Commit 5633a6b0 authored by Zitnik, Anze's avatar Zitnik, Anze

Merge branch 'custom-wazuh-monitoring-frequencies' into 'master'

Custom wazuh monitoring frequencies

See merge request medina/security-monitoring!11
parents 6fa1b60d 54a60aa9
......@@ -45,7 +45,15 @@ In addition to Wazuh, ClamAV is also installed on agent machines.
> Note: neither of these two files has to be changed for `security-monitoring` to work. You can (and should; in case of `.env`) leave them unchanged.
4. Create and provision VMs:
4. Set `evidence-collector` package version inside `/ansible/globals/globals.yml`:
```
evidence_collector_version: 'latest'
```
This can be left untouched or changed to a specific version of `evidence-collector`.
5. Create and provision VMs:
```
$ make create provision
......@@ -185,6 +193,7 @@ Wazuh manager and Evidence collector should be installed on the same, clean mach
| ---- | ---- |
| `elasticsearch_host_ip` | IP of the machine running Elasticsearch (same as Wazuh manager). |
| `wazuh_manager_ip` | IP of the machine running Wazuh manager. |
| `evidence_collector_version` | `evidence-collector` version that will be deployed. Can be left set to `latest`. |
6. Set custom resource ID mapping scheme used by `evidence-collector`. Change it in `/custom-provision/resource-id-map.json`.
......
......@@ -14,6 +14,8 @@
shell: sed -i 's/\\[Service\\]/\\[Service\\]\nTimeoutStartSec=300/' /usr/lib/systemd/system/wazuh-manager.service
become: yes
when: "grep_timeout.rc > 0"
args:
warn: false
- name: Restart wazuh-manager
service:
......
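Review bot: The added `args: warn: false` silences Ansible's hint that this sed-in-`shell` edit should be a module instead of acting on it, and the `warn` option itself was deprecated in ansible-core 2.13 and removed in 2.14, so on a newer controller the suppression becomes a task failure. `ansible.builtin.replace` with `path: /usr/lib/systemd/system/wazuh-manager.service`, `regexp: '^\[Service\]$'` and `replace: "[Service]\nTimeoutStartSec=300"` is idempotent on its own, which would let both the `grep_timeout` guard and the `warn` argument go. If the doubled backslashes in `s/\\[Service\\]/...` are really in the file and not a rendering artefact, the sed pattern matches a literal backslash rather than the `[Service]` header, which is worth checking on a fresh host; the module form sidesteps that too. `become: yes` should be `become: true`. The task's `name:` line is outside the hunk.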
......@@ -4,4 +4,5 @@ custom_integration_alert_level: 10
custom_integration_alert_format: 'json'
elasticsearch_host_ip: '192.168.33.10'
wazuh_manager_ip: '192.168.33.10'
wazuh_check_interval: 300
\ No newline at end of file
wazuh_check_interval: 300 # should be the same as variable inside .env
evidence_collector_version: 'latest'
\ No newline at end of file
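Review bot: `evidence_collector_version: 'latest'` makes a mutable tag the default for the evidence-collector image, so two provisioning runs can deploy different code with no record of which version went out; a default pinned to a released version, with `latest` as an explicit opt-in (or an `@sha256:` digest, the stronger form), keeps deployments reproducible. The new comment on `wazuh_check_interval` records that the same value must be kept in sync by hand with `.env`; a task that reads `.env` and `assert:`s the two values match would catch drift, which here means the alerting pipeline and the scan schedule silently disagreeing. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows.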
......@@ -4,6 +4,7 @@
become: yes
pre_tasks:
- import_tasks: "{{ ansible_dir }}/docker/credentials/vars.yml"
- import_tasks: "{{ ansible_dir }}/globals/vars.yml"
roles:
- docker
tasks:
......@@ -46,7 +47,7 @@
- name: Run Docker container
docker_container:
name: evidence-collector
image: "{{ docker_registry }}/medina/evidence-collector:latest"
image: "{{ docker_registry }}/medina/evidence-collector:{{ evidence_collector_version }}"
state: started
pull: yes
restart_policy: always
......
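Review bot: The new `image:` line builds the tag from `evidence_collector_version` with no guard, so an undefined variable renders `evidence-collector:` (an invalid reference) and, with `pull: yes` two lines below, a value of `latest` is re-pulled on every run with no way to tell afterwards which build is running; `image: "{{ docker_registry }}/medina/evidence-collector:{{ evidence_collector_version | mandatory }}"` fails early with a clear message for the undefined case, and an empty string still needs an `assert:` on the variable. The variable comes from the `globals/vars.yml` import added in the first hunk, which runs as a `pre_tasks` entry, so the ordering is fine. `become: yes` and `pull: yes` should be `true`. The play header is outside the first hunk.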
......@@ -13,18 +13,83 @@
- role: custom-integration
vars:
single_node: true
wazuh_manager_integrations:
- name: custom-integration
hook_url: "{{ custom_integration_hook }}"
alert_level: "{{ custom_integration_alert_level }}"
alert_format: "{{ custom_integration_alert_format }}"
wazuh_manager_config:
email_notification: "yes"
minimum_master_nodes: 1
elasticsearch_node_master: true
elasticsearch_network_host: "0.0.0.0"
filebeat_node_name: node-1
filebeat_output_elasticsearch_hosts: "{{ elasticsearch_host_ip }}"
instances:
node1:
name: node-1 # Important: must be equal to elasticsearch_node_name.
ip: "{{ elasticsearch_host_ip }}"
# ossec.conf
wazuh_manager_integrations:
- name: custom-integration
hook_url: "{{ custom_integration_hook }}"
alert_level: "{{ custom_integration_alert_level }}"
alert_format: "{{ custom_integration_alert_format }}"
wazuh_manager_email_notification: "yes"
wazuh_manager_rootcheck:
frequency: "{{ wazuh_check_interval }}"
wazuh_manager_syscollector:
disable: 'no'
interval: "{{ wazuh_check_interval }}"
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
wazuh_manager_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: "{{ wazuh_check_interval }}s"
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
wazuh_manager_syscheck:
disable: 'no'
frequency: "{{ wazuh_check_interval }}"
scan_on_start: 'yes'
auto_ignore: 'no'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: "{{ wazuh_check_interval }}s"
sync_max_interval: '1h'
sync_max_eps: 10
wazuh_manager_vulnerability_detector:
enabled: 'yes'
interval: "{{ wazuh_check_interval }}"
......@@ -54,11 +119,39 @@
update_from_year: '2010'
update_interval: "{{ wazuh_check_interval }}"
name: '"nvd"'
instances:
node1:
name: node-1 # Important: must be equal to elasticsearch_node_name.
ip: "{{ elasticsearch_host_ip }}"
tasks:
# agent.conf
- name: Install python3.6
package:
name: python36
state: present
- name: Install lxml python package
pip:
name: lxml
executable: pip3
- name: Edit agent.conf - add attribute to agent_config
xml:
path: /var/ossec/etc/shared/default/agent.conf
xpath: /agent_config
attribute: os
value: "Linux"
- name: Edit agent.conf - add syscheck config
xml:
path: /var/ossec/etc/shared/default/agent.conf
xpath: /agent_config/syscheck/frequency
value: "{{ wazuh_check_interval | string }}"
- name: Edit agent.conf - add rootcheck config
xml:
path: /var/ossec/etc/shared/default/agent.conf
xpath: /agent_config/rootcheck/frequency
value: "{{ wazuh_check_interval | string }}"
- name: Edit agent.conf - remove <?xml>
lineinfile:
dest: /var/ossec/etc/shared/default/agent.conf
regexp: "^<[?]xml .*[?]>"
state: absent
- name: Verify agent.conf
command: /var/ossec/bin/verify-agent-conf
- name: Install firewalld
action: yum name=firewalld state=installed
- name: Enable firewalld on system reboot
......
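Review bot: Every schedule added in the first hunk (rootcheck and syscheck `frequency`, syscollector and SCA `interval`, syscheck `sync_interval`, and the vulnerability-detector scan `interval` and NVD `update_interval`) is driven by the single `wazuh_check_interval`, which globals.yml sets to 300; a full FIM pass over `/etc,/usr/bin,/usr/sbin,/bin,/sbin,/boot` plus an SCA scan every five minutes is heavy on each agent (Wazuh's documented defaults for both are 12 hours), and refreshing the NVD feed every five minutes is constant outbound traffic for data that changes far less often. Splitting the knob, e.g. a separate `wazuh_feed_update_interval` defaulting to `1h` for `update_interval` and a separate FIM/SCA frequency, keeps the short interval only where fast detection is wanted. The variable is also used both bare and with an `s` suffix, so it is implicitly seconds; a comment next to it in globals.yml (`# seconds; some consumers append an "s" unit`) would make that explicit. In the second hunk, `pip: name: lxml` installs an unpinned package from PyPI on the manager host at provision time, which is a supply-chain exposure; pin it with `version:` or use the distribution package, and give `command: /var/ossec/bin/verify-agent-conf` a `changed_when: false` so the check stops reporting a change on every run. The play header and the remaining tasks are outside these hunks.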
......@@ -16,3 +16,4 @@ clouditor_oauth2_port=8080
clouditor_client_id=clouditor
clouditor_client_secret=clouditor
wazuh_check_interval=300
wazuh_rule_level=10
\ No newline at end of file
......@@ -16,3 +16,4 @@ clouditor_oauth2_port=8080
clouditor_client_id=clouditor
clouditor_client_secret=clouditor
wazuh_check_interval=300
wazuh_rule_level=10
\ No newline at end of file