From 81058daf1b3baa517203417a2283eadf59831cf9 Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Mon, 18 Feb 2019 12:59:48 +0000
Subject: [PATCH 1/4] Replace netstat with ss

The `ss` program is now the official replacement for `netstat` which is deprecated in most Linux distributions. Also replace the messy sed rules which do not work on all versions with a clean command-line that just displays the key information that does **not** change on every command run (e.g. PID) resulting in false positives.

---
roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 2 +-
roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
index e08b891d9..8ef9764e0 100644
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@@ -284,7 +284,7 @@ wazuh_agent_config:
 command: 'df -P'
 frequency: '360'
 - format: 'full_command'
- command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
+ command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
 alias: 'netstat listening ports'
 frequency: '360'
 - format: 'full_command'
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index b9817a3a8..96e6346dd 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
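Review bot: The added `ss -nutal` collects every socket, not only listening ones (`-a`), so column $6 (peer address:port) of established connections will differ from run to run and the full_command diff keeps producing the churn the commit message sets out to remove; the unchanged `alias: 'netstat listening ports'` line below also no longer describes what is collected. For a listening-only snapshot that is stable across runs use `command: ss -nutl | awk '{print $1,$5}' | sort -b | column -t` and rename the alias, e.g. `alias: 'ss listening ports'`. Dropping `-p` also drops process attribution, which is the context a defender wants when a new listening port shows up; if that was deliberate it deserves a comment on the entry, otherwise consider keeping the process name and stripping only the pid. The same change is made in the ansible-wazuh-manager/defaults/main.yml hunk of this patch and applies there as well.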
@@ -186,7 +186,7 @@ wazuh_manager_config:
 command: 'df -P'
 frequency: '360'
 - format: 'full_command'
- command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
+ command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
 alias: 'netstat listening ports'
 frequency: '360'
 - format: 'full_command'

From bcd327280ed6a19f29ee03cb3507be1749676bee Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Mon, 18 Feb 2019 13:01:42 +0000
Subject: [PATCH 2/4] Do not report virtual filesystems in df

Tell `df` not to report on virtual filesystems such as `squashfs` (used by `snapd` and always at 100%), `tmpfs` (memory-only) and `devtmpfs` (used by `udev`)

---
roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 2 +-
roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
index 8ef9764e0..32c8bdcc0 100644
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@@ -281,7 +281,7 @@ wazuh_agent_config:
 - format: 'syslog'
 location: '/var/ossec/logs/active-responses.log'
 - format: 'command'
- command: 'df -P'
+ command: df -P -x squashfs -x tmpfs -x devtmpfs
 frequency: '360'
 - format: 'full_command'
 command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index 96e6346dd..71796d9d2 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
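Review bot: The added `command: df -P -x squashfs -x tmpfs -x devtmpfs` drops the quoting that the replaced `'df -P'` and the neighbouring `frequency: '360'` and `format: 'command'` scalars use; the plain scalar parses correctly today, but quoting keeps the file consistent and protects the value if a later edit introduces `#` or `: `. Suggested line: `command: 'df -P -x squashfs -x tmpfs -x devtmpfs'`. A one-line comment above the entry recording why these three types are excluded (squashfs always reports full, tmpfs and devtmpfs are memory-backed, per the commit message) would spare the next reader a trip to the git log. The same unquoted form is added in the ansible-wazuh-manager/defaults/main.yml hunk of this patch.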
@@ -183,7 +183,7 @@ wazuh_manager_config:
 localfiles:
 common:
 - format: 'command'
- command: 'df -P'
+ command: df -P -x squashfs -x tmpfs -x devtmpfs
 frequency: '360'
 - format: 'full_command'
 command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t

From f96ab0a317e3c8bac60d50c83465c61527fe2775 Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Wed, 20 Feb 2019 13:31:24 +0000
Subject: [PATCH 3/4] Add flag to accept remote commands from manager

Without this flag the agent will not accept any system check commands (`command` and `full_command`) configured in the Wazuh Manager settings to cascade down to agents.

---
.../templates/var-ossec-etc-local-internal-options.conf.j2 | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2
index 6e3c86a84..81979e595 100644
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2
@@ -10,3 +10,7 @@ # This is the template of Ansible for the file local_internal_options.conf # In this file you could include the configuration settings for your agents + +# Logcollector - If it should accept remote commands from the manager +logcollector.remote_commands=1 +

From 7381dc8b2bcaa7f8481e35813c5a8586d399b03e Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Fri, 22 Mar 2019 00:03:42 +0000
Subject: [PATCH 4/4] Fix wazuh_manager_config.email_notification

There's no need for a complicated if..then condition here since the value is expected to be yes/no only

---
.../templates/var-ossec-etc-ossec-server.conf.j2 | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
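Review bot: `logcollector.remote_commands=1` is written into the template unconditionally, so every agent deployed by this role will execute whatever `command` and `full_command` entries the manager distributes; a compromised or misconfigured manager then has a ready path to run arbitrary commands on every agent host, and operators who never use manager-distributed commands get no way to keep the shipped default (disabled, per the commit message). Consider driving the value from a role variable whose default keeps the new behaviour, e.g. `logcollector.remote_commands={{ wazuh_agent_remote_commands | default(1) }}`, so it can be turned off per inventory group. The added comment should also state the consequence rather than just the setting name, e.g. `# Logcollector - accept command/full_command entries pushed by the manager; the manager can run arbitrary commands on this host`. The line breaks inside this hunk are collapsed in the rendering, so the position of the unchanged blank line relative to the added block is inferred rather than seen.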
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
index 71201e925..7fa9dad4e 100644
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
@@ -11,11 +11,7 @@
 {{ wazuh_manager_config.alerts_log }}
 {{ wazuh_manager_config.logall }}
 {{ wazuh_manager_config.logall_json }}
- {% if wazuh_manager_config.email_notification | lower == "yes" %}
- yes
- {% else %}
- no
- {% endif %}
+ {{ wazuh_manager_config.email_notification }}
 {% for to in wazuh_manager_config.mail_to %}
 {{ to }}
 {% endfor %}
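Review bot: The added `{{ wazuh_manager_config.email_notification }}` emits the variable verbatim, but the removed `| lower == "yes"` branch was the only thing normalising it; if `email_notification` is set as an unquoted `yes`/`no` in any vars or defaults file, Ansible's YAML loader turns it into a boolean and the template renders `True`/`False`, which ossec.conf does not accept where it expects yes/no. Whether the role's default is quoted is not visible in this hunk, so a normalising expression is the safer one-liner: `{{ 'yes' if (wazuh_manager_config.email_notification | bool) else 'no' }}` — `bool` accepts yes/no, true/false and native booleans alike. The XML element that wraps this value does not show in the hunk as rendered here, so the surrounding markup is taken on trust.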