Updating to Wazuh 3 and Elastic Stack 6

This commit is contained in:
Miguelangel Freitas 2017-12-19 19:24:52 -05:00 committed by Miguelangel Freitas
parent 15e091e338
commit fb34566fbc
40 changed files with 644 additions and 1193 deletions


@ -4,6 +4,6 @@ elasticsearch_node_name: node-1
elasticsearch_http_port: 9200 elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1 elasticsearch_network_host: 127.0.0.1
elasticsearch_jvm_xms: null elasticsearch_jvm_xms: null
elastic_stack_version: 5.6.4 elastic_stack_version: 6.1.0
elasticsearch_shards: 5 elasticsearch_shards: 5
elasticsearch_replicas: 1 elasticsearch_replicas: 1


@ -28,7 +28,7 @@
- name: Debian/Ubuntu | Install Elastic repo - name: Debian/Ubuntu | Install Elastic repo
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo'


@ -15,8 +15,8 @@
- name: RedHat/CentOS/Fedora | Install Elastic repo - name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
description: Elastic repository for 5.x packages description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: yes


@ -25,6 +25,10 @@
notify: restart elasticsearch notify: restart elasticsearch
tags: configure tags: configure
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Ensure Elasticsearch started and enabled - name: Ensure Elasticsearch started and enabled
service: service:
name: elasticsearch name: elasticsearch
@ -37,31 +41,50 @@
- configure - configure
- init - init
- name: Check for Wazuh template - name: Check for Wazuh Alerts template
uri: uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: GET method: GET
status_code: 200, 404 status_code: 200, 404
register: wazuh_template_exits register: wazuh_alerts_template_exits
tags: init tags: init
- name: Installing Wazuh template - name: Installing Wazuh Alerts template
uri: uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: PUT method: PUT
status_code: 200 status_code: 200
body_format: json body_format: json
body: "{{ lookup('template','wazuh-elastic5-template.json.j2') }}" body: "{{ lookup('template','wazuh-elastic6-template-alerts.json.j2') }}"
when: wazuh_template_exits.status != 200 when: wazuh_alerts_template_exits.status != 200
tags: init tags: init
- name: Injecting sample alert - name: Injecting sample alert
uri: uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample" url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-3.x-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample"
method: PUT method: PUT
status_code: 200, 201 status_code: 200, 201
body_format: json body_format: json
body: "{{ lookup('template','alert_sample.json.j2') }}" body: "{{ lookup('template','alert_sample.json.j2') }}"
when: wazuh_alerts_template_exits.status != 200
tags: init
- name: Check for Wazuh Monitoring template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
method: GET
status_code: 200, 404
register: wazuh_monitoring_template_exits
tags: init
- name: Installing Wazuh Monitoring template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent"
method: PUT
status_code: 200
body_format: json
body: "{{ lookup('template','wazuh-elastic6-template-monitoring.json.j2') }}"
when: wazuh_monitoring_template_exits.status != 200
tags: init tags: init
- import_tasks: "RMRedHat.yml" - import_tasks: "RMRedHat.yml"
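Review bot: The new `Reload systemd` task at the top of the section pairs `systemd: daemon_reload=yes` with `ignore_errors: yes`, which hides a real failure to reload unit files and still runs on hosts that are not managed by systemd. Gate the task on the service-manager fact instead of swallowing errors, and write it in block YAML like the neighbouring tasks: `systemd:` / `  daemon_reload: true` / `when: ansible_service_mgr == 'systemd'`. The identical task is added in the Filebeat, Kibana and Logstash `tasks/main.yml` sections of this commit and should get the same treatment. The second hunk reads well; the only nit is that `wazuh_alerts_template_exits` / `wazuh_monitoring_template_exits` presumably mean `_exists`, which is worth fixing while both names are new.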


@ -1,11 +1,7 @@
{ {
"@timestamp": "2015-03-18T15:55:55.000Z", "@timestamp": "2015-03-18T15:55:55.000Z",
"AlertsFile": "sample", "AlertsFile": "sample",
"title": "sample",
"full_log": "sample", "full_log": "sample",
"id": "sample",
"srcuser": "sample",
"srcip": "sample",
"location": "sample", "location": "sample",
"GeoLocation": { "GeoLocation": {
"country_name": "sample", "country_name": "sample",
@ -14,34 +10,50 @@
"agent": { "agent": {
"name": "sample" "name": "sample"
}, },
"audit": { "data": {
"command": "sample", "title": "sample",
"type": "sample", "protocol": "sample",
"egid": "sample", "action": "sample",
"euid": "sample", "srcip": "sample",
"exe": "sample", "dstip": "sample",
"gid": "sample", "srcport": "sample",
"uid": "sample", "dstport": "sample",
"directory": { "srcuser": "sample",
"name": "sample" "dstuser": "sample",
}, "id": "sample",
"file": { "status": "sample",
"mode": "sample", "data": "sample",
"name": "sample" "system_name": "sample",
} "url": "sample",
}, "audit": {
"oscap": { "command": "sample",
"check": { "type": "sample",
"result": "sample", "egid": "sample",
"severity": "sample", "euid": "sample",
"title": "sample" "exe": "sample",
}, "gid": "sample",
"scan": { "uid": "sample",
"id": "sample", "directory": {
"content": "sample", "name": "sample"
"score": 1.55, },
"profile": { "file": {
"mode": "sample",
"name": "sample"
}
},
"oscap": {
"check": {
"result": "sample",
"severity": "sample",
"title": "sample" "title": "sample"
},
"scan": {
"id": "sample",
"content": "sample",
"score": 1.55,
"profile": {
"title": "sample"
}
} }
} }
}, },


@ -31,11 +31,11 @@ node.name: {{ elasticsearch_node_name }}
# #
# Path to directory where to store the data (separate multiple locations by comma): # Path to directory where to store the data (separate multiple locations by comma):
# #
#path.data: /path/to/data path.data: /var/lib/elasticsearch
# #
# Path to log files: # Path to log files:
# #
#path.logs: /path/to/logs path.logs: /var/log/elasticsearch
# #
# ----------------------------------- Memory ----------------------------------- # ----------------------------------- Memory -----------------------------------
# #
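Review bot: `path.data` and `path.logs` are hard-coded to `/var/lib/elasticsearch` and `/var/log/elasticsearch`, while the rest of this template (e.g. `node.name` at the hunk header) is driven by role variables, so an operator who keeps the index data on a separate volume has no way to override them without forking the template. Suggest `path.data: {{ elasticsearch_path_data | default('/var/lib/elasticsearch') }}` and the analogous `path.logs` line, with the two defaults declared next to `elasticsearch_jvm_xms` in the role defaults. If the role creates or chowns those directories elsewhere, that task should consume the same variables.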


@ -18,6 +18,9 @@
## ##
################################################################ ################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# Xms represents the initial size of total heap space # Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space # Xmx represents the maximum size of total heap space
{% if elasticsearch_jvm_xms is not none %} {% if elasticsearch_jvm_xms is not none %}
@ -50,18 +53,15 @@
## optimizations ## optimizations
# disable calls to System#gc
-XX:+DisableExplicitGC
# pre-touch memory pages used by the JVM during initialization # pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch -XX:+AlwaysPreTouch
## basic ## basic
# force the server VM (remove on 32-bit client JVMs) # force the server VM
-server -server
# explicitly set the stack size (reduce to 320k on 32-bit client JVMs) # explicitly set the stack size
-Xss1m -Xss1m
# set to headless, just in case # set to headless, just in case
@ -73,8 +73,9 @@
# use our provided JNA always versus the system one # use our provided JNA always versus the system one
-Djna.nosys=true -Djna.nosys=true
# use old-style file permissions on JDK9 # turn off a JDK optimization that throws away stack traces for common
-Djdk.io.permissionsUseCanonicalPath=true # exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow
# flags to configure Netty # flags to configure Netty
-Dio.netty.noUnsafe=true -Dio.netty.noUnsafe=true
@ -84,7 +85,6 @@
# log4j 2 # log4j 2
-Dlog4j.shutdownHookEnabled=false -Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true -Dlog4j2.disable.jmx=true
-Dlog4j.skipJansi=true
## heap dumps ## heap dumps
@ -94,7 +94,7 @@
# specify an alternative path for heap dumps # specify an alternative path for heap dumps
# ensure the directory exists and has sufficient space # ensure the directory exists and has sufficient space
#-XX:HeapDumpPath=${heap.dump.path} -XX:HeapDumpPath=/var/lib/elasticsearch
## GC logging ## GC logging
@ -109,10 +109,9 @@
# ensure the directory exists # ensure the directory exists
#-Xloggc:${loggc} #-Xloggc:${loggc}
# Elasticsearch 5.0.0 will throw an exception on unquoted field names in JSON. # By default, the GC log file will not rotate.
# If documents were already indexed with unquoted fields in a previous version # By uncommenting the lines below, the GC log file
# of Elasticsearch, some operations may throw errors. # will be rotated every 128MB at most 32 times.
# #-XX:+UseGCLogFileRotation
# WARNING: This option will be removed in Elasticsearch 6.0.0 and is provided #-XX:NumberOfGCLogFiles=32
# only for migration purposes. #-XX:GCLogFileSize=128M
#-Delasticsearch.json.allow_unquoted_field_names=true
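Review bot: The first hunk leaves the `# Xms represents …` / `# Xmx represents …` comment pair duplicated in the rendered file, since the two added lines sit directly above the pre-existing pair; drop one pair. In the heap-dump hunk, `-XX:HeapDumpPath=/var/lib/elasticsearch` sends JVM heap dumps into the index data directory: a dump contains whatever was in memory, including alert contents, and a few dumps can exhaust the data volume, so this path deserves a dedicated, root-owned directory (or at least the same variable as `path.data` so the two move together) and a comment explaining the choice. I believe the Elastic packages ship this same default, so this is a hardening suggestion rather than a regression. The remaining hunks track the upstream 6.x `jvm.options` and look fine.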


@ -1,6 +1,6 @@
{ {
"order": 0, "order": 0,
"template": "wazuh*", "template": "wazuh-alerts-3.*",
"settings": { "settings": {
"index.refresh_interval": "5s", "index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }}, "number_of_shards": {{ elasticsearch_shards }},
@ -51,9 +51,13 @@
} }
} }
}, },
"dstuser": { "cluster": {
"type": "keyword", "properties": {
"doc_values": "true" "name": {
"type": "keyword",
"doc_values": "true"
}
}
}, },
"AlertsFile": { "AlertsFile": {
"type": "keyword", "type": "keyword",
@ -302,319 +306,308 @@
} }
} }
}, },
"srcip": { "data": {
"type": "keyword", "properties": {
"doc_values": "true" "protocol": {
}, "type": "keyword",
"protocol": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "action": {
}, "type": "keyword",
"action": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "srcip": {
}, "type": "keyword",
"dstip": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "dstip": {
}, "type": "keyword",
"dstport": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "srcport": {
}, "type": "keyword",
"srcuser": { "doc_values": "true"
"type": "keyword", },
"doc_values": "true" "dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
}, },
"program_name": { "program_name": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": { "command": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
}, },
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": { "type": {
"type": "text" "type": "text"
}, },
"title": { "title": {
"type": "keyword", "type": "keyword",
"doc_values": "true" "doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
} }
} }
} }
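Review bot: The pattern in the first hunk is narrowed to `"template": "wazuh-alerts-3.*"`, but the Logstash output template in this same commit still writes to `index => "wazuh-alerts-%{+YYYY.MM.dd}"` and its own `template`/`template_name`/`template_overwrite` lines are removed, so indices created by Logstash would match no installed template and fall back to dynamic mappings (presumably losing the keyword and geo_point field types this template defines). Either change the Logstash index to `wazuh-alerts-3.x-%{+YYYY.MM.dd}` so it lines up with the sample-alert task, or widen the pattern here; the `Injecting sample alert` task already uses the `3.x-` form. As far as I recall, Elasticsearch 6.0 also deprecates the `template` key in favour of `"index_patterns": ["wazuh-alerts-3.x-*"]`, which would apply to the new monitoring template as well. The large restructuring hunk (moving `srcip`, `oscap`, `audit` and friends under `data`) matches the new `alert_sample.json.j2`, which is good.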


@ -0,0 +1,34 @@
{
"order": 0,
"template": "wazuh-monitoring*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }},
"number_of_replicas": {{ elasticsearch_replicas }}
},
"mappings": {
"wazuh-agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}
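Review bot: The template governs `wazuh-monitoring*` indices and its mapping type is `wazuh-agent`, yet the Elasticsearch tasks register it as `_template/wazuh-agent`; someone listing `GET _template` will not connect that name to the monitoring indices it controls. Registering it as `_template/wazuh-monitoring` in both `uri` tasks would make the three names agree. The unanchored pattern also captures any index that merely starts with `wazuh-monitoring`; if the producer (not visible in this commit) writes `wazuh-monitoring-<date>` indices, `wazuh-monitoring-*` is the safer pattern.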


@ -12,6 +12,6 @@
- name: Debian/Ubuntu | Add Filebeat repository. - name: Debian/Ubuntu | Add Filebeat repository.
apt_repository: apt_repository:
repo: 'deb https://artifacts.elastic.co/packages/5.x/apt stable main' repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present state: present
update_cache: yes update_cache: yes


@ -2,7 +2,7 @@
- name: RedHat/CentOS/Fedora | Install Filebeats repo - name: RedHat/CentOS/Fedora | Install Filebeats repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
description: Elastic repository for 5.x packages description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: yes


@ -13,6 +13,10 @@
- import_tasks: config.yml - import_tasks: config.yml
when: filebeat_create_config when: filebeat_create_config
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Ensure Filebeat is started and enabled at boot. - name: Ensure Filebeat is started and enabled at boot.
service: service:
name: filebeat name: filebeat


@ -3,4 +3,4 @@ elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1" elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0" kibana_server_host: "0.0.0.0"
kibana_server_port: "5601" kibana_server_port: "5601"
elastic_stack_version: 5.6.4 elastic_stack_version: 6.1.0


@ -12,7 +12,7 @@
- name: Debian/Ubuntu | Install Elastic repo - name: Debian/Ubuntu | Install Elastic repo
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo'


@ -2,8 +2,8 @@
- name: RedHat/CentOS/Fedora | Install Elastic repo - name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
description: Elastic repository for 5.x packages description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: yes


@ -9,6 +9,10 @@
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300 wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
tags: configure tags: configure
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Kibana configuration - name: Kibana configuration
template: template:
src: kibana.yml.j2 src: kibana.yml.j2
@ -26,18 +30,23 @@
register: wazuh_app_verify register: wazuh_app_verify
tags: install tags: install
- name: Upgrading Wazuh-APP - name: Removing old Wazuh-APP
shell: "{{ item }}" command: /usr/share/kibana/bin/kibana-plugin remove wazuh
when: wazuh_app_verify.stdout == "0"
tags: install
- name: Removing bundles
file: path=/usr/share/kibana/optimize/bundles state=absent
when: wazuh_app_verify.stdout == "0" when: wazuh_app_verify.stdout == "0"
with_items:
- /usr/share/kibana/bin/kibana-plugin remove wazuh
- rm -rf /usr/share/kibana/optimize/bundles
tags: install tags: install
- name: Install Wazuh-APP (can take a while) - name: Install Wazuh-APP (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.1_{{ elastic_stack_version }}.zip" shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.0.0_{{ elastic_stack_version }}.zip"
environment:
NODE_OPTIONS: "--max-old-space-size=3072"
args: args:
creates: /usr/share/kibana/plugins/wazuh/package.json creates: /usr/share/kibana/plugins/wazuh/package.json
when: wazuh_app_verify.stdout == "0"
notify: restart kibana notify: restart kibana
tags: install tags: install
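Review bot: `Install Wazuh-APP (can take a while)` still runs through `shell:` although the command uses no pipes or redirects; `command:` supports the same `environment:` and `args: creates:` and avoids passing the interpolated `{{ elastic_stack_version }}` through a shell, which would also make it consistent with the new `Removing old Wazuh-APP` task above that already uses `command:`. The plugin zip is fetched straight from `packages.wazuh.com` by `kibana-plugin install`, which cannot verify a digest, whereas the Windows agent in this same commit carries an `md5`; if Wazuh publishes a digest for the zip, downloading it with `get_url` plus `checksum:` and installing from the local `file://` path would give the Kibana side the same integrity check. `NODE_OPTIONS: "--max-old-space-size=3072"` hard-codes 3 GB for the optimize step; a role variable with that default would let smaller hosts lower it. `Removing bundles` could use block YAML (`file:` / `  path: …` / `  state: absent`) like the surrounding tasks.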


@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1"
elasticsearch_http_port: "9200" elasticsearch_http_port: "9200"
elasticsearch_shards: 5 elasticsearch_shards: 5
elasticsearch_replicas: 1 elasticsearch_replicas: 1
elastic_stack_version: 5.6.4 elastic_stack_version: 6.1.0
logstash_ssl: false logstash_ssl: false
logstash_ssl_dir: /etc/pki/logstash logstash_ssl_dir: /etc/pki/logstash


@ -31,7 +31,7 @@
- name: Debian/Ubuntu | Install Elasticsearch repo - name: Debian/Ubuntu | Install Elasticsearch repo
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo'


@ -15,8 +15,8 @@
- name: RedHat/CentOS/Fedora | Install Logstash repo - name: RedHat/CentOS/Fedora | Install Logstash repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
description: Elastic repository for 5.x packages description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/5.x/yum baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: yes


@ -1,12 +1,4 @@
--- ---
- name: Logstash template
template:
src: wazuh-elastic5-template.json.j2
dest: /etc/logstash/wazuh-elastic5-template.json
owner: root
group: root
tags: configure
- name: Ensure Logstash SSL key pair directory exists. - name: Ensure Logstash SSL key pair directory exists.
file: file:
path: "{{ logstash_ssl_dir }}" path: "{{ logstash_ssl_dir }}"


@ -8,6 +8,10 @@
- import_tasks: config.yml - import_tasks: config.yml
when: logstash_create_config when: logstash_create_config
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
- name: Ensure Logstash started and enabled - name: Ensure Logstash started and enabled
service: service:
name: logstash name: logstash


@ -25,10 +25,21 @@ input {
} }
} }
{% endif %} {% endif %}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter { filter {
geoip { geoip {
source => "srcip" source => "@src_ip"
target => "GeoLocation" target => "GeoLocation"
fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"] fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
} }
@ -37,7 +48,7 @@ filter {
target => "@timestamp" target => "@timestamp"
} }
mutate { mutate {
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"] remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
} }
} }
output { output {
@ -46,8 +57,5 @@ output {
hosts => ["{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"] hosts => ["{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"]
index => "wazuh-alerts-%{+YYYY.MM.dd}" index => "wazuh-alerts-%{+YYYY.MM.dd}"
document_type => "wazuh" document_type => "wazuh"
template => "/etc/logstash/wazuh-elastic5-template.json"
template_name => "wazuh"
template_overwrite => true
} }
} }
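Review bot: In the new `filter` block the two `if` branches are independent, so an event that carries both `[data][srcip]` and `[data][aws][sourceIPAddress]` gets `add_field` applied twice and `@src_ip` becomes an array; as far as I recall geoip then silently uses only the first element. Making the second branch `else if [data][aws][sourceIPAddress] {` keeps `@src_ip` single-valued and states the precedence explicitly. A one-line comment above the block, e.g. `# Normalise the source address into @src_ip for geoip; removed again in the mutate below`, would save the next reader from hunting for where the field goes.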


@ -1,622 +0,0 @@
{
"order": 0,
"template": "wazuh*",
"settings": {
"index.refresh_interval": "5s",
"number_of_shards": {{ elasticsearch_shards }},
"number_of_replicas": {{ elasticsearch_replicas }}
},
"mappings": {
"wazuh": {
"dynamic_templates": [
{
"string_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword",
"doc_values": "true"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"@version": {
"type": "text"
},
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"AlertsFile": {
"type": "keyword",
"doc_values": "true"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword",
"doc_values": "true"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword",
"doc_values": "true"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword",
"doc_values": "true"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword",
"doc_values": "true"
},
"region_name": {
"type": "keyword",
"doc_values": "true"
},
"timezone": {
"type": "text"
}
}
},
"host": {
"type": "keyword",
"doc_values": "true"
},
"syscheck": {
"properties": {
"path": {
"type": "keyword",
"doc_values": "true"
},
"sha1_before": {
"type": "keyword",
"doc_values": "true"
},
"sha1_after": {
"type": "keyword",
"doc_values": "true"
},
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gid_after": {
"type": "keyword",
"doc_values": "true"
},
"perm_before": {
"type": "keyword",
"doc_values": "true"
},
"perm_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_before": {
"type": "keyword",
"doc_values": "true"
},
"gname_after": {
"type": "keyword",
"doc_values": "true"
},
"gname_before": {
"type": "keyword",
"doc_values": "true"
},
"inode_after": {
"type": "keyword",
"doc_values": "true"
},
"inode_before": {
"type": "keyword",
"doc_values": "true"
},
"mtime_after": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"mtime_before": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"uname_after": {
"type": "keyword",
"doc_values": "true"
},
"uname_before": {
"type": "keyword",
"doc_values": "true"
},
"size_before": {
"type": "long",
"doc_values": "true"
},
"size_after": {
"type": "long",
"doc_values": "true"
},
"diff": {
"type": "keyword",
"doc_values": "true"
},
"event": {
"type": "keyword",
"doc_values": "true"
}
}
},
"location": {
"type": "keyword",
"doc_values": "true"
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"rule": {
"properties": {
"description": {
"type": "keyword",
"doc_values": "true"
},
"groups": {
"type": "keyword",
"doc_values": "true"
},
"level": {
"type": "long",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"cve": {
"type": "keyword",
"doc_values": "true"
},
"info": {
"type": "keyword",
"doc_values": "true"
},
"frequency": {
"type": "long",
"doc_values": "true"
},
"firedtimes": {
"type": "long",
"doc_values": "true"
},
"cis": {
"type": "keyword",
"doc_values": "true"
},
"pci_dss": {
"type": "keyword",
"doc_values": "true"
}
}
},
"decoder": {
"properties": {
"parent": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
},
"ftscomment": {
"type": "keyword",
"doc_values": "true"
},
"fts": {
"type": "long",
"doc_values": "true"
},
"accumulate": {
"type": "long",
"doc_values": "true"
}
}
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}


@ -1,7 +1,10 @@
--- ---
wazuh_manager_ip: null wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
wazuh_profile: null wazuh_profile: null
wazuh_manager_proto: tcp wazuh_auto_restart: 'yes'
wazuh_agent_authd: wazuh_agent_authd:
enable: false enable: false
port: 1515 port: 1515
@ -13,10 +16,10 @@ wazuh_notify_time: null
wazuh_time_reconnect: null wazuh_time_reconnect: null
wazuh_winagent_config: wazuh_winagent_config:
install_dir: 'C:\wazuh-agent\' install_dir: 'C:\wazuh-agent\'
version: '2.1.1' version: '3.0.0'
revision: '1' revision: '1'
repo: https://packages.wazuh.com/windows/ repo: https://packages.wazuh.com/3.x/windows/
md5: fd9a3ce30cd6f9f553a1bc71e74a6c9f md5: 896dcc5b786fda30db9649dd7a6043c0
wazuh_agent_config: wazuh_agent_config:
log_format: 'plain' log_format: 'plain'
syscheck: syscheck:
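Review bot: The Windows agent package is still pinned by an MD5 digest only (`md5: 896dcc5b786fda30db9649dd7a6043c0`), and MD5 is no longer collision-resistant, so the value verifies little beyond an uncorrupted download. The task that consumes `wazuh_winagent_config.md5` is outside this diff; if it feeds a checksum parameter, a SHA-256 digest of the 3.0.0 installer under a `sha256:` key would be the stronger pin. Replacing `wazuh_manager_ip`/`wazuh_manager_proto` with the `wazuh_managers` list also retires the `wazuh_manager_port` variable the old template honoured, so inventories that set it lose the value silently unless they move it to `wazuh_managers[].port`; a comment above `wazuh_managers:` describing the per-entry keys (`address` required, `port`/`protocol` optional) and the migration would make that visible.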


@ -10,7 +10,7 @@
- name: Debian/Ubuntu | Add Wazuh repositories - name: Debian/Ubuntu | Add Wazuh repositories
apt_repository: apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
state: present state: present
update_cache: yes update_cache: yes


@ -1,30 +1,23 @@
--- ---
- name: CentOS | Install Wazuh repository - name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: CentOS-$releasever - Wazuh description: Wazuh repository
baseurl: https://packages.wazuh.com/yum/el/$releasever/$basearch baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'CentOS' when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Wazuh repository - name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Fedora-$releasever - Wazuh description: Wazuh repository
baseurl: https://packages.wazuh.com/yum/fc/$releasever/$basearch baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'Fedora' when:
- ansible_distribution_major_version|int < 5
- name: RedHat | Install Wazuh repository
yum_repository:
name: wazuh_repo
description: CentOS-$releasever - Wazuh
baseurl: https://packages.wazuh.com/yum/rhel/$releasever/$basearch
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when: ansible_distribution == 'RedHat'
- name: Set Distribution CIS filename for RHEL5 - name: Set Distribution CIS filename for RHEL5
set_fact: set_fact:
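Review bot: The EL5 repo task never matches its target: its condition is `ansible_distribution_major_version|int < 5`, which excludes major version 5 itself, while the preceding task requires `> 5`, so CentOS/RHEL 5 hosts end up with no Wazuh repository at all. The manager role's copy of the same task uses `< 6`; the same condition here, `- ansible_distribution_major_version|int < 6` (or simply `== 5`), makes the two tasks partition the versions. A short comment above the pair stating which baseurl serves which major version would stop a later edit from reintroducing the gap.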


@ -7,22 +7,27 @@
<ossec_config> <ossec_config>
<client> <client>
{% if wazuh_manager_ip is not none %}
<server-ip>{{ wazuh_manager_ip }}</server-ip> {% for manager in wazuh_managers %}
{% else %} <server>
<server-ip>SERVER-IP</server-ip> <address>{{ manager.address }}</address>
{% endif %} {% if manager.port is defined %}
<port>{{ manager.port }}</port>
{% endif %}
{% if manager.protocol is defined %}
<protocol>{{ manager.protocol }}</protocol>
{% endif %}
</server>
{% endfor %}
{% if wazuh_profile is not none %} {% if wazuh_profile is not none %}
<config-profile>{{ wazuh_profile }}</config-profile> <config-profile>{{ wazuh_profile }}</config-profile>
{% endif %} {% endif %}
<protocol>{{ wazuh_manager_proto }}</protocol>
{% if wazuh_manager_port is defined %}
<port>{{ wazuh_manager_port }}</port>
{% endif %}
{% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %} {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
<notify_time>{{ wazuh_notify_time }}</notify_time> <notify_time>{{ wazuh_notify_time }}</notify_time>
<time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect> <time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect>
{% endif %} {% endif %}
<auto_restart>{{ wazuh_auto_restart }}</auto_restart>
</client> </client>
<logging> <logging>
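Review bot: `<auto_restart>{{ wazuh_auto_restart }}</auto_restart>` is rendered unconditionally, while every other optional client setting in this template is guarded by `is defined` or `is not none`; a variable file that sets it to null would emit a meaningless value rather than omit the element. Guarding it like its neighbours, `{% if wazuh_auto_restart is not none %}` … `{% endif %}`, keeps the template consistent and tolerant of older variable files. The new `<server>` loop would also benefit from a one-line Jinja comment stating that `address` is mandatory and `port`/`protocol` are optional per entry, since that contract otherwise lives only in the defaults file.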


@ -1,21 +0,0 @@
---
driver:
name: vagrant
provision_command: sed -i '/tsflags=nodocs/d' /etc/yum.conf
provisioner:
name: ansible_playbook
ansible_yum_repo: "http://mirror.logol.ru/epel/6/x86_64/epel-release-6-8.noarch.rpm"
hosts: localhost
require_chef_for_busser: false
require_ruby_for_busser: true
platforms:
- name: centos-7.2
- name: ubuntu-14.04
verifier:
ruby_bindir: '/usr/bin'
suites:
- name: default


@ -6,6 +6,20 @@ wazuh_manager_config:
alerts_log: 'yes' alerts_log: 'yes'
logall: 'no' logall: 'no'
log_format: 'plain' log_format: 'plain'
cluster:
disable: 'no'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
interval: '2m'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- '172.17.0.2'
- '172.17.0.3'
- '172.17.0.4'
hidden: 'no'
connection: connection:
- type: 'secure' - type: 'secure'
port: '1514' port: '1514'
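Review bot: The new `cluster` defaults enable clustering (`disable: 'no'`) on every interface (`bind_addr: '0.0.0.0'`, port 1516) with a key that is now published in this repository (`key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'`), so any deployment that does not override the block runs a cluster listener whose shared secret is public. Safer defaults are `disable: 'yes'` and `key: null`, with the template failing when the cluster is enabled without an operator-supplied key; the real key belongs in an Ansible Vault variable, not in role defaults. The hard-coded `nodes` addresses (172.17.0.2–4) look like Docker bridge addresses from a test setup and will not match a real cluster either, so an empty list with a comment stating they must be set per environment is the better default.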


@ -1,85 +0,0 @@
---
dependency:
name: galaxy
driver:
name: docker
ansible:
group_vars:
ossec:
ossec_server_config:
mail_to:
- me@example.com
mail_smtp_server: localhost
mail_from: ossec@example.com
frequency_check: 72000
ignore_files:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
directories:
- check_all: 'yes'
dirs: /etc,/usr/bin,/usr/sbin
- check_all: 'yes'
dirs: /bin,/sbin
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
globals:
- '127.0.0.1'
- '192.168.2.1'
connection: 'secure'
log_level: 1
email_level: 7
commands:
- name: 'host-deny'
executable: 'host-deny.sh'
expect: 'srcip'
timeout_allowed: 'yes'
active_responses:
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
localfiles:
- format: 'syslog'
location: '/var/log/messages'
ossec_agent_configs:
- type: os
type_value: linux
frequency_check: 79200
ignore_files:
- /etc/mtab
- /etc/mnttab
localfiles:
- format: 'syslog'
location: '/var/log/messages'
directories:
- check_all: yes
dirs: /etc,/usr/bin,/usr/sbin
docker:
containers:
- name: ansible-ossec-server-centos
ansible_groups:
- ossec
image: milcom/centos7-systemd
image_version: latest
privileged: True
- name: ansible-ossec-server-debian
ansible_groups:
- ossec
image: maint/debian-systemd
image_version: latest
privileged: True
# - name: ansible-ossec-server-ubuntu
# ansible_groups:
# - ossec
# image: rastasheep/ubuntu-sshd
# image_version: 16.04
# privileged: True
verifier:
name: testinfra


@ -10,7 +10,7 @@
- name: Debian/Ubuntu | Add Wazuh repositories - name: Debian/Ubuntu | Add Wazuh repositories
apt_repository: apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
state: present state: present
update_cache: yes update_cache: yes


@ -6,7 +6,8 @@
baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64 baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Nodejs repo - name: Fedora | Install Nodejs repo
yum_repository: yum_repository:
@ -17,49 +18,78 @@
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'Fedora' when: ansible_distribution == 'Fedora'
- name: CentOS | Install Wazuh repo - name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: CentOS-$releasever - Wazuh description: Wazuh repository
baseurl: https://packages.wazuh.com/yum/el/$releasever/$basearch baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'CentOS' when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Wazuh repo - name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Fedora-$releasever - Wazuh description: Wazuh repository
baseurl: https://packages.wazuh.com/yum/fc/$releasever/$basearch baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes gpgcheck: yes
when: ansible_distribution == 'Fedora' when:
- ansible_distribution_major_version|int < 6
- name: RedHat | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: CentOS-$releasever - Wazuh
baseurl: https://packages.wazuh.com/yum/rhel/$releasever/$basearch
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when: ansible_distribution == 'RedHat'
- name: RedHat/CentOS/Fedora | Install openscap - name: RedHat/CentOS/Fedora | Install openscap
package: name=openscap-scanner state=present package: name=openscap-scanner state=present
tags: tags:
- init - init
- name: CentOS 6 | Install Software Collections (SCL) Repository
package: name=centos-release-scl state=present
when:
- ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat 6 | Enabling Red Hat Software Collections (RHSCL)
command: yum-config-manager --enable {{ item }}
with_items:
- rhui-REGION-rhel-server-rhscl
- rhel-server-rhscl-6-rpms
when:
- ansible_distribution == 'RedHat' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install Python 2.7
package: name=python27 state=present
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install python-cryptography module
shell: pip2.7 install cryptography
environment:
PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}"
LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib"
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | Install python-cryptography module
package: name=python-cryptography state=present
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' )
- wazuh_manager_config.cluster.disable != 'yes'
- name: Set Distribution CIS filename for RHEL5/CentOS-5 - name: Set Distribution CIS filename for RHEL5/CentOS-5
set_fact: set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt cis_distribution_filename: cis_rhel5_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5" when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '5'
- name: Set Distribution CIS filename for RHEL6/CentOS-6 - name: Set Distribution CIS filename for RHEL6/CentOS-6
set_fact: set_fact:
cis_distribution_filename: cis_rhel6_linux_rcl.txt cis_distribution_filename: cis_rhel6_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6" when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '6'
- name: Set Distribution CIS filename for RHEL7/CentOS-7 - name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact: set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7" when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '7'
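Review bot: The `RedHat/CentOS 5 | Install Wazuh repo` task (condition `|int < 6`) is unreachable, because main.yml in this same commit imports this file only when `ansible_distribution_major_version|int > 5`, yet main.yml still carries EL5 install tasks that depend on this repository; either drop the EL5 task here or relax the import guard. `shell: pip2.7 install cryptography` fetches an unpinned release on every run and always reports changed; the `pip` module with `executable: /opt/rh/python27/root/usr/bin/pip2.7` and a pinned `version:` is idempotent and reproducible, and the `yum-config-manager --enable` `command` task likewise needs a `changed_when`. In the first hunk the nodesource task lost its `ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat'` check, so it now also runs on Fedora hosts right before the Fedora-specific nodesource task; that task's `name:` is outside the hunk, so whether the two collide or merely duplicate the repo cannot be told from here.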


@ -1,6 +1,6 @@
--- ---
- import_tasks: "RedHat.yml" - import_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5
- import_tasks: "Debian.yml" - import_tasks: "Debian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
@ -11,6 +11,27 @@
- wazuh-manager - wazuh-manager
- wazuh-api - wazuh-api
- expect - expect
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags:
- init
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install wazuh-manager and expect (EL5)
package: pkg={{ item }} state=latest
with_items:
- wazuh-manager
- expect
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
tags: tags:
- init - init
@ -89,7 +110,7 @@
- name: Configure the shared-agent.conf - name: Configure the shared-agent.conf
template: src=var-ossec-etc-shared-agent.conf.j2 template: src=var-ossec-etc-shared-agent.conf.j2
dest=/var/ossec/etc/shared/agent.conf dest=/var/ossec/etc/shared/default/agent.conf
owner=ossec owner=ossec
group=ossec group=ossec
mode=0640 mode=0640
@ -108,8 +129,10 @@
tags: tags:
- config - config
- name: Retrieving Wazuh-api User Credentials - name: Retrieving Wazuh-API User Credentials
include_vars: wazuh_api_creds.yml include_vars: wazuh_api_creds.yml
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags: tags:
- config - config
@ -215,7 +238,7 @@
tags: tags:
- config - config
- name: Wazuh-api User - name: Wazuh-API User
template: template:
src: api_user.j2 src: api_user.j2
dest: "/var/ossec/api/configuration/auth/user" dest: "/var/ossec/api/configuration/auth/user"
@ -224,7 +247,9 @@
mode: 0750 mode: 0750
no_log: true no_log: true
notify: restart wazuh-api notify: restart wazuh-api
when: wazuh_api_user is defined when:
- wazuh_api_user is defined
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags: tags:
- config - config
@ -263,7 +288,7 @@
tags: tags:
- config - config
- name: Ensure Wazuh Manager, wazuh api service is started and enabled - name: Ensure Wazuh Manager, wazuh API service is started and enabled
service: service:
name: "{{ item }}" name: "{{ item }}"
enabled: yes enabled: yes
@ -273,6 +298,20 @@
- wazuh-api - wazuh-api
tags: tags:
- config - config
environment:
LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
- name: Ensure Wazuh Manager is started and enabled (EL5)
service:
name: wazuh-manager
enabled: yes
state: started
tags:
- config
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
- import_tasks: "RMRedHat.yml" - import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
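Review bot: `LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"` under `environment:` is not expanded by a shell, so the service task exports the literal string `$LD_LIBRARY_PATH:/var/ossec/framework/lib`; `"{{ ansible_env.LD_LIBRARY_PATH | default('') }}:/var/ossec/framework/lib"` gives the intended value, assuming the service module propagates its environment to the init script at all, which is worth confirming on EL6. The `replace` task edits the package-owned `/etc/init.d/wazuh-manager`, so any later package upgrade reinstalls the script and silently drops the python27 activation; if the init script sources a sysconfig file, putting the `source`/`export` lines there survives upgrades, otherwise a comment on the task should record that it must be re-run after upgrades. The `(EL5)` install task in the second hunk cannot find a repository, because the import guard in the first hunk no longer loads RedHat.yml for major version 5.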


@ -22,6 +22,23 @@
<email_from>{{ wazuh_manager_config.mail_from }}</email_from> <email_from>{{ wazuh_manager_config.mail_from }}</email_from>
</global> </global>
<cluster>
<disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
<name>{{ wazuh_manager_config.cluster.name }}</name>
<node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>
<node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>
<key>{{ wazuh_manager_config.cluster.key }}</key>
<interval>{{ wazuh_manager_config.cluster.interval }}</interval>
<port>{{ wazuh_manager_config.cluster.port }}</port>
<bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>
<nodes>
{% for node in wazuh_manager_config.cluster.nodes %}
<node>{{ node }}</node>
{% endfor %}
</nodes>
<hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
</cluster>
<logging> <logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format> <log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging> </logging>
@ -120,12 +137,12 @@
<!-- Frequency that rootcheck is executed - every 12 hours --> <!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency> <frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> <rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit> <system_audit>/var/ossec/etc/shared/default/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %} {% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit> <system_audit>/var/ossec/etc/shared/default/{{ cis_distribution_filename }}</system_audit>
{% endif %} {% endif %}
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
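Review bot: The `<cluster>` block dereferences every `wazuh_manager_config.cluster.*` key unconditionally, so an inventory that overrides `wazuh_manager_config` as a whole without the new `cluster` map fails to render with an undefined-variable error, and a block with `disable: 'yes'` still writes the cluster key and node list into ossec.conf. Wrapping the block in `{% if wazuh_manager_config.cluster is defined %}` … `{% endif %}` keeps older variable files working; guarding at least the `<key>` element on `disable != 'yes'` keeps the secret out of the file when it is not used. The YAML key is `disable` while the element is `<disabled>`; a one-line Jinja comment noting that mapping prevents a reader from treating it as a typo.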


@ -69,7 +69,7 @@
<frequency>{{ agent_config.rootcheck.frequency }}</frequency> <frequency>{{ agent_config.rootcheck.frequency }}</frequency>
{% if agent_config.rootcheck.cis_distribution_filename is not none %} {% if agent_config.rootcheck.cis_distribution_filename is not none %}
<system_audit>/var/ossec/etc/shared/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit> <system_audit>/var/ossec/etc/shared/default/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
{% endif %} {% endif %}
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
</rootcheck> </rootcheck>