Adapt agent installation to the default
parent
441cf40bae
commit
da2442ca06
@ -74,8 +74,6 @@ wazuh_agent_config:
|
|||||||
scan_on_start: 'yes'
|
scan_on_start: 'yes'
|
||||||
auto_ignore: 'no'
|
auto_ignore: 'no'
|
||||||
alert_new_files: 'yes'
|
alert_new_files: 'yes'
|
||||||
remove_old_diff: 'yes'
|
|
||||||
restart_audit: 'yes'
|
|
||||||
win_audit_interval: 300
|
win_audit_interval: 300
|
||||||
skip_nfs: 'yes'
|
skip_nfs: 'yes'
|
||||||
ignore:
|
ignore:
|
||||||
@ -93,6 +91,10 @@ wazuh_agent_config:
|
|||||||
- /etc/svc/volatile
|
- /etc/svc/volatile
|
||||||
- /sys/kernel/security
|
- /sys/kernel/security
|
||||||
- /sys/kernel/debug
|
- /sys/kernel/debug
|
||||||
|
- /dev/core
|
||||||
|
ignore_linux_type:
|
||||||
|
- '^/proc'
|
||||||
|
- '.log$|.swp$'
|
||||||
ignore_win:
|
ignore_win:
|
||||||
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
|
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
|
||||||
no_diff:
|
no_diff:
|
||||||
@ -273,19 +275,15 @@ wazuh_agent_config:
|
|||||||
wday: ''
|
wday: ''
|
||||||
time: ''
|
time: ''
|
||||||
cis_cat:
|
cis_cat:
|
||||||
disable: 'yes'
|
disable: 'no'
|
||||||
install_java: 'yes'
|
install_java: 'no'
|
||||||
timeout: 1800
|
timeout: 1800
|
||||||
interval: '1d'
|
interval: '1d'
|
||||||
scan_on_start: 'yes'
|
scan_on_start: 'yes'
|
||||||
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
|
java_path: 'wodles/java'
|
||||||
java_path_win: '\\server\jre\bin\java.exe'
|
java_path_win: '\\server\jre\bin\java.exe'
|
||||||
ciscat_path: '/var/ossec/wodles/ciscat'
|
ciscat_path: 'wodles/ciscat'
|
||||||
ciscat_path_win: 'C:\cis-cat'
|
ciscat_path_win: 'C:\cis-cat'
|
||||||
content:
|
|
||||||
- type: 'xccdf'
|
|
||||||
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
|
|
||||||
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
|
|
||||||
vuls:
|
vuls:
|
||||||
disable: 'yes'
|
disable: 'yes'
|
||||||
interval: '1d'
|
interval: '1d'
|
||||||
@ -318,16 +316,16 @@ wazuh_agent_config:
|
|||||||
linux:
|
linux:
|
||||||
- format: 'syslog'
|
- format: 'syslog'
|
||||||
location: '/var/ossec/logs/active-responses.log'
|
location: '/var/ossec/logs/active-responses.log'
|
||||||
- format: 'command'
|
|
||||||
command: df -P -x squashfs -x tmpfs -x devtmpfs
|
|
||||||
frequency: '360'
|
|
||||||
- format: 'full_command'
|
|
||||||
command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
|
|
||||||
alias: 'netstat listening ports'
|
|
||||||
frequency: '360'
|
|
||||||
- format: 'full_command'
|
- format: 'full_command'
|
||||||
command: 'last -n 20'
|
command: 'last -n 20'
|
||||||
frequency: '360'
|
frequency: '360'
|
||||||
|
- format: 'command'
|
||||||
|
command: df -P
|
||||||
|
frequency: '360'
|
||||||
|
- format: 'full_command'
|
||||||
|
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
|
||||||
|
alias: 'netstat listening ports'
|
||||||
|
frequency: '360'
|
||||||
windows:
|
windows:
|
||||||
- format: 'eventlog'
|
- format: 'eventlog'
|
||||||
location: 'Application'
|
location: 'Application'
|
||||||
|
|||||||
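Review bot: Flipping `disable: 'yes'` to `disable: 'no'` in the cis_cat block of `@ -273,19 +275,15 @@` appears to turn the CIS-CAT wodle on for every agent by default, while the same hunk sets `install_java: 'no'`, points `java_path`/`ciscat_path` at relative `wodles/...` directories, and deletes the `content` benchmark list (the template hunk `@ -234,13 +228,6 @@` further down this page drops the matching `<content>` loop). If `disable` renders to `<disabled>`, an enabled wodle with no benchmark and no role-managed JRE would, as far as I can tell, fail at every `interval` rather than produce a scan; as I recall the stock Wazuh ossec.conf ships this wodle disabled, so keeping `disable: 'yes'` as the role default and letting inventories opt in looks safer. The new `command:` values in `@ -318,16 +316,16 @@` (`df -P` and the long netstat/sed pipeline) are also left unquoted while neighbours such as `'last -n 20'` are quoted; a `>-` folded scalar would keep the pipeline readable and unambiguous to the YAML parser.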
@ -51,7 +51,6 @@
|
|||||||
<rootcheck>
|
<rootcheck>
|
||||||
<disabled>no</disabled>
|
<disabled>no</disabled>
|
||||||
{% if ansible_system == "Linux" %}
|
{% if ansible_system == "Linux" %}
|
||||||
<check_unixaudit>yes</check_unixaudit>
|
|
||||||
<check_files>yes</check_files>
|
<check_files>yes</check_files>
|
||||||
<check_trojans>yes</check_trojans>
|
<check_trojans>yes</check_trojans>
|
||||||
<check_dev>yes</check_dev>
|
<check_dev>yes</check_dev>
|
||||||
@ -65,11 +64,6 @@
|
|||||||
|
|
||||||
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
|
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
|
||||||
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
|
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
|
||||||
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
|
|
||||||
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
|
|
||||||
{% if cis_distribution_filename is defined %}
|
|
||||||
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
|
|
||||||
{% endif %}
|
|
||||||
<skip_nfs>yes</skip_nfs>
|
<skip_nfs>yes</skip_nfs>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if ansible_os_family == "Windows" %}
|
{% if ansible_os_family == "Windows" %}
|
||||||
@ -118,6 +112,13 @@
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
<!-- File types to ignore -->
|
||||||
|
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
|
||||||
|
{% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
|
||||||
|
<ignore type="sregex">{{ ignore }}</ignore>
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
|
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
|
||||||
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
|
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
|
||||||
<ignore type="sregex">{{ ignore }}</ignore>
|
<ignore type="sregex">{{ ignore }}</ignore>
|
||||||
@ -132,13 +133,6 @@
|
|||||||
|
|
||||||
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
|
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
<!-- Remove not monitored files -->
|
|
||||||
<remove_old_diff>{{ wazuh_agent_config.syscheck.remove_old_diff }}</remove_old_diff>
|
|
||||||
|
|
||||||
{% if ansible_system == "Linux"%}
|
|
||||||
<!-- Allow the system to restart Auditd after installing the plugin -->
|
|
||||||
<restart_audit>{{ wazuh_agent_config.syscheck.restart_audit }}</restart_audit>
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if ansible_os_family == "Windows" %}
|
{% if ansible_os_family == "Windows" %}
|
||||||
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
|
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
|
||||||
@ -234,13 +228,6 @@
|
|||||||
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
|
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
<ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
|
<ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
|
||||||
{% if ansible_system == "Linux" %}
|
|
||||||
{% for benchmark in wazuh_agent_config.cis_cat.content %}
|
|
||||||
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
|
|
||||||
<profile>{{ benchmark.profile }}</profile>
|
|
||||||
</content>
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
</wodle>
|
</wodle>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
|||||||
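Review bot: The new guard in `@ -118,6 +112,13 @@` tests `wazuh_agent_config.syscheck.ignore is defined` but the loop reads `wazuh_agent_config.syscheck.ignore_linux_type`, so an inventory that defines `ignore` without `ignore_linux_type` fails at render time on the undefined key instead of skipping the block; `{% if wazuh_agent_config.syscheck.ignore_linux_type is defined and ansible_system == "Linux" %}` tests the key actually used. The `ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'` condition also restricts a key named `ignore_linux_type` to a single distribution release; if that is deliberate, a comment above the block saying why would stop the next reader from "fixing" it (the existing Windows block below copies the same `ignore is defined` pattern, which may be worth aligning in a follow-up). Separately, `@ -65,11 +64,6 @@` removes the only visible use of `cis_distribution_filename`; if the role still sets that variable it is now dead and can be retired together with the `<system_audit>` entries.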