From 0344ea78788b0229550009431fb6af537dc8fa95 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 12 Feb 2020 03:34:12 +0000
Subject: [PATCH 1/3] update Wazuh path
---
 salt/common/tools/sbin/so-allow | 4 ++--
 salt/wazuh/files/wazuh-manager-whitelist | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 6e0cd1763..61df47fd0 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -86,14 +86,14 @@ echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
 # If analyst, add to Wazuh AR whitelist
 if [ "$FULLROLE" == "analyst" ]; then
- WAZUH_MGR_CFG="/opt/so/conf/wazuh/etc/ossec.conf"
+ WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
 if ! grep -q "$IP" $WAZUH_MGR_CFG ; then
 DATE=`date`
 sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
 sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
 echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG
 echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
- echo
+ echo
 echo "Restarting OSSEC Server..."
 /usr/sbin/so-wazuh-restart
 fi
diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist
index ac804e447..ab4b15fd0 100755
--- a/salt/wazuh/files/wazuh-manager-whitelist
+++ b/salt/wazuh/files/wazuh-manager-whitelist
@@ -18,7 +18,7 @@
 # Check if Wazuh enabled
 if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
- WAZUH_MGR_CFG="/opt/so/conf/wazuh/etc/ossec.conf"
+ WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
 if ! grep -q "{{ MASTERIP }}" $WAZUH_MGR_CFG ; then
 DATE=`date`
 sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
From 718dacf29a35d3cbdd247a110f3ea6e393c87ba3 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 12 Feb 2020 03:37:56 +0000
Subject: [PATCH 2/3] update Wazuh order
---
 salt/top.sls | 30 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 15 deletions(-)
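Review bot: The new path on the `WAZUH_MGR_CFG=` line is never checked for existence, and the `if ! grep -q "$IP" $WAZUH_MGR_CFG` test on the following line treats a missing file exactly like a missing entry: grep exits non-zero, the branch runs, both `sed -i` calls fail, and the `>>` append may create a fragment file at the new location (if its directory exists) before `/usr/sbin/so-wazuh-restart` is called. Since this commit exists because the path moved once already, a guard such as `[ -f "$WAZUH_MGR_CFG" ] || { echo "Wazuh config not found: $WAZUH_MGR_CFG" >&2; exit 1; }` right after the assignment would make a stale path fail loudly instead of silently producing a bogus ossec.conf; the same applies to the `WAZUH_MGR_CFG=` line in the wazuh-manager-whitelist hunk. Separately, `grep -q "$IP"` matches the address as a regular expression, so dots match any character and a check for `10.1.1.1` is also satisfied by an existing `10.1.1.10` entry, skipping a legitimate whitelist addition; `grep -qF -- "$IP"` avoids that. The enclosing if-blocks in both hunks start and end outside the shown lines.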
diff --git a/salt/top.sls b/salt/top.sls
index 6f7763c62..4af085ae1 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -56,6 +56,9 @@ base:
 {%- if OSQUERY != 0 %}
 - mysql
 {%- endif %}
+ {%- if WAZUH != 0 %}
+ - wazuh
+ {%- endif %}
 - elasticsearch
 - logstash
 - kibana
@@ -69,9 +72,6 @@ base:
 - redis
 - launcher
 {%- endif %}
- {%- if WAZUH != 0 %}
- - wazuh
- {%- endif %}
 - utility
 - schedule
 - soctopus
@@ -103,13 +103,13 @@ base:
 {%- if OSQUERY != 0 %}
 - mysql
 {%- endif %}
+ {%- if WAZUH != 0 %}
+ - wazuh
+ {%- endif %}
 - elasticsearch
 - logstash
 - kibana
 - elastalert
- {%- if WAZUH != 0 %}
- - wazuh
- {%- endif %}
 - filebeat
 - utility
 - schedule
@@ -171,12 +171,12 @@ base:
 - ssl
 - common
 - firewall
- - logstash
- - elasticsearch
- - curator
 {%- if WAZUH != 0 %}
 - wazuh
 {%- endif %}
+ - logstash
+ - elasticsearch
+ - curator
 - filebeat
 {%- if OSQUERY != 0 %}
 - launcher
@@ -209,14 +209,14 @@ base:
 {%- if OSQUERY != 0 %}
 - mysql
 {%- endif %}
+ {%- if WAZUH != 0 %}
+ - wazuh
+ {%- endif %}
 - logstash
 - elasticsearch
 - curator
 - kibana
 - elastalert
- {%- if WAZUH != 0 %}
- - wazuh
- {%- endif %}
 - filebeat
 - utility
 - schedule
@@ -244,12 +244,12 @@ base:
 - common
 - firewall
 - redis
- - logstash
- - elasticsearch
- - curator
 {%- if WAZUH != 0 %}
 - wazuh
 {%- endif %}
+ - logstash
+ - elasticsearch
+ - curator
 - filebeat
 {%- if OSQUERY != 0 %}
 - launcher
From e76dc73ea62d7335266e4ac6a93f244621e2d9dc Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 12 Feb 2020 03:44:20 +0000
Subject: [PATCH 3/3] change Wazuh install order
---
 setup/so-setup | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 4fd81629e..6d86a0b7a 100755
--- a/setup/so-setup
+++ b/setup/so-setup
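Review bot: The reordering in the `@@ -56` hunk and the four that follow it relies purely on top-file position to make `wazuh` apply before `elasticsearch`/`logstash`, but nothing in the moved lines records why that order matters or enforces it, so it only holds as long as Salt's automatic ordering of top-file entries is in effect and nobody reshuffles this file again. If a real dependency exists (the commit message says only "update Wazuh order"), it is more robust to express it inside the affected SLS with a `require:` on the specific state ids, which survives edits to top.sls. At minimum, a Jinja comment above each moved block, such as `{#- wazuh must run before the Elastic states: <reason> -#}`, would tell the next maintainer that the position is deliberate. The `base:` mapping these hunks sit in starts and ends outside the shown lines.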
@@ -382,15 +382,15 @@ if (whiptail_you_sure) ; then
 echo -e "XXX\n41\nInstalling MySQL... \nXXX"
 salt-call state.apply mysql >> $SETUPLOG 2>&1
 fi
+ if [[ $WAZUH == '1' ]]; then
+ echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
+ salt-call state.apply wazuh >> $SETUPLOG 2>&1
+ fi
 echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
 salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
 salt-call state.apply logstash >> $SETUPLOG 2>&1
 salt-call state.apply kibana >> $SETUPLOG 2>&1
 salt-call state.apply elastalert >> $SETUPLOG 2>&1
- if [[ $WAZUH == '1' ]]; then
- echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
- salt-call state.apply wazuh >> $SETUPLOG 2>&1
- fi
 echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
 salt-call state.apply filebeat >> $SETUPLOG 2>&1
 salt-call state.apply utility >> $SETUPLOG 2>&1
@@ -649,6 +649,10 @@ if (whiptail_you_sure) ; then
 if [[ $OSQUERY == '1' ]]; then
 salt-call state.apply mysql >> $SETUPLOG 2>&1
 fi
+ if [[ $WAZUH == '1' ]]; then
+ echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
+ salt-call state.apply wazuh >> $SETUPLOG 2>&1
+ fi
 echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX"
 salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
 echo -e "XXX\n40\nInstalling Logstash... \nXXX"
@@ -674,10 +678,6 @@ if (whiptail_you_sure) ; then
 salt-call state.apply fleet >> $SETUPLOG 2>&1
 salt-call state.apply redis >> $SETUPLOG 2>&1
 fi
- if [[ $WAZUH == '1' ]]; then
- echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
- salt-call state.apply wazuh >> $SETUPLOG 2>&1
- fi
 echo -e "XXX\n85\nInstalling filebeat... \nXXX"
 salt-call state.apply filebeat >> $SETUPLOG 2>&1
 salt-call state.apply utility >> $SETUPLOG 2>&1
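Review bot: The block moved in the `@@ -382` hunk keeps its old gauge value, so the whiptail progress now goes `41` (MySQL), up to `68` (Wazuh), then back down to `45` (Elastic components); the `@@ -649` hunk has the same regression with `65` landing before `35`. Renumber the moved echo lines to fit their new position, e.g. `echo -e "XXX\n43\nInstalling Wazuh... \nXXX"` in the first hunk and `echo -e "XXX\n33\nInstalling Wazuh components... \nXXX"` in the second. While these lines are being touched, the added `salt-call state.apply wazuh >> $SETUPLOG 2>&1` discards the exit status like its neighbours, so a failed Wazuh state is only discoverable by reading the log; appending `|| echo "wazuh state failed, see $SETUPLOG" >&2` would surface it without changing the install flow. The enclosing `if (whiptail_you_sure)` block starts and ends outside all three hunks.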