Commit 54a60aa9 authored by Matevz Erzen's avatar Matevz Erzen Committed by Zitnik, Anze

Custom wazuh monitoring frequencies

parent 6fa1b60d
......@@ -45,7 +45,15 @@ In addition to Wazuh, ClamAV is also installed on agent machines.
> Note: neither of these two files has to be changed for `security-monitoring` to work. You can (and should; in case of `.env`) leave them unchanged.
4. Create and provision VMs:
4. Set `evidence-collector` package version inside `/ansible/globals/globals.yml`:
```
evidence_collector_version: 'latest'
```
This can be left untouched or changed to a specific version of `evidence-collector`.
5. Create and provision VMs:
```
$ make create provision
......@@ -185,6 +193,7 @@ Wazuh manager and Evidence collector should be installed on the same, clean mach
| ---- | ---- |
| `elasticsearch_host_ip` | IP of the machine running Elasticsearch (same as Wazuh manager). |
| `wazuh_manager_ip` | IP of the machine running Wazuh manager. |
| `evidence_collector_version` | `evidence-collector` version that will be deployed. Can be left set to `latest`. |
6. Set custom resource ID mapping scheme used by `evidence-collector`. Change it in `/custom-provision/resource-id-map.json`.
......@@ -14,6 +14,8 @@
shell: sed -i 's/\\[Service\\]/\\[Service\\]\nTimeoutStartSec=300/' /usr/lib/systemd/system/wazuh-manager.service
become: yes
when: "grep_timeout.rc > 0"
args:
warn: false
- name: Restart wazuh-manager
service:
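Review bot: `args: warn: false` on the sed task silences the shell-module warning rather than removing its cause, and the `warn` option was removed from `command`/`shell` in ansible-core 2.14, so the task as written fails on current Ansible. The sed also rewrites the unit file under `/usr/lib/systemd/system`, which is presumably package-owned and gets overwritten on the next wazuh-manager upgrade; a systemd drop-in under `/etc/systemd/system/wazuh-manager.service.d/` carrying `[Service]` / `TimeoutStartSec=300` survives upgrades and makes both the `grep_timeout` guard and `warn:` unnecessary. The task begins before the hunk, and the following `Restart wazuh-manager` task would need a daemon reload (the `systemd` module's `daemon_reload: true`) for the drop-in to take effect.
```yaml
- name: Create drop-in directory for wazuh-manager
  file:
    path: /etc/systemd/system/wazuh-manager.service.d
    state: directory
    mode: "0755"
  become: true
- name: Set wazuh-manager start timeout via systemd drop-in
  copy:
    dest: /etc/systemd/system/wazuh-manager.service.d/override.conf
    content: |
      [Service]
      TimeoutStartSec=300
    mode: "0644"
  become: true
# … unchanged: Restart wazuh-manager task (switch to the systemd module with daemon_reload: true) …
```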
......@@ -4,4 +4,5 @@ custom_integration_alert_level: 10
custom_integration_alert_format: 'json'
elasticsearch_host_ip: '192.168.33.10'
wazuh_manager_ip: '192.168.33.10'
wazuh_check_interval: 300
\ No newline at end of file
wazuh_check_interval: 300 # should be the same as variable inside .env
evidence_collector_version: 'latest'
\ No newline at end of file
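Review bot: `wazuh_check_interval: 300 # should be the same as variable inside .env` enforces a cross-file invariant only by comment: the same value is repeated as `wazuh_check_interval=300` in both `.env` hunks at the end of the commit, and nothing in the play checks that they agree, so editing one silently desynchronises the manager-side scan frequency from what the collector expects (the new `wazuh_rule_level=10` there appears to pair with `custom_integration_alert_level: 10` the same way). Templating the `.env` entries from these variables, or adding an `assert:` task that compares them, would make the coupling enforced rather than documented. Separately, `evidence_collector_version: 'latest'` as the shipped default (re-resolved on every run by `pull: yes` in the evidence-collector playbook hunk) means a provisioning run deploys whatever the registry currently tags, so the deployed collector version is not reproducible; defaulting to a pinned release and treating `latest` as opt-in is the safer default for a component that produces compliance evidence. The file also still ends without a trailing newline.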
......@@ -4,6 +4,7 @@
become: yes
pre_tasks:
- import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
- import_tasks: "{{ ansible_dir }}/globals/vars.yml"
roles:
- docker
tasks:
......@@ -46,7 +47,7 @@
- name: Run Docker container
docker_container:
name: evidence-collector
image: "{{ docker_registry }}/medina/evidence-collector:latest"
image: "{{ docker_registry }}/medina/evidence-collector:{{ evidence_collector_version }}"
state: started
pull: yes
restart_policy: always
......@@ -13,18 +13,83 @@
- role: custom-integration
vars:
single_node: true
wazuh_manager_integrations:
- name: custom-integration
hook_url: "{{ custom_integration_hook }}"
alert_level: "{{ custom_integration_alert_level }}"
alert_format: "{{ custom_integration_alert_format }}"
wazuh_manager_config:
email_notification: "yes"
minimum_master_nodes: 1
elasticsearch_node_master: true
elasticsearch_network_host: "0.0.0.0"
filebeat_node_name: node-1
filebeat_output_elasticsearch_hosts: "{{ elasticsearch_host_ip }}"
instances:
node1:
name: node-1 # Important: must be equal to elasticsearch_node_name.
ip: "{{ elasticsearch_host_ip }}"
# ossec.conf
wazuh_manager_integrations:
- name: custom-integration
hook_url: "{{ custom_integration_hook }}"
alert_level: "{{ custom_integration_alert_level }}"
alert_format: "{{ custom_integration_alert_format }}"
wazuh_manager_email_notification: "yes"
wazuh_manager_rootcheck:
frequency: "{{ wazuh_check_interval }}"
wazuh_manager_syscollector:
disable: 'no'
interval: "{{ wazuh_check_interval }}"
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
wazuh_manager_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: "{{ wazuh_check_interval }}s"
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
wazuh_manager_syscheck:
disable: 'no'
frequency: "{{ wazuh_check_interval }}"
scan_on_start: 'yes'
auto_ignore: 'no'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: "{{ wazuh_check_interval }}s"
sync_max_interval: '1h'
sync_max_eps: 10
wazuh_manager_vulnerability_detector:
enabled: 'yes'
interval: "{{ wazuh_check_interval }}"
......@@ -54,11 +119,39 @@
update_from_year: '2010'
update_interval: "{{ wazuh_check_interval }}"
name: '"nvd"'
instances:
node1:
name: node-1 # Important: must be equal to elasticsearch_node_name.
ip: "{{ elasticsearch_host_ip }}"
tasks:
# agent.conf
- name: Install python3.6
package:
name: python36
state: present
- name: Install lxml python package
pip:
name: lxml
executable: pip3
- name: Edit agent.conf - add attribute to agent_config
xml:
path: /var/ossec/etc/shared/default/agent.conf
xpath: /agent_config
attribute: os
value: "Linux"
- name: Edit agent.conf - add syscheck config
xml:
path: /var/ossec/etc/shared/default/agent.conf
xpath: /agent_config/syscheck/frequency
value: "{{ wazuh_check_interval | string }}"
- name: Edit agent.conf - add rootcheck config
xml:
path: /var/ossec/etc/shared/default/agent.conf
xpath: /agent_config/rootcheck/frequency
value: "{{ wazuh_check_interval | string }}"
- name: Edit agent.conf - remove <?xml>
lineinfile:
dest: /var/ossec/etc/shared/default/agent.conf
regexp: "^<[?]xml .*[?]>"
state: absent
- name: Verify agent.conf
command: /var/ossec/bin/verify-agent-conf
- name: Install firewalld
action: yum name=firewalld state=installed
- name: Enable firewalld on system reboot
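Review bot: The lxml dependency in the second hunk (`pip: name: lxml` with `executable: pip3`) is installed unpinned from PyPI onto the Wazuh manager host, so each provisioning run may pull a different build of a native-code package straight onto the SIEM host; pin it with the pip module's `version:` parameter or install the distribution's lxml package instead. `- name: Verify agent.conf` runs `command:` without `changed_when`, so the play reports a change on every run; `changed_when: false` keeps this verification step from masking real changes. In the first hunk the check intervals are inconsistent in form: `wazuh_manager_sca.interval` and `sync_interval` append `s`, while `wazuh_manager_syscollector.interval`, `wazuh_manager_vulnerability_detector.interval` and `update_interval` pass the bare number, which deserves a comment such as `# bare values are seconds; suffixed ones use the Wazuh time-unit syntax` once confirmed against the ossec.conf reference. The play and its `tasks:` list both continue outside the hunk.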
......@@ -16,3 +16,4 @@ clouditor_oauth2_port=8080
clouditor_client_id=clouditor
clouditor_client_secret=clouditor
wazuh_check_interval=300
wazuh_rule_level=10
\ No newline at end of file
......@@ -16,3 +16,4 @@ clouditor_oauth2_port=8080
clouditor_client_id=clouditor
clouditor_client_secret=clouditor
wazuh_check_interval=300
wazuh_rule_level=10
\ No newline at end of file