From f597b9f4e5b8c4482d0b4f2be0d7804d6040a992 Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Mon, 30 Dec 2019 19:04:54 +0000
Subject: [PATCH] add AR whitelist for Wazuh

---
 salt/common/tools/sbin/so-allow | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 1685e386a..5802427fe 100644
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -40,3 +40,21 @@ fi
 
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 /opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+
+# Check if Wazuh enabled
+if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+    # If analyst, add to Wazuh AR whitelist
+    if [ "$FULLROLE" == "analyst" ]; then
+          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+          if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
+                  DATE=`date`
+                  sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+                  sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+                  echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n  <global>\n    <white_list>$IP</white_list>\n  </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
+                  echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+                  echo
+                  echo "Restarting OSSEC Server..."
+                  /usr/sbin/so-wazuh-restart
+          fi
+     fi
+fi