Ansible for Wazuh

Ansible roles and playbook to install Wazuh agents on Linux and Windows machines. Used to install Wazuh agents on VMs in Illinois Tech's cyber range. Consider checking out Splunk's attack_range GitHub repo for other fantastic Ansible roles.

NOT FOR PRODUCTION USE
I did not necessarily follow Ansible best practices nor account for all edge cases, so it's worth giving the tasks a manual review before running this in your environment. For example:

• the wazuh_linx role assumes your Linux distro uses apt for package management
• the sysmon_windows and aurora_edr roles assume you're using 64-bit versions of Windows
• (bug) the auditd_logging role modifies the ossec.conf file every time it is run

⚠️ Be sure to update the .msi URL in the defaults file for the wazuh_windows role ⚠️
You can find an up-to-date URL on this page of the Wazuh documentation.

Inventory

Update files in this directory to suit your needs. It currently has inventory files for Game of Active Directory and a custom "services" network.

• goad ⇒ Game of Active Directory on 192.168.10.0/24
• services ⇒ custom services network on 192.168.30.0/24
• test ⇒ a sample of hosts from goad and services for testing

Roles

The bread and butter of this repo: roles for installing Wazuh agents on Linux and Windows. Feel free to use these in your own playbook.

• wazuh_linux ⇒ installs Wazuh agent on Linux
• wazuh_windows ⇒ installs Wazuh agent on Windows
• sysmon_windows ⇒ installs Sysmon on Windows and configures Sysmon logging for Wazuh
  • Uses the SwiftOnSecurity Sysmon config by default but you can change this in the defaults file
• defender_logging ⇒ forwards Windows Defender logs to Wazuh
• aurora_edr ⇒ installs Aurora Lite (free EDR that relies on ETW) on Windows and forwards logs to Wazuh
  • Be sure to replace aurora-license.lic in roles->aurora_edr->files with your license! You can get a free license here
  • You may need to manually disable Windows Defender real-time protection or create an exclusion prior to installing Aurora EDR - see official documentation for more details
• powershell_logging ⇒ enables PowerShell logging on Windows and forwards logs to Wazuh
• auditd_logging ⇒ logs all commands and shell execution and forwards logs to Wazuh

Variables

• wazuh_manager ⇒ Wazuh manager server to connect to
• agent_name ⇒ name for host in Wazuh (specify for each host in inventory)
• agent_group ⇒ group to add each host to (specify under group vars in inventory or in playbook)

Playbook (install.yml)

Calls the roles to run them.

Runners

• ping.sh ⇒ ensure hosts are reachable
• test.sh ⇒ runs install.yml playbook for hosts in test inventory
• build.sh ⇒ runs install.yml playbook for all hosts (in goad and services inventories)