From d907793953f597c8ab0ecc49507433ca4ce9f9c5 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Tue, 23 Jun 2020 16:51:53 +0200 Subject: [PATCH] Bump to version v3.13.0_7.7.1 --- CHANGELOG.md | 14 + .../wazuh-elastic7-template-alerts.json.j2 | 1679 --------------- .../ansible-kibana/defaults/main.yml | 6 +- .../opendistro-kibana/defaults/main.yml | 6 +- roles/wazuh/ansible-filebeat/tasks/config.yml | 8 +- .../templates/elasticsearch.yml.j2 | 1800 ----------------- .../ansible-wazuh-agent/defaults/main.yml | 12 +- .../var-ossec-etc-ossec-agent.conf.j2 | 2 +- .../ansible-wazuh-manager/defaults/main.yml | 8 +- 9 files changed, 35 insertions(+), 3500 deletions(-) delete mode 100644 roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 delete mode 100644 roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index c9b8803d..06255568 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,20 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.13.0_7.7.1] + +### Added + +- Update to Wazuh v3.13.0 +- Open Distro-Kibana and Filebeat-oss roles ([@manuasir](https://github.com/manuasir)) [PR#424](https://github.com/wazuh/wazuh-ansible/pull/424) + +### Changed + +- Fetch ES template from wazuh/wazuh repository ([@Zenidd](https://github.com/Zenidd)) [PR#435](https://github.com/wazuh/wazuh-ansible/pull/435) + +### Fixed + +- Use local path while generating xpack certificates ([@xr09](https://github.com/xr09)) [PR#432](https://github.com/wazuh/wazuh-ansible/pull/432) ## [v3.12.3_7.6.2] diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 deleted file mode 100644 index 0b153fd4..00000000 --- a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 +++ /dev/null 
@@ -1,1679 +0,0 @@ -{ - "order": 0, - "index_patterns": [ - "wazuh-alerts-3.x-*", - "wazuh-archives-3.x-*" - ], - "settings": { - "index.refresh_interval": "5s", - "index.number_of_shards": "3", - "index.number_of_replicas": "0", - "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 10000, - "index.query.default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - "data.aws.aws_account_id", - "data.aws.description", - "data.aws.dstport", - 
"data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - "data.aws.responseElements.description", - 
"data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - "data.oscap.check.result", - "data.oscap.check.severity", - "data.oscap.check.title", - "data.oscap.scan.benchmark.id", - 
"data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - "data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.status", - "data.sca.check.title", - "data.sca.description", - "data.sca.file", - "data.sca.invalid", - "data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - 
"data.sca.scan_id", - "data.sca.total_checks", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.advisories", - "data.vulnerability.bugzilla_reference", - "data.vulnerability.cve", - "data.vulnerability.cwe_reference", - "data.vulnerability.package.condition", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.reference", - "data.vulnerability.severity", - "data.vulnerability.state", - "data.vulnerability.title", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - "data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - 
"data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - "data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - "data.win.system.providerGuid", - "data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.pci_dss", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - "syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "title", 
- "type" - ] - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "hard_links": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "perm_after": { - "type": 
"keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": "keyword" - }, - "size_before": { - "type": "long" - }, - "size_after": { - "type": "long" - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "frequency": { - "type": "long" - }, - "firedtimes": { - "type": "long" - }, - "cis": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "gdpr": { - 
"type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "mail": { - "type": "boolean" - } - } - }, - "predecoder": { - "properties": { - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - }, - "hostname": { - "type": "keyword" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ftscomment": { - "type": "keyword" - }, - "fts": { - "type": "long" - }, - "accumulate": { - "type": "long" - } - } - }, - "data": { - "properties": { - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": 
"keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } - } - }, - "protocol": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "dstip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "dstuser": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "type": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "name": { - "type": "keyword" 
- }, - "mac": { - "type": "keyword" - }, - "adapter": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "tx_bytes": { - "type": "long" - }, - "rx_bytes": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "tx_packets": { - "type": "long" - }, - "rx_packets": { - "type": "long" - }, - "ipv4": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - } - } - } - } - }, - "os": { - "properties": { - "hostname": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "build": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "protocol": { - "type": "keyword" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "tx_queue": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "inode": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "pid": { - "type": "long" - }, - 
"process": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "serial": { - "type": "keyword" - }, - "cpu_name": { - "type": "keyword" - }, - "cpu_cores": { - "type": "long" - }, - "cpu_mhz": { - "type": "double" - }, - "ram_total": { - "type": "long" - }, - "ram_free": { - "type": "long" - }, - "ram_usage": { - "type": "long" - } - } - }, - "program": { - "properties": { - "format": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "location": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "ppid": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "stime": { - "type": "long" - }, - "cmd": { - "type": "keyword" - }, - "args": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "suser": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "sgroup": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "rgroup": { - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "nice": { - "type": "long" - }, - "size": { - "type": "long" - }, - "vm_size": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "share": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "session": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "processor": { - "type": "long" - } - } - }, - 
"sca": { - "properties": { - "type": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "policy": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "failed": { - "type": "integer" - }, - "score": { - "type": "long" - }, - "check": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - } - } - }, - "references": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "status": { - "type": "keyword" - } - } - }, - "invalid": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "total_checks": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - 
"file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - "total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "advisories": { - "type": "keyword" - }, - "bugzilla_reference": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss3_score": { - "type": "keyword" - }, - "cvss_score": { - "type": "keyword" - }, - "cvss_scoring_vector": { - "type": "keyword" - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "condition": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "reference": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "bytes": { - "type": "long" - }, - "dstaddr": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "start": { - "type": "date" - }, - "source_ip_address": { - "type": "ip" - }, - "service": { - "properties": { - "count": { - "type": "long" - }, - "action.networkConnectionAction.remoteIpDetails": { - "properties": { - "ipAddressV4": { - "type": "ip" - }, - "geoLocation": { - "type": "geo_point" - } - } - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - } - }, - "createdAt": { - "type": "date" - }, - "updatedAt": { - "type": "date" - }, - "resource.instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - } - } - }, - "program_name": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword" - }, - "id": { - "type": 
"keyword" - }, - "input": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "previous_output": { - "type": "keyword" - } - } - }, - "version": 1 -} diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index fd392334..3faf5de3 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -5,8 +5,8 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 7.7.0 -wazuh_version: 3.12.3 +elastic_stack_version: 7.7.1 +wazuh_version: 3.13.0 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp elasticrepo: @@ -47,7 +47,7 @@ nodejs: # Build from sources build_from_sources: false -wazuh_plugin_branch: 3.12-7.6 +wazuh_plugin_branch: 3.13-7.7 #Nodejs NODE_OPTIONS node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 428880ee..98c70a2d 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -12,8 +12,8 @@ kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_server_name: "kibana" kibana_max_payload_bytes: 1048576 -elastic_stack_version: 7.7.0 -wazuh_version: 3.12.3 +elastic_stack_version: 7.7.1 +wazuh_version: 3.13.0 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp # The OpenDistro package repository @@ -56,7 +56,7 @@ nodejs: # Build from sources build_from_sources: false -wazuh_plugin_branch: 3.12-7.6 +wazuh_plugin_branch: 3.13-7.7 #Nodejs NODE_OPTIONS node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/wazuh/ansible-filebeat/tasks/config.yml b/roles/wazuh/ansible-filebeat/tasks/config.yml index 2b0b7eda..34f519af 100644 
--- a/roles/wazuh/ansible-filebeat/tasks/config.yml +++ b/roles/wazuh/ansible-filebeat/tasks/config.yml @@ -9,12 +9,12 @@ notify: restart filebeat tags: configure -- name: Copy Elasticsearch template. - template: - src: elasticsearch.yml.j2 +- name: Fetch latest Wazuh alerts template + get_url: + url: https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/elasticsearch/7.x/wazuh-template.json dest: "/etc/filebeat/wazuh-template.json" owner: root group: root mode: 0400 notify: restart filebeat - tags: configure \ No newline at end of file + tags: configure diff --git a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 deleted file mode 100644 index 88d50c3f..00000000 --- a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 +++ /dev/null 
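Review bot: The new `get_url` task pulls the index template from the mutable `master` branch with no `checksum:`, so every deploy trusts whatever is at that URL at that moment: a force-push, a compromised maintainer account or a plain MITM past a misconfigured CA would land an attacker-chosen template on the manager, and the deploy is no longer reproducible. The same commit deletes the vendored copies (`wazuh-elastic7-template-alerts.json.j2`, `elasticsearch.yml.j2`), so there is no known-good fallback and the template is no longer tied to the `wazuh_version: 3.13.0` this release targets. Pin the ref and verify the download, e.g. `url: "https://raw.githubusercontent.com/wazuh/wazuh/v{{ wazuh_version }}/extensions/elasticsearch/7.x/wazuh-template.json"` plus `checksum: "sha256:<digest of the reviewed template>"` — this assumes the filebeat role has `wazuh_version` in scope (only the kibana roles' defaults show it in this patch) and that upstream tags releases as `vX.Y.Z`; confirm both. Two smaller points: `get_url` defaults to `force: no`, so once `/etc/filebeat/wazuh-template.json` exists a later run will not refresh it despite the task name "Fetch latest", and the target host now needs outbound HTTPS to raw.githubusercontent.com, which breaks air-gapped installs unless the URL is made a role variable.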
@@ -1,1800 +0,0 @@ -{ - "order": 0, - "index_patterns": [ - "wazuh-alerts-3.x-*", - "wazuh-archives-3.x-*" - ], - "settings": { - "index.refresh_interval": "5s", - "index.number_of_shards": "3", - "index.number_of_replicas": "0", - "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 10000, - "index.query.default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - "data.aws.aws_account_id", - "data.aws.description", - "data.aws.dstport", - 
"data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - "data.aws.responseElements.description", - 
"data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.extra_data", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - "data.oscap.check.result", - "data.oscap.check.severity", - "data.oscap.check.title", - "data.oscap.scan.benchmark.id", - 
"data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - "data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.status", - "data.sca.check.title", - "data.sca.description", - "data.sca.file", - "data.sca.invalid", - "data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - 
"data.sca.scan_id", - "data.sca.total_checks", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.advisories", - "data.vulnerability.bugzilla_reference", - "data.vulnerability.cve", - "data.vulnerability.cvss.cvss2.base_score", - "data.vulnerability.cvss.cvss2.exploitability_score", - "data.vulnerability.cvss.cvss2.impact_score", - "data.vulnerability.cvss.cvss2.vector.access_complexity", - "data.vulnerability.cvss.cvss2.vector.attack_vector", - "data.vulnerability.cvss.cvss2.vector.authentication", - "data.vulnerability.cvss.cvss2.vector.availability", - "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss2.vector.integrity_impact", - "data.vulnerability.cvss.cvss2.vector.privileges_required", - "data.vulnerability.cvss.cvss2.vector.scope", - "data.vulnerability.cvss.cvss2.vector.user_interaction", - "data.vulnerability.cvss.cvss3.base_score", - "data.vulnerability.cvss.cvss3.exploitability_score", - "data.vulnerability.cvss.cvss3.impact_score", - "data.vulnerability.cvss.cvss3.vector.access_complexity", - "data.vulnerability.cvss.cvss3.vector.attack_vector", - "data.vulnerability.cvss.cvss3.vector.authentication", - "data.vulnerability.cvss.cvss3.vector.availability", - "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss3.vector.integrity_impact", - "data.vulnerability.cvss.cvss3.vector.privileges_required", - "data.vulnerability.cvss.cvss3.vector.scope", - 
"data.vulnerability.cvss.cvss3.vector.user_interaction", - "data.vulnerability.cwe_reference", - "data.vulnerability.package.architecture", - "data.vulnerability.package.condition", - "data.vulnerability.package.generated_cpe", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.rationale", - "data.vulnerability.reference", - "data.vulnerability.severity", - "data.vulnerability.state", - "data.vulnerability.title", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - "data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - "data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - "data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - 
"data.win.system.providerGuid", - "data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.pci_dss", - "rule.hipaa", - "rule.nist_800_53", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - "syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "title", - "type" - ] - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword" - }, - "id": { - 
"type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "perm_after": { - "type": "keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": 
"keyword" - }, - "size_before": { - "type": "long" - }, - "size_after": { - "type": "long" - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "frequency": { - "type": "long" - }, - "firedtimes": { - "type": "long" - }, - "cis": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "gdpr": { - "type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "mail": { - "type": "boolean" - } - } - }, - "predecoder": { - "properties": { - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - }, - "hostname": { - "type": "keyword" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ftscomment": { - "type": 
"keyword" - }, - "fts": { - "type": "long" - }, - "accumulate": { - "type": "long" - } - } - }, - "data": { - "properties": { - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } 
- } - }, - "protocol": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "dstip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "dstuser": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "extra_data": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "type": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "name": { - "type": "keyword" - }, - "mac": { - "type": "keyword" - }, - "adapter": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "tx_bytes": { - "type": "long" - }, - "rx_bytes": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "tx_packets": { - "type": "long" - 
}, - "rx_packets": { - "type": "long" - }, - "ipv4": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - } - } - } - } - }, - "os": { - "properties": { - "hostname": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "build": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "protocol": { - "type": "keyword" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "tx_queue": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "inode": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "process": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "serial": { - "type": "keyword" - }, - "cpu_name": { - "type": "keyword" - }, - "cpu_cores": { - "type": "long" - }, - "cpu_mhz": { - "type": "double" - }, - "ram_total": { - "type": "long" - }, - "ram_free": { - "type": "long" - }, - "ram_usage": { - "type": "long" - } - } - }, - "program": { - "properties": { - "format": { - "type": "keyword" - }, - "name": { - "type": 
"keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "location": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "ppid": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "stime": { - "type": "long" - }, - "cmd": { - "type": "keyword" - }, - "args": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "suser": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "sgroup": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "rgroup": { - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "nice": { - "type": "long" - }, - "size": { - "type": "long" - }, - "vm_size": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "share": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "session": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "processor": { - "type": "long" - } - } - }, - "sca": { - "properties": { - "type": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "policy": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "failed": { - "type": "integer" - }, - "score": { - "type": "long" - }, - "check": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - 
"type": "keyword" - }, - "description": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - } - } - }, - "references": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "status": { - "type": "keyword" - } - } - }, - "invalid": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "total_checks": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - "total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "advisories": { - "type": "keyword" - }, - "bugzilla_reference": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss2": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": 
{ - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - }, - "cvss3": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "architecture": { - "type": "keyword" - }, - "condition": { - "type": "keyword" - }, - "generated_cpe": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "updated": { - "type": "date" - }, - "rationale": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "bytes": { - "type": "long" - }, - "dstaddr": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "start": { - "type": "date" - }, - 
"source_ip_address": { - "type": "ip" - }, - "service": { - "properties": { - "count": { - "type": "long" - }, - "action.networkConnectionAction.remoteIpDetails": { - "properties": { - "ipAddressV4": { - "type": "ip" - }, - "geoLocation": { - "type": "geo_point" - } - } - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - } - }, - "createdAt": { - "type": "date" - }, - "updatedAt": { - "type": "date" - }, - "resource.instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - } - } - }, - "program_name": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "previous_output": { - "type": "keyword" - } - } - }, - "version": 1 -} diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index bac623e7..180d546d 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.12.3-1 +wazuh_agent_version: 3.13.0-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "" wazuh_agent_sources_installation: enabled: false - branch: "v3.12.3" + branch: "v3.13.0" user_language: "y" user_no_stop: "y" user_install_type: "agent" @@ -21,7 +21,7 @@ wazuh_agent_sources_installation: user_enable_active_response: "y" user_enable_syscheck: "y" user_enable_rootcheck: "y" - user_enable_openscap: "y" + user_enable_openscap: "n" user_enable_sca: "y" user_enable_authd: "y" user_generate_authd_cert: "n" 
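Review bot: `user_enable_openscap` flips from `"y"` to `"n"` in the agent sources-installation defaults of the `@@ -21,7 +21,7 @@` hunk, and the manager defaults make the same change in the `@@ -24,7 +24,7 @@` hunk further down, but nothing in the diff records why the default changed. A reader bumping these files for the next release cannot tell whether this is deliberate or a stray edit. Add a short comment above the key in both files, e.g. `# OpenSCAP module is not built by default; set "y" to enable it`, and consider listing the default change under this release's Changed entries so package and source installs can be compared.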
@@ -64,9 +64,9 @@ wazuh_winagent_config:
 # Adding quotes to auth_path_x86 since win_shell outputs error otherwise
 auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
 check_md5: True
- md5: 4ae4e930d3ae9d572b07cd9e7207d783
-wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.3-1.msi
-wazuh_winagent_package_name: wazuh-agent-3.12.3-1.msi
+ md5: d0f13c0c417c74ccbad7b45f66518513
+wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.0-1.msi
+wazuh_winagent_package_name: wazuh-agent-3.13.0-1.msi
 wazuh_agent_config:
 repo:
 apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
index 2ee7f97d..d8522158 100644
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@@ -69,7 +69,7 @@
 {% endif %}
- {% if ansible_system == "Linux" %}
+ {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
 {{ wazuh_agent_config.openscap.disable }}
 {{ wazuh_agent_config.openscap.timeout }}
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index a046addf..7bd4846a 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-wazuh_manager_version: 3.12.3-1
+wazuh_manager_version: 3.13.0-1
 wazuh_manager_fqdn: "wazuh-server"
 wazuh_manager_package_state: present
@@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.
 # Sources installation
 wazuh_manager_sources_installation:
 enabled: false
- branch: "v3.12.3"
+ branch: "v3.13.0"
 user_language: "en"
 user_no_stop: "y"
 user_install_type: "server"
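Review bot: The Windows installer is still verified only by MD5 (`check_md5: True` with the new `md5: d0f13c0c417c74ccbad7b45f66518513`); MD5 is not collision-resistant, so this catches a corrupted download but is weak evidence that the MSI is the one the project published. If the Windows install task that consumes these values uses `win_get_url`, its `checksum` and `checksum_algorithm` options accept a sha256 digest and would let this default carry a stronger value; that task is outside this diff, so confirm before switching. Whichever digest is kept, record where it was taken from next to it, e.g. `# digest source: <PLACEHOLDER: where this value was obtained>`, so the next bump can be checked the same way.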
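Review bot: Now that the block is gated on `wazuh_agent_config.openscap.disable == 'no'`, the inner `{{ wazuh_agent_config.openscap.disable }}` can only ever render `no`, so it is redundant and the literal would read more clearly. The comparison is also against the exact string `'no'`; an inventory that sets the key as a YAML boolean (`disable: false`) or as `No` would silently omit the whole open-scap section instead of rendering it enabled, so either document the accepted value in the agent defaults or normalise with `wazuh_agent_config.openscap.disable | string | lower == 'no'`. The markup this `if` wraps and its closing `{% endif %}` are not visible in the hunk, so the exact element being gated is inferred.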
@@ -24,7 +24,7 @@ wazuh_manager_sources_installation:
 user_enable_active_response: null
 user_enable_syscheck: "y"
 user_enable_rootcheck: "y"
- user_enable_openscap: "y"
+ user_enable_openscap: "n"
 user_enable_authd: "y"
 user_generate_authd_cert: null
 user_update: "y"
@@ -40,7 +40,7 @@ wazuh_manager_sources_installation:
 wazuh_api_sources_installation:
 enabled: false
- branch: "v3.12.3"
+ branch: "v3.13.0"
 update: "y"
 remove: "y"
 directory: null