From 958ee25f6db4c11124b2b2d3629b9ad4e3a9bded Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 27 Jul 2020 11:58:12 +0000 Subject: [PATCH] Move Wazuh from /opt/so/ to /nsm/wazuh --- salt/common/tools/sbin/so-allow | 2 +- salt/filebeat/init.sls | 4 ++-- salt/logstash/init.sls | 6 +++--- salt/wazuh/files/wazuh-manager-whitelist | 2 +- salt/wazuh/init.sls | 10 +++++----- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index c6d3d6bf0..f902d659c 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -127,7 +127,7 @@ salt-call state.apply firewall queue=True if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then # If analyst, add to Wazuh AR whitelist if [ "$FULLROLE" == "analyst" ]; then - WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" + WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf" if ! grep -q "$IP" $WAZUH_MGR_CFG ; then DATE=$(date) sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 6889b892f..0d1f521e3 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -60,8 +60,8 @@ so-filebeat: - /nsm:/nsm:ro - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - - /opt/so/wazuh/logs/archives:/wazuh/archives:ro + - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro + - /nsm/wazuh/logs/archives:/wazuh/archives:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 61d6aecc1..8a3b539a2 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -169,8 +169,8 @@ so-logstash: {%- if grains['role'] == 'so-eval' %} - /nsm/zeek:/nsm/zeek:ro - /nsm/suricata:/suricata:ro - - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - - /opt/so/wazuh/logs/archives:/wazuh/archives:ro + - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro + - /nsm/wazuh/logs/archives:/wazuh/archives:ro - /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/strelka:/strelka:ro {%- endif %} @@ -184,4 +184,4 @@ so-logstash: {% endfor %} {% for TEMPLATE in TEMPLATES %} - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} -{% endfor %} \ No newline at end of file +{% endfor %} diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist index d39d68e36..8a8bc9832 100755 --- a/salt/wazuh/files/wazuh-manager-whitelist +++ b/salt/wazuh/files/wazuh-manager-whitelist @@ -20,7 +20,7 @@ local_salt_dir=/opt/so/saltstack/local # Check if Wazuh enabled if [ {{ WAZUH_ENABLED }} ]; then - WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" + WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf" if ! grep -q "{{ MANAGERIP }}" $WAZUH_MGR_CFG ; then DATE=`date` sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 2ae4ea715..22ba0940e 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -13,7 +13,7 @@ ossecm: user.present: - uid: 943 - gid: 945 - - home: /opt/so/conf/wazuh + - home: /nsm/wazuh - createhome: False - allow_uid_change: True - allow_gid_change: True @@ -23,7 +23,7 @@ ossecr: user.present: - uid: 944 - gid: 945 - - home: /opt/so/conf/wazuh + - home: /nsm/wazuh - createhome: False - allow_uid_change: True - allow_gid_change: True @@ -33,7 +33,7 @@ ossec: user.present: - uid: 945 - gid: 945 - - home: /opt/so/conf/wazuh + - home: /nsm/wazuh - createhome: False - allow_uid_change: True - allow_gid_change: True @@ -48,7 +48,7 @@ wazuhpkgs: wazuhdir: file.directory: - - name: /opt/so/wazuh + - name: /nsm/wazuh - user: 945 - group: 945 - makedirs: True @@ -94,7 +94,7 @@ so-wazuh: - 0.0.0.0:1515:1515/tcp - 0.0.0.0:55000:55000 - binds: - - /opt/so/wazuh:/var/ossec/data:rw + - /nsm/wazuh:/var/ossec/data:rw # Register the agent registertheagent: