afmarulanda/wazuh-ansible-4.7.2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8981160803
wazuh-ansible-4.7.2/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
afmarulanda 7be2d54b0e versión stable
2024-02-29 14:50:41 -05:00

539 lines
14 KiB
YAML
Raw Blame History

---
wazuh_manager_version: 4.7.2
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present
# Custom packages installation
wazuh_custom_packages_installation_manager_enabled: false
wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
# Sources installation
wazuh_manager_sources_installation:
enabled: false
branch: "v4.7.2"
user_language: "en"
user_no_stop: "y"
user_install_type: "server"
user_dir: "/var/ossec"
user_delete_dir: null
user_enable_active_response: null
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "n"
user_enable_authd: "y"
user_generate_authd_cert: null
user_update: "y"
user_binaryinstall: null
user_enable_email: "n"
user_auto_start: "y"
user_email_address: null
user_email_smpt: null
user_enable_syslog: "n"
user_white_list: "n"
user_ca_store: null
threads: "2"
wazuh_dir: "/var/ossec"
##########################################
### Wazuh-OSSEC
##########################################
# groups to create
agent_groups: []
## Global
wazuh_manager_json_output: 'yes'
wazuh_manager_alerts_log: 'yes'
wazuh_manager_logall: 'no'
wazuh_manager_logall_json: 'no'
wazuh_manager_email_notification: 'no'
wazuh_manager_mailto:
- 'admin@example.net'
wazuh_manager_email_smtp_server: smtp.example.wazuh.com
wazuh_manager_email_from: wazuh@example.wazuh.com
wazuh_manager_email_maxperhour: 12
wazuh_manager_email_queue_size: 131072
wazuh_manager_email_log_source: 'alerts.log'
wazuh_manager_globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
wazuh_manager_agent_disconnection_time: '20s'
wazuh_manager_agents_disconnection_alert_time: '100s'
## Alerts
wazuh_manager_log_level: 3
wazuh_manager_email_level: 12
## Logging
wazuh_manager_log_format: 'plain'
## Email alerts
wazuh_manager_extra_emails:
- enable: false
mail_to: 'recipient@example.wazuh.com'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
## Remote
wazuh_manager_connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
## Reports
wazuh_manager_reports:
- enable: false
category: 'syscheck'
title: 'Daily report: File changes'
email_to: 'recipient@example.wazuh.com'
location: null
group: null
rule: null
level: null
srcip: null
user: null
showlogs: null
## Woodles
wazuh_manager_rootcheck:
frequency: 43200
wazuh_manager_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
wazuh_manager_ciscat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
wazuh_manager_osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
wazuh_manager_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
wazuh_manager_monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
## SCA
wazuh_manager_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
## Vulnerability Detector
wazuh_manager_vulnerability_detector:
enabled: 'no'
interval: '5m'
min_full_scan_interval: '6h'
run_on_start: 'yes'
providers:
- enabled: 'no'
os:
- 'trusty'
- 'xenial'
- 'bionic'
- 'focal'
- 'jammy'
update_interval: '1h'
name: '"canonical"'
- enabled: 'no'
os:
- 'buster'
- 'bullseye'
- 'bookworm'
update_interval: '1h'
name: '"debian"'
- enabled: 'no'
os:
- '5'
- '6'
- '7'
- '8'
- '9'
update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
os:
- '8'
- '9'
update_interval: '1h'
name: '"almalinux"'
- enabled: 'no'
os:
- 'amazon-linux'
- 'amazon-linux-2'
- 'amazon-linux-2023'
update_interval: '1h'
name: '"alas"'
- enabled: 'no'
os:
- '11-server'
- '11-desktop'
- '12-server'
- '12-desktop'
- '15-server'
- '15-desktop'
update_interval: '1h'
name: '"suse"'
- enabled: 'no'
update_interval: '1h'
name: '"arch"'
- enabled: 'no'
update_interval: '1h'
name: '"msu"'
- enabled: 'no'
update_interval: '1h'
name: '"nvd"'
## Syscheck
wazuh_manager_syscheck:
disable: 'no'
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
## Command
wazuh_manager_commands:
- name: 'disable-account'
executable: 'disable-account'
timeout_allowed: 'yes'
- name: 'restart-wazuh'
executable: 'restart-wazuh'
- name: 'firewall-drop'
executable: 'firewall-drop'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.exe'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.exe'
timeout_allowed: 'yes'
## Localfile
wazuh_manager_localfiles:
common:
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: "{{ wazuh_dir }}/logs/active-responses.log"
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
## Syslog outputs
wazuh_manager_syslog_outputs:
- server: null
port: null
format: null
## Integrations
wazuh_manager_integrations:
# slack
- name: null
hook_url: '<hook_url>'
alert_level: 10
alert_format: 'json'
rule_id: null
# pagerduty
- name: null
api_key: '<api_key>'
alert_level: 12
## Labels
wazuh_manager_labels:
enable: false
list:
- key: Env
value: Production
## Ruleset
wazuh_manager_ruleset:
rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/'
cdb_lists:
- 'audit-keys'
- 'security-eventchannel'
- 'amazon/aws-eventnames'
wazuh_manager_rule_exclude:
- '0215-policy_rules.xml'
## Auth
wazuh_manager_authd:
enable: true
port: 1515
use_source_ip: 'no'
force:
enabled: 'yes'
key_mismatch: 'yes'
disconnected_time: '1h'
after_registration_time: '1h'
purge: 'yes'
use_password: 'no'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no'
## Cluster
wazuh_manager_cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- 'manager'
hidden: 'no'
## Wazuh API setup
wazuh_manager_api:
bind_addr: 0.0.0.0
port: 55000
behind_proxy_server: no
https: yes
https_key: "api/configuration/ssl/server.key"
https_cert: "api/configuration/ssl/server.crt"
https_use_ca: False
https_ca: "api/configuration/ssl/ca.crt"
logging_level: "info"
logging_path: "logs/api.log"
cors: no
cors_source_route: "*"
cors_expose_headers: "*"
cors_allow_headers: "*"
cors_allow_credentials: no
cache: yes
cache_time: 0.750
access_max_login_attempts: 5
access_block_time: 300
access_max_request_per_minute: 300
drop_privileges: yes
experimental_features: no
remote_commands_localfile: yes
remote_commands_localfile_exceptions: []
remote_commands_wodle: yes
remote_commands_wodle_exceptions: []
# wazuh_api_users:
# - username: custom-user
# password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars)
# NOTE: As wazuh_manager_config is built dynamically per playbooks and ansible.cfg provided in the repo,
# we should also cover the case for partial settings in inventory variables overlayed on top of role's
# defaults with merge hash_behaviour. If you do a full replace instead of the hash_behaviour, set this to false.
#
# Please do notice this behaviour is deprecated in 2.13 and role will move away from it in future versions:
# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour
#
wazuh_manager_config_overlay: true
## Other/Wrappers
wazuh_manager_config_defaults:
repo: '{{ wazuh_repo }}'
json_output: '{{ wazuh_manager_json_output }}'
alerts_log: '{{ wazuh_manager_alerts_log }}'
logall: '{{ wazuh_manager_logall }}'
logall_json: '{{ wazuh_manager_logall_json }}'
log_format: '{{ wazuh_manager_log_format }}'
api: '{{ wazuh_manager_api }}'
cluster: '{{ wazuh_manager_cluster }}'
connection: '{{ wazuh_manager_connection }}'
authd: '{{ wazuh_manager_authd }}'
email_notification: '{{ wazuh_manager_email_notification }}'
mail_to: '{{ wazuh_manager_mailto }}'
mail_smtp_server: '{{ wazuh_manager_email_smtp_server }}'
mail_from: '{{ wazuh_manager_email_from }}'
mail_maxperhour: '{{ wazuh_manager_email_maxperhour }}'
mail_queue_size: '{{ wazuh_manager_email_queue_size }}'
email_log_source: '{{ wazuh_manager_email_log_source }}'
extra_emails: '{{ wazuh_manager_extra_emails }}'
reports: '{{ wazuh_manager_reports}}'
syscheck: '{{ wazuh_manager_syscheck }}'
rootcheck: '{{ wazuh_manager_rootcheck }}'
openscap: '{{ wazuh_manager_openscap }}'
cis_cat: '{{ wazuh_manager_ciscat }}'
osquery: '{{ wazuh_manager_osquery }}'
syscollector: '{{ wazuh_manager_syscollector }}'
sca: '{{ wazuh_manager_sca }}'
vulnerability_detector: '{{ wazuh_manager_vulnerability_detector }}'
log_level: '{{ wazuh_manager_log_level }}'
email_level: '{{ wazuh_manager_email_level }}'
localfiles: '{{ wazuh_manager_localfiles }}'
globals: '{{ wazuh_manager_globals }}'
commands: '{{ wazuh_manager_commands }}'
ruleset: '{{ wazuh_manager_ruleset }}'
rule_exclude: '{{ wazuh_manager_rule_exclude }}'
syslog_outputs: '{{ wazuh_manager_syslog_outputs }}'
integrations: '{{ wazuh_manager_integrations }}'
monitor_aws: '{{ wazuh_manager_monitor_aws }}'
labels: '{{ wazuh_manager_labels }}'
agents_disconnection_time: '{{ wazuh_manager_agent_disconnection_time }}'
agents_disconnection_alert_time: '{{ wazuh_manager_agents_disconnection_alert_time }}'
# shared-agent.conf
# shared_agent_config:
# - type: os
# type_value: Linux
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# ignore:
# - /etc/mtab
# - /etc/mnttab
# - /etc/hosts.deny
# - /etc/mail/statistics
# - /etc/svc/volatile
# no_diff:
# - /etc/ssl/private.key
# rootcheck:
# frequency: 43200
# cis_distribution_filename: null
# localfiles:
# - format: 'syslog'
# location: '/var/log/messages'
# - format: 'syslog'
# location: '/var/log/secure'
# - format: 'syslog'
# location: '/var/log/maillog'
# - format: 'apache'
# location: '/var/log/httpd/error_log'
# - format: 'apache'
# location: '/var/log/httpd/access_log'
# - format: 'apache'
# location: "{{ wazuh_dir }}/logs/active-responses.log"
# - type: os
# type_value: Windows
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# auto_ignore: 'no'
# windows_registry:
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
# arch: 'both'
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
# localfiles:
# - location: 'Security'
# format: 'eventchannel'
# - location: 'System'
# format: 'eventlog'
Reference in New Issue View Git Blame Copy Permalink