Wazuh-based SIEM with Linux and Windows osquery-enabled agents with Ansible + Vagrant

Fully-fledged Wazuh (OSSEC HIDS + Elastic stack) installation with Linux and Windows Wazuh agents and osquery, via Ansible and Vagrant.

Run

With Ansible, Vagrant and VirtualBox

Install Vagrant
Run vagrant up

With Terraform (deprecated and not up-to-date)

Careful: no firewall has been setup, your Terraform servers are listening on a public IP by default with NO KIBANA or ELASTIC AUTHENTICATION

Set your terraform.tfvars
Install Terraform plugin for your cloud provider
terraform apply
Install Ansible Terraform dynamic inventory binary at adammck/terraform-inventory
Set some variable due to a plugin issue: export TF_STATE=./; (see adammck/terraform-inventory#144)
Run the Ansible playbooks

Known issues

Get-Service OssecSvc on Windows hosts: service is stopped after the playbook played.
Troubleshoot Windows osquery bugs

Workarounds

On MacOS Catalina, trying to use Ansible with WinRM, if you get:

objc[11628]: +[NSNumber initialize] may have been in progress in another thread when fork() was called.
objc[11628]: +[NSNumber initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
ERROR! A worker was found in a dead state

You need to set some variable: export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES See ansible/ansible#32499

External documentation

TODO

Known issues

Troubleshoot Windows osquery bugs

Features

Add Powershell command execution logging and alerting
Setup X-pack auth config + HTTPS/TLS certs everywhere
Active response

Possible evolutions

add minotring of node modules security output recurring task (npm audit)
integrate other tools/sysinternals into ansible playbooks: https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer
- with a script to suspend all processes and dump RAM and disk (sysinternals) as an action response
VirusTotal API / Malice / Cuckoo integration
Suricata integration
Multi-cluster / load-balanced Ansible playbook
- K8s/Helm ?

Low priority

WAF / CI/CD for application security?
more robust osquery configuration for Linux? https://github.com/palantir/osquery-configuration

Name		Name	Last commit message	Last commit date
Latest commit History 38 Commits
examples		examples
roles		roles
terraform		terraform
wazuh-docker		wazuh-docker
.gitignore		.gitignore
.gitmodules		.gitmodules
ConfigureRemotingForAnsible.ps1		ConfigureRemotingForAnsible.ps1
LICENSE		LICENSE
README.md		README.md
Vagrantfile		Vagrantfile
ansible.cfg		ansible.cfg
osquery-win-vars.yml		osquery-win-vars.yml
ossec.conf.xml		ossec.conf.xml
requirements.yml		requirements.yml
sysmonconfig-export.xml		sysmonconfig-export.xml
taxii-tests.sh		taxii-tests.sh
taxii.py		taxii.py
vagrant.ini		vagrant.ini
wazuh-agent-win-vars.yml		wazuh-agent-win-vars.yml
wazuh-agent-win.yml		wazuh-agent-win.yml
wazuh-agent.yml		wazuh-agent.yml
wazuh-vm-single-node.yml		wazuh-vm-single-node.yml
win-client-extra.yml		win-client-extra.yml
winlogbeat.ps1		winlogbeat.ps1

License

ketsapiwiq/siem-infra

Folders and files

Latest commit

History

Repository files navigation

Wazuh-based SIEM with Linux and Windows osquery-enabled agents with Ansible + Vagrant

Run

With Ansible, Vagrant and VirtualBox

With Terraform (deprecated and not up-to-date)

Known issues

Workarounds

External documentation

TODO

Known issues

Features

Possible evolutions

Low priority

About

Topics

Resources

License

Stars

Watchers

Forks

Languages