From 6cdf1ef857a961210f22cd51944e38469bd3c197 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 11 Dec 2018 19:44:32 +0000 Subject: [PATCH 01/14] Firewall - Add rules for Wazuh Manager --- salt/firewall/init.sls | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 71575e3d6..ef2acd81f 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,5 +1,19 @@ # Firewall Magic for the grid +{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} + +{%- set ip = salt['pillar.get']('static:masterip', '') %} + +{% elif grains['role'] == 'so-node'%} + +{%- set ip = salt['pillar.get']('node:mainip', '') %} + +{% elif grains['role'] == 'so-sensor'%} + +{%- set ip = salt['pillar.get']('node:mainip', '') %} + +{% endif %} + # Keep localhost in the game iptables_allow_localhost: iptables.append: @@ -86,6 +100,29 @@ enable_docker_user_established: - match: conntrack - ctstate: 'RELATED,ESTABLISHED' +# Add rule(s) for Wazuh manager +enable_wazuh_manager_1514_tcp_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + +enable_wazuh_manager_1514_udp_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: udp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + # Rules if you are a Master {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} #This should be more granular From 223237f8c25a31f0330a352e68fe9a2fe4aaa750 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 11 Dec 2018 19:45:56 +0000 Subject: [PATCH 02/14] Wazuh - Expose both UDP and TCP ports --- salt/wazuh/init.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index a7f06ab33..622ef20e8 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls 
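Review bot: The two `enable_wazuh_manager_1514_*` rules in the second hunk sit outside any role test, while the `{% if %}` chain in the first hunk sets `ip` only for so-master, so-eval, so-node and so-sensor and has no `{% else %}`; on any other role `ip` is never assigned, so the state file either fails to render (if Salt's Jinja treats undefined names strictly) or renders with an empty `- source:` and a state id of `enable_wazuh_manager_1514_tcp_`, and the second outcome would accept 1514 from anywhere. Wrapping both rules in `{% if ip is defined and ip %} … {% endif %}`, or moving them inside the master/eval branch where the manager container runs, keeps an unmatched role from widening the rule. As written the source is the host's own address (`static:masterip` on the master, `node:mainip` elsewhere), so remote agents reaching the manager would not match it; if that is intended, a comment saying so would help the next reader. The so-node and so-sensor branches are identical and can be folded into one `{% elif grains['role'] in ['so-node', 'so-sensor'] %}`.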
@@ -48,7 +48,8 @@ so-wazuh: - name: so-wazuh - detach: True - port_bindings: - - 0.0.0.0:1514:1514 + - 0.0.0.0:1515:1514/udp + - 0.0.0.0:1514:1514/tcp - 0.0.0.0:55000:55000 - binds: - /opt/so/wazuh/:/var/ossec/data/:rw From 9a021164ace4824cfef6976b2caf71d567b2b241 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 01:42:05 +0000 Subject: [PATCH 03/14] Wazuh - Fix port, add agent conf, and agent registration script --- salt/wazuh/files/agent/ossec.conf | 195 ++++++++++++++++++++ salt/wazuh/files/agent/wazuh-register-agent | 131 +++++++++++++ salt/wazuh/init.sls | 11 +- 3 files changed, 336 insertions(+), 1 deletion(-) create mode 100644 salt/wazuh/files/agent/ossec.conf create mode 100755 salt/wazuh/files/agent/wazuh-register-agent diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf new file mode 100644 index 000000000..c89b9ce06 --- /dev/null +++ b/salt/wazuh/files/agent/ossec.conf @@ -0,0 +1,195 @@ +{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} +{%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- endif %} + + + + + +
{{ip}}
+ 1514 + udp +
+ ubuntu, ubuntu16, ubuntu16.04 + 10 + 60 + yes + aes +
+ + + + no + 5000 + 500 + + + + + no + yes + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + /var/ossec/etc/shared/rootkit_files.txt + /var/ossec/etc/shared/rootkit_trojans.txt + + /var/ossec/etc/shared/system_audit_rcl.txt + /var/ossec/etc/shared/system_audit_ssh.txt + + yes + + + + yes + 1800 + 1d + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + + no + + + 43200 + + yes + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + /sys/kernel/security + /sys/kernel/debug + + + /etc/ssl/private.key + + yes + + + yes + + + yes + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + + + + + no + /var/ossec/etc/wpk_root.pem + yes + + + + + plain + + +
+ + + + syslog + /var/ossec/logs/active-responses.log + + + + syslog + /var/log/auth.log + + + + syslog + /var/log/syslog + + + + syslog + /var/log/dpkg.log + + + + syslog + /var/log/kern.log + + + diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent new file mode 100755 index 000000000..e9f9dbeb5 --- /dev/null +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -0,0 +1,131 @@ +#!/bin/bash + +### +# Shell script for registering agents automatically with the API +# Copyright (C) 2017 Wazuh, Inc. All rights reserved. +# Wazuh.com +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation. +### +# +# 12/11/2018 +# This script has been modified by Security Onion Solutions +# - Added Agent IP variable and option +### + +# Connection variables +API_IP="localhost" +API_PORT="55000" +PROTOCOL="https" +USER="foo" +PASSWORD="bar" +AGENT_NAME=$(hostname) +AGENT_IP="" + +display_help() { +cat < agent is not registered +# if ! [ "$AGENT_ID" -eq "$AGENT_ID" ] 2> /dev/null ; then +# echo "Starting registration process ..." +# : +# elif [[ "$FORCE" = true && "$SILENT" = "true" ]] ; then +# remove_agent > /dev/null 2>&1 +# else +# if [[ "$FORCE" = true ]] ; then +# remove_agent +# fi +# fi + +# Default action -> try to register the agent +register_agent +#remove_agent diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 622ef20e8..2dace4cac 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -41,6 +41,15 @@ wazuhpkgs: - pkgs: - wazuh-agent +# Add Wazuh agent conf +eslog4jfile: + file.managed: + - name: /var/ossec/etc/ossec.conf + - source: salt://wazuh/files/agent/ossec.conf + - user: 0 + - group: 945 + - template: jinja + so-wazuh: docker_container.running: - image: soshybridhunter/so-wazuh:HH1.0.5 
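Review bot: The `{%- set ip %}` at the top of the new agent config is guarded by `grains['role'] == 'so-master' or grains['role'] == 'so-eval'`, so when the template is rendered on a sensor or node `{{ip}}` in the server address is empty and the agent has no manager to connect to (the XML element names were stripped from this page, so the surrounding tags are inferred from the values). If the manager always runs on the master, dropping the role test and assigning `{%- set ip = salt['pillar.get']('static:masterip', '') %}` unconditionally gives every role the right address; otherwise the file needs one branch per role, as the firewall state in patch 01 does. The `full_command` entries (`netstat … | sed …`, `last -n 20`, `df -P`) appear to be the upstream Wazuh defaults; a one-line comment above them saying so would save the next reviewer from auditing them as local additions.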
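Review bot: `USER="foo"` and `PASSWORD="bar"` hard-code the Wazuh API credentials into a script that patch 05 later installs under `/usr/sbin` and patch 08 sets to `mode: 755`, so every local account on the host can read them. Patch 09 later makes this file a Salt-rendered template, which is the natural point to pull both values from pillar (patch 06 adds an `auth_pillar` call — TODO confirm which keys it provides) and to make the installed file root-only; until then a comment such as `# TODO: default Wazuh API credentials — replace before deploying` marks the hazard. Most of the body — the `display_help` heredoc, the option parsing and `register_agent` — is missing from this page, so the rest of the script could not be reviewed here.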
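Review bot: In the new `file.managed` state for `/var/ossec/etc/ossec.conf`, `- group: 945` is an unexplained numeric gid and no `- mode:` is given, so the file's permissions are whatever `file.managed` defaults to for a new file or whatever the package left behind. A comment on the gid, `- group: 945  # gid of the group created by the wazuh-agent package — TODO confirm`, and an explicit `- mode: 640` would document and pin the intent. The state id `eslog4jfile` does not describe what the state manages; patch 05 renames it, but a descriptive id from the start avoids the churn.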
@@ -48,7 +57,7 @@ so-wazuh: - name: so-wazuh - detach: True - port_bindings: - - 0.0.0.0:1515:1514/udp + - 0.0.0.0:1514:1514/udp - 0.0.0.0:1514:1514/tcp - 0.0.0.0:55000:55000 - binds: From 634c435ad60d4aab737a7fc652834cc25c3bdd79 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 01:51:30 +0000 Subject: [PATCH 04/14] Setup - Configure Wazuh agent --- so-setup-network.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index 0f563a4b3..77d77fbd5 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -220,6 +220,14 @@ configure_minion() { } +configure_wazuh_agent(){ + + # Configure Wazuh agent to talk to manager + echo "Configuring Wazuh agent to talk to manager..." + /usr/sbin/wazuh-register-agent -i $MAINIP + +} + copy_master_config() { # Copy the master config template to the proper directory @@ -1660,6 +1668,7 @@ if (whiptail_you_sure); then salt_checkin_message salt_checkin checkin_at_boot + configure_wazuh_agent whiptail_setup_complete fi From 113f03087333fc5d15565f5fb4c8f7d66c0cf9e8 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 02:26:38 +0000 Subject: [PATCH 05/14] Wazuh - Add agent register script to init.sls --- salt/wazuh/init.sls | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 2dace4cac..335f29bc9 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -42,7 +42,7 @@ wazuhpkgs: - wazuh-agent # Add Wazuh agent conf -eslog4jfile: +wazuhagentconf: file.managed: - name: /var/ossec/etc/ossec.conf - source: salt://wazuh/files/agent/ossec.conf @@ -50,6 +50,14 @@ eslog4jfile: - group: 945 - template: jinja +# Add Wazuh agent conf +wazuhagentregister: + file.managed: + - name: /usr/sbin/wazuh-agent-register + - source: salt://wazuh/files/agent/wazuh-register-agent + - user: 0 + - group: 0 + so-wazuh: docker_container.running: - image: soshybridhunter/so-wazuh:HH1.0.5 
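Review bot: In `configure_wazuh_agent` the call `/usr/sbin/wazuh-register-agent -i $MAINIP` leaves `$MAINIP` unquoted and discards the exit status, so an empty `MAINIP` silently passes no address and a failed registration is reported as success; `/usr/sbin/wazuh-register-agent -i "$MAINIP" || echo "Wazuh agent registration failed"` at least surfaces the failure. The function also assumes the wazuh state has already laid down the script; the call site after `checkin_at_boot` in the second hunk suggests that order but nothing enforces it. Patch 10 later comments the call out, leaving the function as dead code.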
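Review bot: The comment above the new `wazuhagentregister` state reads `# Add Wazuh agent conf`, copied from the state above it, and it is never corrected later in the series; it should read `# Install Wazuh agent registration script`. The state installs a script that, per patch 03, contains literal API credentials, so a `- mode:` restricting it to root belongs here rather than the `755` patch 08 adds.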
From 86a72984c76fe15331bec58caf138a5ab0e9f301 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 02:58:09 +0000 Subject: [PATCH 06/14] Setup - Add auth pillar to eval mode --- so-setup-network.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index 77d77fbd5..065847fac 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1633,6 +1633,7 @@ if (whiptail_you_sure); then CURCLOSEDAYS=30 whiptail_make_changes generate_passwords + auth_pillar clear_master mkdir -p /nsm get_filesystem_root From 1a4a7382e254257308344a8d3b07332a84ff402e Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 03:18:55 +0000 Subject: [PATCH 07/14] Wazuh - Fix Wazuh agent registration script name --- salt/wazuh/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 335f29bc9..ff6de8b84 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -53,7 +53,7 @@ wazuhagentconf: # Add Wazuh agent conf wazuhagentregister: file.managed: - - name: /usr/sbin/wazuh-agent-register + - name: /usr/sbin/wazuh-register-agent - source: salt://wazuh/files/agent/wazuh-register-agent - user: 0 - group: 0 From 823a589fae2631388d24bdee461d6bc8c10dba40 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 04:01:13 +0000 Subject: [PATCH 08/14] Wazuh - Set mode for agent registration script --- salt/wazuh/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index ff6de8b84..1d0b9a99e 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -57,6 +57,7 @@ wazuhagentregister: - source: salt://wazuh/files/agent/wazuh-register-agent - user: 0 - group: 0 + - mode: 755 so-wazuh: docker_container.running: From 8404897fe3cf7fe9dbd66b15552e8a995bbf3b05 Mon Sep 17 00:00:00 2001 
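Review bot: `- mode: 755` makes `/usr/sbin/wazuh-register-agent` world-readable, and the script as added in patch 03 carries the Wazuh API `USER` and `PASSWORD` as literals, so every local account can read the API credentials. The script appears to be run only from `so-setup-network.sh` (patch 04), which needs root for the rest of its work, so `- mode: 700` is sufficient; if other users must run it, the credentials need to move out of the file first.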
From: Wes Lambert Date: Wed, 12 Dec 2018 06:05:13 +0000 Subject: [PATCH 09/14] Wazuh - Move agent config to init.sls --- salt/wazuh/files/agent/wazuh-register-agent | 5 +++-- salt/wazuh/init.sls | 13 ++++++++----- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent index e9f9dbeb5..1854f55ff 100755 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -1,3 +1,4 @@ +{%- set ip = salt['pillar.get']('static:masterip', '') %} #!/bin/bash ### @@ -23,7 +24,7 @@ PROTOCOL="https" USER="foo" PASSWORD="bar" AGENT_NAME=$(hostname) -AGENT_IP="" +AGENT_IP="{{ip}}" display_help() { cat < Date: Wed, 12 Dec 2018 13:10:27 +0000 Subject: [PATCH 10/14] Setup - Remark Wazuh agent config --- so-setup-network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 065847fac..72496657d 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1669,7 +1669,7 @@ if (whiptail_you_sure); then salt_checkin_message salt_checkin checkin_at_boot - configure_wazuh_agent + #configure_wazuh_agent whiptail_setup_complete fi From 5822842d2e874f5b13b21924e966f7b1523ecfd4 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 13:36:13 +0000 Subject: [PATCH 11/14] Wazuh - Add sleep to wait for API --- salt/wazuh/files/agent/wazuh-register-agent | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent index 1854f55ff..b6199cf9a 100755 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -128,5 +128,6 @@ shift $(($OPTIND - 1)) # fi # Default action -> try to register the agent +sleep 10s register_agent #remove_agent From e20ab3b4073051febe20d76a843e36b87112434e Mon Sep 17 00:00:00 2001 
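Review bot: The new `{%- set ip … %}` line is placed above `#!/bin/bash`; the leading `-` strips whitespace before the tag but not the newline after it, so unless Salt's Jinja environment is configured to trim blocks the rendered file begins with a blank line and the shebang on line 2 is ignored by the kernel. A trailing strip as well, `{%- set ip = salt['pillar.get']('static:masterip', '') -%}`, keeps `#!/bin/bash` on the first line. The second hunk sets `AGENT_IP="{{ip}}"` from `static:masterip`, which is the manager's address; if this script is rendered on sensors or nodes they would register with the master's IP as their own agent IP rather than `node:mainip`, so it is worth confirming which hosts receive this file. The `salt/wazuh/init.sls` hunk of this patch is not readable on this page.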
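Review bot: `sleep 10s` before `register_agent` is a fixed delay standing in for "wait until the API answers"; on a slow host the registration still fails and on a fast one it wastes ten seconds. A bounded poll of the API port using only bash builtins and the variables already defined at the top of the script, `for _ in {1..30}; do (exec 3<>"/dev/tcp/${API_IP}/${API_PORT}") 2>/dev/null && break; sleep 2; done`, is more robust, and a comment `# wait for the Wazuh API to accept connections` explains the wait either way. `register_agent` itself is defined outside the hunk.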
From: Wes Lambert Date: Wed, 12 Dec 2018 14:48:17 +0000 Subject: [PATCH 12/14] Filebeat - Config for Wazuh alerts --- salt/filebeat/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 251274606..7563ad72a 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -61,6 +61,7 @@ so-filebeat: - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - /nsm/bro:/nsm/bro:ro - /opt/so/log/suricata:/suricata:ro + - /opt/so/wazuh/alerts/alerts.json:/wazuh/alerts/alerts.json:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro From 9d86744e076dd38ff01bd566afa3bf1ec02df29a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 15:19:51 +0000 Subject: [PATCH 13/14] Filebeat - Fix Wazuh alerts path --- salt/filebeat/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 7563ad72a..8b0ec3f4c 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -61,7 +61,7 @@ so-filebeat: - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - /nsm/bro:/nsm/bro:ro - /opt/so/log/suricata:/suricata:ro - - /opt/so/wazuh/alerts/alerts.json:/wazuh/alerts/alerts.json:ro + - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro From 8496834f8bc539e3075944fcc09938d1f7c9b768 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 15:48:59 +0000 Subject: [PATCH 14/14] Wazuh - Re-order top.sls so Filebeat does not overrite Wazuh logs --- salt/top.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/salt/top.sls b/salt/top.sls index 413a120f6..03c220047 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -29,11 +29,11 @@ base: - bro - curator - elastalert + - fleet + - wazuh - filebeat - utility - schedule - - fleet - - wazuh 'G@role:so-master':
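Review bot: Moving `fleet` and `wazuh` above `filebeat` fixes the overwrite by relying on top-file order, which is implicit and breaks silently the next time someone reorders the list. If a filebeat state writes to a path the wazuh state creates (the commit message points at the Wazuh logs directory, which patch 13 bind-mounts from `/opt/so/wazuh/logs/alerts/`, but neither state is on this page), the dependency belongs in the filebeat state as `- require: - sls: wazuh`, and a one-line comment here, `# wazuh must run before filebeat: filebeat mounts /opt/so/wazuh/logs/alerts`, records why the order matters.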