Browse Source

Merge branch 'disable-oscap' into 'master'

disable oscap

Closes #77

See merge request main/infrastructure!81
keep-around/808f122731b2af88273ca10d8ea754ffec5877c3
Loïc Dachary 3 years ago
parent
commit
808f122731
  1. 123
      molecule/wazuh/agent.yml
  2. 2
      molecule/wazuh/wazuh-agent-playbook.yml

123
molecule/wazuh/agent.yml

@ -0,0 +1,123 @@
---
wazuh_agent_config:
active_response:
ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem'
ca_verification: 'yes'
log_format: 'plain'
client_buffer:
disable: 'no'
queue_size: '5000'
events_per_sec: '500'
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
skip_nfs: 'yes'
ignore:
- /etc/mtab
#- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
arch: 'both'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
rootcheck:
frequency: 43200
openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: '/var/ossec/wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
vuls:
disable: 'yes'
interval: '1d'
run_on_start: 'yes'
args:
- 'mincvss 5'
- 'antiquity-limit 20'
- 'updatenvd'
- 'nvd-year 2016'
- 'autoupdate'
localfiles:
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
common:
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
- format: 'command'
command: 'df -P'
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'

2
molecule/wazuh/wazuh-agent-playbook.yml

@ -2,6 +2,8 @@
- name: install wazuh-agent
hosts: wazuh_agent
become: true
vars_files:
- agent.yml
roles:
- role: ansible-wazuh-agent

Loading…
Cancel
Save