Merge pull request #27 from apdibbo/wazuh-to-baseline

Wazuh to baseline
stfc · Oct 4, 2024 · 6689634 · 6689634
2 parents 77ebfd0 + a873eb6
commit 6689634
Show file tree

Hide file tree

Showing 14 changed files with 655 additions and 37 deletions.
diff --git a/os_builders/inventory/localhost.yml b/os_builders/inventory/localhost.yml
@@ -2,3 +2,7 @@ all:
     hosts:
         localhost:
             ansible_connection: local
+default:
+    hosts:
+        localhost:
+            ansible_connection: local
diff --git a/os_builders/roles/nubes_bootcontext/files/nubes-bootcontext.sh b/os_builders/roles/nubes_bootcontext/files/nubes-bootcontext.sh
@@ -37,3 +37,5 @@ if grep -q minimum_uid=1000 /etc/pam.d/common-password; then
 fi
 
 /usr/local/sbin/update_cloud_users.sh
+
+systemctl restart wazuh-agent
diff --git a/os_builders/roles/nubes_bootcontext/files/update_cloud_users.sh b/os_builders/roles/nubes_bootcontext/files/update_cloud_users.sh
@@ -1,15 +1,19 @@
 #!/bin/bash
 
-for i in packer packer-test;
-do
-    userdel $i -r;
-done
+if [[ -f /var/lock/firstboot ]] ;
+then
+    for i in packer packer-test;
+    do
+        id -u $i && userdel $i -r;
+    done
+    rm -f /var/lock/firstboot
+fi
 
-mkdir /mnt/context
-mount /dev/sr0 /mnt/context
+[[ -d /mnt/context ]] || mkdir /mnt/context
+[[ -d /mnt/context/openstack ]] || mount /dev/sr0 /mnt/context
 INSTANCEID=$(jq .uuid /mnt/context/openstack/latest/meta_data.json | sed "s/\"//g")
 
-if curl -s http://openstack.nubes.rl.ac.uk:9999/cgi-bin/get_username_list.sh?"$INSTANCEID" | grep ".";
+if curl -s http://openstack.nubes.rl.ac.uk:9999/cgi-bin/get_username.sh?"$INSTANCEID" | grep ".";
 then
     OPENSTACK_URL='openstack.nubes.rl.ac.uk'
 else
@@ -35,26 +39,23 @@ SSH_PUBLIC_KEY=$(jq .keys[0].data /mnt/context/openstack/latest/meta_data.json |
 
 groupadd wheel
 
-for ID in $FEDIDS; do
-    useradd "$ID" -g wheel -m -s /bin/bash
+for ID in $FEDID $FEDIDS; do
+    id -u "$ID" || useradd "$ID" -g wheel -m -s /bin/bash
     usermod "$ID" -a -G wheel
-    SUDOVALID=$(visudo -c -f /etc/sudoers.d/cloud)
-    if [ "$SUDOVALID" != "/etc/sudoers.d/cloud: parsed OK" ]
+    if ! visudo -c -f /etc/sudoers.d/cloud;
     then
         echo " $ID  ALL=(ALL)       NOPASSWD: ALL" > /etc/sudoers.d/cloud
     fi
-    if grep -q "$ID" /etc/sudoers.d/cloud
+    if ! grep -q "$ID" /etc/sudoers.d/cloud
     then
-        true
-    else
         echo " $ID  ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers.d/cloud
     fi
     chmod 0440 /etc/sudoers.d/cloud
-    mkdir -p /home/"$ID"/.ssh
+    [[ -d /home/"$ID"/.ssh ]] || mkdir -p /home/"$ID"/.ssh
     chown "$ID" /home/"$ID"
     chown "$ID" /home/"$ID"/.ssh
     if [[ "$ID" == "$FEDID" ]]; then
         echo "$SSH_PUBLIC_KEY "| sed 's/\\n//g' >> /home/"$ID"/.ssh/authorized_keys
     fi
-    chown "$ID" /home/"$FEDID"/.ssh/authorized_keys
+    chown "$ID" /home/"$ID"/.ssh/authorized_keys
 done
diff --git a/os_builders/roles/nubes_bootcontext/tasks/main.yml b/os_builders/roles/nubes_bootcontext/tasks/main.yml
@@ -1,3 +1,7 @@
+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
+
 - name: Copy in nubes-bootcontext script
   copy:
     src: "nubes-bootcontext.sh"

diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_quattor.yml b/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_quattor.yml
@@ -1,23 +1,25 @@
 - name: Cleanout Quattor
-  stat:
-    path: /etc/ccm.conf
-  register: ccm_conf_exists
-  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages
+  block:
+    - name: Cleanout Quattor
+      stat:
+        path: /etc/ccm.conf
+      register: ccm_conf_exists
 
-- name: Cleanout ccm config file
-  file:
-    path: "/etc/ccm.conf"
-    state: absent
-  when: ccm_conf_exists
+    - name: Cleanout ccm config file
+      file:
+        path: "/etc/ccm.conf"
+        state: absent
+      when: ccm_conf_exists
 
-- name: Cleanout quattor profile
-  file:
-    path: "/var/lib/profile*"
-    state: absent
-  when: ccm_conf_exists
+    - name: Cleanout quattor profile
+      file:
+        path: "/var/lib/profile*"
+        state: absent
+      when: ccm_conf_exists
 
-- name: Stop quattor listener
-  systemd_service:
-    name: ncm-cdispd
-    state: stopped
-  when: ccm_conf_exists
+    - name: Stop quattor listener
+      systemd_service:
+        name: ncm-cdispd
+        state: stopped
+      when: ccm_conf_exists
+  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages
diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_users.yml b/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_users.yml
@@ -5,5 +5,8 @@
     state: absent
   loop:
   - "nagios"
-  - "wjc16017"
-  - "wjc16017-admin"
+
+- name: mark next boot as first boot
+  file:
+      path: /var/lock/firstboot
+      state: touch
diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/main.yml b/os_builders/roles/prep_vm_post_reboot/tasks/main.yml
@@ -1,13 +1,16 @@
 # Cleanup machine
+- include_tasks: wazuh.yml
 - include_tasks: get_package_facts.yml
 - include_tasks: run_quattor.yml
+  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages
 - include_tasks: get_package_facts.yml
 - include_tasks: cleanout_tmp.yml
 - include_tasks: cleanout_rc_directories.yml
 - include_tasks: cleanup_network_conf.yml
 - include_tasks: run_update_keys.yml
 - include_tasks: set_locale.yml
 - include_tasks: cleanup_quattor.yml
+  when: ansible_distribution == "Rocky"  and "ccm" in ansible_facts.packages
 - include_tasks: run_pakiti.yml
 - include_tasks: cleanup_users.yml
 - include_tasks: cleanup_old_kernels.yml

diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/wazuh.yml b/os_builders/roles/prep_vm_post_reboot/tasks/wazuh.yml
@@ -0,0 +1,14 @@
+- name: Set wazuh package name variable
+  set_fact:
+    wazuh_package_name: "wazuh-agent"
+
+- name: Stop wazuh-agent service
+  become: true
+  ansible.builtin.command:
+    cmd: "systemctl stop wazuh-agent.service"
+  when: wazuh_package_name in ansible_facts.packages
+
+- name: Clean Wazuh agent history
+  file:
+    path: "/var/ossec/etc/client.keys"
+    state: absent
diff --git a/os_builders/roles/vm_baseline/files/wazuh/enrich-wazuh-agent.py b/os_builders/roles/vm_baseline/files/wazuh/enrich-wazuh-agent.py
@@ -0,0 +1,148 @@
+#!/usr/bin/python3
+
+import os
+import subprocess
+import socket
+import json
+import xml.etree.ElementTree
+import shutil
+import pathlib
+import requests
+
+
+source = "/var/ossec/etc/ossec.template"
+destination = "/var/ossec/etc/ossec.conf"
+extra_config_dir = "/var/ossec/etc/extra/"
+
+
+def dict_to_xml(tag, d):
+
+    elem = xml.etree.ElementTree.Element(tag)
+    for key, val in d.items():
+        # create an Element
+        # class object
+        child = xml.etree.ElementTree.Element(key)
+        child.text = str(val)
+        elem.append(child)
+
+    return elem
+
+
+# Open template config file
+with open(source) as sourcefile:
+    ossec_string = sourcefile.read()
+
+# initialise data structures
+labels_conf = {}
+logfiles_conf = []
+fim_conf = []
+sca_conf = []
+commands_conf = []
+active_responses_conf = []
+groups_conf = []
+wodles_conf = {}
+
+# Load in any additional config
+for extra_config_file in pathlib.Path(extra_config_dir).glob("*.json"):
+    print(extra_config_file)
+    with open(extra_config_file) as extra_config_json:
+        extra_config = json.load(extra_config_json)
+    labels_conf.update(extra_config.get("labels", {}))
+    wodles_conf.update(extra_config.get("wodles", {}))
+    logfiles_conf.extend(extra_config.get("logfiles", []))
+    fim_conf.extend(extra_config.get("file_integrity_monitoring", []))
+    sca_conf.extend(extra_config.get("security_config_assessments", []))
+    commands_conf.extend(extra_config.get("commands", []))
+    active_responses_conf.extend(extra_config.get("active_responses", []))
+    groups_conf.extend(extra_config.get("groups", []))
+
+ossec_conf = xml.etree.ElementTree.parse(source)
+ossec_xml = ossec_conf.getroot()
+
+agent_hostname = socket.getfqdn()
+
+# Check if the host is an OpenStack VM
+param = "-w 1 -c 1"
+metadata_ip = "169.254.169.254"
+response = os.system(f"ping {param} {metadata_ip}")
+if response == 0:
+    try:
+        metadata_url = "http://169.254.169.254/openstack/latest/meta_data.json"
+        response = requests.get(metadata_url)
+        openstack_metadata = response.json()
+        metadata_to_parse = ["uuid", "name", "hostname", "project_id"]
+        for vm_attr in metadata_to_parse:
+            labels_conf["openstack." + vm_attr] = openstack_metadata[vm_attr]
+        agent_hostname = agent_hostname + "-" + openstack_metadata["uuid"]
+    except:
+        print("not an openstack VM")
+
+
+if os.path.exists("/etc/ccm.conf"):
+    print("Is Quattor Managed")
+    # Get aquilon personality from profile
+    p = subprocess.Popen(
+        ["/usr/sbin/ccm", "/system/personality/name"], bufsize=1, stdout=subprocess.PIPE
+    )
+    personality = p.communicate()
+    # Remove cruft from string
+    personality = (
+        str(personality[0])
+        .replace('b"$ name : ', "")
+        .replace("'\\n\\n\"", '"')
+        .replace("'", '"')
+    )
+    # Format as XML and merge into Labels XML - probably a better way of doing this but hayho
+    labels_conf["aq.personality"] = personality
+
+
+# Commands for use with Active Responses
+for command_item in commands_conf:
+    new_command = dict_to_xml("command", command_item)
+    ossec_xml.append(new_command)
+
+# Log Files
+for logfile_item in logfiles_conf:
+    new_logfile = dict_to_xml("localfile", logfile_item)
+    ossec_xml.append(new_logfile)
+
+# Security Configuration Assessments
+for sca_item in sca_conf:
+    new_sca = dict_to_xml("sca", sca_item)
+    ossec_xml.append(new_sca)
+
+# Active Response
+for activeresponse_item in active_responses_conf:
+    new_activeresponse = dict_to_xml("active-response", activeresponse_item)
+    ossec_xml.append(new_activeresponse)
+
+# File Integrity monitoring
+for fim_item in fim_conf:
+    new_fim = dict_to_xml("syscheck", fim_item)
+    ossec_xml.append(new_fim)
+
+# Labels
+for key, value in labels_conf.items():
+    new_label = xml.etree.ElementTree.SubElement(ossec_xml.find("labels"), "label")
+    new_label.text = value
+    new_label.attrib["key"] = key
+# labels_xml = ossec_xml.find('labels')
+
+# Wodles
+for wodle_key, wodle_item in wodles_conf.items():
+    new_wodle = dict_to_xml("wodle", wodle_item)
+    new_wodle.set("name", wodle_key)
+    ossec_xml.append(new_wodle)
+
+# Hostname and Groups setup
+client_update = ossec_xml.find("client").find("enrollment")
+groups_update = xml.etree.ElementTree.SubElement(client_update, "enrollment")
+group_seperator = ","
+groups_update.tag = "groups"
+groups_update.text = group_seperator.join(groups_conf)
+hostname_update = xml.etree.ElementTree.SubElement(client_update, "enrollment")
+hostname_update.tag = "agent_name"
+hostname_update.text = agent_hostname
+
+
+ossec_conf.write(destination)
diff --git a/os_builders/roles/vm_baseline/files/wazuh/local_internal_options.conf b/os_builders/roles/vm_baseline/files/wazuh/local_internal_options.conf
@@ -0,0 +1,3 @@
+sca.remote_commands=1
+wazuh_command.remote_commands=1
+logcollector.remote_commands=1
Original file line number	Diff line number	Diff line change
Expand Up		@@ -37,3 +37,5 @@ if grep -q minimum_uid=1000 /etc/pam.d/common-password; then
		fi

		/usr/local/sbin/update_cloud_users.sh

		systemctl restart wazuh-agent