diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index ea73e74b..57e9d5e2 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -4,6 +4,12 @@ wazuh_manager_version: 4.0.0-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present +nodejs: + repo_dict: + debian: "deb" + redhat: "rpm" + repo_url_ext: "nodesource.com/setup_10.x" + # Custom packages installation wazuh_custom_packages_installation_manager_enabled: false wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" 
@@ -35,381 +41,480 @@ wazuh_manager_sources_installation: user_ca_store: null threads: "2" +wazuh_manager_repo: + apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + yum: 'https://packages.wazuh.com/4.x/yum/' + gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' + + +########################################## +### Wazuh-OSSEC +########################################## + +# groups to create +agent_groups: [] + +## Global +wazuh_manager_json_output: 'yes' +wazuh_manager_alerts_log: 'yes' +wazuh_manager_logall: 'no' +wazuh_manager_logall_json: 'no' + +wazuh_manager_email_notification: 'no' +wazuh_manager_mailto: + - 'admin@example.net' + +wazuh_manager_email_smtp_server: smtp.example.wazuh.com +wazuh_manager_email_from: ossecm@example.wazuh.com +wazuh_manager_email_maxperhour: 12 +wazuh_manager_email_queue_size: 131072 +wazuh_manager_email_log_source: 'alerts.log' + +wazuh_manager_globals: + - '127.0.0.1' + - '^localhost.localdomain$' + - '127.0.0.53' + +## Alerts +wazuh_manager_log_level: 3 +wazuh_manager_email_level: 12 + +## Logging +wazuh_manager_log_format: 'plain' + +## Email alerts +wazuh_manager_extra_emails: + - enable: false + mail_to: 'recipient@example.wazuh.com' + format: full + level: 7 + event_location: null + group: null + do_not_delay: false + do_not_group: false + rule_id: null + + +## Remote +wazuh_manager_connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + +## Reports +wazuh_manager_reports: + - enable: false + category: 'syscheck' + title: 'Daily report: File changes' + email_to: 'recipient@example.wazuh.com' + location: null + group: null + rule: null + level: null + srcip: null + user: null + showlogs: null + +## Woodles +wazuh_manager_rootcheck: + frequency: 43200 + +wazuh_manager_openscap: + disable: 'yes' + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + +wazuh_manager_ciscat: + disable: 'yes' + install_java: 'yes' + timeout: 1800 + 
interval: '1d' + scan_on_start: 'yes' + java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' + ciscat_path: 'wodles/ciscat' + +wazuh_manager_osquery: + disable: 'yes' + run_daemon: 'yes' + log_path: '/var/log/osquery/osqueryd.results.log' + config_path: '/etc/osquery/osquery.conf' + ad_labels: 'yes' + +wazuh_manager_syscollector: + disable: 'no' + interval: '1h' + scan_on_start: 'yes' + hardware: 'yes' + os: 'yes' + network: 'yes' + packages: 'yes' + ports_no: 'yes' + processes: 'yes' + +wazuh_manager_monitor_aws: + disabled: 'yes' + interval: '10m' + run_on_start: 'yes' + skip_on_error: 'yes' + s3: + - name: null + bucket_type: null + path: null + only_logs_after: null + access_key: null + secret_key: null + +## SCA +wazuh_manager_sca: + enabled: 'yes' + scan_on_start: 'yes' + interval: '12h' + skip_nfs: 'yes' + day: '' + wday: '' + time: '' + +## Vulnerability Detector +wazuh_manager_vulnerability_detector: + enabled: 'no' + interval: '5m' + ignore_time: '6h' + run_on_start: 'yes' + providers: + - enabled: 'no' + os: + - 'trusty' + - 'xenial' + - 'bionic' + update_interval: '1h' + name: '"canonical"' + - enabled: 'no' + os: + - 'wheezy' + - 'stretch' + - 'jessie' + - 'buster' + update_interval: '1h' + name: '"debian"' + - enabled: 'no' + update_from_year: '2010' + update_interval: '1h' + name: '"redhat"' + - enabled: 'no' + update_from_year: '2010' + update_interval: '1h' + name: '"nvd"' + +## Syscheck +wazuh_manager_syscheck: + disable: 'no' + frequency: 43200 + scan_on_start: 'yes' + auto_ignore: 'no' + ignore: + - /etc/mtab + - /etc/hosts.deny + - /etc/mail/statistics + - /etc/random-seed + - /etc/random.seed + - /etc/adjtime + - /etc/httpd/logs + - /etc/utmpx + - /etc/wtmpx + - /etc/cups/certs + - /etc/dumpdates + - /etc/svc/volatile + ignore_linux_type: + - '.log$|.swp$' + no_diff: + - /etc/ssl/private.key + directories: + - dirs: /etc,/usr/bin,/usr/sbin + checks: '' + - dirs: /bin,/sbin,/boot + checks: '' + auto_ignore_frequency: + frequency: 
'frequency="10"' + timeframe: 'timeframe="3600"' + value: 'no' + skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 + +## Command +wazuh_manager_commands: + - name: 'disable-account' + executable: 'disable-account.sh' + expect: 'user' + timeout_allowed: 'yes' + - name: 'restart-ossec' + executable: 'restart-ossec.sh' + expect: '' + - name: 'firewall-drop' + executable: 'firewall-drop.sh' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'host-deny' + executable: 'host-deny.sh' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'route-null' + executable: 'route-null.sh' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'win_route-null' + executable: 'route-null.cmd' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'win_route-null-2012' + executable: 'route-null-2012.cmd' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'netsh' + executable: 'netsh.cmd' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'netsh-win-2016' + executable: 'netsh-win-2016.cmd' + expect: 'srcip' + timeout_allowed: 'yes' + +## Localfile +wazuh_manager_localfiles: + common: + - format: 'command' + command: df -P + frequency: '360' + - format: 'full_command' + command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + alias: 'netstat listening ports' + frequency: '360' + - format: 'full_command' + command: 'last -n 20' + frequency: '360' + - format: 'syslog' + location: '/var/ossec/logs/active-responses.log' + debian: + - format: 'syslog' + location: '/var/log/auth.log' + - format: 'syslog' + location: '/var/log/syslog' + - format: 'syslog' + location: '/var/log/dpkg.log' + - format: 'syslog' + location: '/var/log/kern.log' + centos: + - 
format: 'syslog' + location: '/var/log/messages' + - format: 'syslog' + location: '/var/log/secure' + - format: 'syslog' + location: '/var/log/maillog' + - format: 'audit' + location: '/var/log/audit/audit.log' + +## Syslog outputs +wazuh_manager_syslog_outputs: + - server: null + port: null + format: null + +## Integrations +wazuh_manager_integrations: + # slack + - name: null + hook_url: '' + alert_level: 10 + alert_format: 'json' + rule_id: null + # pagerduty + - name: null + api_key: '' + alert_level: 12 + +## Labels +wazuh_manager_labels: + enable: false + list: + - key: Env + value: Production + +## Ruleset +wazuh_manager_ruleset: + rules_path: 'custom_ruleset/rules/' + decoders_path: 'custom_ruleset/decoders/' + cdb_lists: + - 'audit-keys' + - 'security-eventchannel' + - 'amazon/aws-eventnames' + +wazuh_manager_rule_exclude: + - '0215-policy_rules.xml' + +## Auth +wazuh_manager_authd: + enable: true + port: 1515 + use_source_ip: 'no' + force_insert: 'yes' + force_time: 0 + purge: 'yes' + use_password: 'no' + limit_maxagents: 'yes' + ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' + ssl_agent_ca: null + ssl_verify_host: 'no' + ssl_manager_cert: 'sslmanager.cert' + ssl_manager_key: 'sslmanager.key' + ssl_auto_negotiate: 'no' + +## Cluster +wazuh_manager_cluster: + disable: 'yes' + name: 'wazuh' + node_name: 'manager_01' + node_type: 'master' + key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - 'manager' + hidden: 'no' + +## Wazuh API setup +wazuh_manager_api: + bind_addr: 0.0.0.0 + port: 55000 + behind_proxy_server: no + https: yes + https_key: "api/configuration/ssl/server.key" + https_cert: "api/configuration/ssl/server.crt" + https_use_ca: False + https_ca: "api/configuration/ssl/ca.crt" + logging_level: "info" + logging_path: "logs/api.log" + cors: no + cors_source_route: "*" + cors_expose_headers: "*" + cors_allow_headers: "*" + cors_allow_credentials: no + cache: yes + cache_time: 0.750 + 
access_max_login_attempts: 5 + access_block_time: 300 + access_max_request_per_minute: 300 + use_only_authd: no + drop_privileges: yes + experimental_features: no + # wazuh_api_users: # - username: custom-user # password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars) -wazuh_manager_config: - repo: - apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - yum: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' - json_output: 'yes' - alerts_log: 'yes' - logall: 'no' - logall_json: 'no' - log_format: 'plain' - api: - bind_addr: 0.0.0.0 - port: 55000 - behind_proxy_server: no - https: yes - https_key: "api/configuration/ssl/server.key" - https_cert: "api/configuration/ssl/server.crt" - https_use_ca: False - https_ca: "api/configuration/ssl/ca.crt" - logging_level: "info" - logging_path: "logs/api.log" - cors: no - cors_source_route: "*" - cors_expose_headers: "*" - cors_allow_headers: "*" - cors_allow_credentials: no - cache: yes - cache_time: 0.750 - access_max_login_attempts: 5 - access_block_time: 300 - access_max_request_per_minute: 300 - use_only_authd: no - drop_privileges: yes - experimental_features: no - cluster: - disable: 'yes' - name: 'wazuh' - node_name: 'manager_01' - node_type: 'master' - key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - 'manager' - hidden: 'no' - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - authd: - enable: true - port: 1515 - use_source_ip: 'no' - force_insert: 'yes' - force_time: 0 - purge: 'yes' - use_password: 'no' - limit_maxagents: 'yes' - ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' - ssl_agent_ca: null - ssl_verify_host: 'no' - ssl_manager_cert: 'sslmanager.cert' - ssl_manager_key: 'sslmanager.key' - ssl_auto_negotiate: 'no' - email_notification: 'no' - mail_to: - - 
'admin@example.net' - mail_smtp_server: smtp.example.wazuh.com - mail_from: ossecm@example.wazuh.com - mail_maxperhour: 12 - mail_queue_size: 131072 - email_log_source: 'alerts.log' - extra_emails: - - enable: false - mail_to: 'recipient@example.wazuh.com' - format: full - level: 7 - event_location: null - group: null - do_not_delay: false - do_not_group: false - rule_id: null - reports: - - enable: false - category: 'syscheck' - title: 'Daily report: File changes' - email_to: 'recipient@example.wazuh.com' - location: null - group: null - rule: null - level: null - srcip: null - user: null - showlogs: null - syscheck: - disable: 'no' - frequency: 43200 - scan_on_start: 'yes' - auto_ignore: 'no' - ignore: - - /etc/mtab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/random-seed - - /etc/random.seed - - /etc/adjtime - - /etc/httpd/logs - - /etc/utmpx - - /etc/wtmpx - - /etc/cups/certs - - /etc/dumpdates - - /etc/svc/volatile - ignore_linux_type: - - '.log$|.swp$' - no_diff: - - /etc/ssl/private.key - directories: - - dirs: /etc,/usr/bin,/usr/sbin - checks: '' - - dirs: /bin,/sbin,/boot - checks: '' - auto_ignore_frequency: - frequency: 'frequency="10"' - timeframe: 'timeframe="3600"' - value: 'no' - skip_nfs: 'yes' - skip_dev: 'yes' - skip_proc: 'yes' - skip_sys: 'yes' - process_priority: 10 - max_eps: 100 - sync_enabled: 'yes' - sync_interval: '5m' - sync_max_interval: '1h' - sync_max_eps: 10 - rootcheck: - frequency: 43200 - openscap: - disable: 'yes' - timeout: 1800 - interval: '1d' - scan_on_start: 'yes' - cis_cat: - disable: 'yes' - install_java: 'yes' - timeout: 1800 - interval: '1d' - scan_on_start: 'yes' - java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' - ciscat_path: 'wodles/ciscat' - osquery: - disable: 'yes' - run_daemon: 'yes' - log_path: '/var/log/osquery/osqueryd.results.log' - config_path: '/etc/osquery/osquery.conf' - ad_labels: 'yes' - syscollector: - disable: 'no' - interval: '1h' - scan_on_start: 'yes' - hardware: 'yes' - os: 'yes' 
- network: 'yes' - packages: 'yes' - ports_no: 'yes' - processes: 'yes' - sca: - enabled: 'yes' - scan_on_start: 'yes' - interval: '12h' - skip_nfs: 'yes' - day: '' - wday: '' - time: '' - vulnerability_detector: - enabled: 'no' - interval: '5m' - ignore_time: '6h' - run_on_start: 'yes' - providers: - - enabled: 'no' - os: - - 'trusty' - - 'xenial' - - 'bionic' - update_interval: '1h' - name: '"canonical"' - - enabled: 'no' - os: - - 'wheezy' - - 'stretch' - - 'jessie' - - 'buster' - update_interval: '1h' - name: '"debian"' - - enabled: 'no' - update_from_year: '2010' - update_interval: '1h' - name: '"redhat"' - - enabled: 'no' - update_from_year: '2010' - update_interval: '1h' - name: '"nvd"' - log_level: 3 - email_level: 12 - localfiles: - common: - - format: 'command' - command: df -P - frequency: '360' - - format: 'full_command' - command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - alias: 'netstat listening ports' - frequency: '360' - - format: 'full_command' - command: 'last -n 20' - frequency: '360' - - format: 'syslog' - location: '/var/ossec/logs/active-responses.log' - debian: - - format: 'syslog' - location: '/var/log/auth.log' - - format: 'syslog' - location: '/var/log/syslog' - - format: 'syslog' - location: '/var/log/dpkg.log' - - format: 'syslog' - location: '/var/log/kern.log' - centos: - - format: 'syslog' - location: '/var/log/messages' - - format: 'syslog' - location: '/var/log/secure' - - format: 'syslog' - location: '/var/log/maillog' - - format: 'audit' - location: '/var/log/audit/audit.log' - globals: - - '127.0.0.1' - - '^localhost.localdomain$' - - '127.0.0.53' - commands: - - name: 'disable-account' - executable: 'disable-account.sh' - expect: 'user' - timeout_allowed: 'yes' - - name: 'restart-ossec' - executable: 'restart-ossec.sh' - expect: 
'' - - name: 'firewall-drop' - executable: 'firewall-drop.sh' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'host-deny' - executable: 'host-deny.sh' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'route-null' - executable: 'route-null.sh' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'win_route-null' - executable: 'route-null.cmd' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'win_route-null-2012' - executable: 'route-null-2012.cmd' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'netsh' - executable: 'netsh.cmd' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'netsh-win-2016' - executable: 'netsh-win-2016.cmd' - expect: 'srcip' - timeout_allowed: 'yes' - ruleset: - rules_path: 'custom_ruleset/rules/' - decoders_path: 'custom_ruleset/decoders/' - cdb_lists: - - 'audit-keys' - - 'security-eventchannel' - - 'amazon/aws-eventnames' - rule_exclude: - - '0215-policy_rules.xml' - syslog_outputs: - - server: null - port: null - format: null - integrations: - #slack - - name: null - hook_url: '' - alert_level: 10 - alert_format: 'json' - rule_id: null - #pagerduty - - name: null - api_key: '' - alert_level: 12 - monitor_aws: - disabled: 'yes' - interval: '10m' - run_on_start: 'yes' - skip_on_error: 'yes' - s3: - - name: null - bucket_type: null - path: null - only_logs_after: null - access_key: null - secret_key: null - labels: - enable: false - list: - - key: Env - value: Production +# NOTE: As wazuh_manager_config is built dynamically per playbooks and ansible.cfg provided in the repo, +# we should also cover the case for partial settings in inventory variables overlayed on top of role's +# defaults with merge hash_behaviour. If you do a full replace instead of the hash_behaviour, set this to false. 
+# +# Please do notice this behaviour is deprecated in 2.13 and role will move away from it in future versions: +# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour +# +wazuh_manager_config_overlay: true + +## Other/Wrappers +wazuh_manager_config_defaults: + repo: '{{ wazuh_manager_repo }}' + json_output: '{{ wazuh_manager_json_output }}' + alerts_log: '{{ wazuh_manager_alerts_log }}' + logall: '{{ wazuh_manager_logall }}' + logall_json: '{{ wazuh_manager_logall_json }}' + log_format: '{{ wazuh_manager_log_format }}' + api: '{{ wazuh_manager_api }}' + cluster: '{{ wazuh_manager_cluster }}' + connection: '{{ wazuh_manager_connection }}' + authd: '{{ wazuh_manager_authd }}' + email_notification: '{{ wazuh_manager_email_notification }}' + mail_to: '{{ wazuh_manager_mailto }}' + mail_smtp_server: '{{ wazuh_manager_email_smtp_server }}' + mail_from: '{{ wazuh_manager_email_from }}' + mail_maxperhour: '{{ wazuh_manager_email_maxperhour }}' + mail_queue_size: '{{ wazuh_manager_email_queue_size }}' + email_log_source: '{{ wazuh_manager_email_log_source }}' + extra_emails: '{{ wazuh_manager_extra_emails }}' + reports: '{{ wazuh_manager_reports}}' + syscheck: '{{ wazuh_manager_syscheck }}' + rootcheck: '{{ wazuh_manager_rootcheck }}' + openscap: '{{ wazuh_manager_openscap }}' + cis_cat: '{{ wazuh_manager_ciscat }}' + osquery: '{{ wazuh_manager_osquery }}' + syscollector: '{{ wazuh_manager_syscollector }}' + sca: '{{ wazuh_manager_sca }}' + vulnerability_detector: '{{ wazuh_manager_vulnerability_detector }}' + log_level: '{{ wazuh_manager_log_level }}' + email_level: '{{ wazuh_manager_email_level }}' + localfiles: '{{ wazuh_manager_localfiles }}' + globals: '{{ wazuh_manager_globals }}' + commands: '{{ wazuh_manager_commands }}' + ruleset: '{{ wazuh_manager_ruleset }}' + rule_exclude: '{{ wazuh_manager_rule_exclude }}' + syslog_outputs: '{{ wazuh_manager_syslog_outputs }}' + integrations: '{{ wazuh_manager_integrations }}' + 
monitor_aws: '{{ wazuh_manager_monitor_aws }}' + labels: '{{ wazuh_manager_labels }}' + +# shared-agent.conf # shared_agent_config: - # - type: os - # type_value: Linux - # syscheck: - # frequency: 43200 - # scan_on_start: 'yes' - # ignore: - # - /etc/mtab - # - /etc/mnttab - # - /etc/hosts.deny - # - /etc/mail/statistics - # - /etc/svc/volatile - # no_diff: - # - /etc/ssl/private.key - # rootcheck: - # frequency: 43200 - # cis_distribution_filename: null - # localfiles: - # - format: 'syslog' - # location: '/var/log/messages' - # - format: 'syslog' - # location: '/var/log/secure' - # - format: 'syslog' - # location: '/var/log/maillog' - # - format: 'apache' - # location: '/var/log/httpd/error_log' - # - format: 'apache' - # location: '/var/log/httpd/access_log' - # - format: 'apache' - # location: '/var/ossec/logs/active-responses.log' - # - type: os - # type_value: Windows - # syscheck: - # frequency: 43200 - # scan_on_start: 'yes' - # auto_ignore: 'no' - # windows_registry: - # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - # arch: 'both' - # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' - # localfiles: - # - location: 'Security' - # format: 'eventchannel' - # - location: 'System' - # format: 'eventlog' - -nodejs: - repo_dict: - debian: "deb" - redhat: "rpm" - repo_url_ext: "nodesource.com/setup_10.x" - -agent_groups: [] # groups to create +# - type: os +# type_value: Linux +# syscheck: +# frequency: 43200 +# scan_on_start: 'yes' +# ignore: +# - /etc/mtab +# - /etc/mnttab +# - /etc/hosts.deny +# - /etc/mail/statistics +# - /etc/svc/volatile +# no_diff: +# - /etc/ssl/private.key +# rootcheck: +# frequency: 43200 +# cis_distribution_filename: null +# localfiles: +# - format: 'syslog' +# location: '/var/log/messages' +# - format: 'syslog' +# location: '/var/log/secure' +# - format: 'syslog' +# location: '/var/log/maillog' +# - format: 'apache' +# location: '/var/log/httpd/error_log' +# - format: 'apache' +# location: '/var/log/httpd/access_log' +# - 
format: 'apache' +# location: '/var/ossec/logs/active-responses.log' +# - type: os +# type_value: Windows +# syscheck: +# frequency: 43200 +# scan_on_start: 'yes' +# auto_ignore: 'no' +# windows_registry: +# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' +# arch: 'both' +# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' +# localfiles: +# - location: 'Security' +# format: 'eventchannel' +# - location: 'System' +# format: 'eventlog' diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index fb0be0e0..24274b4a 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -1,4 +1,12 @@ --- + +- name: Overlay wazuh_manager_config on top of defaults + set_fact: + wazuh_manager_config: '{{ wazuh_manager_config_defaults | combine(config_layer, recursive=True) }}' + vars: + config_layer: '{{ wazuh_manager_config | default({}) }}' + when: wazuh_manager_config_overlay | bool + - name: "Install dependencies" package: name:
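Review bot: The comment above `wazuh_manager_config_overlay: true` never says what the overlay does to lists, and that is the part an operator overriding `wazuh_manager_commands`, `wazuh_manager_connection` or `syscheck.ignore` will trip over: the `combine(..., recursive=True)` in the companion tasks/main.yml hunk merges mapping keys but replaces any list wholesale, so a partial inventory `wazuh_manager_config` with a one-item `commands:` list drops the other eight defaults. I would replace the NOTE paragraph with `# true: a partial wazuh_manager_config from inventory is merged onto wazuh_manager_config_defaults (mapping keys recursively; lists are replaced whole, not appended).` and `# false: you must supply a complete wazuh_manager_config yourself.`, keeping the deprecation link. Two smaller points in the same hunk: `reports: '{{ wazuh_manager_reports}}'` is missing the space before `}}` that every other wrapper has, and the `wazuh_manager_api` block carries over mixed `no`/`yes`/`False` truthy spellings while the other new top-level variables use quoted `'yes'`/`'no'` or `true`/`false`; `true`/`false` throughout would avoid YAML 1.1 ambiguity. The `key:` under `wazuh_manager_cluster` is likewise carried over as a fixed value in the role's published defaults; a one-line comment asking operators to set their own value per deployment would help.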
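Review bot: The `set_fact` overlay cannot win against a `wazuh_manager_config` passed as an extra var (`-e` / `--extra-vars`), because extra vars outrank set_fact in Ansible precedence, so a partial config supplied that way is consumed unmerged and silently loses every default — the opposite of what `wazuh_manager_config_overlay: true` promises. This needs at least a comment on the task, e.g. `# NOTE: extra-vars outrank set_fact; pass a partial config via inventory/group_vars, not -e`, and ideally a README mention. Also, `combine(..., recursive=True)` replaces lists rather than merging them, so the task name could say so: `Overlay wazuh_manager_config on top of defaults (lists are replaced, not merged)`. If other tasks in this role are tagged (not visible here), this untagged task would be skipped on `--tags` runs and leave `wazuh_manager_config` undefined; `tags: always` on it would avoid that.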