From da2442ca0685f2e2286943f31dbc69263c59cf4c Mon Sep 17 00:00:00 2001
From: Rshad Zhran <rashzk95@gmail.com>
Date: Thu, 5 Dec 2019 17:03:50 +0100
Subject: [PATCH] Adapt agent installation to the default

---
 .../ansible-wazuh-agent/defaults/main.yml     | 32 +++++++++----------
 .../var-ossec-etc-ossec-agent.conf.j2         | 27 ++++------------
 2 files changed, 22 insertions(+), 37 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
index 64935264..dc447edd 100644
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@@ -74,8 +74,6 @@ wazuh_agent_config:
     scan_on_start: 'yes'
     auto_ignore: 'no'
     alert_new_files: 'yes'
-    remove_old_diff: 'yes'
-    restart_audit: 'yes'
     win_audit_interval: 300
     skip_nfs: 'yes'
     ignore:
@@ -93,6 +91,10 @@ wazuh_agent_config:
       - /etc/svc/volatile
       - /sys/kernel/security
       - /sys/kernel/debug
+      - /dev/core
+    ignore_linux_type:
+      - '^/proc'
+      - '.log$|.swp$'
     ignore_win:
       - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
     no_diff:
@@ -273,19 +275,15 @@ wazuh_agent_config:
     wday: ''
     time: ''
   cis_cat:
-    disable: 'yes'
-    install_java: 'yes'
+    disable: 'no'
+    install_java: 'no'
     timeout: 1800
     interval: '1d'
     scan_on_start: 'yes'
-    java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
+    java_path: 'wodles/java'
     java_path_win: '\\server\jre\bin\java.exe'
-    ciscat_path: '/var/ossec/wodles/ciscat'
+    ciscat_path: 'wodles/ciscat'
     ciscat_path_win: 'C:\cis-cat'
-    content:
-      - type: 'xccdf'
-        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
-        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
   vuls:
     disable: 'yes'
     interval: '1d'
@@ -318,16 +316,16 @@ wazuh_agent_config:
     linux:
       - format: 'syslog'
         location: '/var/ossec/logs/active-responses.log'
-      - format: 'command'
-        command: df -P -x squashfs -x tmpfs -x devtmpfs
-        frequency: '360'
-      - format: 'full_command'
-        command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
-        alias: 'netstat listening ports'
-        frequency: '360'
       - format: 'full_command'
         command: 'last -n 20'
         frequency: '360'
+      - format: 'command'
+        command: df -P
+        frequency: '360'
+      - format: 'full_command'
+        command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
+        alias: 'netstat listening ports'
+        frequency: '360'
     windows:
       - format: 'eventlog'
         location: 'Application'
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
index 61c28012..ae5e47da 100644
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@@ -51,7 +51,6 @@
   <rootcheck>
     <disabled>no</disabled>
     {% if ansible_system == "Linux" %}
-    <check_unixaudit>yes</check_unixaudit>
     <check_files>yes</check_files>
     <check_trojans>yes</check_trojans>
     <check_dev>yes</check_dev>
@@ -65,11 +64,6 @@
 
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
-    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
-    {% if cis_distribution_filename is defined %}
-    <system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
-    {% endif %}
     <skip_nfs>yes</skip_nfs>
     {% endif %}
     {% if ansible_os_family == "Windows" %}
@@ -118,6 +112,13 @@
     {% endfor %}
     {% endif %}
 
+    <!-- File types to ignore -->
+    {% if wazuh_agent_config.syscheck.ignore is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
+    {% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
+    <ignore type="sregex">{{ ignore }}</ignore>
+    {% endfor %}
+    {% endif %}
+
     {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
     {% for ignore in wazuh_agent_config.syscheck.ignore_win %}
     <ignore type="sregex">{{ ignore }}</ignore>
@@ -132,13 +133,6 @@
     
     <skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
     {% endif %}
-    <!-- Remove not monitored files -->
-    <remove_old_diff>{{ wazuh_agent_config.syscheck.remove_old_diff }}</remove_old_diff>
-
-    {% if ansible_system == "Linux"%}
-    <!-- Allow the system to restart Auditd after installing the plugin -->
-    <restart_audit>{{ wazuh_agent_config.syscheck.restart_audit }}</restart_audit>
-    {% endif %} 
 
     {% if ansible_os_family == "Windows" %}
     {% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
@@ -234,13 +228,6 @@
     <java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
     {% endif %}
     <ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
-    {% if ansible_system == "Linux" %}
-    {% for benchmark in wazuh_agent_config.cis_cat.content %}
-    <content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
-      <profile>{{ benchmark.profile }}</profile>
-    </content>
-    {% endfor %}
-    {% endif %}
   </wodle>
   {% endif %}