From e6469d505aa8931e8d6fe0e14ab44a2c0adff985 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 7 Dec 2018 18:13:42 +0000
Subject: [PATCH 1/7] Wazuh - initial init.sls

---
 salt/wazuh/init.sls | 128 ++++++++++++++++----------------------------
 1 file changed, 45 insertions(+), 83 deletions(-)

diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls
index d034cab5c..1569d9933 100644
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -1,91 +1,53 @@ -# Create a state directory +vm.max_map_count: + sysctl.present: + - value: 262144 -statedir: - file.directory: - - name: /opt/so/state +# Add ossec Group +ossecgroup: + group.present: + - name: ossec + - gid: 945 -salttmp: - file.directory: - - name: /opt/so/tmp +# Add ossecm user +ossecm: + user.present: + - uid: 943 + - gid: 945 + - home: /opt/so/wazuh + - createhome: False -# Install packages needed for the sensor +# Add ossecr user +ossecr: + user.present: + - uid: 944 + - gid: 945 + - home: /opt/so/wazuh + - createhome: False -sensorpkgs: - pkg.installed: - - skip_suggestions: True - - pkgs: - - docker-ce - - python-docker +# Add ossec user +ossec: + user.present: + - uid: 945 + - gid: 945 + - home: /opt/so/wazuh + - createhome: False -# Always keep these packages up to date +# Add wazuh agent +wazuhpkgs: + pkg.installed: + - skip_suggestions: False + - pkgs: + - wazuh-agent -alwaysupdated: - pkg.latest: - - pkgs: - - openssl - - openssh-server - - bash - - skip_suggestions: True - -# Set time to UTC - -Etc/UTC: - timezone.system - -# Set up docker network -dockernet: - docker_network.present: - - name: so-elastic-net - - driver: bridge - -# Snag the so-core docker -toosmooth/so-core:test2: - docker_image.present - -# Drop the correct nginx config based on role - -nginxconfdir: - file.directory: - - name: /opt/so/conf/nginx - - user: 939 - - group: 939 - - makedirs: True - -nginxconf: - file.managed: - - name: /opt/so/conf/nginx/nginx.conf - - user: 939 - - group: 939 - - template: jinja - - source: salt://common/nginx/nginx.conf.{{ grains.role }} - -nginxlogdir: - file.directory: - - name: /opt/so/log/nginx/ - - user: 939 - - group: 939 - -nginxtmp: - file.directory: - - name: /opt/so/tmp/nginx/tmp - - user: 939 - - group: 939 - - makedirs: True - -# Start the core docker -so-core: +so-wazuh: docker_container.running: - - image: toosmooth/so-core:test2 - - hostname: so-core - - user: socore - - binds: - - /opt/so:/opt/so:rw - - 
/opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - - /opt/so/log/nginx/:/var/log/nginx:rw - - /opt/so/tmp/nginx/:/var/lib/nginx:rw - - /opt/so/tmp/nginx/:/run:rw - - network_mode: so-elastic-net - - cap_add: NET_BIND_SERVICE + - image: soshybridhunter/so-wazuh:HH1.0.5 + - hostname: {{ hostname}}-docker + - name: so-wazuh + - user: ossec - port_bindings: - - 80:80 - - 443:443 + - 0.0.0.0:1514:1514 + - 0.0.0.0:55000:55000 + - binds: + - /opt/so/wazuh/:/var/ossec/data:rw + From 0a332047260d405d3b63b30a1a804c4873937914 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 7 Dec 2018 18:16:03 +0000 Subject: [PATCH 2/7] Setup - Only add Wazuh repo --- so-setup-network.sh | 52 ++++++++++++++++++--------------------------- 1 file changed, 21 insertions(+), 31 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 240172838..e1e98dce7 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -77,16 +77,17 @@ add_socore_user_notmaster() { add_wazuh_users() { - if [ $OS == 'centos' ]; then - local ADDUSER=adduser - else - local ADDUSER=useradd - fi + # REMARKING FOR NOW -- ADDING VIA init.sls + #if [ $OS == 'centos' ]; then + # local ADDUSER=adduser + #else + # local ADDUSER=useradd + #fi - groupadd --gid 945 ossec - $ADDUSER --uid 943 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecm - $ADDUSER --uid 944 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecr - $ADDUSER --uid 945 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossec + #groupadd --gid 945 ossec + #$ADDUSER --uid 943 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecm + #$ADDUSER --uid 944 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecr + #$ADDUSER --uid 945 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossec } @@ -891,7 +892,7 @@ update_sudoers() { } -wazuh_agent_install() { +wazuh_repo_install() { if [ $OS == 'centos' ]; then # Add repo 
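Review bot: The new `port_bindings` publish the Wazuh API on `0.0.0.0:55000`, which exposes it on every host interface, and Docker typically inserts its own iptables rules ahead of the host's INPUT policy, so the rules set by `set_initial_firewall_policy` in the setup script may not cover it. Unless remote API access is intended, bind it to loopback or the management address (`- 127.0.0.1:55000:55000`) and, if the image ships the API with its stock credentials, change them before the port is reachable. The `/opt/so/wazuh/` bind-mount source is never created by a `file.directory` state here (the old nginx directories that did this were removed), so on a fresh host Docker creates it root-owned and the container, which runs as `user: ossec`, cannot write to `/var/ossec/data`. Pinning the image by tag (`HH1.0.5`) also leaves the deployment open to tag rewrites; prefer an `@sha256:` digest once the release is cut.
```yaml
# … unchanged: ossec group and ossecm/ossecr/ossec users …

# Create the bind-mount source owned by the container user; otherwise
# Docker creates it root-owned on first start and ossec cannot write.
wazuhdir:
  file.directory:
    - name: /opt/so/wazuh
    - user: ossec
    - group: ossec
    - makedirs: True
    - require:
      - user: ossec

# … unchanged: wazuhpkgs …

so-wazuh:
  docker_container.running:
    # … unchanged: image, hostname, name, user …
    - port_bindings:
      - 0.0.0.0:1514:1514
      - 127.0.0.1:55000:55000
    - binds:
      - /opt/so/wazuh/:/var/ossec/data:rw
    - require:
      - file: wazuhdir
```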
@@ -904,22 +905,11 @@ name=Wazuh repository baseurl=https://packages.wazuh.com/3.x/yum/ protect=1 EOF - # Install agent - yum install -y wazuh-agent - # Prevent automatic upates - sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo else # Get key curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - # Add repo echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list - apt-get update -y - # Install - apt-get install -y wazuh-agent - # Prevent automatic updates - sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list - # Set package state to "hold" - echo "wazuh-agent hold" | sudo dpkg --set-selections fi } @@ -1470,11 +1460,11 @@ if (whiptail_you_sure); then echo "" add_socore_user_master - echo "** Adding Wazuh users **" - add_wazuh_users + #echo "** Adding Wazuh users **" + #add_wazuh_users - echo "** Installing Wazuh agent **" - wazuh_agent_install + echo "** Installing Wazuh repo **" + wazuh_repo_install # Install salt and dependencies echo " ** Installing Salt and Dependencies **" @@ -1562,8 +1552,8 @@ if (whiptail_you_sure); then mkdir -p /nsm get_filesystem_root get_filesystem_nsm - add_wazuh_users - wazuh_agent_install + #add_wazuh_users + wazuh_repo_install copy_ssh_key set_initial_firewall_policy create_bond @@ -1628,8 +1618,8 @@ if (whiptail_you_sure); then echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors" echo "" add_socore_user_master - add_wazuh_users - wazuh_agent_install + #add_wazuh_users + wazuh_repo_install create_bond saltify docker_install @@ -1691,8 +1681,8 @@ if (whiptail_you_sure); then mkdir -p /nsm get_filesystem_root get_filesystem_nsm - add_wazuh_users - wazuh_agent_install + #add_wazuh_users + wazuh_repo_install copy_ssh_key set_initial_firewall_policy saltify From cb68f502ee3f0925b72e699eda315ae9a71fbaae Mon Sep 17 00:00:00 2001 
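Review bot: The key import `curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -` in the Debian branch still has no failure handling: without `-f` a 4xx/5xx body is piped into apt-key, and without `pipefail` a curl failure is masked by apt-key's exit status, so setup proceeds with a missing or bogus key. Use `curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - || return 1` together with `set -o pipefail` (or a `${PIPESTATUS[0]}` check). Dropping the `enabled=0` / `#deb` / `dpkg --set-selections hold` lines also removes the only thing that kept the agent from drifting away from the manager's version, and nothing replaces it — the Salt `pkg.installed` state installs `wazuh-agent` unpinned, so a routine `apt-get upgrade`/`yum update` can move the agent while the manager stays at HH1.0.5; add `- version:` or `- hold: True` to that state. The CentOS stanza's `gpgcheck`/`gpgkey` lines sit above this hunk, so confirm they are present. `wazuh_repo_install` starts outside this hunk.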
From: Wes Lambert Date: Mon, 10 Dec 2018 19:49:14 +0000 Subject: [PATCH 3/7] Wazuh - Changes to init.sls --- salt/wazuh/init.sls | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 1569d9933..a7f06ab33 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -1,6 +1,8 @@ -vm.max_map_count: - sysctl.present: - - value: 262144 +{%- set HOSTNAME = salt['grains.get']('host', '') %} + +#vm.max_map_count: +# sysctl.present: +# - value: 262144 # Add ossec Group ossecgroup: @@ -42,12 +44,12 @@ wazuhpkgs: so-wazuh: docker_container.running: - image: soshybridhunter/so-wazuh:HH1.0.5 - - hostname: {{ hostname}}-docker + - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh - - user: ossec + - detach: True - port_bindings: - 0.0.0.0:1514:1514 - 0.0.0.0:55000:55000 - binds: - - /opt/so/wazuh/:/var/ossec/data:rw + - /opt/so/wazuh/:/var/ossec/data/:rw From e70db05a0f044684e87ea3d834e8d81fea3edf49 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 10 Dec 2018 19:50:55 +0000 Subject: [PATCH 4/7] Filebeat - Modify config for Wazuh alerts --- salt/filebeat/etc/filebeat.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 7c6e0655b..f0bbe3e11 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -1,6 +1,7 @@ {%- set MASTER = grains['master'] %} {%- set HOSTNAME = salt['grains.get']('host', '') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} +{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %} name: {{ HOSTNAME }} 
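Review bot: Removing `- user: ossec` from the `so-wazuh` container means it now runs as whatever `USER` the image sets — presumably root, which the manager may need in order to spawn its ossec/ossecm/ossecr processes, but that is not stated anywhere. With `/opt/so/wazuh/` bind-mounted read-write and 1514/55000 published on all interfaces, a compromise of the manager is then a root process in the container rather than uid 945, and the three host accounts created above serve only to pin uids for file ownership. If root is required, say so next to the state, e.g. `# image must start as root: the ossec-* daemons drop to ossec/ossecm/ossecr themselves`; otherwise restore `- user: ossec`. Either way the container should get `- cap_drop: ALL` plus only the capabilities it actually needs (the replaced so-core state already used `cap_add`), so the privilege grant is explicit.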
@@ -36,16 +37,16 @@ filebeat.prospectors: clean_removed: false close_removed: false +{%- if WAZUHENABLED != '1' %} - type: log paths: - - /alerts/alerts.json + - /wazuh/alerts/alerts.json fields: type: ossec fields_under_root: true clean_removed: false close_removed: false - - +{%- endif %} #----------------------------- Logstash output --------------------------------- output.logstash: From 25449844339bd68c74bfcbc1ca82cd1f2a3da672 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 10 Dec 2018 19:51:57 +0000 Subject: [PATCH 5/7] Wazuh - add to top.sls for Eval Mode --- salt/top.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/top.sls b/salt/top.sls index 05e027a84..413a120f6 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -33,6 +33,7 @@ base: - utility - schedule - fleet + - wazuh 'G@role:so-master': From 10d6c0f5a9d4901383dfadef36db67ee237fcac5 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 10 Dec 2018 19:55:53 +0000 Subject: [PATCH 6/7] Setup - Remark Wazuh user section completely --- so-setup-network.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index e1e98dce7..6fe2222ae 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -75,7 +75,7 @@ add_socore_user_notmaster() { } -add_wazuh_users() { +#add_wazuh_users() { # REMARKING FOR NOW -- ADDING VIA init.sls #if [ $OS == 'centos' ]; then @@ -89,7 +89,7 @@ add_wazuh_users() { #$ADDUSER --uid 944 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecr #$ADDUSER --uid 945 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossec -} +#} # Enable Bro Logs From 0f5fbadaf59ca3b2e459a7c5901fbf7fc4dccde4 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 10 Dec 2018 20:17:41 +0000 Subject: [PATCH 7/7] Filebeat - Switch negation to equals --- salt/filebeat/etc/filebeat.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
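Review bot: The guard `{%- if WAZUHENABLED != '1' %}` compares against the string `'1'`, but `salt['pillar.get']('static:wazuh_enabled', '1')` only returns a string when the pillar is unset; a pillar that sets `wazuh_enabled: 1` or `true` yields an int or bool, which never equals `'1'`, so the prospector is silently kept or dropped regardless of which operator is used. Normalise at the `set` line, `{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1')|string %}`, or compare with `|string`. The new path `/wazuh/alerts/alerts.json` is a path inside the Filebeat container, and nothing in this series mounts `/opt/so/wazuh` there; confirm the Filebeat `docker_container` state binds it, otherwise Filebeat starts cleanly and ships nothing. The `filebeat.prospectors` list continues outside the hunk.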
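Review bot: `- wazuh` is added to this target unconditionally, while the Filebeat prospector that consumes its alerts is gated on the `static:wazuh_enabled` pillar; with the pillar set to disable Wazuh the manager container would still be started and its 1514/55000 bindings still published, with only the log shipping turned off. Gate the state on the same pillar so the two agree, e.g. `{%- if salt['pillar.get']('static:wazuh_enabled', '1')|string == '1' %}` / `    - wazuh` / `{%- endif %}`. The target's label is outside the hunk; per the subject it is the Eval Mode target.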
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index f0bbe3e11..342b925a0 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -37,7 +37,8 @@ filebeat.prospectors: clean_removed: false close_removed: false -{%- if WAZUHENABLED != '1' %} +{%- if WAZUHENABLED == '1' %} + - type: log paths: - /wazuh/alerts/alerts.json