Merge branch 'ansible-docker-deploy-ammend' into 'main'

Ansible docker deploy ammend See merge request piacere/sma-playbook!1

Merge branch 'ansible-docker-deploy-ammend' into 'main'
b7b77584 · Cernivec, Ales · 5d7597f9 · c2ad5eae · b7b77584 · b7b77584
Commit b7b77584 authored 2 years ago by Cernivec, Ales
--- a/README.md
+++ b/README.md
 # sma-playbook

 Security Monitoring Agent (Wazuh agent) deployment as a docker
+
+## Usage
+
+To build the agent's docker image on `docker` host from the `inventory`, run this command:
+
+```
+ansible-playbook build-wazuh-agent.yml -i inventory.txt
+```
+
+You could also build the image manually and push it to some other docker registry. In this case you should change the variable for the image name within `vars.yml`.
+
+To start the deployment, run this command:
+
+```
+ansible-playbook deploy-wazuh-agent.yml -i inventory.txt
+```
+
+Example of the configuration (`vars.yml`):
+
+```
+---
+service_config_dir: "{{ ansible_env.HOME }}/piacere-wazuh-agent"
+docker_image_build_dir: "{{ ansible_env.HOME }}/piacere-wazuh-agent/image"
+wazuh_manager_hostname: "wazuh-manager"
+wazuh_manager_port: "1514"
+
+wazuh_agent_network: "security-monitoring-deployment_default"
+wazuh_agent_name: "wazuh-agent-container-2"
+wazuh_agent_group: "default"
+wazuh_agent_config_volume: "{{ service_config_dir }}/ossec.conf:/var/ossec/etc/ossec.conf"
+wazuh_agent_image_name: "wazuh-agent-image"
+
+piacere_deployment_id: "123e4567-e89b-12d3-a456-426614174002"
+```
+
+All these variables can be overriden via environemnt. 
+
+### `Build Wazuh Agent` playbook
+
+It uses `community.docker.docker_image` module. It copies `docker-deploy` dir to the target and then it builds the agent's image with the name from the `vars.yml` on the target machine from the inventory. 
+
+### `Deploy Wazuh Agent` playbook
+
+It uses `community.docker.docker_container` module.  The module runs the image with a name of `wazuh-agent-deploy:latest` by default (configurable within `vars.yml`), using the network `security-monitoring-deployment_default`, on the target machine. It is very important that the Wazuh Manager runs on the same network, otherwise the agent will not be able to contact the manager. `hostname` of the Agent will be set accordingly and visible in the Manager. ENV variable `WAZUH_MANAGER` sets the hostname of the Manager running on the network mentioned above. `WAZUH_AGENT_GROUP` will also to be taken into account by the Agent deployment. `ossec.conf` from the `docker-deploy` directory will be copied to the container's `/var/ossec/` directory. 
+
+## Run the agent as a docker instance manually, not advisable
+
+Consider this section as a backup in the case you can not use the playbooks above. 
+
+Build the image
+
+```
+cd docker-deploy
+docker build -t docker-wazuh-agent:latest .
+```
+
+Run the agent attached to network `security-monitoring-deployment_default` where Wazuh Manager should be already running.
+
+```
+docker run -d --name wazuh-agent --network=security-monitoring-deployment_default --hostname localhost -e WAZUH_MANAGER=wazuh-manager -e WAZUH_AGENT_GROUP=default -v ${PWD}/ossec.conf:/var/ossec/etc/ossec.conf docker-wazuh-agent:latest
+```
\ No newline at end of file
--- a/build-wazuh-agent.yml
+++ b/build-wazuh-agent.yml
+---
+- hosts: docker
+  tasks:
+
+  - name: include vars
+    include_vars: vars.yml
+
+  - name: Copy build dir to dest
+    copy:
+      src: "./docker-deploy"
+      dest: "{{ docker_image_build_dir }}"
+      mode: 0644
+
+  - name: Build docker image
+    community.docker.docker_image:
+      build:
+        path: "{{ docker_image_build_dir }}/docker-deploy"
+      name: "{{ wazuh_agent_image_name }}"
+      tag: latest
+      source: build
\ No newline at end of file
--- a/config/ossec.conf.j2
+++ b/config/ossec.conf.j2
+<ossec_config>
+  <client>
+    <server>
+      <address>{{ wazuh_manager_hostname }}</address>
+      <port>{{ wazuh_manager_port }}</port>
+      <protocol>tcp</protocol>
+    </server>
+    <config-profile>ubuntu, ubuntu20, ubuntu20.04</config-profile>
+    <notify_time>60</notify_time>
+    <time-reconnect>120</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+  </client>
+
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+    <ca_store>etc/wpk_root.pem</ca_store>
+    <ca_verification>yes</ca_verification>
+  </active-response>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+  <labels>
+    <label key="piacere-deployment-id">{{ piacere_deployment_id }}</label>
+  </labels>
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/messages</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/secure</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/maillog</location>
+  </localfile>
+
+</ossec_config>
\ No newline at end of file
--- a/deploy-wazuh-agent.yml
+++ b/deploy-wazuh-agent.yml
+---
+- hosts: docker
+  tasks:
+
+  - name: include vars
+    include_vars: vars.yml
+
+  - name: Create config path
+    file:
+      path: "{{ service_config_dir }}"
+      state: directory
+      mode: 0755
+
+  - name: Copy config template to remote host
+    template:
+      src: "{{ playbook_dir }}/config/ossec.conf.j2"
+      dest: "{{ service_config_dir }}/ossec.conf"
+      mode: 0644
+    register: config_changed
+
+  - name: Run docker image
+    docker_container:
+      name: wazuh-agent-container
+      networks: 
+       - name: "{{ wazuh_agent_network }}"
+      image: "{{ wazuh_agent_image_name }}"
+      state: started
+      hostname: "{{ wazuh_agent_name }}"
+      auto_remove: false
+      env:
+       WAZUH_MANAGER: "{{ wazuh_manager_hostname }}"
+       WAZUH_AGENT_GROUP: "{{ wazuh_agent_group }}"
+      volumes:
+        - "{{ wazuh_agent_config_volume }}"
\ No newline at end of file
--- a/docker-deploy/Dockerfile
+++ b/docker-deploy/Dockerfile
+FROM debian:10.12-slim
+
+RUN apt-get update && apt-get install -y \
+  procps curl apt-transport-https gnupg2 inotify-tools python-docker && \
+  curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
+  echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
+  apt-get update &&  \
+  apt-get install -y lsb-release && \
+  rm -rf /var/lib/apt/lists/*
+
+RUN curl -so wazuh-agent-4.2.5.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.2.5-1_amd64.deb && dpkg -i ./wazuh-agent-4.2.5.deb
+
+COPY entrypoint.sh /entrypoint.sh
+COPY ossec.conf /var/ossec/etc/
+
+ENTRYPOINT ["bash","entrypoint.sh"]
\ No newline at end of file
--- a/docker-deploy/entrypoint.sh
+++ b/docker-deploy/entrypoint.sh
+#!/bin/bash
+
+# !
+# !CONVERT THIS CODE INTO ANSIBLE PLAYBOOK IF POSSIBLE
+# !
+
+# Start the agent
+
+/var/ossec/bin/wazuh-control start
+status=$?
+if [ $status -ne 0 ]; then
+  echo "Failed to start agent: $status"
+  exit $status
+fi
+
+echo "background jobs running, listening for changes"
+
+while sleep 60; do
+  /var/ossec/bin/wazuh-control status > /dev/null 2>&1
+  status=$?
+  if [ $status -ne 0 ]; then
+    echo "looks like the agent died."
+    exit 1
+  fi
+done
--- a/docker-deploy/ossec.conf
+++ b/docker-deploy/ossec.conf
+<ossec_config>
+  <client>
+    <server>
+      <address>wazuh-manager</address>
+      <port>1514</port>
+      <protocol>tcp</protocol>
+    </server>
+    <config-profile>ubuntu, ubuntu20, ubuntu20.04</config-profile>
+    <notify_time>60</notify_time>
+    <time-reconnect>120</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+  </client>
+
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+    <ca_store>etc/wpk_root.pem</ca_store>
+    <ca_verification>yes</ca_verification>
+  </active-response>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+  <labels>
+    <label key="piacere-deployment-id">123e4567-e89b-12d3-a456-426614174001</label>
+  </labels>
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/messages</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/secure</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/maillog</location>
+  </localfile>
+
+</ossec_config>
\ No newline at end of file
--- a/inventory.txt
+++ b/inventory.txt
+[docker]
+localhost
\ No newline at end of file
--- a/vars.yml
+++ b/vars.yml
+---
+service_config_dir: "{{ ansible_env.HOME }}/piacere-wazuh-agent"
+docker_image_build_dir: "{{ ansible_env.HOME }}/piacere-wazuh-agent/image"
+wazuh_manager_hostname: "wazuh-manager"
+wazuh_manager_port: "1514"
+
+wazuh_agent_network: "security-monitoring-deployment_default"
+wazuh_agent_name: "wazuh-agent-container-2"
+wazuh_agent_group: "default"
+wazuh_agent_config_volume: "{{ service_config_dir }}/ossec.conf:/var/ossec/etc/ossec.conf"
+wazuh_agent_image_name: "wazuh-agent-image"
+
+piacere_deployment_id: "123e4567-e89b-12d3-a456-426614174002"
\ No newline at end of file