-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathwazuh-agent.yml
103 lines (92 loc) · 3.37 KB
/
wazuh-agent.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
---
# - hosts: wazuh_manager
# remote_user: root
# name: Gather facts from manager
# tasks: [ ]
- hosts: linux_agent
become: true
pre_tasks:
- name: Update apt packages
apt:
# upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
- name: show ossec conf templating results
debug:
msg: "{{ lookup('template', './roles/wazuh-ansible/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2') }}"
# - debug:
# msg: "{{ groups }}"
# OSQuery
# tasks:
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
# add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
# apt-get update
# apt-get install osquery
# Once installed, you will need a configuration file for Osquery. If you don’t have any, you can use the following one provided by Osquery:
# cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
roles:
- roles/wazuh-ansible/roles/wazuh/ansible-wazuh-agent
- ansible-role-osquery
vars:
# hostvars[inventory_hostname] is sous-entendu
wazuh_manager_ip: "192.168.33.10"
wazuh_managers:
- address: "{{ wazuh_manager_ip }}"
port: 1514
protocol: tcp
api_port: 55000
api_proto: "https"
api_user: ansible
wazuh_agent_authd:
# authd_pass: 'foobar'
registration_address: "{{ wazuh_manager_ip }}"
enable: true
port: 1515
ssl_agent_ca: null
ssl_auto_negotiate: "no"
ssl_agent_cert: null
max_retries: 5
retry_interval: 5
wazuh_agent_config:
syscollector:
disable: "no"
interval: "10m"
os: "yes"
# OSQuery agent
osquery:
disable: "no"
run_daemon: "yes"
log_path: "/var/log/osquery/osqueryd.results.log"
config_path: "/etc/osquery/osquery.conf"
add_labels: "yes"
# debug: msg='{{ hostvars["wazuh_manager"].ansible_default_ipv4.address }} {{ hostvars["wazuh_manager"]["ansible_fqdn"] }} {{ hostvars["wazuh_manager"]["ansible_hostname"] }}'
# osquery role vars (merge)
osquery_config:
options:
config_plugin: filesystem
logger_plugin: filesystem
utc: "true"
schedule:
system_info:
query: SELECT hostname, cpu_brand, physical_memory FROM system_info;
interval: 3600
high_load_average:
query:
SELECT period, average, '70%' AS 'threshold' FROM load_average WHERE period
= '15m' AND average > '0.7';
interval: 900
description: Report if load charge is over 70 percent.
low_free_memory:
query:
SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total
AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc
< 0.1;
interval: 1800
description: Free RAM is under 10%.
packs:
osquery-monitoring: "/usr/share/osquery/packs/osquery-monitoring.conf"
incident-response: "/usr/share/osquery/packs/incident-response.conf"
it-compliance: "/usr/share/osquery/packs/it-compliance.conf"
vuln-management: "/usr/share/osquery/packs/vuln-management.conf"
hardware-monitoring: "/usr/share/osquery/packs/hardware-monitoring.conf"
ossec-rootkit: "/usr/share/osquery/packs/ossec-rootkit.conf"