diff --git a/README.md b/README.md
index f720e31dc4908a6db5675d528464b522ef5d1258..5eebdaa46c5f5b779bce3e6e868a4ca4906e3d42 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,15 @@ In addition to Wazuh, ClamAV is also installed on agent machines.
 > Note: neither of these two files has to be changed for `security-monitoring` to work. You can (and should; in case of `.env`) leave them unchanged.
-4. Create and provision VMs:
+4. Set `evidence-collector` package version inside `/ansible/globals/globals.yml`:
+
+ ```
+ evidence_collector_version: 'latest'
+ ```
+
+ This can be left untouched or changed to a specific version of `evidence-collector`.
+
+5. Create and provision VMs:
 ```
 $ make create provision
@@ -185,6 +193,7 @@ Wazuh manager and Evidence collector should be installed on the same, clean mach
 | ---- | ---- |
 | `elasticsearch_host_ip` | IP of the machine running Elasticsearch (same as Wazuh manager). |
 | `wazuh_manager_ip` | IP of the machine running Wazuh manager. |
+ | `evidence_collector_version` | `evidence-collector` version that will be deployed. Can be left set to `latest`. |
 6. Set custom resource ID mapping scheme used by `evidence-collector`. Change it in `/custom-provision/resource-id-map.json`.
diff --git a/ansible/custom-integration/tasks/main.yml b/ansible/custom-integration/tasks/main.yml
index e8a012072954f8ba8b813c486cf8be29c5fa3e47..85f2f7f547a4351abaaa510884a964eabcf3f624 100644
--- a/ansible/custom-integration/tasks/main.yml
+++ b/ansible/custom-integration/tasks/main.yml
@@ -14,7 +14,9 @@
 shell: sed -i 's/\\[Service\\]/\\[Service\\]\nTimeoutStartSec=300/' /usr/lib/systemd/system/wazuh-manager.service
 become: yes
 when: "grep_timeout.rc > 0"
-
+ args:
+ warn: false
+
 - name: Restart wazuh-manager
 service:
 name: wazuh-manager
diff --git a/ansible/globals/globals.yml b/ansible/globals/globals.yml
index 307fa0a1a354f4b48b3d1d7d13e9aea735f73ea5..e06a4af3449b0bdc195e6bdf0c5457d0e3777b15 100644
--- a/ansible/globals/globals.yml
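Review bot: The added `args: warn: false` only silences the module warning and is not accepted by current Ansible — the `warn` option of `command`/`shell` was removed in ansible-core 2.14, so on those versions this task fails with an unsupported-parameter error instead of running. The warning was pointing at the real issue: an in-place `sed` on the package-owned unit file `/usr/lib/systemd/system/wazuh-manager.service` is only idempotent through the separate `grep_timeout` register, and the edit is lost when the package is upgraded. Replacing the shell task with `lineinfile` (idempotent on its own, so the `when` guard and `warn` both go away) removes the problem; a drop-in under `/etc/systemd/system/wazuh-manager.service.d/` would additionally survive upgrades. The task's `name` and the `grep_timeout` register start above the hunk.
```yaml
- name: Set TimeoutStartSec for wazuh-manager
  lineinfile:
    path: /usr/lib/systemd/system/wazuh-manager.service
    insertafter: '^\[Service\]'
    line: TimeoutStartSec=300
  become: true
# … unchanged: Restart wazuh-manager task …
```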
+++ b/ansible/globals/globals.yml
@@ -4,4 +4,5 @@ custom_integration_alert_level: 10
 custom_integration_alert_format: 'json'
 elasticsearch_host_ip: '192.168.33.10'
 wazuh_manager_ip: '192.168.33.10'
-wazuh_check_interval: 300
\ No newline at end of file
+wazuh_check_interval: 300 # should be the same as variable inside .env
+evidence_collector_version: 'latest'
\ No newline at end of file
diff --git a/ansible/provision-evidence-collector.yml b/ansible/provision-evidence-collector.yml
index f0d5741e07d1d7f559c569f4ea530b5049f941f9..05a09bd72e345e8e8eefbc3cf13043bd2d107075 100644
--- a/ansible/provision-evidence-collector.yml
+++ b/ansible/provision-evidence-collector.yml
@@ -4,6 +4,7 @@
 become: yes
 pre_tasks:
 - import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
+ - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
 roles:
 - docker
 tasks:
@@ -46,7 +47,7 @@
 - name: Run Docker container
 docker_container:
 name: evidence-collector
- image: "{{ docker_registry }}/medina/evidence-collector:latest"
+ image: "{{ docker_registry }}/medina/evidence-collector:{{ evidence_collector_version }}"
 state: started
 pull: yes
 restart_policy: always
diff --git a/ansible/provision-managers.yml b/ansible/provision-managers.yml
index d3295f8beeb1387520fac8d73c73ec86a0cbbb11..0a2faa1f97651578fde392d307fadbbf1749d926 100644
--- a/ansible/provision-managers.yml
+++ b/ansible/provision-managers.yml
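Review bot: The comment on `wazuh_check_interval: 300 # should be the same as variable inside .env` documents a coupling that nothing enforces — the same `wazuh_check_interval=300` is kept by hand in `custom-provision/.env` and `environments/full-setup/.env` elsewhere in this diff, so the copies can drift silently and the manager's scan frequencies would no longer match whatever consumes the `.env` value. Prefer one source (read the `.env` value into the play, or generate one file from the other), or at least an `assert` pre-task that checks the two are equal before provisioning. `evidence_collector_version: 'latest'` as the committed default also means every provision deploys whatever the registry currently tags `latest`, so the deployed build is not recorded anywhere; a comment such as `# pin to a released version for reproducible deployments` next to it would set the expectation. Both new lines still leave the file without a trailing newline.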
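Review bot: `image: "{{ docker_registry }}/medina/evidence-collector:{{ evidence_collector_version }}"` together with the unchanged `pull: yes` and the default value `latest` re-pulls a mutable tag on every run, so what actually runs is whatever the registry serves at that moment rather than a reviewed artifact. Because the `:` separator is hard-coded, the variable can only ever hold a tag; allowing a full reference would let operators pin by digest, e.g. `image: "{{ docker_registry }}/medina/evidence-collector@{{ evidence_collector_digest }}"` when a digest variable is set and the tag form otherwise. Recording the resolved image id from the `docker_container` result in the play output would make the deployed build auditable. The first hunk's `import_tasks: "{{ ansible_dir }}/globals/vars.yml"` presumably loads `globals.yml`; if that is where `evidence_collector_version` comes from, the dependency is worth a comment on the `image:` line.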
@@ -13,18 +13,83 @@
 - role: custom-integration
 vars:
 single_node: true
- wazuh_manager_integrations:
- - name: custom-integration
- hook_url: "{{ custom_integration_hook }}"
- alert_level: "{{ custom_integration_alert_level }}"
- alert_format: "{{ custom_integration_alert_format }}"
- wazuh_manager_config:
- email_notification: "yes"
 minimum_master_nodes: 1
 elasticsearch_node_master: true
 elasticsearch_network_host: "0.0.0.0"
 filebeat_node_name: node-1
 filebeat_output_elasticsearch_hosts: "{{ elasticsearch_host_ip }}"
+ instances:
+ node1:
+ name: node-1 # Important: must be equal to elasticsearch_node_name.
+ ip: "{{ elasticsearch_host_ip }}"
+ # ossec.conf
+ wazuh_manager_integrations:
+ - name: custom-integration
+ hook_url: "{{ custom_integration_hook }}"
+ alert_level: "{{ custom_integration_alert_level }}"
+ alert_format: "{{ custom_integration_alert_format }}"
+ wazuh_manager_email_notification: "yes"
+ wazuh_manager_rootcheck:
+ frequency: "{{ wazuh_check_interval }}"
+ wazuh_manager_syscollector:
+ disable: 'no'
+ interval: "{{ wazuh_check_interval }}"
+ scan_on_start: 'yes'
+ hardware: 'yes'
+ os: 'yes'
+ network: 'yes'
+ packages: 'yes'
+ ports_no: 'yes'
+ processes: 'yes'
+ wazuh_manager_sca:
+ enabled: 'yes'
+ scan_on_start: 'yes'
+ interval: "{{ wazuh_check_interval }}s"
+ skip_nfs: 'yes'
+ day: ''
+ wday: ''
+ time: ''
+ wazuh_manager_syscheck:
+ disable: 'no'
+ frequency: "{{ wazuh_check_interval }}"
+ scan_on_start: 'yes'
+ auto_ignore: 'no'
+ ignore:
+ - /etc/mtab
+ - /etc/hosts.deny
+ - /etc/mail/statistics
+ - /etc/random-seed
+ - /etc/random.seed
+ - /etc/adjtime
+ - /etc/httpd/logs
+ - /etc/utmpx
+ - /etc/wtmpx
+ - /etc/cups/certs
+ - /etc/dumpdates
+ - /etc/svc/volatile
+ ignore_linux_type:
+ - '.log$|.swp$'
+ no_diff:
+ - /etc/ssl/private.key
+ directories:
+ - dirs: /etc,/usr/bin,/usr/sbin
+ checks: ''
+ - dirs: /bin,/sbin,/boot
+ checks: ''
+ auto_ignore_frequency:
+ frequency: 'frequency="10"'
+ timeframe: 'timeframe="3600"'
+ value: 'no'
+ skip_nfs: 'yes'
+ skip_dev: 'yes'
+ skip_proc: 'yes'
+ skip_sys: 'yes'
+ process_priority: 10
+ max_eps: 100
+ sync_enabled: 'yes'
+ sync_interval: "{{ wazuh_check_interval }}s"
+ sync_max_interval: '1h'
+ sync_max_eps: 10
 wazuh_manager_vulnerability_detector:
 enabled: 'yes'
 interval: "{{ wazuh_check_interval }}"
@@ -54,11 +119,39 @@
 update_from_year: '2010'
 update_interval: "{{ wazuh_check_interval }}"
 name: '"nvd"'
- instances:
- node1:
- name: node-1 # Important: must be equal to elasticsearch_node_name.
- ip: "{{ elasticsearch_host_ip }}"
 tasks:
+ # agent.conf
+ - name: Install python3.6
+ package:
+ name: python36
+ state: present
+ - name: Install lxml python package
+ pip:
+ name: lxml
+ executable: pip3
+ - name: Edit agent.conf - add attribute to agent_config
+ xml:
+ path: /var/ossec/etc/shared/default/agent.conf
+ xpath: /agent_config
+ attribute: os
+ value: "Linux"
+ - name: Edit agent.conf - add syscheck config
+ xml:
+ path: /var/ossec/etc/shared/default/agent.conf
+ xpath: /agent_config/syscheck/frequency
+ value: "{{ wazuh_check_interval | string }}"
+ - name: Edit agent.conf - add rootcheck config
+ xml:
+ path: /var/ossec/etc/shared/default/agent.conf
+ xpath: /agent_config/rootcheck/frequency
+ value: "{{ wazuh_check_interval | string }}"
+ - name: Edit agent.conf - remove <?xml>
+ lineinfile:
+ dest: /var/ossec/etc/shared/default/agent.conf
+ regexp: "^<[?]xml .*[?]>"
+ state: absent
+ - name: Verify agent.conf
+ command: /var/ossec/bin/verify-agent-conf
 - name: Install firewalld
 action: yum name=firewalld state=installed
 - name: Enable firewalld on system reboot
diff --git a/custom-provision/.env b/custom-provision/.env
index f4ee6b4aca099d9579db6a2876ceac59f216e8e0..b895fc5826459dddfdcb1909bf6041985134459f 100644
--- a/custom-provision/.env
+++ b/custom-provision/.env
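Review bot: Both `directories:` entries under `wazuh_manager_syscheck` set `checks: ''`, so if the role renders `checks` as the attributes of the `<directories>` element, the manager's own file-integrity monitoring of `/etc,/usr/bin,/usr/sbin` and `/bin,/sbin,/boot` runs with no explicit check attributes and depends on the daemon's default; writing `checks: 'check_all="yes"'` (or the exact subset intended) makes the monitored attributes reviewable in this file. `wazuh_manager_email_notification: "yes"` is turned on without any SMTP or recipient variable in the hunk — if those are defined elsewhere, a comment naming where would help; if not, alerts are enabled with nowhere to deliver. The single `# ossec.conf` marker is the only structure in a block of about seventy new lines that also interleaves the `instances:` mapping with Elasticsearch/Filebeat variables; a one-line comment per group (`# rootcheck`, `# syscollector`, `# sca`, `# syscheck`) would make it navigable. The `vars:` block and the enclosing play start above the hunk.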
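Review bot: `command: /var/ossec/bin/verify-agent-conf` reports `changed` on every run because `command` cannot tell otherwise, so the play never converges; add `changed_when: false` to the `Verify agent.conf` task (its non-zero exit still fails the play, which is the behaviour wanted). `pip: name: lxml` installs whatever version PyPI serves at provision time on the manager host — pin it with `version: "<pinned lxml version>"` so the provision is reproducible and a newly published release cannot change the host unreviewed. The three `xml:` tasks rewrite `/var/ossec/etc/shared/default/agent.conf`, which the manager distributes to its agents; the owner and mode the file ends up with after the rewrite and the `lineinfile` cleanup are not visible here, and an explicit `file:` task setting them would make that deterministic rather than dependent on the editing module. The `tasks:` list continues below the hunk.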
@@ -15,4 +15,5 @@ clouditor_port=9090
 clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
-wazuh_check_interval=300
\ No newline at end of file
+wazuh_check_interval=300
+wazuh_rule_level=10
\ No newline at end of file
diff --git a/environments/full-setup/.env b/environments/full-setup/.env
index 6807497239268b89548c60c58072abb408cab028..1145270ea8b11e296abffe016b8dbc6baf3b399f 100644
--- a/environments/full-setup/.env
+++ b/environments/full-setup/.env
@@ -15,4 +15,5 @@ clouditor_port=9090
 clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
-wazuh_check_interval=300
\ No newline at end of file
+wazuh_check_interval=300
+wazuh_rule_level=10
\ No newline at end of file
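Review bot: `wazuh_rule_level=10` is added to `custom-provision/.env` and identically to `environments/full-setup/.env`, while `ansible/globals/globals.yml` in this same diff carries `custom_integration_alert_level: 10`; if these are the same threshold (the names suggest it, but no consumer of `wazuh_rule_level` appears in the diff), there are now three hand-kept copies that can drift exactly as `wazuh_check_interval` already does across the same files. A comment next to the new line naming the consumer and the matching globals variable, e.g. `# must match custom_integration_alert_level in ansible/globals/globals.yml`, would at least make the coupling visible to the next editor. Both files also still end without a trailing newline.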