afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updating to Wazuh 3 and Elastic Stack 6

Browse Source
This commit is contained in:
Miguelangel Freitas 2017-12-19 19:24:52 -05:00 committed by Miguelangel Freitas
parent 15e091e338
commit fb34566fbc
40 changed files with 644 additions and 1193 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ansible-role-elasticsearch/defaults/main.yml
View File

@ -4,6 +4,6 @@ elasticsearch_node_name: node-1
elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1
elasticsearch_jvm_xms: null
elastic_stack_version: 5.6.4
elastic_stack_version: 6.1.0
elasticsearch_shards: 5
elasticsearch_replicas: 1

2
ansible-role-elasticsearch/tasks/Debian.yml
View File

@ -28,7 +28,7 @@
- name: Debian/Ubuntu | Install Elastic repo
apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present
filename: 'elastic_repo'

4
ansible-role-elasticsearch/tasks/RedHat.yml
View File

@ -15,8 +15,8 @@
- name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository:
name: elastic_repo
description: Elastic repository for 5.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum
description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes

35
ansible-role-elasticsearch/tasks/main.yml
View File

@ -25,6 +25,10 @@
notify: restart elasticsearch
tags: configure
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Ensure Elasticsearch started and enabled
service:
name: elasticsearch
@ -37,31 +41,50 @@
- configure
- init
- name: Check for Wazuh template
- name: Check for Wazuh Alerts template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: GET
status_code: 200, 404
register: wazuh_template_exits
register: wazuh_alerts_template_exits
tags: init
- name: Installing Wazuh template
- name: Installing Wazuh Alerts template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: PUT
status_code: 200
body_format: json
body: "{{ lookup('template','wazuh-elastic5-template.json.j2') }}"
when: wazuh_template_exits.status != 200
body: "{{ lookup('template','wazuh-elastic6-template-alerts.json.j2') }}"
when: wazuh_alerts_template_exits.status != 200
tags: init
- name: Injecting sample alert
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample"
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-3.x-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample"
method: PUT
status_code: 200, 201
body_format: json
body: "{{ lookup('template','alert_sample.json.j2') }}"
when: wazuh_alerts_template_exits.status != 200
tags: init
- name: Check for Wazuh Monitoring template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
method: GET
status_code: 200, 404
register: wazuh_monitoring_template_exits
tags: init
- name: Installing Wazuh Monitoring template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
method: PUT
status_code: 200
body_format: json
body: "{{ lookup('template','wazuh-elastic6-template-monitoring.json.j2') }}"
when: wazuh_monitoring_template_exits.status != 200
tags: init
- import_tasks: "RMRedHat.yml"

74
ansible-role-elasticsearch/templates/alert_sample.json.j2
View File

@ -1,11 +1,7 @@
{
"@timestamp": "2015-03-18T15:55:55.000Z",
"AlertsFile": "sample",
"title": "sample",
"full_log": "sample",
"id": "sample",
"srcuser": "sample",
"srcip": "sample",
"location": "sample",
"GeoLocation": {
"country_name": "sample",
@ -14,34 +10,50 @@
"agent": {
"name": "sample"
},
"audit": {
"command": "sample",
"type": "sample",
"egid": "sample",
"euid": "sample",
"exe": "sample",
"gid": "sample",
"uid": "sample",
"directory": {
"name": "sample"
},
"file": {
"mode": "sample",
"name": "sample"
}
},
"oscap": {
"check": {
"result": "sample",
"severity": "sample",
"title": "sample"
},
"scan": {
"id": "sample",
"content": "sample",
"score": 1.55,
"profile": {
"data": {
"title": "sample",
"protocol": "sample",
"action": "sample",
"srcip": "sample",
"dstip": "sample",
"srcport": "sample",
"dstport": "sample",
"srcuser": "sample",
"dstuser": "sample",
"id": "sample",
"status": "sample",
"data": "sample",
"system_name": "sample",
"url": "sample",
"audit": {
"command": "sample",
"type": "sample",
"egid": "sample",
"euid": "sample",
"exe": "sample",
"gid": "sample",
"uid": "sample",
"directory": {
"name": "sample"
},
"file": {
"mode": "sample",
"name": "sample"
}
},
"oscap": {
"check": {
"result": "sample",
"severity": "sample",
"title": "sample"
},
"scan": {
"id": "sample",
"content": "sample",
"score": 1.55,
"profile": {
"title": "sample"
}
}
}
},

4
ansible-role-elasticsearch/templates/elasticsearch.yml.j2
View File

@ -31,11 +31,11 @@ node.name: {{ elasticsearch_node_name }}
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /path/to/data
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
#path.logs: /path/to/logs
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#

31
ansible-role-elasticsearch/templates/jvm.options.j2
View File

@ -18,6 +18,9 @@
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
{% if elasticsearch_jvm_xms is not none %}
@ -50,18 +53,15 @@
## optimizations
# disable calls to System#gc
-XX:+DisableExplicitGC
# pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch
## basic
# force the server VM (remove on 32-bit client JVMs)
# force the server VM
-server
# explicitly set the stack size (reduce to 320k on 32-bit client JVMs)
# explicitly set the stack size
-Xss1m
# set to headless, just in case
@ -73,8 +73,9 @@
# use our provided JNA always versus the system one
-Djna.nosys=true
# use old-style file permissions on JDK9
-Djdk.io.permissionsUseCanonicalPath=true
# turn off a JDK optimization that throws away stack traces for common
# exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow
# flags to configure Netty
-Dio.netty.noUnsafe=true
@ -84,7 +85,6 @@
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Dlog4j.skipJansi=true
## heap dumps
@ -94,7 +94,7 @@
# specify an alternative path for heap dumps
# ensure the directory exists and has sufficient space
#-XX:HeapDumpPath=${heap.dump.path}
-XX:HeapDumpPath=/var/lib/elasticsearch
## GC logging
@ -109,10 +109,9 @@
# ensure the directory exists
#-Xloggc:${loggc}
# Elasticsearch 5.0.0 will throw an exception on unquoted field names in JSON.
# If documents were already indexed with unquoted fields in a previous version
# of Elasticsearch, some operations may throw errors.
#
# WARNING: This option will be removed in Elasticsearch 6.0.0 and is provided
# only for migration purposes.
#-Delasticsearch.json.allow_unquoted_field_names=true
# By default, the GC log file will not rotate.
# By uncommenting the lines below, the GC log file
# will be rotated every 128MB at most 32 times.
#-XX:+UseGCLogFileRotation
#-XX:NumberOfGCLogFiles=32
#-XX:GCLogFileSize=128M

597
ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 → ansible-role-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2
View File

@ -1,6 +1,6 @@
{
"order": 0,
"template": "wazuh*",
"template": "wazuh-alerts-3.*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }},
@ -51,9 +51,13 @@
}
}
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
"cluster": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"AlertsFile": {
"type": "keyword",
@ -302,319 +306,308 @@
}
}
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
"data": {
"properties": {
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"srcport": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}

34
ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2 Normal file
View File

@ -0,0 +1,34 @@
{
"order": 0,
"template": "wazuh-monitoring*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }},
"number_of_replicas": {{ elasticsearch_replicas }}
},
"mappings": {
"wazuh-agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}

2
ansible-role-filebeat/tasks/Debian.yml
View File

@ -12,6 +12,6 @@
- name: Debian/Ubuntu | Add Filebeat repository.
apt_repository:
repo: 'deb https://artifacts.elastic.co/packages/5.x/apt stable main'
repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present
update_cache: yes

4
ansible-role-filebeat/tasks/RedHat.yml
View File

@ -2,7 +2,7 @@
- name: RedHat/CentOS/Fedora | Install Filebeats repo
yum_repository:
name: elastic_repo
description: Elastic repository for 5.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum
description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes

4
ansible-role-filebeat/tasks/main.yml
View File

@ -13,6 +13,10 @@
- import_tasks: config.yml
when: filebeat_create_config
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Ensure Filebeat is started and enabled at boot.
service:
name: filebeat

2
ansible-role-kibana/defaults/main.yml
View File

@ -3,4 +3,4 @@ elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
elastic_stack_version: 5.6.4
elastic_stack_version: 6.1.0

2
ansible-role-kibana/tasks/Debian.yml
View File

@ -12,7 +12,7 @@
- name: Debian/Ubuntu | Install Elastic repo
apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present
filename: 'elastic_repo'

4
ansible-role-kibana/tasks/RedHat.yml
View File

@ -2,8 +2,8 @@
- name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository:
name: elastic_repo
description: Elastic repository for 5.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum
description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes

21
ansible-role-kibana/tasks/main.yml
View File

@ -9,6 +9,10 @@
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
tags: configure
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Kibana configuration
template:
src: kibana.yml.j2
@ -26,18 +30,23 @@
register: wazuh_app_verify
tags: install
- name: Upgrading Wazuh-APP
shell: "{{ item }}"
- name: Removing old Wazuh-APP
command: /usr/share/kibana/bin/kibana-plugin remove wazuh
when: wazuh_app_verify.stdout == "0"
tags: install
- name: Removing bundles
file: path=/usr/share/kibana/optimize/bundles state=absent
when: wazuh_app_verify.stdout == "0"
with_items:
- /usr/share/kibana/bin/kibana-plugin remove wazuh
- rm -rf /usr/share/kibana/optimize/bundles
tags: install
- name: Install Wazuh-APP (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.1_{{ elastic_stack_version }}.zip"
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.0.0_{{ elastic_stack_version }}.zip"
environment:
NODE_OPTIONS: "--max-old-space-size=3072"
args:
creates: /usr/share/kibana/plugins/wazuh/package.json
when: wazuh_app_verify.stdout == "0"
notify: restart kibana
tags: install

2
ansible-role-logstash/defaults/main.yml
View File

@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1"
elasticsearch_http_port: "9200"
elasticsearch_shards: 5
elasticsearch_replicas: 1
elastic_stack_version: 5.6.4
elastic_stack_version: 6.1.0
logstash_ssl: false
logstash_ssl_dir: /etc/pki/logstash

2
ansible-role-logstash/tasks/Debian.yml
View File

@ -31,7 +31,7 @@
- name: Debian/Ubuntu | Install Elasticsearch repo
apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present
filename: 'elastic_repo'

4
ansible-role-logstash/tasks/RedHat.yml
View File

@ -15,8 +15,8 @@
- name: RedHat/CentOS/Fedora | Install Logstash repo
yum_repository:
name: elastic_repo
description: Elastic repository for 5.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum
description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes

8
ansible-role-logstash/tasks/config.yml
View File

@ -1,12 +1,4 @@
---
- name: Logstash template
template:
src: wazuh-elastic5-template.json.j2
dest: /etc/logstash/wazuh-elastic5-template.json
owner: root
group: root
tags: configure
- name: Ensure Logstash SSL key pair directory exists.
file:
path: "{{ logstash_ssl_dir }}"

4
ansible-role-logstash/tasks/main.yml
View File

@ -8,6 +8,10 @@
- import_tasks: config.yml
when: logstash_create_config
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Ensure Logstash started and enabled
service:
name: logstash

20
ansible-role-logstash/templates/01-wazuh.conf.j2
View File

@ -25,10 +25,21 @@ input {
}
}
{% endif %}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "srcip"
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
}
@ -37,7 +48,7 @@ filter {
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
}
}
output {
@ -46,8 +57,5 @@ output {
hosts => ["{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"]
index => "wazuh-alerts-%{+YYYY.MM.dd}"
document_type => "wazuh"
template => "/etc/logstash/wazuh-elastic5-template.json"
template_name => "wazuh"
template_overwrite => true
}
}

622
ansible-role-logstash/templates/wazuh-elastic5-template.json.j2
View File

@ -1,622 +0,0 @@
{
"order": 0,
"template": "wazuh*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }},
"number_of_replicas": {{ elasticsearch_replicas }}
},
"mappings": {
"wazuh": {
"dynamic_templates": [
{
"string_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword",
"doc_values": "true"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"@version": {
"type": "text"
},
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"AlertsFile": {
"type": "keyword",
"doc_values": "true"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword",
"doc_values": "true"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword",
"doc_values": "true"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword",
"doc_values": "true"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword",
"doc_values": "true"
},
"region_name": {
"type": "keyword",
"doc_values": "true"
},
"timezone": {
"type": "text"
}
}
},
"host": {
"type": "keyword",
"doc_values": "true"
},
"syscheck": {
"properties": {
"path": {
"type": "keyword",
"doc_values": "true"
},
"sha1_before": {
"type": "keyword",
"doc_values": "true"
},
"sha1_after": {
"type": "keyword",
"doc_values": "true"
},
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gid_after": {
"type": "keyword",
"doc_values": "true"
},
"perm_before": {
"type": "keyword",
"doc_values": "true"
},
"perm_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_before": {
"type": "keyword",
"doc_values": "true"
},
"gname_after": {
"type": "keyword",
"doc_values": "true"
},
"gname_before": {
"type": "keyword",
"doc_values": "true"
},
"inode_after": {
"type": "keyword",
"doc_values": "true"
},
"inode_before": {
"type": "keyword",
"doc_values": "true"
},
"mtime_after": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"mtime_before": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"uname_after": {
"type": "keyword",
"doc_values": "true"
},
"uname_before": {
"type": "keyword",
"doc_values": "true"
},
"size_before": {
"type": "long",
"doc_values": "true"
},
"size_after": {
"type": "long",
"doc_values": "true"
},
"diff": {
"type": "keyword",
"doc_values": "true"
},
"event": {
"type": "keyword",
"doc_values": "true"
}
}
},
"location": {
"type": "keyword",
"doc_values": "true"
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"rule": {
"properties": {
"description": {
"type": "keyword",
"doc_values": "true"
},
"groups": {
"type": "keyword",
"doc_values": "true"
},
"level": {
"type": "long",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"cve": {
"type": "keyword",
"doc_values": "true"
},
"info": {
"type": "keyword",
"doc_values": "true"
},
"frequency": {
"type": "long",
"doc_values": "true"
},
"firedtimes": {
"type": "long",
"doc_values": "true"
},
"cis": {
"type": "keyword",
"doc_values": "true"
},
"pci_dss": {
"type": "keyword",
"doc_values": "true"
}
}
},
"decoder": {
"properties": {
"parent": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
},
"ftscomment": {
"type": "keyword",
"doc_values": "true"
},
"fts": {
"type": "long",
"doc_values": "true"
},
"accumulate": {
"type": "long",
"doc_values": "true"
}
}
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}

13
ansible-wazuh-agent/defaults/main.yml
View File

@ -1,7 +1,10 @@
---
wazuh_manager_ip: null
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
wazuh_profile: null
wazuh_manager_proto: tcp
wazuh_auto_restart: 'yes'
wazuh_agent_authd:
enable: false
port: 1515
@ -13,10 +16,10 @@ wazuh_notify_time: null
wazuh_time_reconnect: null
wazuh_winagent_config:
install_dir: 'C:\wazuh-agent\'
version: '2.1.1'
version: '3.0.0'
revision: '1'
repo: https://packages.wazuh.com/windows/
md5: fd9a3ce30cd6f9f553a1bc71e74a6c9f
repo: https://packages.wazuh.com/3.x/windows/
md5: 896dcc5b786fda30db9649dd7a6043c0
wazuh_agent_config:
log_format: 'plain'
syscheck:

2
ansible-wazuh-agent/tasks/Debian.yml
View File

@ -10,7 +10,7 @@
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
state: present
update_cache: yes

27
ansible-wazuh-agent/tasks/RedHat.yml
View File

@ -1,30 +1,23 @@
---
- name: CentOS | Install Wazuh repository
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: CentOS-$releasever - Wazuh
baseurl: https://packages.wazuh.com/yum/el/$releasever/$basearch
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when: ansible_distribution == 'CentOS'
when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Wazuh repository
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Fedora-$releasever - Wazuh
baseurl: https://packages.wazuh.com/yum/fc/$releasever/$basearch
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when: ansible_distribution == 'Fedora'
- name: RedHat | Install Wazuh repository
yum_repository:
name: wazuh_repo
description: CentOS-$releasever - Wazuh
baseurl: https://packages.wazuh.com/yum/rhel/$releasever/$basearch
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when: ansible_distribution == 'RedHat'
when:
- ansible_distribution_major_version|int < 5
- name: Set Distribution CIS filename for RHEL5
set_fact:

23
ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -7,22 +7,27 @@
<ossec_config>
<client>
{% if wazuh_manager_ip is not none %}
<server-ip>{{ wazuh_manager_ip }}</server-ip>
{% else %}
<server-ip>SERVER-IP</server-ip>
{% endif %}
{% for manager in wazuh_managers %}
<server>
<address>{{ manager.address }}</address>
{% if manager.port is defined %}
<port>{{ manager.port }}</port>
{% endif %}
{% if manager.protocol is defined %}
<protocol>{{ manager.protocol }}</protocol>
{% endif %}
</server>
{% endfor %}
{% if wazuh_profile is not none %}
<config-profile>{{ wazuh_profile }}</config-profile>
{% endif %}
<protocol>{{ wazuh_manager_proto }}</protocol>
{% if wazuh_manager_port is defined %}
<port>{{ wazuh_manager_port }}</port>
{% endif %}
{% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
<notify_time>{{ wazuh_notify_time }}</notify_time>
<time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect>
{% endif %}
<auto_restart>{{ wazuh_auto_restart }}</auto_restart>
</client>
<logging>

21
ansible-wazuh-manager/.kitchen.yml
View File

@ -1,21 +0,0 @@
---
driver:
name: vagrant
provision_command: sed -i '/tsflags=nodocs/d' /etc/yum.conf
provisioner:
name: ansible_playbook
ansible_yum_repo: "http://mirror.logol.ru/epel/6/x86_64/epel-release-6-8.noarch.rpm"
hosts: localhost
require_chef_for_busser: false
require_ruby_for_busser: true
platforms:
- name: centos-7.2
- name: ubuntu-14.04
verifier:
ruby_bindir: '/usr/bin'
suites:
- name: default

14
ansible-wazuh-manager/defaults/main.yml
View File

@ -6,6 +6,20 @@ wazuh_manager_config:
alerts_log: 'yes'
logall: 'no'
log_format: 'plain'
cluster:
disable: 'no'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
interval: '2m'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- '172.17.0.2'
- '172.17.0.3'
- '172.17.0.4'
hidden: 'no'
connection:
- type: 'secure'
port: '1514'

85
ansible-wazuh-manager/molecule.yml
View File

@ -1,85 +0,0 @@
---
dependency:
name: galaxy
driver:
name: docker
ansible:
group_vars:
ossec:
ossec_server_config:
mail_to:
- me@example.com
mail_smtp_server: localhost
mail_from: ossec@example.com
frequency_check: 72000
ignore_files:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
directories:
- check_all: 'yes'
dirs: /etc,/usr/bin,/usr/sbin
- check_all: 'yes'
dirs: /bin,/sbin
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
globals:
- '127.0.0.1'
- '192.168.2.1'
connection: 'secure'
log_level: 1
email_level: 7
commands:
- name: 'host-deny'
executable: 'host-deny.sh'
expect: 'srcip'
timeout_allowed: 'yes'
active_responses:
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
localfiles:
- format: 'syslog'
location: '/var/log/messages'
ossec_agent_configs:
- type: os
type_value: linux
frequency_check: 79200
ignore_files:
- /etc/mtab
- /etc/mnttab
localfiles:
- format: 'syslog'
location: '/var/log/messages'
directories:
- check_all: yes
dirs: /etc,/usr/bin,/usr/sbin
docker:
containers:
- name: ansible-ossec-server-centos
ansible_groups:
- ossec
image: milcom/centos7-systemd
image_version: latest
privileged: True
- name: ansible-ossec-server-debian
ansible_groups:
- ossec
image: maint/debian-systemd
image_version: latest
privileged: True
# - name: ansible-ossec-server-ubuntu
# ansible_groups:
# - ossec
# image: rastasheep/ubuntu-sshd
# image_version: 16.04
# privileged: True
verifier:
name: testinfra

2
ansible-wazuh-manager/tasks/Debian.yml
View File

@ -10,7 +10,7 @@
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
state: present
update_cache: yes

72
ansible-wazuh-manager/tasks/RedHat.yml
View File

@ -6,7 +6,8 @@
baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
gpgcheck: yes
when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat'
when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Nodejs repo
yum_repository:
@ -17,49 +18,78 @@
gpgcheck: yes
when: ansible_distribution == 'Fedora'
- name: CentOS | Install Wazuh repo
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: CentOS-$releasever - Wazuh
baseurl: https://packages.wazuh.com/yum/el/$releasever/$basearch
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when: ansible_distribution == 'CentOS'
when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Wazuh repo
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Fedora-$releasever - Wazuh
baseurl: https://packages.wazuh.com/yum/fc/$releasever/$basearch
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when: ansible_distribution == 'Fedora'
- name: RedHat | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: CentOS-$releasever - Wazuh
baseurl: https://packages.wazuh.com/yum/rhel/$releasever/$basearch
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when: ansible_distribution == 'RedHat'
when:
- ansible_distribution_major_version|int < 6
- name: RedHat/CentOS/Fedora | Install openscap
package: name=openscap-scanner state=present
tags:
- init
- name: CentOS 6 | Install Software Collections (SCL) Repository
package: name=centos-release-scl state=present
when:
- ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat 6 | Enabling Red Hat Software Collections (RHSCL)
command: yum-config-manager --enable {{ item }}
with_items:
- rhui-REGION-rhel-server-rhscl
- rhel-server-rhscl-6-rpms
when:
- ansible_distribution == 'RedHat' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install Python 2.7
package: name=python27 state=present
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install python-cryptography module
shell: pip2.7 install cryptography
environment:
PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}"
LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib"
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | Install python-cryptography module
package: name=python-cryptography state=present
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' )
- wazuh_manager_config.cluster.disable != 'yes'
- name: Set Distribution CIS filename for RHEL5/CentOS-5
set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5"
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '5'
- name: Set Distribution CIS filename for RHEL6/CentOS-6
set_fact:
cis_distribution_filename: cis_rhel6_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '6'
- name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '7'

51
ansible-wazuh-manager/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- import_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat"
when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5
- import_tasks: "Debian.yml"
when: ansible_os_family == "Debian"
@ -11,6 +11,27 @@
- wazuh-manager
- wazuh-api
- expect
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags:
- init
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install wazuh-manager and expect (EL5)
package: pkg={{ item }} state=latest
with_items:
- wazuh-manager
- expect
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
tags:
- init
@ -89,7 +110,7 @@
- name: Configure the shared-agent.conf
template: src=var-ossec-etc-shared-agent.conf.j2
dest=/var/ossec/etc/shared/agent.conf
dest=/var/ossec/etc/shared/default/agent.conf
owner=ossec
group=ossec
mode=0640
@ -108,8 +129,10 @@
tags:
- config
- name: Retrieving Wazuh-api User Credentials
- name: Retrieving Wazuh-API User Credentials
include_vars: wazuh_api_creds.yml
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags:
- config
@ -215,7 +238,7 @@
tags:
- config
- name: Wazuh-api User
- name: Wazuh-API User
template:
src: api_user.j2
dest: "/var/ossec/api/configuration/auth/user"
@ -224,7 +247,9 @@
mode: 0750
no_log: true
notify: restart wazuh-api
when: wazuh_api_user is defined
when:
- wazuh_api_user is defined
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags:
- config
@ -263,7 +288,7 @@
tags:
- config
- name: Ensure Wazuh Manager, wazuh api service is started and enabled
- name: Ensure Wazuh Manager, wazuh API service is started and enabled
service:
name: "{{ item }}"
enabled: yes
@ -273,6 +298,20 @@
- wazuh-api
tags:
- config
environment:
LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
- name: Ensure Wazuh Manager is started and enabled (EL5)
service:
name: wazuh-manager
enabled: yes
state: started
tags:
- config
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"

27
ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -22,6 +22,23 @@
<email_from>{{ wazuh_manager_config.mail_from }}</email_from>
</global>
<cluster>
<disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
<name>{{ wazuh_manager_config.cluster.name }}</name>
<node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>
<node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>
<key>{{ wazuh_manager_config.cluster.key }}</key>
<interval>{{ wazuh_manager_config.cluster.interval }}</interval>
<port>{{ wazuh_manager_config.cluster.port }}</port>
<bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>
<nodes>
{% for node in wazuh_manager_config.cluster.nodes %}
<node>{{ node }}</node>
{% endfor %}
</nodes>
<hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
</cluster>
<logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging>
@ -120,12 +137,12 @@
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
<rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/default/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
<system_audit>/var/ossec/etc/shared/default/{{ cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs>

2
ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
View File

@ -69,7 +69,7 @@
<frequency>{{ agent_config.rootcheck.frequency }}</frequency>
{% if agent_config.rootcheck.cis_distribution_filename is not none %}
<system_audit>/var/ossec/etc/shared/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
<system_audit>/var/ossec/etc/shared/default/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs>
</rootcheck>

2
wazuh-elastic.yml
View File

@ -1,3 +1,3 @@
- hosts: elasticsearch
roles:
- { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' }
- { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' }

6
wazuh-elastic_stack.yml
View File

@ -4,6 +4,6 @@
- { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.212.185:5000' }
- hosts: elastic_stack
roles:
- { role: ansible-role-elasticsearch, elasticsearch_network_host: 'localhost' }
- { role: ansible-role-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost' }
- { role: ansible-role-kibana, elasticsearch_network_host: 'localhost' }
- { role: ansible-role-elasticsearch, elasticsearch_network_host: 'localhost' }
- { role: ansible-role-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost' }
- { role: ansible-role-kibana, elasticsearch_network_host: 'localhost' }

2
wazuh-kibana.yml
View File

@ -1,3 +1,3 @@
- hosts: kibana
roles:
- { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' }
- { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' }

2
wazuh-logstash.yml
View File

@ -1,3 +1,3 @@
- hosts: logstash
roles:
- { role: ansible-role-logstash, elasticsearch_network_host: 'localhost' }
- { role: ansible-role-logstash, elasticsearch_network_host: 'localhost' }

2
wazuh-manager.yml
View File

@ -1,4 +1,4 @@
- hosts: wazuh-manager
roles:
- role: ansible-wazuh-manager
- { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.33.169:5000' }
- { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.33.169:5000' }