Merge pull request #52 from weslambert/master

Wazuh updates

salt/filebeat/init.sls

@@ -61,6 +61,7 @@ so-filebeat:
       - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
       - /nsm/bro:/nsm/bro:ro
       - /opt/so/log/suricata:/suricata:ro
+      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
       - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
       - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro

salt/firewall/init.sls

@@ -1,5 +1,19 @@
 # Firewall Magic for the grid
 
+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+
+{% elif grains['role'] == 'so-node'%}
+
+{%- set ip = salt['pillar.get']('node:mainip', '') %}
+
+{% elif grains['role'] == 'so-sensor'%}
+
+{%- set ip = salt['pillar.get']('node:mainip', '') %}
+
+{% endif %}
+
 # Keep localhost in the game
 iptables_allow_localhost:
   iptables.append:
@@ -86,6 +100,29 @@ enable_docker_user_established:
     - match: conntrack
     - ctstate: 'RELATED,ESTABLISHED'
 
+# Add rule(s) for Wazuh manager
+enable_wazuh_manager_1514_tcp_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 1514
+    - position: 1
+    - save: True
+
+enable_wazuh_manager_1514_udp_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: udp
+    - source: {{ ip }}
+    - dport: 1514
+    - position: 1
+    - save: True
+
 # Rules if you are a Master
 {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
 #This should be more granular

salt/top.sls

@@ -29,11 +29,11 @@ base:
     - bro
     - curator
     - elastalert
+    - fleet
+    - wazuh
     - filebeat
     - utility
     - schedule
-    - fleet
-    - wazuh
 
 
   'G@role:so-master':

salt/wazuh/files/agent/ossec.conf

@@ -0,0 +1,195 @@
+{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- endif %} 
+<!--
+  Wazuh - Agent - Default configuration for ubuntu 16.04
+  More info at: https://documentation.wazuh.com
+  Mailing list: https://groups.google.com/forum/#!forum/wazuh
+-->
+
+<ossec_config>
+  <client>
+    <server>
+      <address>{{ip}}</address>
+      <port>1514</port>
+      <protocol>udp</protocol>
+    </server>
+    <config-profile>ubuntu, ubuntu16, ubuntu16.04</config-profile>
+    <notify_time>10</notify_time>
+    <time-reconnect>60</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+  </client>
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_unixaudit>yes</check_unixaudit>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
+    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="open-scap">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+  </wodle>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+  </wodle>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
+    <directories check_all="yes">/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+    <ignore>/sys/kernel/security</ignore>
+    <ignore>/sys/kernel/debug</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+
+    <!-- Remove not monitored files -->
+    <remove_old_diff>yes</remove_old_diff>
+
+    <!-- Allow the system to restart Auditd after installing the plugin -->
+    <restart_audit>yes</restart_audit>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
+    <ca_verification>yes</ca_verification>
+  </active-response>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+</ossec_config>

salt/wazuh/files/agent/wazuh-register-agent

@@ -0,0 +1,133 @@
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+#!/bin/bash
+
+###
+#  Shell script for registering agents automatically with the API
+#  Copyright (C) 2017 Wazuh, Inc. All rights reserved.
+#  Wazuh.com
+#
+#  This program is a free software; you can redistribute it
+#  and/or modify it under the terms of the GNU General Public
+#  License (version 2) as published by the FSF - Free Software
+#  Foundation.
+###
+#
+#  12/11/2018
+#  This script has been modified by Security Onion Solutions
+#  - Added Agent IP variable and option
+###
+
+# Connection variables
+API_IP="localhost"
+API_PORT="55000"
+PROTOCOL="https"
+USER="foo"
+PASSWORD="bar"
+AGENT_NAME=$(hostname)
+AGENT_IP="{{ip}}"
+
+display_help() {
+cat <<HELP_USAGE
+
+    $0  [-h] [-f|--force] [-q|--quiet] [agent]
+
+   -h             Show this message.
+   -f|--force     Force agent removal (if already registered)
+                  The agent will be re-regitered with a new ID
+   -s|--silent    Surpress the output while removing the agent
+   agent          Agent name (if missing we will use the output
+                  of the hostname command) 
+HELP_USAGE
+}
+
+register_agent() {
+  # Adding agent and getting Id from manager
+  echo ""
+  echo "Adding agent:"
+  echo "curl -s -u $USER:**** -k -X POST -d 'name=$AGENT_NAME&ip=$AGENT_IP' $PROTOCOL://$API_IP:$API_PORT/agents"
+  API_RESULT=$(curl -s -u $USER:"$PASSWORD" -k -X POST -d 'name='$AGENT_NAME'&ip='$AGENT_IP $PROTOCOL://$API_IP:$API_PORT/agents)
+  echo -e $API_RESULT | grep -q "\"error\":0" 2>&1
+
+  if [ "$?" != "0" ]; then
+    echo -e $API_RESULT | sed -rn 's/.*"message":"(.+)".*/\1/p'
+    exit 0
+  fi
+  # Get agent id and agent key 
+  AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
+  AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
+
+  echo "Agent '$AGENT_NAME' with ID '$AGENT_ID' added."
+  echo "Key for agent '$AGENT_ID' received."
+
+  # Importing key
+  echo ""
+  echo "Importing authentication key:"
+  echo "y" | /var/ossec/bin/manage_agents -i $AGENT_KEY
+
+  # Restarting agent
+  echo ""
+  echo "Restarting:"
+  echo ""
+  /var/ossec/bin/ossec-control restart
+
+  exit 0
+}
+
+remove_agent() {
+  echo "Found: $AGENT_ID"
+  echo "Removing previous registration for '$AGENT_NAME' using ID: $AGENT_ID ..."
+  # curl -u foo:bar -k -X DELETE "https://127.0.0.1:55000/agents/001
+  REMOVE_AGENT=$(curl -s -u $USER:"$PASSWORD" -k -X DELETE $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID)
+  echo -e $REMOVE_AGENT
+}
+
+get_agent_id() {
+  echo ""
+  echo "Checking for Agent ID..."
+  AGENT_ID=$(curl -s -u $USER:"$PASSWORD" -k -X GET $PROTOCOL://$API_IP:$API_PORT/agents/name/$AGENT_NAME | rev | cut -d: -f1 | rev | grep -o '".*"' | tr -d '"')
+}
+
+# MAIN
+# ENTRY POINT
+
+while getopts ':hfsi:' OPTION; do
+  case "$OPTION" in
+    h)
+      display_help
+      exit 0
+      ;;
+    f|--force)
+      FORCE=true
+      ;;
+    i|--ip)
+      AGENT_IP=${OPTARG}
+      ;;
+    s|--silent)
+      SILENT=true
+      ;;
+  esac
+done
+# reset $1, $2 .... as normal argument after the flag
+shift $(($OPTIND - 1))
+
+# if no arguments are passed in after the flags, we assign the hostname value to the AGENT_NAME 
+#AGENT_NAME=${1:-$(hostname)}
+
+#get_agent_id
+
+# check the return value. If we get an integer back then the agent is already registered. Anything else -> agent is not registered
+#  if ! [ "$AGENT_ID" -eq "$AGENT_ID" ] 2> /dev/null ; then
+#   echo "Starting registration process ..."
+#   :
+#  elif [[ "$FORCE" = true && "$SILENT" = "true" ]] ; then
+#   remove_agent > /dev/null 2>&1
+#  else
+#    if [[ "$FORCE" = true ]] ; then
+#      remove_agent
+#    fi
+#  fi
+
+# Default action -> try to register the agent
+sleep 10s
+register_agent
+#remove_agent

salt/wazuh/init.sls

@@ -1,10 +1,6 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 
-#vm.max_map_count:
-#  sysctl.present:
-#    - value: 262144
-
-# Add ossec Group
+# Add ossec group
 ossecgroup:
   group.present:
     - name: ossec
@@ -41,6 +37,25 @@ wazuhpkgs:
    - pkgs:
      - wazuh-agent
 
+# Add Wazuh agent conf
+wazuhagentconf:
+  file.managed:
+    - name: /var/ossec/etc/ossec.conf
+    - source: salt://wazuh/files/agent/ossec.conf
+    - user: 0
+    - group: 945
+    - template: jinja
+
+# Add Wazuh agent conf
+wazuhagentregister:
+  file.managed:
+    - name: /usr/sbin/wazuh-register-agent
+    - source: salt://wazuh/files/agent/wazuh-register-agent
+    - user: 0
+    - group: 0
+    - mode: 755
+    - template: jinja
+
 so-wazuh:
   docker_container.running:
     - image: soshybridhunter/so-wazuh:HH1.0.5
@@ -48,8 +63,15 @@ so-wazuh:
     - name: so-wazuh
     - detach: True
     - port_bindings:
-      - 0.0.0.0:1514:1514
+      - 0.0.0.0:1514:1514/udp
+      - 0.0.0.0:1514:1514/tcp
       - 0.0.0.0:55000:55000
     - binds:
       - /opt/so/wazuh/:/var/ossec/data/:rw
 
+# Register the agent
+registertheagent:
+  cmd.run:
+    - name: /usr/sbin/wazuh-register-agent
+    - cwd: /
+    #- stateful: True

so-setup-network.sh

@@ -220,6 +220,14 @@ configure_minion() {
 
 }
 
+configure_wazuh_agent(){
+
+  # Configure Wazuh agent to talk to manager
+  echo "Configuring Wazuh agent to talk to manager..."
+  /usr/sbin/wazuh-register-agent -i $MAINIP
+
+}
+
 copy_master_config() {
 
   # Copy the master config template to the proper directory
@@ -1625,6 +1633,7 @@ if (whiptail_you_sure); then
     CURCLOSEDAYS=30
     whiptail_make_changes
     generate_passwords
+    auth_pillar
     clear_master
     mkdir -p /nsm
     get_filesystem_root
@@ -1660,6 +1669,7 @@ if (whiptail_you_sure); then
     salt_checkin_message
     salt_checkin
     checkin_at_boot
+    #configure_wazuh_agent
     whiptail_setup_complete
   fi