore_time: '6h'
run_on_start: 'yes'
ubuntu:
disable: 'yes'
update_interval: '1h'
redhat:
disable: 'yes'
update_interval: '1h'
debian:
disable: 'yes'
update_interval: '1h'
providers:
canonical:
- name: 'canonical'
enabled: 'no'
os:
- precise
- trusty
- xenial
- bionic
update_interval: '1h'
debian:
- name: 'debian'
enabled: 'no'
os:
- wheezy
- stretch
- jessie
- buster
update_interval: '1h'
redhat:
- name: 'redhat'
enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
nvd:
- name: 'nvd'
enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
vuls:
disable: 'yes'
interval: '1d'
@ -233,15 +254,15 @@ wazuh_manager_config:
- 'updatenvd'
- 'nvd-year 2016'
- 'autoupdate'
log_level: 1
log_level: 3
email_level: 12
localfiles:
common:
- format: 'command'
command: df -P -x squashfs -x tmpfs -x devtmpfs
command: df -P
frequency: '360'
- format: 'full_command'
command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
@ -268,18 +289,15 @@ wazuh_manager_config:
location: '/var/log/audit/audit.log'
globals:
- '127.0.0.1'
- '192.168.2.1'
- '^localhost.localdomain$'
- '127.0.0.53'
commands:
- name: 'disable-account'
executable: 'disable-account.sh'
expect: 'user'
timeout_allowed: 'yes'
# - name: 'restart-ossec'
# executable: 'restart-ossec.sh'
# expect: ''
# timeout_allowed: 'no'
- name: 'win_restart-ossec'
executable: 'restart-ossec.cmd'
- name: 'restart-ossec'
executable: 'restart-ossec.sh'
expect: ''
timeout_allowed: 'no'
- name: 'firewall-drop'
@ -298,6 +316,10 @@ wazuh_manager_config:
executable: 'route-null.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null-2012'
executable: 'route-null-2012.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.cmd'
expect: 'srcip'
@ -327,7 +349,6 @@ wazuh_agent_configs:
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab

96
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -18,7 +18,7 @@
<smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server>
<email_from>{{ wazuh_manager_config.mail_from }}</email_from>
<email_maxperhour>{{ wazuh_manager_config.mail_maxperhour }}</email_maxperhour>
<queue_size>{{ wazuh_manager_config.mail_queue_size }}</queue_size>
<email_log_source>{{ wazuh_manager_config.email_log_source }}</email_log_source>
</global>
<alerts>
@ -115,7 +115,6 @@
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
@ -129,11 +128,6 @@
<rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/default/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/default/{{ cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs>
</rootcheck>
@ -202,11 +196,6 @@
<java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
{% for benchmark in wazuh_manager_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
</wodle>
<!-- Osquery integration -->
@ -255,24 +244,45 @@
{% endif %}
</sca>
<wodle name="vulnerability-detector">
<disabled>{{ wazuh_manager_config.vul_detector.disable }}</disabled>
<interval>{{ wazuh_manager_config.vul_detector.interval }}</interval>
<ignore_time>{{ wazuh_manager_config.vul_detector.ignore_time }}</ignore_time>
<run_on_start>{{ wazuh_manager_config.vul_detector.run_on_start }}</run_on_start>
<feed name="ubuntu-18">
<disabled>{{ wazuh_manager_config.vul_detector.ubuntu.disable }}</disabled>
<update_interval>{{ wazuh_manager_config.vul_detector.ubuntu.update_interval }}</update_interval>
</feed>
<feed name="redhat">
<disabled>{{ wazuh_manager_config.vul_detector.redhat.disable }}</disabled>
<update_interval>{{ wazuh_manager_config.vul_detector.redhat.update_interval }}</update_interval>
</feed>
<feed name="debian-9">
<disabled>{{ wazuh_manager_config.vul_detector.debian.disable }}</disabled>
<update_interval>{{ wazuh_manager_config.vul_detector.debian.update_interval }}</update_interval>
</feed>
</wodle>
<vulnerability-detector>
{% if wazuh_manager_config.vulnerability_detector.enabled is defined %}
<enabled>{{ wazuh_manager_config.vulnerability_detector.enabled }}</enabled>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.interval is defined %}
<interval>{{ wazuh_manager_config.vulnerability_detector.interval }}</interval>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.ignore_time is defined %}
<ignore_time>{{ wazuh_manager_config.vulnerability_detector.ignore_time }}</ignore_time>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.run_on_start is defined %}
<run_on_start>{{ wazuh_manager_config.vulnerability_detector.run_on_start }}</run_on_start>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.providers is defined %}
{% for provider in wazuh_manager_config.vulnerability_detector.providers %}
<provider name={{ provider.name }}>
{% if provider.enabled is defined %}
<enabled>{{ provider.enabled }}</enabled>
{% endif %}
{% if provider.os is defined %}
{% for os_ in provider.os %}
<os>{{ os_ }}</os>
{% endfor %}
{% endif %}
{% if provider.update_from_year is defined %}
<update_from_year>{{ provider.update_from_year }}</update_from_year>
{% endif %}
{% if provider.update_interval is defined %}
<update_interval>{{ provider.update_interval }}</update_interval>
{% endif %}
</provider>
{% endfor %}
{% endif %}
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
@ -283,7 +293,7 @@
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Don't ignore files that change more than 'frequency' times -->
<!-- Do not ignore files that change more than 'frequency' times -->
{% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %}
<auto_ignore {{ wazuh_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ wazuh_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{wazuh_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore>
{% endif %}
@ -302,6 +312,14 @@
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_manager_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
{% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff -->
{% for no_diff in wazuh_manager_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
@ -309,16 +327,6 @@
{% if wazuh_manager_config.syscheck.skip_nfs is defined %}
<skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
<!-- Remove not monitored files -->
{% if wazuh_manager_config.syscheck.remove_old_diff is defined %}
<remove_old_diff>{{ wazuh_manager_config.syscheck.remove_old_diff }}</remove_old_diff>
{% endif %}
<!-- Allow the system to restart Auditd after installing the plugin -->
{% if wazuh_manager_config.syscheck.restart_audit is defined %}
<restart_audit>{{ wazuh_manager_config.syscheck.restart_audit }}</restart_audit>
{% endif %}
</syscheck>
<global>
@ -380,6 +388,12 @@
{% if wazuh_manager_config.authd.use_password is not none %}
<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
{% endif %}
{% if wazuh_manager_config.authd.limit_maxagents is not none %}
<limit_maxagents>{{wazuh_manager_config.authd.limit_maxagents}}</limit_maxagents>
{% endif %}
{% if wazuh_manager_config.authd.ciphers is not none %}
<ciphers>{{wazuh_manager_config.authd.ciphers}}</ciphers>
{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
{% endif %}