Merge pull request #51 from weslambert/master

Wazuh updates
Mike Reeves
2018-12-10 15:23:22 -05:00
committed by GitHub
4 changed files with 75 additions and 118 deletions


@@ -1,6 +1,7 @@
{%- set MASTER = grains['master'] %} {%- set MASTER = grains['master'] %}
{%- set HOSTNAME = salt['grains.get']('host', '') %} {%- set HOSTNAME = salt['grains.get']('host', '') %}
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
name: {{ HOSTNAME }} name: {{ HOSTNAME }}
@@ -36,16 +37,17 @@ filebeat.prospectors:
clean_removed: false clean_removed: false
close_removed: false close_removed: false
{%- if WAZUHENABLED == '1' %}
- type: log - type: log
paths: paths:
- /alerts/alerts.json - /wazuh/alerts/alerts.json
fields: fields:
type: ossec type: ossec
fields_under_root: true fields_under_root: true
clean_removed: false clean_removed: false
close_removed: false close_removed: false
{%- endif %}
#----------------------------- Logstash output --------------------------------- #----------------------------- Logstash output ---------------------------------
output.logstash: output.logstash:
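Review bot: The guard `{%- if WAZUHENABLED == '1' %}` on the new conditional only matches the string `'1'`, so a pillar that writes `static:wazuh_enabled: 1` (an unquoted YAML integer, the natural way to set it) renders as int 1, the comparison is false, and the ossec prospector for `/wazuh/alerts/alerts.json` is silently dropped from filebeat with no error. Normalize before comparing, e.g. `{%- if WAZUHENABLED|string == '1' %}`, or state the expected type in a comment next to the `set WAZUHENABLED` line so pillar authors quote it. The `filebeat.prospectors` list this hunk edits starts before the hunk and continues past it.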


@@ -33,6 +33,7 @@ base:
- utility - utility
- schedule - schedule
- fleet - fleet
- wazuh
'G@role:so-master': 'G@role:so-master':
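Review bot: `- wazuh` is added to this target's state list unconditionally, while the filebeat template in the same commit gates the Wazuh prospector on the `static:wazuh_enabled` pillar, so a host with that pillar set to 0 would still receive the ossec users, the `wazuh-agent` package and the manager container from the `wazuh` state but ship no alerts. Either gate the include the same way, `{%- if salt['pillar.get']('static:wazuh_enabled', '1') == '1' %}` / `- wazuh` / `{%- endif %}`, or drop the filebeat condition if Wazuh is meant to be mandatory. The target key this list belongs to starts before the hunk, so which minions it matches is not visible here.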


@@ -1,91 +1,55 @@
# Create a state directory {%- set HOSTNAME = salt['grains.get']('host', '') %}
statedir: #vm.max_map_count:
file.directory: # sysctl.present:
- name: /opt/so/state # - value: 262144
salttmp: # Add ossec Group
file.directory: ossecgroup:
- name: /opt/so/tmp group.present:
- name: ossec
- gid: 945
# Install packages needed for the sensor # Add ossecm user
ossecm:
user.present:
- uid: 943
- gid: 945
- home: /opt/so/wazuh
- createhome: False
sensorpkgs: # Add ossecr user
pkg.installed: ossecr:
- skip_suggestions: True user.present:
- pkgs: - uid: 944
- docker-ce - gid: 945
- python-docker - home: /opt/so/wazuh
- createhome: False
# Always keep these packages up to date # Add ossec user
ossec:
user.present:
- uid: 945
- gid: 945
- home: /opt/so/wazuh
- createhome: False
alwaysupdated: # Add wazuh agent
pkg.latest: wazuhpkgs:
- pkgs: pkg.installed:
- openssl - skip_suggestions: False
- openssh-server - pkgs:
- bash - wazuh-agent
- skip_suggestions: True
# Set time to UTC so-wazuh:
Etc/UTC:
timezone.system
# Set up docker network
dockernet:
docker_network.present:
- name: so-elastic-net
- driver: bridge
# Snag the so-core docker
toosmooth/so-core:test2:
docker_image.present
# Drop the correct nginx config based on role
nginxconfdir:
file.directory:
- name: /opt/so/conf/nginx
- user: 939
- group: 939
- makedirs: True
nginxconf:
file.managed:
- name: /opt/so/conf/nginx/nginx.conf
- user: 939
- group: 939
- template: jinja
- source: salt://common/nginx/nginx.conf.{{ grains.role }}
nginxlogdir:
file.directory:
- name: /opt/so/log/nginx/
- user: 939
- group: 939
nginxtmp:
file.directory:
- name: /opt/so/tmp/nginx/tmp
- user: 939
- group: 939
- makedirs: True
# Start the core docker
so-core:
docker_container.running: docker_container.running:
- image: toosmooth/so-core:test2 - image: soshybridhunter/so-wazuh:HH1.0.5
- hostname: so-core - hostname: {{HOSTNAME}}-wazuh-manager
- user: socore - name: so-wazuh
- binds: - detach: True
- /opt/so:/opt/so:rw
- /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- /opt/so/log/nginx/:/var/log/nginx:rw
- /opt/so/tmp/nginx/:/var/lib/nginx:rw
- /opt/so/tmp/nginx/:/run:rw
- network_mode: so-elastic-net
- cap_add: NET_BIND_SERVICE
- port_bindings: - port_bindings:
- 80:80 - 0.0.0.0:1514:1514
- 443:443 - 0.0.0.0:55000:55000
- binds:
- /opt/so/wazuh/:/var/ossec/data/:rw
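Review bot: The `port_bindings` on the new `so-wazuh` container publish `0.0.0.0:1514:1514` and `0.0.0.0:55000:55000`, so both the agent channel and port 55000 (the default listener for the Wazuh API) are exposed on every interface of the host; unless the setup script's `set_initial_firewall_policy` is known to block 55000, bind the API to loopback, `- 127.0.0.1:55000:55000`, or to the management address only, and document in a comment why 1514 must stay world-reachable. Two supply-chain gaps in the same block: the image is pulled by the mutable tag `soshybridhunter/so-wazuh:HH1.0.5` rather than a digest, and `wazuhpkgs` installs `wazuh-agent` via `pkg.installed` with no `version:`, whereas the setup script previously placed the package on hold, so any general `yum update`/`apt-get upgrade` can now move the agent off the version the manager image expects. Consider `- version:` pinning here (and a `# pinned to match so-wazuh image` comment) to restore that guarantee.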


@@ -75,20 +75,21 @@ add_socore_user_notmaster() {
} }
add_wazuh_users() { #add_wazuh_users() {
if [ $OS == 'centos' ]; then # REMARKING FOR NOW -- ADDING VIA init.sls
local ADDUSER=adduser #if [ $OS == 'centos' ]; then
else # local ADDUSER=adduser
local ADDUSER=useradd #else
fi # local ADDUSER=useradd
#fi
groupadd --gid 945 ossec #groupadd --gid 945 ossec
$ADDUSER --uid 943 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecm #$ADDUSER --uid 943 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecm
$ADDUSER --uid 944 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecr #$ADDUSER --uid 944 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossecr
$ADDUSER --uid 945 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossec #$ADDUSER --uid 945 --gid 945 --home-dir /opt/so/wazuh --no-create-home ossec
} #}
# Enable Bro Logs # Enable Bro Logs
@@ -891,7 +892,7 @@ update_sudoers() {
} }
wazuh_agent_install() { wazuh_repo_install() {
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
# Add repo # Add repo
@@ -904,22 +905,11 @@ name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/ baseurl=https://packages.wazuh.com/3.x/yum/
protect=1 protect=1
EOF EOF
# Install agent
yum install -y wazuh-agent
# Prevent automatic upates
sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
else else
# Get key # Get key
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
# Add repo # Add repo
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
apt-get update -y
# Install
apt-get install -y wazuh-agent
# Prevent automatic updates
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# Set package state to "hold"
echo "wazuh-agent hold" | sudo dpkg --set-selections
fi fi
} }
@@ -1470,11 +1460,11 @@ if (whiptail_you_sure); then
echo "" echo ""
add_socore_user_master add_socore_user_master
echo "** Adding Wazuh users **" #echo "** Adding Wazuh users **"
add_wazuh_users #add_wazuh_users
echo "** Installing Wazuh agent **" echo "** Installing Wazuh repo **"
wazuh_agent_install wazuh_repo_install
# Install salt and dependencies # Install salt and dependencies
echo " ** Installing Salt and Dependencies **" echo " ** Installing Salt and Dependencies **"
@@ -1562,8 +1552,8 @@ if (whiptail_you_sure); then
mkdir -p /nsm mkdir -p /nsm
get_filesystem_root get_filesystem_root
get_filesystem_nsm get_filesystem_nsm
add_wazuh_users #add_wazuh_users
wazuh_agent_install wazuh_repo_install
copy_ssh_key copy_ssh_key
set_initial_firewall_policy set_initial_firewall_policy
create_bond create_bond
@@ -1628,8 +1618,8 @@ if (whiptail_you_sure); then
echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors" echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
echo "" echo ""
add_socore_user_master add_socore_user_master
add_wazuh_users #add_wazuh_users
wazuh_agent_install wazuh_repo_install
create_bond create_bond
saltify saltify
docker_install docker_install
@@ -1691,8 +1681,8 @@ if (whiptail_you_sure); then
mkdir -p /nsm mkdir -p /nsm
get_filesystem_root get_filesystem_root
get_filesystem_nsm get_filesystem_nsm
add_wazuh_users #add_wazuh_users
wazuh_agent_install wazuh_repo_install
copy_ssh_key copy_ssh_key
set_initial_firewall_policy set_initial_firewall_policy
saltify saltify
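Review bot: In `wazuh_repo_install` the removal of the install steps also drops the lines that kept the agent version stable — the `sed -i "s/^enabled=1/enabled=0/"` on the CentOS repo and the `echo "wazuh-agent hold" | sudo dpkg --set-selections` on Debian — so the Wazuh repository now stays enabled and nothing on the host holds the package; the commit description ("Wazuh updates") does not say whether that is intentional. If the hold was dropped only because installation moved to Salt, either keep the repo-disable/hold lines after the repo is added or pin the version in the Salt state, otherwise a routine `yum update`/`apt-get upgrade` can pull an agent newer than the manager container. While this function is being reworked, the pre-existing `curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -` would be safer as `curl -sf ...` so a non-200 body is not piped into apt-key. The function's yum heredoc begins before the hunk, so whether `gpgcheck=1` is set there cannot be confirmed from this view.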