Merge branch 'custom-wazuh-monitoring-frequencies' into 'master'

Custom wazuh monitoring frequencies See merge request medina/security-monitoring!11

Merge branch 'custom-wazuh-monitoring-frequencies' into 'master'
5633a6b0 · Zitnik, Anze · 6fa1b60d · 54a60aa9 · 5633a6b0 · 5633a6b0
Commit 5633a6b0 authored 3 years ago by Zitnik, Anze
--- a/README.md
+++ b/README.md
@@ -45,7 +45,15 @@ In addition to Wazuh, ClamAV is also installed on agent machines.

    > Note: neither of these two files has to be changed for `security-monitoring` to work. You can (and should; in case of `.env`) leave them unchanged. 

-4. Create and provision VMs:
+4. Set `evidence-collector` package version inside `/ansible/globals/globals.yml`:
+
+    ```
+    evidence_collector_version: 'latest'
+    ```
+
+    This can be left untouched or changed to a specific version of `evidence-collector`.
+
+5. Create and provision VMs:

    ```
    $ make create provision
@@ -185,6 +193,7 @@ Wazuh manager and Evidence collector should be installed on the same, clean mach
    | ---- | ---- |
    | `elasticsearch_host_ip` | IP of the machine running Elasticsearch (same as Wazuh manager). |
    | `wazuh_manager_ip` | IP of the machine running Wazuh manager. |
+    | `evidence_collector_version` | `evidence-collector` version that will be deployed. Can be left set to `latest`. |

 6. Set custom resource ID mapping scheme used by `evidence-collector`. Change it in `/custom-provision/resource-id-map.json`.


--- a/ansible/custom-integration/tasks/main.yml
+++ b/ansible/custom-integration/tasks/main.yml
@@ -14,6 +14,8 @@
  shell: sed -i 's/\\[Service\\]/\\[Service\\]\nTimeoutStartSec=300/' /usr/lib/systemd/system/wazuh-manager.service
  become: yes
  when: "grep_timeout.rc > 0"
+  args:
+    warn: false
    
 - name: Restart wazuh-manager
  service:

--- a/ansible/globals/globals.yml
+++ b/ansible/globals/globals.yml
@@ -4,4 +4,5 @@ custom_integration_alert_level: 10
 custom_integration_alert_format: 'json'
 elasticsearch_host_ip: '192.168.33.10'
 wazuh_manager_ip: '192.168.33.10'
-wazuh_check_interval: 300
\ No newline at end of file
+wazuh_check_interval: 300   # should be the same as variable inside .env
+evidence_collector_version: 'latest'
\ No newline at end of file
--- a/ansible/provision-evidence-collector.yml
+++ b/ansible/provision-evidence-collector.yml
@@ -4,6 +4,7 @@
    become: yes
    pre_tasks:
      - import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
+      - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
    roles:   
      - docker
    tasks:
@@ -46,7 +47,7 @@
      - name: Run Docker container
        docker_container:
          name: evidence-collector
-          image: "{{ docker_registry }}/medina/evidence-collector:latest"
+          image: "{{ docker_registry }}/medina/evidence-collector:{{ evidence_collector_version }}"
          state: started
          pull: yes
          restart_policy: always

--- a/ansible/provision-managers.yml
+++ b/ansible/provision-managers.yml
@@ -13,18 +13,83 @@
      - role: custom-integration
    vars:
      single_node: true
-      wazuh_manager_integrations:
-        - name: custom-integration
-          hook_url: "{{ custom_integration_hook }}"
-          alert_level: "{{ custom_integration_alert_level }}"
-          alert_format: "{{ custom_integration_alert_format }}"
-      wazuh_manager_config:
-        email_notification: "yes"
      minimum_master_nodes: 1
      elasticsearch_node_master: true
      elasticsearch_network_host: "0.0.0.0"
      filebeat_node_name: node-1
      filebeat_output_elasticsearch_hosts: "{{ elasticsearch_host_ip }}"
+      instances:
+        node1:
+          name: node-1       # Important: must be equal to elasticsearch_node_name.
+          ip: "{{ elasticsearch_host_ip }}"
+      # ossec.conf
+      wazuh_manager_integrations:
+        - name: custom-integration
+          hook_url: "{{ custom_integration_hook }}"
+          alert_level: "{{ custom_integration_alert_level }}"
+          alert_format: "{{ custom_integration_alert_format }}"
+      wazuh_manager_email_notification: "yes"
+      wazuh_manager_rootcheck:
+        frequency: "{{ wazuh_check_interval }}"
+      wazuh_manager_syscollector:
+        disable: 'no'
+        interval: "{{ wazuh_check_interval }}"
+        scan_on_start: 'yes'
+        hardware: 'yes'
+        os: 'yes'
+        network: 'yes'
+        packages: 'yes'
+        ports_no: 'yes'
+        processes: 'yes'
+      wazuh_manager_sca:
+        enabled: 'yes'
+        scan_on_start: 'yes'
+        interval: "{{ wazuh_check_interval }}s"
+        skip_nfs: 'yes'
+        day: ''
+        wday: ''
+        time: ''
+      wazuh_manager_syscheck:
+        disable: 'no'
+        frequency: "{{ wazuh_check_interval }}"
+        scan_on_start: 'yes'
+        auto_ignore: 'no'
+        ignore:
+          - /etc/mtab
+          - /etc/hosts.deny
+          - /etc/mail/statistics
+          - /etc/random-seed
+          - /etc/random.seed
+          - /etc/adjtime
+          - /etc/httpd/logs
+          - /etc/utmpx
+          - /etc/wtmpx
+          - /etc/cups/certs
+          - /etc/dumpdates
+          - /etc/svc/volatile
+        ignore_linux_type:
+          - '.log$|.swp$'
+        no_diff:
+          - /etc/ssl/private.key
+        directories:
+          - dirs: /etc,/usr/bin,/usr/sbin
+            checks: ''
+          - dirs: /bin,/sbin,/boot
+            checks: ''
+        auto_ignore_frequency:
+          frequency: 'frequency="10"'
+          timeframe: 'timeframe="3600"'
+          value: 'no'
+        skip_nfs: 'yes'
+        skip_dev: 'yes'
+        skip_proc: 'yes'
+        skip_sys: 'yes'
+        process_priority: 10
+        max_eps: 100
+        sync_enabled: 'yes'
+        sync_interval: "{{ wazuh_check_interval }}s"
+        sync_max_interval: '1h'
+        sync_max_eps: 10
      wazuh_manager_vulnerability_detector:
        enabled: 'yes'
        interval: "{{ wazuh_check_interval }}"
@@ -54,11 +119,39 @@
            update_from_year: '2010'
            update_interval: "{{ wazuh_check_interval }}"
            name: '"nvd"'
-      instances:
-        node1:
-          name: node-1       # Important: must be equal to elasticsearch_node_name.
-          ip: "{{ elasticsearch_host_ip }}"
    tasks:
+      # agent.conf
+      - name: Install python3.6
+        package:
+          name: python36
+          state: present
+      - name: Install lxml python package
+        pip:
+          name: lxml
+          executable: pip3
+      - name: Edit agent.conf - add attribute to agent_config
+        xml:
+          path: /var/ossec/etc/shared/default/agent.conf
+          xpath: /agent_config
+          attribute: os
+          value: "Linux"
+      - name: Edit agent.conf - add syscheck config
+        xml:
+          path: /var/ossec/etc/shared/default/agent.conf
+          xpath: /agent_config/syscheck/frequency
+          value: "{{ wazuh_check_interval | string }}"
+      - name: Edit agent.conf - add rootcheck config
+        xml:
+          path: /var/ossec/etc/shared/default/agent.conf
+          xpath: /agent_config/rootcheck/frequency
+          value: "{{ wazuh_check_interval | string }}"
+      - name: Edit agent.conf - remove <?xml>
+        lineinfile:
+          dest: /var/ossec/etc/shared/default/agent.conf
+          regexp: "^<[?]xml .*[?]>"
+          state:  absent
+      - name: Verify agent.conf
+        command: /var/ossec/bin/verify-agent-conf
      - name: Install firewalld
        action: yum name=firewalld state=installed
      - name: Enable firewalld on system reboot

--- a/custom-provision/.env
+++ b/custom-provision/.env
@@ -16,3 +16,4 @@ clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
 wazuh_check_interval=300
+wazuh_rule_level=10
\ No newline at end of file
--- a/environments/full-setup/.env
+++ b/environments/full-setup/.env
@@ -16,3 +16,4 @@ clouditor_oauth2_port=8080
 clouditor_client_id=clouditor
 clouditor_client_secret=clouditor
 wazuh_check_interval=300
+wazuh_rule_level=10
\ No newline at end of file