0ct0pu5/crowdsec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

update default windows acquisition configuration (#2195)

Browse source
This commit is contained in:
blotus 2023-05-12 13:47:01 +02:00 committed by GitHub
parent abbc130844
commit 8aca0ea860
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
config/acquis_win.yaml
View file

@ -1,3 +1,4 @@
##RDP
source: wineventlog
event_channel: Security
event_ids:
@ -5,4 +6,26 @@ event_ids:
- 4623
event_level: information
labels:
type: eventlog
type: eventlog
---
##Firewall
filenames:
- C:\Windows\System32\LogFiles\Firewall\pfirewall.log
labels:
type: windows-firewall
---
##SQL Server
source: wineventlog
event_channel: Application
event_ids:
- 18456
event_level: information
labels:
type: eventlog
---
##IIS
use_time_machine: true
filenames:
- C:\inetpub\logs\LogFiles\*\*.log
labels:
type: iis

10
windows/installer/product.wxs
View file

@ -132,17 +132,17 @@
<SetProperty Id="HubUpdate" Value="&quot;[INSTALLDIR]\cscli.exe&quot; hub update" Sequence="execute" Before="HubUpdate" />
<CustomAction Id="HubUpdate" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="check" Impersonate="no" />
<SetProperty Id="InstallWinCollection" Value="&quot;[INSTALLDIR]\cscli.exe&quot; collections install crowdsecurity/windows" Sequence="execute" Before="InstallWinCollection" />
<CustomAction Id="InstallWinCollection" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="check" Impersonate="no" />
<CustomAction Id="HubUpdate" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no" />
<SetProperty Id="InstallWinCollection" Value="&quot;[INSTALLDIR]\cscli.exe&quot; collections install crowdsecurity/windows crowdsecurity/windows-firewall crowdsecurity/iis crowdsecurity/mssql" Sequence="execute" Before="InstallWinCollection" />
<CustomAction Id="InstallWinCollection" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no" />
<SetProperty Id="FixPermissionsCreds" Value="&quot;icacls.exe&quot; C:\ProgramData\CrowdSec\config\*_api_credentials.yaml /inheritance:r /grant:r *S-1-5-32-544:(F)" Sequence="execute" Before="FixPermissionsCreds" />
<CustomAction Id="FixPermissionsCreds" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="check" Impersonate="no" />
<SetProperty Id="FixPermissionsNotif" Value="&quot;icacls.exe&quot; C:\ProgramData\CrowdSec\config\notifications\*.yaml /inheritance:r /grant:r *S-1-5-32-544:(F)" Sequence="execute" Before="FixPermissionsNotif" />
<CustomAction Id="FixPermissionsNotif" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="check" Impersonate="no" />
<SetProperty Id="RegisterMachine" Value="&quot;[INSTALLDIR]\cscli.exe&quot; machines add -a" Sequence="execute" Before="RegisterMachine" />
<CustomAction Id="RegisterMachine" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="check" Impersonate="no" />
<CustomAction Id="RegisterMachine" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no" />
<SetProperty Id="RegisterCAPI" Value="&quot;[INSTALLDIR]\cscli.exe&quot; capi register" Sequence="execute" Before="RegisterMachine" />
<CustomAction Id="RegisterCAPI" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="check" Impersonate="no" />
<CustomAction Id="RegisterCAPI" BinaryKey="WixCA" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no" />
<InstallExecuteSequence>
<WriteEnvironmentStrings />
<Custom Action="HubUpdate" After="InstallFiles">NOT Installed AND NOT REMOVE</Custom>