Merge pull request #711 from stackhpc/custom-policies

Wazuh: allow custom SCA policies
stackhpc · Oct 17, 2023 · 73009f0 · 73009f0
2 parents 208c1d8 + 880c912
commit 73009f0
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 0 deletions.
diff --git a/doc/source/configuration/wazuh.rst b/doc/source/configuration/wazuh.rst
@@ -290,6 +290,21 @@ Example OpenSSL rune to convert to PKCS#8:
 
 TODO: document how to use a local certificate. Do we need to override all certificates?
 
+Custom SCA Policies (optional)
+------------------------------
+
+Wazuh ships with a large selection of Security Configuration Assessment
+rulesets. However, you may find you want to add more. This can be achieved via
+`custom policies <https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html>`_.
+
+SKC supports this automatically, just add the policy file from this PR to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.
+
+Currently, Wazuh does not ship with a CIS benchmark for Rocky 9. You can find
+the in-development policy here: https://github.com/wazuh/wazuh/pull/17810 To
+include this in your deployment, simply copy it to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies/cis_rocky_linux_9.yml``.
+
 Deploy
 ------
 

diff --git a/etc/kayobe/ansible/wazuh-manager.yml b/etc/kayobe/ansible/wazuh-manager.yml
@@ -17,6 +17,63 @@
     - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/ansible-filebeat-oss"
     - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/wazuh-dashboard"
   post_tasks:
+    - block:
+        - name: Check if custom SCA policies directory exists
+          stat:
+            path: "{{ local_custom_sca_policies_path }}"
+          register: custom_sca_policies_folder
+          delegate_to: localhost
+          become: no
+
+        - name: Gather list of custom SCA policies
+          find:
+            paths: "{{ local_custom_sca_policies_path }}"
+            patterns: '*.yml'
+          delegate_to: localhost
+          register: custom_sca_policies
+          when: custom_sca_policies_folder.stat.exists
+
+        - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
+          blockinfile:
+            path: "/var/ossec/etc/local_internal_options.conf"
+            state: present
+            owner: wazuh
+            group: wazuh
+            block: |
+              sca.remote_commands=1
+          when: custom_sca_policies.files | length > 0
+
+        - name: Copy custom SCA policy files to Wazuh manager
+          copy:
+            # Note the trailing slash to copy directory contents
+            src: "{{ local_custom_sca_policies_path }}/"
+            dest: "/var/ossec/etc/shared/default/"
+            owner: wazuh
+            group: wazuh
+          when: custom_sca_policies.files | length > 0
+
+        - name: Add custom policy definition(s) to the shared Agent config
+          blockinfile:
+            path: "/var/ossec/etc/shared/default/agent.conf"
+            state: present
+            owner: wazuh
+            group: wazuh
+            marker: "{mark} ANSIBLE MANAGED BLOCK Custom SCA Policies"
+            insertafter: "<!-- Shared agent configuration here -->"
+            block: |
+              {% filter indent(width=2, first=true) %}
+              <sca>
+                <policies>
+              {% for item in custom_sca_policies.files %}
+                  <policy>etc/shared/{{ item.path | basename }}</policy>
+              {% endfor %}
+                </policies>
+              </sca>
+              {% endfilter %}
+          when: custom_sca_policies.files | length > 0
+      notify:
+        - Restart wazuh
+
     - name: Set http/s_proxy vars in ossec-init.conf for vulnerability detector
       blockinfile:
         path: "/var/ossec/etc/ossec.conf"

diff --git a/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager b/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager
@@ -24,6 +24,9 @@ local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
 # Ansible control host custom certificates directory
 local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
 
+# Ansible custom SCA policies directory
+local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
+
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"
 

diff --git a/releasenotes/notes/wazuh-custom-sca-policies-a5f15818948928b0.yaml b/releasenotes/notes/wazuh-custom-sca-policies-a5f15818948928b0.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Wazuh can now de deployed with additional custom SCA policies. Just add the
+    policy file(s) to the directory
+    ``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.