Move Wazuh from /opt/so/ to /nsm/wazuh

salt/common/tools/sbin/so-allow

@@ -127,7 +127,7 @@ salt-call state.apply firewall queue=True
 if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
     # If analyst, add to Wazuh AR whitelist
     if [ "$FULLROLE" == "analyst" ]; then
-        WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+        WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf"
         if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
             DATE=$(date)
             sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG

salt/filebeat/init.sls

@@ -60,8 +60,8 @@ so-filebeat:
       - /nsm:/nsm:ro
       - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw
       - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
-      - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
+      - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro
-      - /opt/so/wazuh/logs/archives:/wazuh/archives:ro
+      - /nsm/wazuh/logs/archives:/wazuh/archives:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
       - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro

salt/logstash/init.sls

@@ -169,8 +169,8 @@ so-logstash:
       {%- if grains['role'] == 'so-eval' %}
       - /nsm/zeek:/nsm/zeek:ro
       - /nsm/suricata:/suricata:ro
-      - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro
+      - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro
-      - /opt/so/wazuh/logs/archives:/wazuh/archives:ro
+      - /nsm/wazuh/logs/archives:/wazuh/archives:ro
       - /opt/so/log/fleet/:/osquery/logs:ro
       - /opt/so/log/strelka:/strelka:ro
       {%- endif %}
@@ -184,4 +184,4 @@ so-logstash:
 {% endfor %}
 {% for TEMPLATE in TEMPLATES %}
       - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
-{% endfor %}
+{% endfor %}

salt/wazuh/files/wazuh-manager-whitelist

@@ -20,7 +20,7 @@ local_salt_dir=/opt/so/saltstack/local
 
 # Check if Wazuh enabled
 if [ {{ WAZUH_ENABLED }} ]; then
-      WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+      WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf"
       if ! grep -q "<white_list>{{ MANAGERIP }}</white_list>" $WAZUH_MGR_CFG ; then
               DATE=`date`
               sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG

salt/wazuh/init.sls

@@ -13,7 +13,7 @@ ossecm:
   user.present:
     - uid: 943
     - gid: 945
-    - home: /opt/so/conf/wazuh
+    - home: /nsm/wazuh
     - createhome: False
     - allow_uid_change: True
     - allow_gid_change: True
@@ -23,7 +23,7 @@ ossecr:
   user.present:
     - uid: 944
     - gid: 945
-    - home: /opt/so/conf/wazuh
+    - home: /nsm/wazuh
     - createhome: False
     - allow_uid_change: True
     - allow_gid_change: True
@@ -33,7 +33,7 @@ ossec:
   user.present:
     - uid: 945
     - gid: 945
-    - home: /opt/so/conf/wazuh
+    - home: /nsm/wazuh
     - createhome: False
     - allow_uid_change: True
     - allow_gid_change: True
@@ -48,7 +48,7 @@ wazuhpkgs:
 
 wazuhdir:
  file.directory:
-   - name: /opt/so/wazuh
+   - name: /nsm/wazuh
    - user: 945
    - group: 945
    - makedirs: True
@@ -94,7 +94,7 @@ so-wazuh:
       - 0.0.0.0:1515:1515/tcp
       - 0.0.0.0:55000:55000
     - binds:
-      - /opt/so/wazuh:/var/ossec/data:rw
+      - /nsm/wazuh:/var/ossec/data:rw
 
 # Register the agent
 registertheagent: