From fe07c66d24ec3a2f40d33964b79389d82a77a55b Mon Sep 17 00:00:00 2001
From: Miguelangel Freitas <miguelangel@wazuh.com>
Date: Tue, 29 Aug 2017 20:56:42 -0500
Subject: [PATCH] Add Windows registry keys to syscheck

* Changing agent restart rules id.
* Restart Windows agents after receiving agent.conf
---
 ansible-wazuh-agent/defaults/main.yml         |  4 +++
 .../var-ossec-etc-ossec-agent.conf.j2         | 35 +++++++++++++++++--
 ansible-wazuh-manager/defaults/main.yml       | 25 ++++++++++++-
 .../var-ossec-etc-shared-agent.conf.j2        | 16 ++++++---
 .../var-ossec-rules-local_rules.xml.j2        | 29 ++++++++-------
 5 files changed, 90 insertions(+), 19 deletions(-)

diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml
index 79bd3c55..153f1633 100644
--- a/ansible-wazuh-agent/defaults/main.yml
+++ b/ansible-wazuh-agent/defaults/main.yml
@@ -40,6 +40,10 @@ wazuh_agent_config:
         checks: 'check_all="yes"'
       - dirs: /bin,/sbin
         checks: 'check_all="yes"'
+    windows_registry:
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
+        arch: 'both'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
   rootcheck:
     frequency: 43200
   openscap:
diff --git a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
index dd07aa6b..d50fd470 100644
--- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@@ -1,4 +1,4 @@
-#jinja2: lstrip_blocks: True
+#jinja2: trim_blocks: False
 <!--
   Wazuh - Agent
   More info at: https://documentation.wazuh.com
@@ -29,6 +29,10 @@
     <log_format>{{ wazuh_agent_config.log_format }}</log_format>
   </logging>
 
+  <active-response>
+    <disabled>no</disabled>
+  </active-response> 
+
   <rootcheck>
     <disabled>no</disabled>
     <check_unixaudit>yes</check_unixaudit>
@@ -43,6 +47,13 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
 
+    {% if ansible_os_family == "Windows" %}
+    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
+    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
+    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
+    {% endif %}
+
+    {% if ansible_system == "Linux" %}
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
@@ -50,11 +61,21 @@
     {% if cis_distribution_filename is defined %}
     <system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
     {% endif %}
+    {% endif %}
 
     <skip_nfs>yes</skip_nfs>
   </rootcheck>
 
   <syscheck>
+    <disabled>no</disabled>
+    {% if ansible_os_family == "Windows" %}
+    <directories check_all="yes" realtime="yes" restrict="^C:\wazuh-agent/shared/agent.conf$">C:\wazuh-agent</directories>
+    {% endif %}
+
+    {% if ansible_system == "Linux" %}
+    <directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories>
+    {% endif %}
+
     <auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
     <alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files>
     <!-- Frequency that syscheck is executed -- default every 20 hours -->
@@ -79,9 +100,19 @@
     {% for no_diff in wazuh_agent_config.syscheck.no_diff %}
     <nodiff>{{ no_diff }}</nodiff>
     {% endfor %}
+
+    {% if ansible_os_family == "Windows" %}
+    {% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
+    {% if registry_key.arch is defined %}
+    <windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
+    {% else %}
+    <windows_registry>{{ registry_key.key }}</windows_registry>
+    {% endif %}
+    {% endfor %}
+    {% endif %}
   </syscheck>
 
-  {% if wazuh_agent_config.openscap.disable  == 'no' %}
+  {% if wazuh_agent_config.openscap.disable  == 'no' and ansible_system == "Linux"%}
   <wodle name="open-scap">
     <disabled>no</disabled>
     <timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml
index 37eb0e04..28fbee8c 100644
--- a/ansible-wazuh-manager/defaults/main.yml
+++ b/ansible-wazuh-manager/defaults/main.yml
@@ -110,6 +110,10 @@ wazuh_manager_config:
       executable: 'restart-ossec.sh'
       expect: ''
       timeout_allowed: 'no'
+    - name: 'win_restart-ossec'
+      executable: 'restart-ossec.cmd'
+      expect: ''
+      timeout_allowed: 'no'
     - name: 'firewall-drop'
       executable: 'firewall-drop.sh'
       expect: 'srcip'
@@ -129,7 +133,10 @@ wazuh_manager_config:
   active_responses:
     - command: 'restart-ossec'
       location: 'local'
-      rules_id: 710001
+      rules_id: '100002'
+    - command: 'win_restart-ossec'
+      location: 'local'
+      rules_id: '100003'
     - command: 'host-deny'
       location: 'local'
       level: 6
@@ -176,3 +183,19 @@ wazuh_agent_configs:
         location: '/var/log/httpd/access_log'
       - format: 'apache'
         location: '/var/ossec/logs/active-responses.log'
+  - type: os
+    type_value: Windows
+    syscheck:
+      frequency: 43200
+      scan_on_start: 'yes'
+      auto_ignore: 'no'
+      alert_new_files: 'yes'
+      windows_registry:
+        - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
+          arch: 'both'
+        - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
+    localfiles:
+      - format: 'Security'
+        location: 'eventchannel'
+      - format: 'System'
+        location: 'eventlog'
diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
index a45a95d8..9d52c8e2 100644
--- a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
@@ -29,6 +29,16 @@
     <nodiff>{{ no_diff }}</nodiff>
     {% endfor %}
     {% endif %}
+
+    {% if agent_config.syscheck.windows_registry is defined %}
+    {% for registry_key in agent_config.syscheck.windows_registry %}
+    {% if registry_key.arch is defined %}
+    <windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
+    {% else %}
+    <windows_registry>{{ registry_key.key }}</windows_registry>
+    {% endif %}
+    {% endfor %}
+    {% endif %}
   </syscheck>
 
   {% for localfile in agent_config.localfiles %}
@@ -43,6 +53,7 @@
     </localfile>
   {% endfor %}
 
+  {% if agent_config.rootcheck is defined %}
   <rootcheck>
     <disabled>no</disabled>
     <check_unixaudit>yes</check_unixaudit>
@@ -57,15 +68,12 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>{{ agent_config.rootcheck.frequency }}</frequency>
 
-    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
-    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
     {% if agent_config.rootcheck.cis_distribution_filename is not none %}
     <system_audit>/var/ossec/etc/shared/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
     {% endif %}
     <skip_nfs>yes</skip_nfs>
   </rootcheck>
+  {% endif %}
 </agent_config>
 {% endfor %}
 {% endif %}
diff --git a/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 b/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
index db0b000a..5cbe7670 100644
--- a/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
@@ -1,17 +1,5 @@
 <!-- Local rules -->
 
-<!--
-Used with active-response to restart an agent when agent.conf file
-is successfully retrieved.
--->
-<group name="local,ossec,">
-  <rule id="710001" level="1">
-    <if_group>syscheck</if_group>
-    <match>/var/ossec/etc/shared/agent.conf</match>
-    <description>agent.conf was modified</description>
-  </rule>
-</group>
-
 <!-- Modify it at your will. -->
 
 <!-- Example -->
@@ -28,3 +16,20 @@ is successfully retrieved.
   </rule>
 
 </group>
+
+<!--
+Used with active-response to restart an agent when agent.conf file
+is successfully retrieved.
+-->
+<group name="local,ossec,">
+  <rule id="100002" level="1">
+    <if_group>syscheck</if_group>
+    <match>/var/ossec/etc/shared/agent.conf</match>
+    <description>Linux | agent.conf was modified</description>
+  </rule>
+  <rule id="100003" level="1">
+    <if_group>syscheck</if_group>
+    <match>C:\wazuh-agent/shared/agent.conf</match>
+    <description>Windows | agent.conf was modified</description>
+  </rule>
+</group>