
Commit 73009f0

Merge pull request #711 from stackhpc/custom-policies
Wazuh: allow custom SCA policies
2 parents 208c1d8 + 880c912 commit 73009f0


4 files changed

+81
-0
lines changed


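--- a/doc/source/configuration/wazuh.rst
+++ b/doc/source/configuration/wazuh.rst
@@ -290,6 +290,21 @@ Example OpenSSL rune to convert to PKCS#8:
 
 TODO: document how to use a local certificate. Do we need to override all certificates?
 
+Custom SCA Policies (optional)
+------------------------------
+
+Wazuh ships with a large selection of Security Configuration Assessment
+rulesets. However, you may find you want to add more. This can be achieved via
+`custom policies <https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html>`_.
+
+SKC supports this automatically, just add the policy file from this PR to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.
+
+Currently, Wazuh does not ship with a CIS benchmark for Rocky 9. You can find
+the in-development policy here: https://github.com/wazuh/wazuh/pull/17810 To
+include this in your deployment, simply copy it to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies/cis_rocky_linux_9.yml``.
+
 Deploy
 ------
 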
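--- a/etc/kayobe/ansible/wazuh-manager.yml
+++ b/etc/kayobe/ansible/wazuh-manager.yml
@@ -17,6 +17,63 @@
 - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/ansible-filebeat-oss"
 - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/wazuh-dashboard"
 post_tasks:
+- block:
+- name: Check if custom SCA policies directory exists
+stat:
+path: "{{ local_custom_sca_policies_path }}"
+register: custom_sca_policies_folder
+delegate_to: localhost
+become: no
+
+- name: Gather list of custom SCA policies
+find:
+paths: "{{ local_custom_sca_policies_path }}"
+patterns: '*.yml'
+delegate_to: localhost
+register: custom_sca_policies
+when: custom_sca_policies_folder.stat.exists
+
+- name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
+blockinfile:
+path: "/var/ossec/etc/local_internal_options.conf"
+state: present
+owner: wazuh
+group: wazuh
+block: |
+sca.remote_commands=1
+when: custom_sca_policies.files | length > 0
+
+- name: Copy custom SCA policy files to Wazuh manager
+copy:
+# Note the trailing slash to copy directory contents
+src: "{{ local_custom_sca_policies_path }}/"
+dest: "/var/ossec/etc/shared/default/"
+owner: wazuh
+group: wazuh
+when: custom_sca_policies.files | length > 0
+
+- name: Add custom policy definition(s) to the shared Agent config
+blockinfile:
+path: "/var/ossec/etc/shared/default/agent.conf"
+state: present
+owner: wazuh
+group: wazuh
+marker: "{mark} ANSIBLE MANAGED BLOCK Custom SCA Policies"
+insertafter: "<!-- Shared agent configuration here -->"
+block: |
+{% filter indent(width=2, first=true) %}
+<sca>
+<policies>
+{% for item in custom_sca_policies.files %}
+<policy>etc/shared/{{ item.path | basename }}</policy>
+{% endfor %}
+</policies>
+</sca>
+{% endfilter %}
+when: custom_sca_policies.files | length > 0
+notify:
+- Restart wazuh
+
 - name: Set http/s_proxy vars in ossec-init.conf for vulnerability detector
 blockinfile:
 path: "/var/ossec/etc/ossec.conf"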
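Review bot: The `when: custom_sca_policies.files | length > 0` guards on the three tasks after `find` look like they will fail on a deployment that has no custom policy directory: `find` is skipped there, so the registered result has no `files` key, and `when: custom_sca_policies.files | default([]) | length > 0` would keep the feature optional. The `sca.remote_commands=1` task makes every command in a manager-distributed policy run on the agents, so I would put a comment above it along the lines of `# Policies in custom_sca_policies are executed on agents; review them like code` and consider gating it behind an explicit variable rather than the mere presence of a file. `copy` also ships the whole directory to `/var/ossec/etc/shared/default/`, not only the `*.yml` files that `find` counted, and sets no `mode`. The play header and the rest of `post_tasks` are outside the hunk and indentation is lost in this rendering, so a `when` on the enclosing `block:` or the exact host this file is written on cannot be confirmed from here.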

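--- a/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager
+++ b/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager
@@ -24,6 +24,9 @@ local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
 # Ansible control host custom certificates directory
 local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
 
+# Ansible custom SCA policies directory
+local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
+
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"
 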
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
---
2+
features:
3+
- |
4+
Wazuh can now de deployed with additional custom SCA policies. Just add the
5+
policy file(s) to the directory
6+
``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.
