Add Windows registry keys to syscheck

* Changing agent restart rules id. * Restart Windows agents after receiving agent.conf
2017-08-29 20:56:42 -05:00 · 2017-08-29 20:56:42 -05:00 · fe07c66d24
commit fe07c66d24
parent cab4302c4e
5 changed files with 90 additions and 19 deletions
--- a/ansible-wazuh-agent/defaults/main.yml
+++ b/ansible-wazuh-agent/defaults/main.yml
@ -40,6 +40,10 @@ wazuh_agent_config:
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
+    windows_registry:
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
+        arch: 'both'
+      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
  rootcheck:
    frequency: 43200
  openscap:
--- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
@ -1,4 +1,4 @@
-#jinja2: lstrip_blocks: True
+#jinja2: trim_blocks: False
 <!--
  Wazuh - Agent
  More info at: https://documentation.wazuh.com
@ -29,6 +29,10 @@
    <log_format>{{ wazuh_agent_config.log_format }}</log_format>
  </logging>

+  <active-response>
+    <disabled>no</disabled>
+  </active-response> 
+
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
@ -43,6 +47,13 @@
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>

+    {% if ansible_os_family == "Windows" %}
+    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
+    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
+    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
+    {% endif %}
+
+    {% if ansible_system == "Linux" %}
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
@ -50,11 +61,21 @@
    {% if cis_distribution_filename is defined %}
    <system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
    {% endif %}
+    {% endif %}

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <syscheck>
+    <disabled>no</disabled>
+    {% if ansible_os_family == "Windows" %}
+    <directories check_all="yes" realtime="yes" restrict="^C:\wazuh-agent/shared/agent.conf$">C:\wazuh-agent</directories>
+    {% endif %}
+
+    {% if ansible_system == "Linux" %}
+    <directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories>
+    {% endif %}
+
    <auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
    <alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
@ -79,9 +100,19 @@
    {% for no_diff in wazuh_agent_config.syscheck.no_diff %}
    <nodiff>{{ no_diff }}</nodiff>
    {% endfor %}
+
+    {% if ansible_os_family == "Windows" %}
+    {% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
+    {% if registry_key.arch is defined %}
+    <windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
+    {% else %}
+    <windows_registry>{{ registry_key.key }}</windows_registry>
+    {% endif %}
+    {% endfor %}
+    {% endif %}
  </syscheck>

-  {% if wazuh_agent_config.openscap.disable  == 'no' %}
+  {% if wazuh_agent_config.openscap.disable  == 'no' and ansible_system == "Linux"%}
  <wodle name="open-scap">
    <disabled>no</disabled>
    <timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
--- a/ansible-wazuh-manager/defaults/main.yml
+++ b/ansible-wazuh-manager/defaults/main.yml
@ -110,6 +110,10 @@ wazuh_manager_config:
      executable: 'restart-ossec.sh'
      expect: ''
      timeout_allowed: 'no'
+    - name: 'win_restart-ossec'
+      executable: 'restart-ossec.cmd'
+      expect: ''
+      timeout_allowed: 'no'
    - name: 'firewall-drop'
      executable: 'firewall-drop.sh'
      expect: 'srcip'
@ -129,7 +133,10 @@ wazuh_manager_config:
  active_responses:
    - command: 'restart-ossec'
      location: 'local'
-      rules_id: 710001
+      rules_id: '100002'
+    - command: 'win_restart-ossec'
+      location: 'local'
+      rules_id: '100003'
    - command: 'host-deny'
      location: 'local'
      level: 6
@ -176,3 +183,19 @@ wazuh_agent_configs:
        location: '/var/log/httpd/access_log'
      - format: 'apache'
        location: '/var/ossec/logs/active-responses.log'
+  - type: os
+    type_value: Windows
+    syscheck:
+      frequency: 43200
+      scan_on_start: 'yes'
+      auto_ignore: 'no'
+      alert_new_files: 'yes'
+      windows_registry:
+        - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
+          arch: 'both'
+        - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
+    localfiles:
+      - format: 'Security'
+        location: 'eventchannel'
+      - format: 'System'
+        location: 'eventlog'
--- a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
@ -29,6 +29,16 @@
    <nodiff>{{ no_diff }}</nodiff>
    {% endfor %}
    {% endif %}
+
+    {% if agent_config.syscheck.windows_registry is defined %}
+    {% for registry_key in agent_config.syscheck.windows_registry %}
+    {% if registry_key.arch is defined %}
+    <windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
+    {% else %}
+    <windows_registry>{{ registry_key.key }}</windows_registry>
+    {% endif %}
+    {% endfor %}
+    {% endif %}
  </syscheck>

  {% for localfile in agent_config.localfiles %}
@ -43,6 +53,7 @@
    </localfile>
  {% endfor %}

+  {% if agent_config.rootcheck is defined %}
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
@ -57,15 +68,12 @@
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>{{ agent_config.rootcheck.frequency }}</frequency>

-    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
-    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    {% if agent_config.rootcheck.cis_distribution_filename is not none %}
    <system_audit>/var/ossec/etc/shared/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
    {% endif %}
    <skip_nfs>yes</skip_nfs>
  </rootcheck>
+  {% endif %}
 </agent_config>
 {% endfor %}
 {% endif %}
--- a/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
+++ b/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
@ -1,17 +1,5 @@
 <!-- Local rules -->

-<!--
-Used with active-response to restart an agent when agent.conf file
-is successfully retrieved.
-->
-<group name="local,ossec,">
-  <rule id="710001" level="1">
-    <if_group>syscheck</if_group>
-    <match>/var/ossec/etc/shared/agent.conf</match>
-    <description>agent.conf was modified</description>
-  </rule>
-</group>
-
 <!-- Modify it at your will. -->

 <!-- Example -->
@ -28,3 +16,20 @@ is successfully retrieved.
  </rule>

 </group>
+
+<!--
+Used with active-response to restart an agent when agent.conf file
+is successfully retrieved.
+-->
+<group name="local,ossec,">
+  <rule id="100002" level="1">
+    <if_group>syscheck</if_group>
+    <match>/var/ossec/etc/shared/agent.conf</match>
+    <description>Linux | agent.conf was modified</description>
+  </rule>
+  <rule id="100003" level="1">
+    <if_group>syscheck</if_group>
+    <match>C:\wazuh-agent/shared/agent.conf</match>
+    <description>Windows | agent.conf was modified</description>
+  </rule>
+</group>