Last active
February 27, 2020 11:17
-
-
Save cbluth/f5c6b14005f2529de8352f610a9543a5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
apt remove --purge wazuh-agent -y ; curl -so /tmp/wazuh-agent.deb \ | |
'https://packages.wazuh.com/3.x/apt/pool/main/w/wazuh-agent/wazuh-agent_3.11.3-1_amd64.deb' | |
sudo WAZUH_MANAGER_IP='wazuh.example.org' dpkg -i /tmp/wazuh-agent.deb | |
sed -i \ | |
's#<protocol>udp</protocol>#<protocol>tcp</protocol>#' \ | |
/var/ossec/etc/ossec.conf | |
systemctl restart wazuh-agent.service |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# elasticsearch | |
--- | |
apiVersion: v1 | |
kind: Service | |
spec: | |
clusterIP: None | |
selector: | |
app: elasticsearch | |
ports: | |
- name: es-nodes | |
port: 9300 | |
targetPort: 9300 | |
- name: es-rest | |
port: 9200 | |
targetPort: 9200 | |
metadata: | |
name: statefulset-elasticsearch | |
namespace: wazuh | |
labels: | |
app: elasticsearch | |
--- | |
apiVersion: v1 | |
kind: Service | |
spec: | |
selector: | |
app: elasticsearch | |
ports: | |
- name: es-nodes | |
port: 9300 | |
targetPort: 9300 | |
- name: es-rest | |
port: 9200 | |
targetPort: 9200 | |
metadata: | |
name: elasticsearch | |
namespace: wazuh | |
labels: | |
app: elasticsearch | |
--- | |
apiVersion: apps/v1 | |
kind: StatefulSet | |
metadata: | |
name: elasticsearch | |
namespace: wazuh | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
app: elasticsearch | |
serviceName: statefulset-elasticsearch | |
template: | |
metadata: | |
labels: | |
app: elasticsearch | |
name: elasticsearch | |
spec: | |
initContainers: | |
- name: chown | |
image: busybox | |
resources: | |
requests: | |
cpu: 50m | |
memory: 128Mi | |
limits: | |
cpu: 100m | |
memory: 256Mi | |
command: | |
- sh | |
- '-c' | |
- 'chown -R 1000:1000 /usr/share/elasticsearch/data' | |
volumeMounts: | |
- name: data | |
mountPath: /usr/share/elasticsearch/data | |
- name: vm-max-map-count | |
image: busybox | |
command: | |
- sysctl | |
- -w | |
- vm.max_map_count=262144 | |
securityContext: | |
privileged: true | |
containers: | |
- name: elasticsearch | |
image: 'wazuh/wazuh-elasticsearch:3.11.3_7.5.2' | |
resources: | |
requests: | |
cpu: 500m | |
memory: 1Gi | |
limits: | |
cpu: 1 | |
memory: 2Gi | |
env: | |
- name: ES_JAVA_OPTS | |
value: '-Xms1024m -Xmx1024m' | |
- name: bootstrap.memory_lock | |
value: 'false' | |
- name: cluster.name | |
value: wazuh | |
- name: network.host | |
value: 0.0.0.0 | |
- name: node.name | |
value: node-1 | |
volumeMounts: | |
- name: data | |
mountPath: /usr/share/elasticsearch/data | |
ports: | |
- containerPort: 9200 | |
name: es-rest | |
- containerPort: 9300 | |
name: es-nodes | |
volumes: | |
- name: data | |
glusterfs: | |
endpoints: gluster | |
path: wazuh-elasticsearch-data | |
# kibana | |
--- | |
apiVersion: v1 | |
kind: Service | |
spec: | |
selector: | |
app: kibana | |
ports: | |
- name: kibana | |
port: 5601 | |
targetPort: 5601 | |
- name: kibana-alt | |
port: 80 | |
targetPort: 5601 | |
metadata: | |
name: kibana | |
namespace: wazuh | |
labels: | |
app: kibana | |
--- | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
name: kibana | |
namespace: wazuh | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
app: kibana | |
template: | |
metadata: | |
labels: | |
app: kibana | |
name: kibana | |
spec: | |
containers: | |
- name: kibana | |
image: 'wazuh/wazuh-kibana:3.11.3_7.5.2' | |
ports: | |
- containerPort: 5601 | |
name: kibana | |
env: | |
- name: ELASTICSEARCH_URL | |
value: 'http://elasticsearch.wazuh.svc:9200' | |
- name: NODE_OPTIONS | |
value: '--max-old-space-size=512' | |
resources: | |
requests: | |
cpu: 200m | |
memory: 512Mi | |
limits: | |
cpu: 400m | |
memory: 1024Mi | |
# wazuh master | |
--- | |
apiVersion: v1 | |
kind: Service | |
spec: | |
type: ClusterIP | |
selector: | |
app: wazuh-manager | |
node-type: master | |
ports: | |
- name: agent-tcp | |
port: 1514 | |
targetPort: 1514 | |
protocol: TCP | |
- name: agent-udp | |
port: 1514 | |
targetPort: 1514 | |
protocol: UDP | |
- name: registration | |
port: 1515 | |
targetPort: 1515 | |
- name: api | |
port: 55000 | |
targetPort: 55000 | |
metadata: | |
name: wazuh # Don't change, unless you update the Wazuh Kibana app config | |
namespace: wazuh | |
labels: | |
app: wazuh-manager | |
--- | |
apiVersion: v1 | |
kind: Service | |
spec: | |
clusterIP: None | |
selector: | |
app: wazuh-manager | |
ports: | |
- name: cluster | |
port: 1516 | |
targetPort: 1516 | |
metadata: | |
name: wazuh-cluster | |
namespace: wazuh | |
labels: | |
app: wazuh-manager | |
--- | |
apiVersion: v1 | |
kind: ConfigMap | |
data: | |
# /var/ossec/etc-template/ossec.conf | |
ossec.conf: |- | |
<!-- | |
Wazuh - Manager - Default configuration for ubuntu 16.04 | |
More info at: https://documentation.wazuh.com | |
Mailing list: https://groups.google.com/forum/#!forum/wazuh | |
Customization: TCP on port 1514 | |
Customization: Cluster mode enabled, master node | |
--> | |
<ossec_config> | |
<global> | |
<jsonout_output>yes</jsonout_output> | |
<alerts_log>yes</alerts_log> | |
<logall>no</logall> | |
<logall_json>no</logall_json> | |
<email_notification>no</email_notification> | |
<smtp_server>smtp.example.wazuh.com</smtp_server> | |
<email_from>ossecm@example.wazuh.com</email_from> | |
<email_to>recipient@example.wazuh.com</email_to> | |
<email_maxperhour>12</email_maxperhour> | |
<queue_size>131072</queue_size> | |
</global> | |
<alerts> | |
<log_alert_level>3</log_alert_level> | |
<email_alert_level>12</email_alert_level> | |
</alerts> | |
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs --> | |
<logging> | |
<log_format>plain</log_format> | |
</logging> | |
<remote> | |
<connection>secure</connection> | |
<port>1514</port> | |
<protocol>tcp</protocol> | |
<queue_size>131072</queue_size> | |
</remote> | |
<!-- Policy monitoring --> | |
<rootcheck> | |
<disabled>no</disabled> | |
<check_unixaudit>yes</check_unixaudit> | |
<check_files>yes</check_files> | |
<check_trojans>yes</check_trojans> | |
<check_dev>yes</check_dev> | |
<check_sys>yes</check_sys> | |
<check_pids>yes</check_pids> | |
<check_ports>yes</check_ports> | |
<check_if>yes</check_if> | |
<!-- Frequency that rootcheck is executed - every 12 hours --> | |
<frequency>43200</frequency> | |
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files> | |
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans> | |
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit> | |
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit> | |
<skip_nfs>yes</skip_nfs> | |
</rootcheck> | |
<wodle name="open-scap"> | |
<disabled>yes</disabled> | |
<timeout>1800</timeout> | |
<interval>1d</interval> | |
<scan-on-start>yes</scan-on-start> | |
</wodle> | |
<wodle name="cis-cat"> | |
<disabled>yes</disabled> | |
<timeout>1800</timeout> | |
<interval>1d</interval> | |
<scan-on-start>yes</scan-on-start> | |
<java_path>wodles/java</java_path> | |
<ciscat_path>wodles/ciscat</ciscat_path> | |
</wodle> | |
<!-- Osquery integration --> | |
<wodle name="osquery"> | |
<disabled>yes</disabled> | |
<run_daemon>yes</run_daemon> | |
<log_path>/var/log/osquery/osqueryd.results.log</log_path> | |
<config_path>/etc/osquery/osquery.conf</config_path> | |
<add_labels>yes</add_labels> | |
</wodle> | |
<!-- System inventory --> | |
<wodle name="syscollector"> | |
<disabled>no</disabled> | |
<interval>1h</interval> | |
<scan_on_start>yes</scan_on_start> | |
<hardware>yes</hardware> | |
<os>yes</os> | |
<network>yes</network> | |
<packages>yes</packages> | |
<ports all="no">yes</ports> | |
<processes>yes</processes> | |
</wodle> | |
<wodle name="vulnerability-detector"> | |
<disabled>yes</disabled> | |
<interval>1m</interval> | |
<run_on_start>yes</run_on_start> | |
<feed name="ubuntu-18"> | |
<disabled>yes</disabled> | |
<update_interval>1h</update_interval> | |
</feed> | |
<feed name="redhat-7"> | |
<disabled>yes</disabled> | |
<update_interval>1h</update_interval> | |
</feed> | |
<feed name="debian-9"> | |
<disabled>yes</disabled> | |
<update_interval>1h</update_interval> | |
</feed> | |
</wodle> | |
<!-- File integrity monitoring --> | |
<syscheck> | |
<disabled>no</disabled> | |
<!-- Frequency that syscheck is executed default every 12 hours --> | |
<frequency>43200</frequency> | |
<scan_on_start>yes</scan_on_start> | |
<!-- Generate alert when new file detected --> | |
<alert_new_files>yes</alert_new_files> | |
<!-- Don't ignore files that change more than 'frequency' times --> | |
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore> | |
<!-- Directories to check (perform all possible verifications) --> | |
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> | |
<directories check_all="yes">/bin,/sbin,/boot</directories> | |
<!-- Files/directories to ignore --> | |
<ignore>/etc/mtab</ignore> | |
<ignore>/etc/hosts.deny</ignore> | |
<ignore>/etc/mail/statistics</ignore> | |
<ignore>/etc/random-seed</ignore> | |
<ignore>/etc/random.seed</ignore> | |
<ignore>/etc/adjtime</ignore> | |
<ignore>/etc/httpd/logs</ignore> | |
<ignore>/etc/utmpx</ignore> | |
<ignore>/etc/wtmpx</ignore> | |
<ignore>/etc/cups/certs</ignore> | |
<ignore>/etc/dumpdates</ignore> | |
<ignore>/etc/svc/volatile</ignore> | |
<ignore>/sys/kernel/security</ignore> | |
<ignore>/sys/kernel/debug</ignore> | |
<!-- Check the file, but never compute the diff --> | |
<nodiff>/etc/ssl/private.key</nodiff> | |
<skip_nfs>yes</skip_nfs> | |
<!-- Remove not monitored files --> | |
<remove_old_diff>yes</remove_old_diff> | |
<!-- Allow the system to restart Auditd after installing the plugin --> | |
<restart_audit>yes</restart_audit> | |
</syscheck> | |
<!-- Active response --> | |
<global> | |
<white_list>127.0.0.1</white_list> | |
<white_list>^localhost.localdomain$</white_list> | |
<white_list>10.66.0.2</white_list> | |
</global> | |
<command> | |
<name>disable-account</name> | |
<executable>disable-account.sh</executable> | |
<expect>user</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>restart-ossec</name> | |
<executable>restart-ossec.sh</executable> | |
<expect></expect> | |
</command> | |
<command> | |
<name>firewall-drop</name> | |
<executable>firewall-drop.sh</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>host-deny</name> | |
<executable>host-deny.sh</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>route-null</name> | |
<executable>route-null.sh</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>win_route-null</name> | |
<executable>route-null.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>win_route-null-2012</name> | |
<executable>route-null-2012.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>netsh</name> | |
<executable>netsh.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>netsh-win-2016</name> | |
<executable>netsh-win-2016.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<!-- | |
<active-response> | |
active-response options here | |
</active-response> | |
--> | |
<!-- Log analysis --> | |
<localfile> | |
<log_format>command</log_format> | |
<command>df -P</command> | |
<frequency>360</frequency> | |
</localfile> | |
<localfile> | |
<log_format>full_command</log_format> | |
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command> | |
<alias>netstat listening ports</alias> | |
<frequency>360</frequency> | |
</localfile> | |
<localfile> | |
<log_format>full_command</log_format> | |
<command>last -n 20</command> | |
<frequency>360</frequency> | |
</localfile> | |
<ruleset> | |
<!-- Default ruleset --> | |
<decoder_dir>ruleset/decoders</decoder_dir> | |
<rule_dir>ruleset/rules</rule_dir> | |
<rule_exclude>0215-policy_rules.xml</rule_exclude> | |
<list>etc/lists/audit-keys</list> | |
<list>etc/lists/amazon/aws-sources</list> | |
<list>etc/lists/amazon/aws-eventnames</list> | |
<!-- User-defined ruleset --> | |
<decoder_dir>etc/decoders</decoder_dir> | |
<rule_dir>etc/rules</rule_dir> | |
</ruleset> | |
<!-- Configuration for ossec-authd | |
To enable this service, run: | |
ossec-control enable auth | |
--> | |
<auth> | |
<disabled>no</disabled> | |
<port>1515</port> | |
<use_source_ip>no</use_source_ip> | |
<force_insert>no</force_insert> | |
<force_time>0</force_time> | |
<purge>no</purge> | |
<use_password>no</use_password> | |
<limit_maxagents>yes</limit_maxagents> | |
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers> | |
<!-- <ssl_agent_ca></ssl_agent_ca> --> | |
<ssl_verify_host>no</ssl_verify_host> | |
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert> | |
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key> | |
<ssl_auto_negotiate>no</ssl_auto_negotiate> | |
</auth> | |
<cluster> | |
<name>wazuh</name> | |
<node_name>wazuh-manager-master</node_name> | |
<node_type>master</node_type> | |
<!-- TODO: Don't hardcode the key! (and change it) --> | |
<key>123a45bc67def891gh23i45jk67l8mn9</key> | |
<port>1516</port> | |
<bind_addr>0.0.0.0</bind_addr> | |
<nodes> | |
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node> | |
</nodes> | |
<hidden>no</hidden> | |
<disabled>no</disabled> | |
</cluster> | |
</ossec_config> | |
<ossec_config> | |
<localfile> | |
<log_format>syslog</log_format> | |
<location>/var/ossec/logs/active-responses.log</location> | |
</localfile> | |
<localfile> | |
<log_format>syslog</log_format> | |
<location>/var/log/syslog</location> | |
</localfile> | |
<localfile> | |
<log_format>syslog</log_format> | |
<location>/var/log/dpkg.log</location> | |
</localfile> | |
</ossec_config> | |
metadata: | |
name: wazuh-manager-master-conf | |
namespace: wazuh | |
--- | |
apiVersion: apps/v1 | |
kind: StatefulSet | |
metadata: | |
name: wazuh-manager-master | |
namespace: wazuh | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
app: wazuh-manager | |
node-type: master | |
serviceName: wazuh-cluster | |
podManagementPolicy: Parallel | |
template: | |
metadata: | |
labels: | |
app: wazuh-manager | |
node-type: master | |
name: wazuh-manager-master | |
spec: | |
containers: | |
- name: wazuh-manager | |
image: 'wazuh/wazuh:3.11.3_7.5.2' | |
resources: | |
requests: | |
cpu: 1 | |
memory: 1024Mi | |
limits: | |
cpu: 1 | |
memory: 2048Mi | |
volumeMounts: | |
- name: config | |
mountPath: /wazuh-config-mount/etc/ossec.conf | |
subPath: ossec.conf | |
readOnly: true | |
- name: data | |
mountPath: /var/ossec/data | |
ports: | |
- containerPort: 1515 | |
name: registration | |
- containerPort: 1516 | |
name: cluster | |
- containerPort: 55000 | |
name: api | |
volumes: | |
- name: data | |
glusterfs: | |
endpoints: gluster | |
path: wazuh-master | |
- name: config | |
configMap: | |
name: wazuh-manager-master-conf | |
# wazuh workers | |
--- | |
apiVersion: v1 | |
kind: Service | |
spec: | |
type: ClusterIP | |
selector: | |
app: wazuh-manager | |
node-type: worker | |
ports: | |
- name: agent-tcp | |
port: 1514 | |
targetPort: 1514 | |
protocol: TCP | |
- name: agent-udp | |
port: 1514 | |
targetPort: 1514 | |
protocol: UDP | |
metadata: | |
name: wazuh-workers | |
namespace: wazuh | |
labels: | |
app: wazuh-manager | |
--- | |
apiVersion: v1 | |
kind: ConfigMap | |
data: | |
# /var/ossec/etc-template/ossec.conf | |
ossec.conf: |- | |
<!-- | |
Wazuh - Manager - Default configuration for ubuntu 16.04 | |
More info at: https://documentation.wazuh.com | |
Mailing list: https://groups.google.com/forum/#!forum/wazuh | |
Customization: TCP on port 1514 | |
Customization: Cluster mode enabled, worker node | |
--> | |
<ossec_config> | |
<global> | |
<jsonout_output>yes</jsonout_output> | |
<alerts_log>yes</alerts_log> | |
<logall>no</logall> | |
<logall_json>no</logall_json> | |
<email_notification>no</email_notification> | |
<smtp_server>smtp.example.wazuh.com</smtp_server> | |
<email_from>ossecm@example.wazuh.com</email_from> | |
<email_to>recipient@example.wazuh.com</email_to> | |
<email_maxperhour>12</email_maxperhour> | |
<queue_size>131072</queue_size> | |
</global> | |
<alerts> | |
<log_alert_level>3</log_alert_level> | |
<email_alert_level>12</email_alert_level> | |
</alerts> | |
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs --> | |
<logging> | |
<log_format>plain</log_format> | |
</logging> | |
<remote> | |
<connection>secure</connection> | |
<port>1514</port> | |
<protocol>tcp</protocol> | |
<queue_size>131072</queue_size> | |
</remote> | |
<!-- Policy monitoring --> | |
<rootcheck> | |
<disabled>no</disabled> | |
<check_unixaudit>yes</check_unixaudit> | |
<check_files>yes</check_files> | |
<check_trojans>yes</check_trojans> | |
<check_dev>yes</check_dev> | |
<check_sys>yes</check_sys> | |
<check_pids>yes</check_pids> | |
<check_ports>yes</check_ports> | |
<check_if>yes</check_if> | |
<!-- Frequency that rootcheck is executed - every 12 hours --> | |
<frequency>43200</frequency> | |
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files> | |
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans> | |
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit> | |
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit> | |
<skip_nfs>yes</skip_nfs> | |
</rootcheck> | |
<wodle name="open-scap"> | |
<disabled>yes</disabled> | |
<timeout>1800</timeout> | |
<interval>1d</interval> | |
<scan-on-start>yes</scan-on-start> | |
</wodle> | |
<wodle name="cis-cat"> | |
<disabled>yes</disabled> | |
<timeout>1800</timeout> | |
<interval>1d</interval> | |
<scan-on-start>yes</scan-on-start> | |
<java_path>wodles/java</java_path> | |
<ciscat_path>wodles/ciscat</ciscat_path> | |
</wodle> | |
<!-- Osquery integration --> | |
<wodle name="osquery"> | |
<disabled>yes</disabled> | |
<run_daemon>yes</run_daemon> | |
<log_path>/var/log/osquery/osqueryd.results.log</log_path> | |
<config_path>/etc/osquery/osquery.conf</config_path> | |
<add_labels>yes</add_labels> | |
</wodle> | |
<!-- System inventory --> | |
<wodle name="syscollector"> | |
<disabled>no</disabled> | |
<interval>1h</interval> | |
<scan_on_start>yes</scan_on_start> | |
<hardware>yes</hardware> | |
<os>yes</os> | |
<network>yes</network> | |
<packages>yes</packages> | |
<ports all="no">yes</ports> | |
<processes>yes</processes> | |
</wodle> | |
<wodle name="vulnerability-detector"> | |
<disabled>yes</disabled> | |
<interval>1m</interval> | |
<run_on_start>yes</run_on_start> | |
<feed name="ubuntu-18"> | |
<disabled>yes</disabled> | |
<update_interval>1h</update_interval> | |
</feed> | |
<feed name="redhat-7"> | |
<disabled>yes</disabled> | |
<update_interval>1h</update_interval> | |
</feed> | |
<feed name="debian-9"> | |
<disabled>yes</disabled> | |
<update_interval>1h</update_interval> | |
</feed> | |
</wodle> | |
<!-- File integrity monitoring --> | |
<syscheck> | |
<disabled>no</disabled> | |
<!-- Frequency that syscheck is executed default every 12 hours --> | |
<frequency>43200</frequency> | |
<scan_on_start>yes</scan_on_start> | |
<!-- Generate alert when new file detected --> | |
<alert_new_files>yes</alert_new_files> | |
<!-- Don't ignore files that change more than 'frequency' times --> | |
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore> | |
<!-- Directories to check (perform all possible verifications) --> | |
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> | |
<directories check_all="yes">/bin,/sbin,/boot</directories> | |
<!-- Files/directories to ignore --> | |
<ignore>/etc/mtab</ignore> | |
<ignore>/etc/hosts.deny</ignore> | |
<ignore>/etc/mail/statistics</ignore> | |
<ignore>/etc/random-seed</ignore> | |
<ignore>/etc/random.seed</ignore> | |
<ignore>/etc/adjtime</ignore> | |
<ignore>/etc/httpd/logs</ignore> | |
<ignore>/etc/utmpx</ignore> | |
<ignore>/etc/wtmpx</ignore> | |
<ignore>/etc/cups/certs</ignore> | |
<ignore>/etc/dumpdates</ignore> | |
<ignore>/etc/svc/volatile</ignore> | |
<ignore>/sys/kernel/security</ignore> | |
<ignore>/sys/kernel/debug</ignore> | |
<!-- Check the file, but never compute the diff --> | |
<nodiff>/etc/ssl/private.key</nodiff> | |
<skip_nfs>yes</skip_nfs> | |
<!-- Remove not monitored files --> | |
<remove_old_diff>yes</remove_old_diff> | |
<!-- Allow the system to restart Auditd after installing the plugin --> | |
<restart_audit>yes</restart_audit> | |
</syscheck> | |
<!-- Active response --> | |
<global> | |
<white_list>127.0.0.1</white_list> | |
<white_list>^localhost.localdomain$</white_list> | |
<white_list>10.66.0.2</white_list> | |
</global> | |
<command> | |
<name>disable-account</name> | |
<executable>disable-account.sh</executable> | |
<expect>user</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>restart-ossec</name> | |
<executable>restart-ossec.sh</executable> | |
<expect></expect> | |
</command> | |
<command> | |
<name>firewall-drop</name> | |
<executable>firewall-drop.sh</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>host-deny</name> | |
<executable>host-deny.sh</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>route-null</name> | |
<executable>route-null.sh</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>win_route-null</name> | |
<executable>route-null.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>win_route-null-2012</name> | |
<executable>route-null-2012.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>netsh</name> | |
<executable>netsh.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>netsh-win-2016</name> | |
<executable>netsh-win-2016.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<!-- | |
<active-response> | |
active-response options here | |
</active-response> | |
--> | |
<!-- Log analysis --> | |
<localfile> | |
<log_format>command</log_format> | |
<command>df -P</command> | |
<frequency>360</frequency> | |
</localfile> | |
<localfile> | |
<log_format>full_command</log_format> | |
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command> | |
<alias>netstat listening ports</alias> | |
<frequency>360</frequency> | |
</localfile> | |
<localfile> | |
<log_format>full_command</log_format> | |
<command>last -n 20</command> | |
<frequency>360</frequency> | |
</localfile> | |
<ruleset> | |
<!-- Default ruleset --> | |
<decoder_dir>ruleset/decoders</decoder_dir> | |
<rule_dir>ruleset/rules</rule_dir> | |
<rule_exclude>0215-policy_rules.xml</rule_exclude> | |
<list>etc/lists/audit-keys</list> | |
<list>etc/lists/amazon/aws-sources</list> | |
<list>etc/lists/amazon/aws-eventnames</list> | |
<!-- User-defined ruleset --> | |
<decoder_dir>etc/decoders</decoder_dir> | |
<rule_dir>etc/rules</rule_dir> | |
</ruleset> | |
<!-- Configuration for ossec-authd | |
To enable this service, run: | |
ossec-control enable auth | |
--> | |
<auth> | |
<disabled>no</disabled> | |
<port>1515</port> | |
<use_source_ip>no</use_source_ip> | |
<force_insert>no</force_insert> | |
<force_time>0</force_time> | |
<purge>no</purge> | |
<use_password>no</use_password> | |
<limit_maxagents>yes</limit_maxagents> | |
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers> | |
<!-- <ssl_agent_ca></ssl_agent_ca> --> | |
<ssl_verify_host>no</ssl_verify_host> | |
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert> | |
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key> | |
<ssl_auto_negotiate>no</ssl_auto_negotiate> | |
</auth> | |
<cluster> | |
<name>wazuh</name> | |
<node_name>wazuh-manager-worker-0</node_name> | |
<node_type>worker</node_type> | |
<!-- TODO: Don't hardcode the key! (and change it) --> | |
<key>123a45bc67def891gh23i45jk67l8mn9</key> | |
<port>1516</port> | |
<bind_addr>0.0.0.0</bind_addr> | |
<nodes> | |
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node> | |
</nodes> | |
<hidden>no</hidden> | |
<disabled>no</disabled> | |
</cluster> | |
</ossec_config> | |
<ossec_config> | |
<localfile> | |
<log_format>syslog</log_format> | |
<location>/var/ossec/logs/active-responses.log</location> | |
</localfile> | |
<localfile> | |
<log_format>syslog</log_format> | |
<location>/var/log/syslog</location> | |
</localfile> | |
<localfile> | |
<log_format>syslog</log_format> | |
<location>/var/log/dpkg.log</location> | |
</localfile> | |
</ossec_config> | |
metadata: | |
name: wazuh-manager-worker-0-conf | |
namespace: wazuh | |
--- | |
apiVersion: v1 | |
kind: ConfigMap | |
data: | |
# /var/ossec/etc-template/ossec.conf | |
ossec.conf: |- | |
<!-- | |
Wazuh - Manager - Default configuration for ubuntu 16.04 | |
More info at: https://documentation.wazuh.com | |
Mailing list: https://groups.google.com/forum/#!forum/wazuh | |
Customization: TCP on port 1514 | |
Customization: Cluster mode enabled, worker node | |
--> | |
<ossec_config> | |
<global> | |
<jsonout_output>yes</jsonout_output> | |
<alerts_log>yes</alerts_log> | |
<logall>no</logall> | |
<logall_json>no</logall_json> | |
<email_notification>no</email_notification> | |
<smtp_server>smtp.example.wazuh.com</smtp_server> | |
<email_from>ossecm@example.wazuh.com</email_from> | |
<email_to>recipient@example.wazuh.com</email_to> | |
<email_maxperhour>12</email_maxperhour> | |
<queue_size>131072</queue_size> | |
</global> | |
<alerts> | |
<log_alert_level>3</log_alert_level> | |
<email_alert_level>12</email_alert_level> | |
</alerts> | |
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs --> | |
<logging> | |
<log_format>plain</log_format> | |
</logging> | |
<remote> | |
<connection>secure</connection> | |
<port>1514</port> | |
<protocol>tcp</protocol> | |
<queue_size>131072</queue_size> | |
</remote> | |
<!-- Policy monitoring --> | |
<rootcheck> | |
<disabled>no</disabled> | |
<check_unixaudit>yes</check_unixaudit> | |
<check_files>yes</check_files> | |
<check_trojans>yes</check_trojans> | |
<check_dev>yes</check_dev> | |
<check_sys>yes</check_sys> | |
<check_pids>yes</check_pids> | |
<check_ports>yes</check_ports> | |
<check_if>yes</check_if> | |
<!-- Frequency that rootcheck is executed - every 12 hours --> | |
<frequency>43200</frequency> | |
<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files> | |
<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans> | |
<system_audit>/var/ossec/etc/rootcheck/system_audit_rcl.txt</system_audit> | |
<system_audit>/var/ossec/etc/rootcheck/system_audit_ssh.txt</system_audit> | |
<skip_nfs>yes</skip_nfs> | |
</rootcheck> | |
<wodle name="open-scap"> | |
<disabled>yes</disabled> | |
<timeout>1800</timeout> | |
<interval>1d</interval> | |
<scan-on-start>yes</scan-on-start> | |
</wodle> | |
<wodle name="cis-cat"> | |
<disabled>yes</disabled> | |
<timeout>1800</timeout> | |
<interval>1d</interval> | |
<scan-on-start>yes</scan-on-start> | |
<java_path>wodles/java</java_path> | |
<ciscat_path>wodles/ciscat</ciscat_path> | |
</wodle> | |
<!-- Osquery integration --> | |
<wodle name="osquery"> | |
<disabled>yes</disabled> | |
<run_daemon>yes</run_daemon> | |
<log_path>/var/log/osquery/osqueryd.results.log</log_path> | |
<config_path>/etc/osquery/osquery.conf</config_path> | |
<add_labels>yes</add_labels> | |
</wodle> | |
<!-- System inventory --> | |
<wodle name="syscollector"> | |
<disabled>no</disabled> | |
<interval>1h</interval> | |
<scan_on_start>yes</scan_on_start> | |
<hardware>yes</hardware> | |
<os>yes</os> | |
<network>yes</network> | |
<packages>yes</packages> | |
<ports all="no">yes</ports> | |
<processes>yes</processes> | |
</wodle> | |
<wodle name="vulnerability-detector"> | |
<disabled>yes</disabled> | |
<interval>1m</interval> | |
<run_on_start>yes</run_on_start> | |
<feed name="ubuntu-18"> | |
<disabled>yes</disabled> | |
<update_interval>1h</update_interval> | |
</feed> | |
<feed name="redhat-7"> | |
<disabled>yes</disabled> | |
<update_interval>1h</update_interval> | |
</feed> | |
<feed name="debian-9"> | |
<disabled>yes</disabled> | |
<update_interval>1h</update_interval> | |
</feed> | |
</wodle> | |
<!-- File integrity monitoring --> | |
<syscheck> | |
<disabled>no</disabled> | |
<!-- Frequency that syscheck is executed default every 12 hours --> | |
<frequency>43200</frequency> | |
<scan_on_start>yes</scan_on_start> | |
<!-- Generate alert when new file detected --> | |
<alert_new_files>yes</alert_new_files> | |
<!-- Don't ignore files that change more than 'frequency' times --> | |
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore> | |
<!-- Directories to check (perform all possible verifications) --> | |
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> | |
<directories check_all="yes">/bin,/sbin,/boot</directories> | |
<!-- Files/directories to ignore --> | |
<ignore>/etc/mtab</ignore> | |
<ignore>/etc/hosts.deny</ignore> | |
<ignore>/etc/mail/statistics</ignore> | |
<ignore>/etc/random-seed</ignore> | |
<ignore>/etc/random.seed</ignore> | |
<ignore>/etc/adjtime</ignore> | |
<ignore>/etc/httpd/logs</ignore> | |
<ignore>/etc/utmpx</ignore> | |
<ignore>/etc/wtmpx</ignore> | |
<ignore>/etc/cups/certs</ignore> | |
<ignore>/etc/dumpdates</ignore> | |
<ignore>/etc/svc/volatile</ignore> | |
<ignore>/sys/kernel/security</ignore> | |
<ignore>/sys/kernel/debug</ignore> | |
<!-- Check the file, but never compute the diff --> | |
<nodiff>/etc/ssl/private.key</nodiff> | |
<skip_nfs>yes</skip_nfs> | |
<!-- Remove not monitored files --> | |
<remove_old_diff>yes</remove_old_diff> | |
<!-- Allow the system to restart Auditd after installing the plugin --> | |
<restart_audit>yes</restart_audit> | |
</syscheck> | |
<!-- Active response --> | |
<global> | |
<white_list>127.0.0.1</white_list> | |
<white_list>^localhost.localdomain$</white_list> | |
<white_list>10.66.0.2</white_list> | |
</global> | |
<command> | |
<name>disable-account</name> | |
<executable>disable-account.sh</executable> | |
<expect>user</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>restart-ossec</name> | |
<executable>restart-ossec.sh</executable> | |
<expect></expect> | |
</command> | |
<command> | |
<name>firewall-drop</name> | |
<executable>firewall-drop.sh</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>host-deny</name> | |
<executable>host-deny.sh</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>route-null</name> | |
<executable>route-null.sh</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>win_route-null</name> | |
<executable>route-null.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>win_route-null-2012</name> | |
<executable>route-null-2012.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>netsh</name> | |
<executable>netsh.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<command> | |
<name>netsh-win-2016</name> | |
<executable>netsh-win-2016.cmd</executable> | |
<expect>srcip</expect> | |
<timeout_allowed>yes</timeout_allowed> | |
</command> | |
<!-- | |
<active-response> | |
active-response options here | |
</active-response> | |
--> | |
<!-- Log analysis --> | |
<localfile> | |
<log_format>command</log_format> | |
<command>df -P</command> | |
<frequency>360</frequency> | |
</localfile> | |
<localfile> | |
<log_format>full_command</log_format> | |
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command> | |
<alias>netstat listening ports</alias> | |
<frequency>360</frequency> | |
</localfile> | |
<localfile> | |
<log_format>full_command</log_format> | |
<command>last -n 20</command> | |
<frequency>360</frequency> | |
</localfile> | |
<ruleset> | |
<!-- Default ruleset --> | |
<decoder_dir>ruleset/decoders</decoder_dir> | |
<rule_dir>ruleset/rules</rule_dir> | |
<rule_exclude>0215-policy_rules.xml</rule_exclude> | |
<list>etc/lists/audit-keys</list> | |
<list>etc/lists/amazon/aws-sources</list> | |
<list>etc/lists/amazon/aws-eventnames</list> | |
<!-- User-defined ruleset --> | |
<decoder_dir>etc/decoders</decoder_dir> | |
<rule_dir>etc/rules</rule_dir> | |
</ruleset> | |
<!-- Configuration for ossec-authd | |
To enable this service, run: | |
ossec-control enable auth | |
--> | |
<auth> | |
<disabled>no</disabled> | |
<port>1515</port> | |
<use_source_ip>no</use_source_ip> | |
<force_insert>no</force_insert> | |
<force_time>0</force_time> | |
<purge>no</purge> | |
<use_password>no</use_password> | |
<limit_maxagents>yes</limit_maxagents> | |
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers> | |
<!-- <ssl_agent_ca></ssl_agent_ca> --> | |
<ssl_verify_host>no</ssl_verify_host> | |
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert> | |
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key> | |
<ssl_auto_negotiate>no</ssl_auto_negotiate> | |
</auth> | |
<cluster> | |
<name>wazuh</name> | |
<node_name>wazuh-manager-worker-1</node_name> | |
<node_type>worker</node_type> | |
<!-- TODO: Don't hardcode the key! (and change it) --> | |
<key>123a45bc67def891gh23i45jk67l8mn9</key> | |
<port>1516</port> | |
<bind_addr>0.0.0.0</bind_addr> | |
<nodes> | |
<node>wazuh-manager-master-0.wazuh-cluster.wazuh.svc.cluster.local</node> | |
</nodes> | |
<hidden>no</hidden> | |
<disabled>no</disabled> | |
</cluster> | |
</ossec_config> | |
<ossec_config> | |
<localfile> | |
<log_format>syslog</log_format> | |
<location>/var/ossec/logs/active-responses.log</location> | |
</localfile> | |
<localfile> | |
<log_format>syslog</log_format> | |
<location>/var/log/syslog</location> | |
</localfile> | |
<localfile> | |
<log_format>syslog</log_format> | |
<location>/var/log/dpkg.log</location> | |
</localfile> | |
</ossec_config> | |
metadata: | |
name: wazuh-manager-worker-1-conf | |
namespace: wazuh | |
--- | |
apiVersion: apps/v1 | |
kind: StatefulSet | |
metadata: | |
name: wazuh-manager-worker-0 | |
namespace: wazuh | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
app: wazuh-manager | |
node-type: worker | |
sts-id: '0' | |
serviceName: wazuh-cluster | |
podManagementPolicy: Parallel | |
template: | |
metadata: | |
labels: | |
app: wazuh-manager | |
node-type: worker | |
sts-id: '0' | |
name: wazuh-manager-worker-0 | |
spec: | |
affinity: | |
podAntiAffinity: | |
preferredDuringSchedulingIgnoredDuringExecution: | |
- weight: 100 | |
podAffinityTerm: | |
labelSelector: | |
matchExpressions: | |
- key: sts-id | |
operator: In | |
values: | |
- '1' | |
topologyKey: kubernetes.io/hostname | |
containers: | |
- name: wazuh-manager | |
image: 'wazuh/wazuh:3.11.3_7.5.2' | |
resources: | |
requests: | |
cpu: 1 | |
memory: 1024Mi | |
limits: | |
cpu: 1 | |
memory: 2048Mi | |
volumeMounts: | |
- name: config | |
mountPath: /wazuh-config-mount/etc/ossec.conf | |
subPath: ossec.conf | |
readOnly: true | |
- name: data | |
mountPath: /var/ossec/data | |
ports: | |
- containerPort: 1514 | |
name: agents-events | |
- containerPort: 1516 | |
name: cluster | |
volumes: | |
- name: data | |
glusterfs: | |
endpoints: gluster | |
path: wazuh-worker-0 | |
- name: config | |
configMap: | |
name: wazuh-manager-worker-0-conf | |
--- | |
apiVersion: apps/v1 | |
kind: StatefulSet | |
metadata: | |
name: wazuh-manager-worker-1 | |
namespace: wazuh | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
app: wazuh-manager | |
node-type: worker | |
sts-id: '1' | |
serviceName: wazuh-cluster | |
podManagementPolicy: Parallel | |
template: | |
metadata: | |
labels: | |
app: wazuh-manager | |
node-type: worker | |
sts-id: '1' | |
name: wazuh-manager-worker-1 | |
spec: | |
affinity: | |
podAntiAffinity: | |
preferredDuringSchedulingIgnoredDuringExecution: | |
- weight: 100 | |
podAffinityTerm: | |
labelSelector: | |
matchExpressions: | |
- key: sts-id | |
operator: In | |
values: | |
- '0' | |
topologyKey: kubernetes.io/hostname | |
containers: | |
- name: wazuh-manager | |
image: 'wazuh/wazuh:3.11.3_7.5.2' | |
resources: | |
requests: | |
cpu: 1 | |
memory: 1024Mi | |
limits: | |
cpu: 1 | |
memory: 2048Mi | |
volumeMounts: | |
- name: config | |
mountPath: /wazuh-config-mount/etc/ossec.conf | |
subPath: ossec.conf | |
readOnly: true | |
- name: data | |
mountPath: /var/ossec/data | |
ports: | |
- containerPort: 1514 | |
name: agents-events | |
- containerPort: 1516 | |
name: cluster | |
volumes: | |
- name: data | |
glusterfs: | |
endpoints: gluster | |
path: wazuh-worker-1 | |
- name: config | |
configMap: | |
name: wazuh-manager-worker-1-conf |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment