Add support for FreeBSD decoders, rules and sca files

- Use git for fetch decoders, rules and sca files
- Fix support for Integrity Monitoring logs from Logstash
- Some other tiny modifications

Author: alonsobsd

Makejail

@@ -5,20 +5,30 @@ ARG network=wazuh-net
 
 CMD sed -e "s|quarterly|latest|g" -i.bak /etc/pkg/FreeBSD.conf
 
-PKG bash wazuh-indexer wazuh-server wazuh-dashboard openjdk17
+PKG bash wazuh-indexer wazuh-server wazuh-dashboard openjdk17 git-tiny
 
 CMD openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -subj "/C=US/ST=California/CN=Wazuh/" -keyout /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert
 CMD chmod 640 /var/ossec/etc/sslmanager.key
 CMD chmod 640 /var/ossec/etc/sslmanager.cert
 
 CMD cp /etc/localtime /var/ossec/etc
 CMD cp /usr/local/etc/wazuh-server/wazuh-template.json /usr/local/etc/logstash/
-COPY files/var/ossec/etc/decoders/local_decoder.xml /var/ossec/etc/decoders/
-CMD chown wazuh:wazuh /var/ossec/etc/decoders/local_decoder.xml
-CMD chmod 660 /var/ossec/etc/decoders/local_decoder.xml
-COPY files/var/ossec/etc/rules/local_rules.xml /var/ossec/etc/rules/
-CMD chown wazuh:wazuh /var/ossec/etc/rules/local_rules.xml
-CMD chmod 660 /var/ossec/etc/rules/local_rules.xml
+
+CMD git clone https://github.com/alonsobsd/wazuh-freebsd.git /root/wazuh-freebsd
+CMD cp /root/wazuh-freebsd/var/ossec/ruleset/sca/cis_freebsd*.yml /var/ossec/ruleset/sca/
+CMD chmod 640 /var/ossec/ruleset/sca/cis_freebsd*.yml
+CMD chown root:wazuh /var/ossec/ruleset/sca/cis_freebsd*.yml
+CMD cp /root/wazuh-freebsd/var/ossec/ruleset/decoders/0600-freebsd_decoders.xml /var/ossec/ruleset/decoders/0600-freebsd_decoders.xml
+CMD chmod 640 /var/ossec/ruleset/decoders/0600-freebsd_decoders.xml
+CMD chown root:wazuh /var/ossec/ruleset/decoders/0600-freebsd_decoders.xml
+CMD cp /root/wazuh-freebsd/var/ossec/ruleset/rules/1000-freebsd_rules.xml /var/ossec/ruleset/rules/1000-freebsd_rules.xml
+CMD chmod 640 /var/ossec/ruleset/rules/1000-freebsd_rules.xml
+CMD chown root:wazuh /var/ossec/ruleset/rules/1000-freebsd_rules.xml
+
+CMD rm -rf /root/wazuh-freebsd
+PKG --remove git-tiny
+PKG --autoremove
+
 COPY files/var/ossec/etc/ossec.conf /var/ossec/etc
 COPY files/var/ossec/etc/ossec.conf /var/ossec/etc
 COPY files/usr/local/etc/beats/filebeat.yml /usr/local/etc/beats/

files/usr/local/etc/logstash/logstash.conf

@@ -7,7 +7,7 @@ input {
   beats {
     host => "%{SERVER_IP}"
     port => 5044
-    ssl => false
+    ssl_enabled => false
 #    ssl => true
 #    ssl_certificate => "/usr/local/etc/logstash/certs/logstash.pem"
 #    ssl_certificate_authorities => ["/usr/local/etc/logstash/certs/root-ca.pem"]
@@ -39,6 +39,30 @@ filter {
   }
 }
 
+filter {
+  json {
+    source => "[event][original]"
+    target => "[wazuhevent]"
+  }
+
+  mutate {
+        copy => { "[wazuhevent][syscheck][event]" => "syscheck.event" }
+        copy => { "[wazuhevent][syscheck][mode]" => "syscheck.mode" }
+        copy => { "[wazuhevent][syscheck][path]" => "syscheck.path" }
+        copy => { "[wazuhevent][syscheck][gid_after]" => "syscheck.gid_after" }
+        copy => { "[wazuhevent][syscheck][gname_after]" => "syscheck.gname_after" }
+        copy => { "[wazuhevent][syscheck][inode_after]" => "syscheck.inode_after" }
+        copy => { "[wazuhevent][syscheck][md5_after]" => "syscheck.md5_after" }
+        copy => { "[wazuhevent][syscheck][perm_after]" => "syscheck.perm_after" }
+        copy => { "[wazuhevent][syscheck][syscheck.sha1_after]" => "syscheck.sha1_after" }
+        copy => { "[wazuhevent][syscheck][sha256_after]" => "syscheck.sha256_after" }
+        copy => { "[wazuhevent][syscheck][size_after]" => "syscheck.size_after" }
+        copy => { "[wazuhevent][syscheck][uid_after]" => "syscheck.uid_after" }
+        copy => { "[wazuhevent][syscheck][uname_after]" => "syscheck.uname_after" }
+        remove_field => [ "wazuhevent" ]
+  }
+}
+
 #
 # You can define it for output testing
 #

files/usr/local/etc/opensearch/opensearch.yml

@@ -41,4 +41,6 @@ plugins.security.restapi.roles_enabled:
 - "security_rest_api_access"
 
 plugins.security.system_indices.enabled: true
-plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+
+compatibility.override_main_response_version: true

files/var/ossec/etc/ossec.conf

@@ -44,7 +44,6 @@
 
     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
     <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
-<!--    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> -->
 
     <skip_nfs>yes</skip_nfs>
   </rootcheck>
@@ -256,4 +255,17 @@
     <ssl_auto_negotiate>no</ssl_auto_negotiate>
   </auth>
 
+  <cluster>
+    <name>wazuh</name>
+    <node_name>indexer1</node_name>
+    <node_type>master</node_type>
+    <key></key>
+    <port>1516</port>
+    <bind_addr>0.0.0.0</bind_addr>
+    <nodes>
+        <node>NODE_IP</node>
+    </nodes>
+    <hidden>no</hidden>
+    <disabled>yes</disabled>
+  </cluster>
 </ossec_config>