From a35c7bceb1f9daeb543cd5e68a9685ab35f3fc81 Mon Sep 17 00:00:00 2001
From: Rshad Zhran <rashzk95@gmail.com>
Date: Thu, 9 Jan 2020 18:05:41 +0100
Subject: [PATCH 1/7] Fix rootkit files & trojans paths for manager

---
 roles/wazuh/ansible-wazuh-manager/defaults/main.yml  |  8 ++++----
 .../templates/var-ossec-etc-ossec-server.conf.j2     | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index 21faa35c..e4f6a17d 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -95,7 +95,7 @@ wazuh_manager_config:
     use_source_ip: 'yes'
     force_insert: 'yes'
     force_time: 0
-    purge: 'no'
+    purge: 'yes'
     use_password: 'no'
     limit_maxagents: 'yes'
     ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
@@ -114,7 +114,7 @@ wazuh_manager_config:
   email_log_source: 'alerts.log'
   extra_emails:
     - enable: false
-      mail_to: 'recipient@example.wazuh.com'
+      mail_to: 'admin@example.net'
       format: full
       level: 7
       event_location: null
@@ -174,7 +174,7 @@ wazuh_manager_config:
   rootcheck:
     frequency: 43200
   openscap:
-    disable: 'no'
+    disable: 'yes'
     timeout: 1800
     interval: '1d'
     scan_on_start: 'yes'
@@ -263,6 +263,7 @@ wazuh_manager_config:
         frequency: '360'
       - format: 'full_command'
         command: 'last -n 20'
+        frequency: '360'
       - format: 'syslog'
         location: '/var/ossec/logs/active-responses.log'
     debian:
@@ -295,7 +296,6 @@ wazuh_manager_config:
     - name: 'restart-ossec'
       executable: 'restart-ossec.sh'
       expect: ''
-      timeout_allowed: 'no'
     - name: 'firewall-drop'
       executable: 'firewall-drop.sh'
       expect: 'srcip'
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 99201c29..94223a94 100644
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -126,8 +126,8 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>
 
-    <rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
+    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
 
     <skip_nfs>yes</skip_nfs>
   </rootcheck>
@@ -292,7 +292,6 @@
   <!-- File integrity monitoring -->
   <syscheck>
     <disabled>{{ wazuh_manager_config.syscheck.disable }}</disabled>
-    <auto_ignore>{{ wazuh_manager_config.syscheck.auto_ignore }}</auto_ignore>
     <alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files>
     <!-- Frequency that syscheck is executed -- default every 20 hours -->
     <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
@@ -318,7 +317,7 @@
     {% endif %}
 
     <!-- File types to ignore -->
-    {% if wazuh_manager_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
+    {% if wazuh_manager_config.syscheck.ignore_linux_type is defined %}
     {% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %}
     <ignore type="sregex">{{ ignore }}</ignore>
     {% endfor %}
@@ -346,7 +345,9 @@
     <name>{{ command.name }}</name>
     <executable>{{ command.executable }}</executable>
     <expect>{{ command.expect }}</expect>
-    <timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
+    {% if command.timeout_allowed is defined %}
+        <timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
+    {% endif %}
   </command>
 {% endfor %}
 
@@ -359,7 +360,6 @@
   <rule_exclude>{{ rule }}</rule_exclude>
   {% endfor %}
   {% endif %}
-  {% if cdb_lists is defined %}
   {% for list in cdb_lists %}
   <list>etc/lists/{{ list.name }}</list>
   {% endfor %}

From 285cbc26fc5e64bdfa11b3e2d51621282c34d8f2 Mon Sep 17 00:00:00 2001
From: Rshad Zhran <rashzk95@gmail.com>
Date: Thu, 9 Jan 2020 19:14:59 +0100
Subject: [PATCH 2/7] Adapt agent to 3.11.1 - detailed changes

---
 .../templates/var-ossec-etc-ossec-agent.conf.j2      | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
index 6629da08..57787b07 100644
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@@ -86,8 +86,6 @@
   <!-- <directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
     <directories check_all="yes">/bin,/sbin,/boot</directories>
-
-    <auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
     <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
     {% endif %}
 
@@ -113,7 +111,7 @@
     {% endif %}
 
     <!-- File types to ignore -->
-    {% if wazuh_agent_config.syscheck.ignore_linux_type is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
+    {% if wazuh_agent_config.syscheck.ignore_linux_type is defined %}
     {% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
     <ignore type="sregex">{{ ignore }}</ignore>
     {% endfor %}
@@ -161,9 +159,9 @@
   </syscheck>
   {% endif %}
 
-  {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
+  {% if ansible_system == "Linux" %}
   <wodle name="open-scap">
-    <disabled>no</disabled>
+    <disabled>{{ wazuh_agent_config.openscap.disable }}</disabled>
     <timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
     <interval>{{ wazuh_agent_config.openscap.interval }}</interval>
     <scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start>
@@ -214,9 +212,8 @@
   </wodle>
   {% endif %}
 
-  {% if wazuh_agent_config.cis_cat.disable == 'no' %}
   <wodle name="cis-cat">
-    <disabled>no</disabled>
+    <disabled>{{ wazuh_agent_config.cis_cat.disable }}</disabled>
     <timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
     <interval>{{ wazuh_agent_config.cis_cat.interval }}</interval>
     <scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
@@ -229,7 +226,6 @@
     {% endif %}
     <ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
   </wodle>
-  {% endif %}
 
   <!-- Osquery integration -->
   <wodle name="osquery">

From 144067763b3356dcac4801f962950012394faf6c Mon Sep 17 00:00:00 2001
From: Rshad Zhran <rashzk95@gmail.com>
Date: Thu, 9 Jan 2020 19:15:14 +0100
Subject: [PATCH 3/7] Remove cdb related tasks and config

---
 .../ansible-wazuh-manager/handlers/main.yml   |  3 -
 .../ansible-wazuh-manager/tasks/main.yml      | 26 ------
 .../var-ossec-etc-ossec-server.conf.j2        |  3 +-
 .../ansible-wazuh-manager/vars/cdb_lists.yml  | 88 +------------------
 4 files changed, 5 insertions(+), 115 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml
index 46f1097b..f422b85d 100644
--- a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml
@@ -1,7 +1,4 @@
 ---
-- name: rebuild cdb_lists
-  command: /var/ossec/bin/ossec-makelists
-
 - name: restart wazuh-manager
   service:
     name: wazuh-manager
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
index 0bb00fef..842d33a6 100644
--- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
@@ -198,11 +198,6 @@
   tags:
     - config
 
-- name: Retrieving CDB lists
-  include_vars: cdb_lists.yml
-  tags:
-    - config
-
 - name: Check if syslog output is enabled
   set_fact: syslog_output=true
   when: item.server is not none
@@ -334,27 +329,6 @@
   tags:
     - config
 
-- name: CDB Lists
-  template:
-    src: cdb_lists.j2
-    dest: "/var/ossec/etc/lists/{{ item.name }}"
-    owner: root
-    group: ossec
-    mode: 0640
-  no_log: true
-  register: wazuh_manager_cdb_lists
-  until: wazuh_manager_cdb_lists is succeeded
-  notify:
-    - rebuild cdb_lists
-    - restart wazuh-manager
-  with_items:
-    - "{{ cdb_lists }}"
-  when:
-    - cdb_lists is defined
-    - cdb_lists is iterable
-  tags:
-    - config
-
 - name: Ensure Wazuh Manager, wazuh API service is started and enabled
   service:
     name: "{{ item }}"
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 94223a94..125f948c 100644
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -360,8 +360,9 @@
   <rule_exclude>{{ rule }}</rule_exclude>
   {% endfor %}
   {% endif %}
+  {% if cdb_lists is defined %}
   {% for list in cdb_lists %}
-  <list>etc/lists/{{ list.name }}</list>
+  <list>etc/lists/{{ list }}</list>
   {% endfor %}
   {% endif %}
 
diff --git a/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml b/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml
index 8e904e14..44188745 100644
--- a/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml
+++ b/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml
@@ -1,87 +1,5 @@
 ---
 cdb_lists:
-  - name: 'audit-keys'
-    content: |
-      audit-wazuh-w:write
-      audit-wazuh-r:read
-      audit-wazuh-a:attribute
-      audit-wazuh-x:execute
-      audit-wazuh-c:command
-  - name: 'aws-source'
-    content: |
-      ec2.amazonaws.com:
-      elasticloadbalancing.amazonaws.com:
-      iam.amazonaws.com:
-      signin.amazonaws.com:
-      kms.amazonaws.com:
-      s3.amazonaws.com:
-  - name: 'aws-eventnames'
-    content: |
-      AddUserToGroup:
-      AllocateAddress:
-      AssociateAddress:
-      AssociateDhcpOptions:
-      AssociateRouteTable:
-      AttachGroupPolicy:
-      AttachNetworkInterface:
-      AttachRolePolicy:
-      AttachUserPolicy:
-      AttachVolume:
-      AuthorizeSecurityGroupIngress:
-      ConsoleLogin:
-      CopySnapshot:
-      CreateAccountAlias:
-      CreateGroup:
-      CreateImage:
-      CreateLoadBalancer:
-      CreatePlacementGroup:
-      CreatePolicy:
-      CreateRole:
-      CreateRouteTable:
-      CreateSecurityGroup:
-      CreateSnapshot:
-      CreateSubnet:
-      CreateTags:
-      CreateUser:
-      CreateVolume:
-      CreateVpc:
-      DeleteAccountAlias:
-      DeleteLoadBalancer:
-      DeletePlacementGroup:
-      DeleteSecurityGroup:
-      DeleteSnapshot:
-      DeleteTags:
-      DeleteUser:
-      DeleteVolume:
-      DeregisterImage:
-      DetachGroupPolicy:
-      DetachNetworkInterface:
-      DetachRolePolicy:
-      DetachVolume:
-      DisableKey:
-      DisassociateAddress:
-      DisassociateAddress:
-      DisassociateRouteTable:
-      GetGroup:
-      ListAliases:
-      ListGroups:
-      ListUsers:
-      ModifyImageAttribute:
-      ModifyInstanceAttribute:
-      ModifyNetworkInterfaceAttribute:
-      ModifySnapshotAttribute:
-      ModifySubnetAttribute:
-      ModifyVolumeAttribute:
-      MonitorInstances:
-      RebootInstances:
-      RegisterImage:
-      RemoveUserFromGroup:
-      RevokeSecurityGroupIngress:
-      RunInstances:
-      StartInstances:
-      StopInstances:
-      TerminateInstances:
-      UnmonitorInstances:
-      UpdateAccessKey:
-      UpdateAccountPasswordPolicy:
-      UpdateInstanceAlias:
+  - 'audit-keys'
+  - 'security-eventchannel'
+  - 'amazon/aws-eventnames'

From cb2ded0e49569b2f8c925ccf8e9954b429272a0e Mon Sep 17 00:00:00 2001
From: Rshad Zhran <rashzk95@gmail.com>
Date: Fri, 10 Jan 2020 11:16:15 +0100
Subject: [PATCH 4/7] Define cdb_lists in wzuh-manger default variables

---
 roles/wazuh/ansible-wazuh-manager/defaults/main.yml          | 4 ++++
 .../templates/var-ossec-etc-ossec-server.conf.j2             | 4 ++--
 roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml         | 5 -----
 3 files changed, 6 insertions(+), 7 deletions(-)
 delete mode 100644 roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml

diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index e4f6a17d..385e3e6a 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -327,6 +327,10 @@ wazuh_manager_config:
   ruleset:
     rules_path: 'custom_ruleset/rules/'
     decoders_path: 'custom_ruleset/decoders/'
+    cdb_lists:
+      - 'audit-keys'
+      - 'security-eventchannel'
+      - 'amazon/aws-eventnames'
   rule_exclude:
     - '0215-policy_rules.xml'
   syslog_outputs:
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 125f948c..f7242951 100644
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -360,8 +360,8 @@
   <rule_exclude>{{ rule }}</rule_exclude>
   {% endfor %}
   {% endif %}
-  {% if cdb_lists is defined %}
-  {% for list in cdb_lists %}
+  {% if wazuh_manager_config.ruleset.cdb_lists is defined %}
+  {% for list in wazuh_manager_config.ruleset.cdb_lists %}
   <list>etc/lists/{{ list }}</list>
   {% endfor %}
   {% endif %}
diff --git a/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml b/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml
deleted file mode 100644
index 44188745..00000000
--- a/roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-cdb_lists:
-  - 'audit-keys'
-  - 'security-eventchannel'
-  - 'amazon/aws-eventnames'

From 50a093d071418f3a375063532f872c3bf096f138 Mon Sep 17 00:00:00 2001
From: Rshad Zhran <rashzk95@gmail.com>
Date: Fri, 10 Jan 2020 13:35:11 +0100
Subject: [PATCH 5/7] Change default email_to

---
 roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index 385e3e6a..638fa90b 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -114,7 +114,7 @@ wazuh_manager_config:
   email_log_source: 'alerts.log'
   extra_emails:
     - enable: false
-      mail_to: 'admin@example.net'
+      mail_to: 'recipient@example.wazuh.com'
       format: full
       level: 7
       event_location: null
@@ -126,7 +126,7 @@ wazuh_manager_config:
     - enable: false
       category: 'syscheck'
       title: 'Daily report: File changes'
-      email_to: 'admin@example.net'
+      email_to: 'recipient@example.wazuh.com'
       location: null
       group: null
       rule: null

From 8ba493ed24560e10aa3ebc6430bbf7703506e9bf Mon Sep 17 00:00:00 2001
From: Rshad Zhran <rashzk95@gmail.com>
Date: Fri, 10 Jan 2020 13:35:41 +0100
Subject: [PATCH 6/7] Change config. tags order

---
 .../var-ossec-etc-ossec-server.conf.j2        | 183 +++++++++---------
 1 file changed, 93 insertions(+), 90 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index f7242951..d8334e2e 100644
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -26,6 +26,11 @@
     <email_alert_level>{{ wazuh_manager_config.email_level }}</email_alert_level>
   </alerts>
 
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>{{ wazuh_manager_config.log_format }}</log_format>
+  </logging>
+
 {% if wazuh_manager_config.extra_emails is defined %}
 {% for mail in wazuh_manager_config.extra_emails %}
 {% if mail.enable == true %}
@@ -57,10 +62,7 @@
 {% endfor %}
 {% endif %}
 
-  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
-  <logging>
-    <log_format>{{ wazuh_manager_config.log_format }}</log_format>
-  </logging>
+
 
 {% for connection in wazuh_manager_config.connection %}
   <remote>
@@ -351,92 +353,6 @@
   </command>
 {% endfor %}
 
-  <ruleset>
-  <!-- Default ruleset -->
-  <decoder_dir>ruleset/decoders</decoder_dir>
-  <rule_dir>ruleset/rules</rule_dir>
-  {% if wazuh_manager_config.rule_exclude is defined %}
-  {% for rule in wazuh_manager_config.rule_exclude %}
-  <rule_exclude>{{ rule }}</rule_exclude>
-  {% endfor %}
-  {% endif %}
-  {% if wazuh_manager_config.ruleset.cdb_lists is defined %}
-  {% for list in wazuh_manager_config.ruleset.cdb_lists %}
-  <list>etc/lists/{{ list }}</list>
-  {% endfor %}
-  {% endif %}
-
-  <!-- User-defined ruleset -->
-  <decoder_dir>etc/decoders</decoder_dir>
-  <rule_dir>etc/rules</rule_dir>
-  </ruleset>
-
-{% if wazuh_manager_config.authd.enable == true %}
-  <auth>
-    <disabled>no</disabled>
-    {% if wazuh_manager_config.authd.port is not none %}
-    <port>{{wazuh_manager_config.authd.port}}</port>
-    {% else %}
-    <port>1515</port>
-    {% endif %}
-    {% if wazuh_manager_config.authd.use_source_ip is not none %}
-    <use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>
-    {% endif %}
-    {% if wazuh_manager_config.authd.force_insert is not none %}
-    <force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>
-    {% endif %}
-    {% if wazuh_manager_config.authd.force_time is not none %}
-    <force_time>{{wazuh_manager_config.authd.force_time}}</force_time>
-    {% endif %}
-    {% if wazuh_manager_config.authd.purge is not none %}
-    <purge>{{wazuh_manager_config.authd.purge}}</purge>
-    {% endif %}
-    {% if wazuh_manager_config.authd.use_password is not none %}
-    <use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
-    {% endif %}
-    {% if wazuh_manager_config.authd.limit_maxagents is not none %}
-    <limit_maxagents>{{wazuh_manager_config.authd.limit_maxagents}}</limit_maxagents>
-    {% endif %}
-    {% if wazuh_manager_config.authd.ciphers is not none %}
-    <ciphers>{{wazuh_manager_config.authd.ciphers}}</ciphers>
-    {% endif %}    
-    {% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
-    <ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
-    {% endif %}
-    {% if wazuh_manager_config.authd.ssl_verify_host is not none %}
-    <ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>
-    {% endif %}
-    {% if wazuh_manager_config.authd.ssl_manager_cert is not none %}
-    <ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>
-    {% endif %}
-    {% if wazuh_manager_config.authd.ssl_manager_key is not none %}
-    <ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>
-    {% endif %}
-    {% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}
-    <ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>
-    {% endif %}
-  </auth>
-{% endif %}
-
-  <cluster>
-    <disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
-    <name>{{ wazuh_manager_config.cluster.name }}</name>
-    <node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>
-    <node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>
-    <key>{{ wazuh_manager_config.cluster.key }}</key>
-    {% if wazuh_manager_config.cluster.interval is defined %}
-    <interval>{{ wazuh_manager_config.cluster.interval }}</interval>
-    {% endif %}
-    <port>{{ wazuh_manager_config.cluster.port }}</port>
-    <bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>
-    <nodes>
-    {% for node in wazuh_manager_config.cluster.nodes %}
-      <node>{{ node }}</node>
-    {% endfor %}
-    </nodes>
-    <hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
-  </cluster>
-
 {% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %}
   <wodle name="command">
     <disabled>no</disabled>
@@ -614,4 +530,91 @@
   </labels>
 {% endif %}
 
+
+  <ruleset>
+  <!-- Default ruleset -->
+  <decoder_dir>ruleset/decoders</decoder_dir>
+  <rule_dir>ruleset/rules</rule_dir>
+  {% if wazuh_manager_config.rule_exclude is defined %}
+  {% for rule in wazuh_manager_config.rule_exclude %}
+  <rule_exclude>{{ rule }}</rule_exclude>
+  {% endfor %}
+  {% endif %}
+  {% if wazuh_manager_config.ruleset.cdb_lists is defined %}
+  {% for list in wazuh_manager_config.ruleset.cdb_lists %}
+  <list>etc/lists/{{ list }}</list>
+  {% endfor %}
+  {% endif %}
+
+  <!-- User-defined ruleset -->
+  <decoder_dir>etc/decoders</decoder_dir>
+  <rule_dir>etc/rules</rule_dir>
+  </ruleset>
+
+{% if wazuh_manager_config.authd.enable == true %}
+  <auth>
+    <disabled>no</disabled>
+    {% if wazuh_manager_config.authd.port is not none %}
+    <port>{{wazuh_manager_config.authd.port}}</port>
+    {% else %}
+    <port>1515</port>
+    {% endif %}
+    {% if wazuh_manager_config.authd.use_source_ip is not none %}
+    <use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>
+    {% endif %}
+    {% if wazuh_manager_config.authd.force_insert is not none %}
+    <force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>
+    {% endif %}
+    {% if wazuh_manager_config.authd.force_time is not none %}
+    <force_time>{{wazuh_manager_config.authd.force_time}}</force_time>
+    {% endif %}
+    {% if wazuh_manager_config.authd.purge is not none %}
+    <purge>{{wazuh_manager_config.authd.purge}}</purge>
+    {% endif %}
+    {% if wazuh_manager_config.authd.use_password is not none %}
+    <use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
+    {% endif %}
+    {% if wazuh_manager_config.authd.limit_maxagents is not none %}
+    <limit_maxagents>{{wazuh_manager_config.authd.limit_maxagents}}</limit_maxagents>
+    {% endif %}
+    {% if wazuh_manager_config.authd.ciphers is not none %}
+    <ciphers>{{wazuh_manager_config.authd.ciphers}}</ciphers>
+    {% endif %}    
+    {% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
+    <ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
+    {% endif %}
+    {% if wazuh_manager_config.authd.ssl_verify_host is not none %}
+    <ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>
+    {% endif %}
+    {% if wazuh_manager_config.authd.ssl_manager_cert is not none %}
+    <ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>
+    {% endif %}
+    {% if wazuh_manager_config.authd.ssl_manager_key is not none %}
+    <ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>
+    {% endif %}
+    {% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}
+    <ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>
+    {% endif %}
+  </auth>
+{% endif %}
+
+  <cluster>
+    <disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
+    <name>{{ wazuh_manager_config.cluster.name }}</name>
+    <node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>
+    <node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>
+    <key>{{ wazuh_manager_config.cluster.key }}</key>
+    {% if wazuh_manager_config.cluster.interval is defined %}
+    <interval>{{ wazuh_manager_config.cluster.interval }}</interval>
+    {% endif %}
+    <port>{{ wazuh_manager_config.cluster.port }}</port>
+    <bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>
+    <nodes>
+    {% for node in wazuh_manager_config.cluster.nodes %}
+      <node>{{ node }}</node>
+    {% endfor %}
+    </nodes>
+    <hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
+  </cluster>
+
 </ossec_config>

From 5aa0f2e6c42af9c155706a523a4c8570e9aa5e26 Mon Sep 17 00:00:00 2001
From: Rshad Zhran <rashzk95@gmail.com>
Date: Fri, 10 Jan 2020 13:36:12 +0100
Subject: [PATCH 7/7] Define config_profile for CentOS and Ubuntu

---
 .../ansible-wazuh-agent/defaults/main.yml     |   5 +-
 .../var-ossec-etc-ossec-agent.conf.j2         | 193 +++++++++---------
 2 files changed, 101 insertions(+), 97 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
index 88c560fa..9db5406d 100644
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@@ -30,7 +30,8 @@ wazuh_managers:
     api_port: 55000
     api_proto: 'http'
     api_user: null
-wazuh_profile: null
+wazuh_profile_centos: 'centos, centos7, centos7.6'
+wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
 wazuh_auto_restart: 'yes'
 wazuh_agent_authd:
   enable: false
@@ -102,7 +103,7 @@ wazuh_agent_config:
     directories:
       - dirs: /etc,/usr/bin,/usr/sbin
         checks: 'check_all="yes"'
-      - dirs: /bin,/sbin
+      - dirs: /bin,/sbin,/boot
         checks: 'check_all="yes"'
     win_directories:
       - dirs: '%WINDIR%\regedit.exe'
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
index 57787b07..424410b8 100644
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@@ -19,8 +19,12 @@
       {% endif %}
     </server>
     {% endfor %}
-    {% if wazuh_profile is not none %}
-    <config-profile>{{ wazuh_profile }}</config-profile>
+    {% if wazuh_profile_centos is not none or wazuh_profile_ubuntu is not none %}
+    {% if ansible_distribution == 'CentOS' %}
+    <config-profile>{{ wazuh_profile_centos }}</config-profile>
+    {% elif ansible_distribution == "Ubuntu" %}
+    <config-profile>{{ wazuh_profile_ubuntu }}</config-profile>
+    {% endif %}
     {% endif %}
     {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
     <notify_time>{{ wazuh_notify_time }}</notify_time>
@@ -37,16 +41,6 @@
     <events_per_second>{{ wazuh_agent_config.client_buffer.events_per_sec }}</events_per_second>
   </client_buffer>
 
-  <logging>
-    <log_format>{{ wazuh_agent_config.log_format }}</log_format>
-  </logging>
-
-  <active-response>
-    <disabled>{{ wazuh_agent_config.active_response.ar_disabled|default('no') }}</disabled>
-    <ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
-    <ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
-  </active-response>
-
   {% if wazuh_agent_config.rootcheck is defined %}
   <rootcheck>
     <disabled>no</disabled>
@@ -75,89 +69,6 @@
   </rootcheck>
   {% endif %}
 
-  <!-- Directories to check  (perform all possible verifications) -->
-  {% if wazuh_agent_config.syscheck is defined %}
-  <syscheck>
-    <disabled>no</disabled>
-  <!-- <alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
-    <!-- Frequency that syscheck is executed -- default every 20 hours -->
-    <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
-    {% if ansible_system == "Linux" %}
-  <!-- <directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
-    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
-    <directories check_all="yes">/bin,/sbin,/boot</directories>
-    <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
-    {% endif %}
-
-    <!-- Directories to check  (perform all possible verifications) -->
-    {% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}
-    {% for directory in wazuh_agent_config.syscheck.directories %}
-    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
-    {% endfor %}
-    {% endif %}
-
-    <!-- Directories to check  (perform all possible verifications) -->
-    {% if wazuh_agent_config.syscheck.win_directories is defined and ansible_system == "Windows" %}
-    {% for directory in wazuh_agent_config.syscheck.win_directories %}
-    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
-    {% endfor %}
-    {% endif %}
-
-    <!-- Files/directories to ignore -->
-    {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %}
-    {% for ignore in wazuh_agent_config.syscheck.ignore %}
-    <ignore>{{ ignore }}</ignore>
-    {% endfor %}
-    {% endif %}
-
-    <!-- File types to ignore -->
-    {% if wazuh_agent_config.syscheck.ignore_linux_type is defined %}
-    {% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
-    <ignore type="sregex">{{ ignore }}</ignore>
-    {% endfor %}
-    {% endif %}
-
-    {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
-    {% for ignore in wazuh_agent_config.syscheck.ignore_win %}
-    <ignore type="sregex">{{ ignore }}</ignore>
-    {% endfor %}
-    {% endif %}
-
-    {% if ansible_system == "Linux" %}
-    <!-- Files no diff -->
-    {% for no_diff in wazuh_agent_config.syscheck.no_diff %}
-    <nodiff>{{ no_diff }}</nodiff>
-    {% endfor %}
-    
-    <skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
-    {% endif %}
-
-    {% if ansible_os_family == "Windows" %}
-    {% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
-    {% if registry_key.arch is defined %}
-    <windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
-    {% else %}
-    <windows_registry>{{ registry_key.key }}</windows_registry>
-    {% endif %}
-    {% endfor %}
-    {% endif %}
-
-    {% if ansible_os_family == "Windows" %}
-    {% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
-    {% if registry_key.type is defined %}
-    <registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
-    {% else %}
-    <registry_ignore>{{ registry_key.key }}</registry_ignore>
-    {% endif %}
-    {% endfor %}
-    {% endif %}
-
-    {% if ansible_os_family == "Windows" %}
-    <!-- Frequency for ACL checking (seconds) -->
-    <windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
-    {% endif %}
-  </syscheck>
-  {% endif %}
 
   {% if ansible_system == "Linux" %}
   <wodle name="open-scap">
@@ -276,6 +187,88 @@
   {% endif %}
   </sca>
 
+
+  <!-- Directories to check  (perform all possible verifications) -->
+  {% if wazuh_agent_config.syscheck is defined %}
+  <syscheck>
+    <disabled>no</disabled>
+  <!-- <alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
+    <!-- Frequency that syscheck is executed -- default every 20 hours -->
+    <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
+    {% if ansible_system == "Linux" %}
+    <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
+    <!-- Directories to check  (perform all possible verifications) -->
+    {% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}
+    {% for directory in wazuh_agent_config.syscheck.directories %}
+    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
+    {% endfor %}
+    {% endif %}
+    {% endif %}
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    {% if wazuh_agent_config.syscheck.win_directories is defined and ansible_system == "Windows" %}
+    {% for directory in wazuh_agent_config.syscheck.win_directories %}
+    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
+    {% endfor %}
+    {% endif %}
+
+    <!-- Files/directories to ignore -->
+    {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %}
+    {% for ignore in wazuh_agent_config.syscheck.ignore %}
+    <ignore>{{ ignore }}</ignore>
+    {% endfor %}
+    {% endif %}
+
+    <!-- File types to ignore -->
+    {% if wazuh_agent_config.syscheck.ignore_linux_type is defined %}
+    {% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
+    <ignore type="sregex">{{ ignore }}</ignore>
+    {% endfor %}
+    {% endif %}
+
+    {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
+    {% for ignore in wazuh_agent_config.syscheck.ignore_win %}
+    <ignore type="sregex">{{ ignore }}</ignore>
+    {% endfor %}
+    {% endif %}
+
+    {% if ansible_system == "Linux" %}
+    <!-- Files no diff -->
+    {% for no_diff in wazuh_agent_config.syscheck.no_diff %}
+    <nodiff>{{ no_diff }}</nodiff>
+    {% endfor %}
+    
+    <skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
+    {% endif %}
+
+    {% if ansible_os_family == "Windows" %}
+    {% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
+    {% if registry_key.arch is defined %}
+    <windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
+    {% else %}
+    <windows_registry>{{ registry_key.key }}</windows_registry>
+    {% endif %}
+    {% endfor %}
+    {% endif %}
+
+    {% if ansible_os_family == "Windows" %}
+    {% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
+    {% if registry_key.type is defined %}
+    <registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
+    {% else %}
+    <registry_ignore>{{ registry_key.key }}</registry_ignore>
+    {% endif %}
+    {% endfor %}
+    {% endif %}
+
+    {% if ansible_os_family == "Windows" %}
+    <!-- Frequency for ACL checking (seconds) -->
+    <windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
+    {% endif %}
+  </syscheck>
+  {% endif %}
+
+
   {% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %}
   <wodle name="command">
     <disabled>no</disabled>
@@ -365,4 +358,14 @@
   </labels>
 {% endif %}
 
+  <active-response>
+    <disabled>{{ wazuh_agent_config.active_response.ar_disabled|default('no') }}</disabled>
+    <ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
+    <ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
+  </active-response>
+
+  <logging>
+    <log_format>{{ wazuh_agent_config.log_format }}</log_format>
+  </logging>
+
 </ossec_config>