Merge master changes

roles/elastic-stack/ansible-elasticsearch/defaults/main.yml

@@ -27,9 +27,8 @@ elasticsearch_discovery_nodes:
 elasticsearch_node_data: true
 elasticsearch_node_ingest: true
 
-# X-Pack Security 
+# X-Pack Security
 elasticsearch_xpack_security: false
-elasticsearch_xpack_security_user: elastic
 elasticsearch_xpack_security_password: elastic_pass
 
 node_certs_generator: false

roles/elastic-stack/ansible-kibana/defaults/main.yml

@@ -31,8 +31,6 @@ kibana_ssl_verification_mode: "full"
 elasticsearch_xpack_security_user: elastic
 elasticsearch_xpack_security_password: elastic_pass
 
-node_certs_generator: false
-node_certs_source: /usr/share/elasticsearch
 node_certs_destination: /etc/kibana/certs
 
 # CA Generation

roles/opendistro/opendistro-elasticsearch/defaults/main.yml

@@ -1,8 +1,5 @@
 ---
 # Cluster Settings
-es_version: "7.9.1"
-es_major_version: "7.x"
-
 opendistro_version: 1.11.0
 
 single_node: false
@@ -38,13 +35,8 @@ package_repos:
 opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
 opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools
 opendistro_conf_path: /etc/elasticsearch/
-es_nodes: |-
-        {% for item in groups['es_cluster'] -%}
-          {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
-        {%- endfor %}
 
 # Security password
-opendistro_security_password: admin
 opendistro_custom_user: ""
 opendistro_custom_user_role: "admin"
 
@@ -58,11 +50,6 @@ certs_gen_tool_version: 1.8
 # Url of Search Guard certificates generator tool
 certs_gen_tool_url: "https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
 
-elasticrepo:
-  apt: 'https://artifacts.elastic.co/packages/7.x/apt'
-  yum: 'https://artifacts.elastic.co/packages/7.x/yum'
-  gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro'
-  key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
 
 opendistro_admin_password: changeme
 opendistro_kibana_password: changeme

roles/opendistro/opendistro-kibana/defaults/main.yml

@@ -2,10 +2,6 @@
 
 # Kibana configuration
 elasticsearch_http_port: 9200
-elasticsearch_nodes: |-
-        {% for item in groups['es_cluster'] -%}
-          {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
-        {%- endfor %}
 elastic_api_protocol: https
 kibana_conf_path: /etc/kibana
 kibana_node_name: node-1
@@ -44,7 +40,6 @@ kibana_newsfeed_enabled: "false"
 kibana_telemetry_optin: "false"
 kibana_telemetry_enabled: "false"
 
-opendistro_security_user: elastic
 opendistro_admin_password: changeme
 opendistro_kibana_user: kibanaserver
 opendistro_kibana_password: changeme

roles/wazuh/ansible-filebeat-oss/README.md

@@ -19,7 +19,6 @@ Role Variables
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
 ```
-  filebeat_output_elasticsearch_enabled: false
   filebeat_output_elasticsearch_hosts:
     - "localhost:9200"
 

roles/wazuh/ansible-filebeat-oss/defaults/main.yml

@@ -3,9 +3,6 @@ filebeat_version: 7.9.1
 
 wazuh_template_branch: v4.0.1
 
-filebeat_create_config: true
-
-filebeat_output_elasticsearch_enabled: false
 filebeat_output_elasticsearch_hosts:
   - "localhost:9200"
 
@@ -18,8 +15,6 @@ elasticsearch_security_user: admin
 elasticsearch_security_password: changeme
 # Security plugin
 filebeat_security: true
-filebeat_security_user: admin
-filebeat_security_password: changeme
 filebeat_ssl_dir: /etc/pki/filebeat
 
 # Local path to store the generated certificates (OpenDistro security plugin)

roles/wazuh/ansible-filebeat/README.md

@@ -19,7 +19,6 @@ Role Variables
 Available variables are listed below, along with default values (see `defaults/main.yml`):
 
 ```
-  filebeat_output_elasticsearch_enabled: false
   filebeat_output_elasticsearch_hosts:
     - "localhost:9200"
 

roles/wazuh/ansible-filebeat/defaults/main.yml

@@ -5,29 +5,11 @@ wazuh_template_branch: v4.0.1
 
 filebeat_create_config: true
 
-filebeat_prospectors:
-  - input_type: log
-    paths:
-      - "/var/ossec/logs/alerts/alerts.json"
-    document_type: json
-    json.message_key: log
-    json.keys_under_root: true
-    json.overwrite_keys: true
-
 filebeat_node_name: node-1
 
-filebeat_output_elasticsearch_enabled: false
 filebeat_output_elasticsearch_hosts:
   - "localhost:9200"
 
-filebeat_enable_logging: true
-filebeat_log_level: debug
-filebeat_log_dir: /var/log/mybeat
-filebeat_log_filename: mybeat.log
-filebeat_ssl_dir: /etc/pki/filebeat
-filebeat_ssl_certificate_file: ""
-filebeat_ssl_insecure: "false"
-
 filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
 filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
 filebeat_module_package_path: /tmp/
@@ -40,11 +22,8 @@ filebeat_xpack_security: false
 elasticsearch_xpack_security_user: elastic
 elasticsearch_xpack_security_password: elastic_pass
 
-node_certs_generator : false
-node_certs_source: /usr/share/elasticsearch
 node_certs_destination: /etc/filebeat/certs
 
-
 # CA Generation
 master_certs_path: "{{ playbook_dir }}/es_certs"
 generate_CA: true

roles/wazuh/ansible-wazuh-agent/defaults/main.yml

@@ -32,19 +32,11 @@ wazuh_agent_sources_installation:
   user_agent_config_profile: null
   user_ca_store: "/var/ossec/wpk_root.pem"
 
-wazuh_managers:
-  - address: 127.0.0.1
-    port: 1514
-    protocol: tcp
-    api_port: 55000
-    api_proto: 'http'
-    api_user: null
-    max_retries: 5
-    retry_interval: 5
 wazuh_api_reachable_from_agent: false
 wazuh_profile_centos: 'centos, centos7, centos7.6'
 wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
 wazuh_auto_restart: 'yes'
+
 wazuh_agent_authd:
   registration_address: 127.0.0.1
   enable: false
@@ -69,234 +61,294 @@ wazuh_winagent_config:
   md5: f2444d89dab2c4c31bbdef454c95eb28
 wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.1-1.msi
 wazuh_winagent_package_name: wazuh-agent-4.0.1-1.msi
-wazuh_agent_config:
-  repo:
-    apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
-    yum: 'https://packages.wazuh.com/4.x/yum/'
-    gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
-    key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
-  active_response:
-    ar_disabled: 'no'
-    ca_store: '/var/ossec/etc/wpk_root.pem'
-    ca_store_win: 'wpk_root.pem'
-    ca_verification: 'yes'
-  log_format: 'plain'
-  client_buffer:
-    disable: 'no'
-    queue_size: '5000'
-    events_per_sec: '500'
-  syscheck:
-    frequency: 43200
-    scan_on_start: 'yes'
-    auto_ignore: 'no'
-    win_audit_interval: 60
-    skip_nfs: 'yes'
-    skip_dev: 'yes'
-    skip_proc: 'yes'
-    skip_sys: 'yes'
-    process_priority: 10
-    max_eps: 100
-    sync_enabled: 'yes'
-    sync_interval: '5m'
-    sync_max_interval: '1h'
-    sync_max_eps: 10
-    ignore:
-      - /etc/mtab
-      - /etc/hosts.deny
-      - /etc/mail/statistics
-      - /etc/random-seed
-      - /etc/random.seed
-      - /etc/adjtime
-      - /etc/httpd/logs
-      - /etc/utmpx
-      - /etc/wtmpx
-      - /etc/cups/certs
-      - /etc/dumpdates
-      - /etc/svc/volatile
-    ignore_linux_type:
-      - '.log$|.swp$'
-    ignore_win:
-      - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
-    no_diff:
-      - /etc/ssl/private.key
-    directories:
-      - dirs: /etc,/usr/bin,/usr/sbin
-        checks: ''
-      - dirs: /bin,/sbin,/boot
-        checks: ''
-    win_directories:
-      - dirs: '%WINDIR%'
-        checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
-      - dirs: '%WINDIR%\SysNative'
-        checks: >-
-          recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
-          net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
-      - dirs: '%WINDIR%\SysNative\drivers\etc%'
-        checks: 'recursion_level="0"'
-      - dirs: '%WINDIR%\SysNative\wbem'
-        checks: 'recursion_level="0" restrict="WMIC.exe$"'
-      - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
-        checks: 'recursion_level="0" restrict="powershell.exe$"'
-      - dirs: '%WINDIR%\SysNative'
-        checks: 'recursion_level="0" restrict="winrm.vbs$"'
-      - dirs: '%WINDIR%\System32'
-        checks: >-
-          recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
-          netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
-      - dirs: '%WINDIR%\System32\drivers\etc'
-        checks: 'recursion_level="0"'
-      - dirs: '%WINDIR%\System32\wbem'
-        checks: 'recursion_level="0" restrict="WMIC.exe$"'
-      - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
-        checks: 'recursion_level="0" restrict="powershell.exe$"'
-      - dirs: '%WINDIR%\System32'
-        checks: 'recursion_level="0" restrict="winrm.vbs$"'
-      - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
-        checks: 'realtime="yes"'
 
-    windows_registry:
+wazuh_agent_repo:
-      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
+  apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
+  yum: 'https://packages.wazuh.com/4.x/yum/'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
+  gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
+  key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
+
-      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
-        arch: "both"
-      - key: 'HKEY_LOCAL_MACHINE\Software\Policies'
-        arch: "both"
-      - key: 'HKEY_LOCAL_MACHINE\Security'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
-        arch: "both"
-      - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
-      - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
-      - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
-        arch: "both"
-      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
-        arch: "both"
-      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
-      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
-        arch: "both"
-      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
-        arch: "both"
-      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
-        arch: "both"
-      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
-        arch: "both"
-      - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
-        arch: "both"
-    windows_registry_ignore:
-      - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
-      - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
-      - key: '\Enum$'
-        type: "sregex"
-  rootcheck:
-    frequency: 43200
-  openscap:
-    disable: 'yes'
-    timeout: 1800
-    interval: '1d'
-    scan_on_start: 'yes'
-  osquery:
-    disable: 'yes'
-    run_daemon: 'yes'
-    bin_path_win: 'C:\Program Files\osquery\osqueryd'
-    log_path: '/var/log/osquery/osqueryd.results.log'
-    log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
-    config_path: '/etc/osquery/osquery.conf'
-    config_path_win: 'C:\Program Files\osquery\osquery.conf'
-    add_labels: 'yes'
-  syscollector:
-    disable: 'no'
-    interval: '1h'
-    scan_on_start: 'yes'
-    hardware: 'yes'
-    os: 'yes'
-    network: 'yes'
-    packages: 'yes'
-    ports_no: 'yes'
-    processes: 'yes'
-  sca:
-    enabled: 'yes'
-    scan_on_start: 'yes'
-    interval: '12h'
-    skip_nfs: 'yes'
-    day: ''
-    wday: ''
-    time: ''
-  cis_cat:
-    disable: 'yes'
-    install_java: 'no'
-    timeout: 1800
-    interval: '1d'
-    scan_on_start: 'yes'
-    java_path: 'wodles/java'
-    java_path_win: '\\server\jre\bin\java.exe'
-    ciscat_path: 'wodles/ciscat'
-    ciscat_path_win: 'C:\cis-cat'
-  localfiles:
-    debian:
-      - format: 'syslog'
-        location: '/var/log/auth.log'
-      - format: 'syslog'
-        location: '/var/log/syslog'
-      - format: 'syslog'
-        location: '/var/log/dpkg.log'
-      - format: 'syslog'
-        location: '/var/log/kern.log'
-    centos:
-      - format: 'syslog'
-        location: '/var/log/messages'
-      - format: 'syslog'
-        location: '/var/log/secure'
-      - format: 'syslog'
-        location: '/var/log/maillog'
-      - format: 'audit'
-        location: '/var/log/audit/audit.log'
-    linux:
-      - format: 'syslog'
-        location: '/var/ossec/logs/active-responses.log'
-      - format: 'full_command'
-        command: 'last -n 20'
-        frequency: '360'
-      - format: 'command'
-        command: df -P
-        frequency: '360'
-      - format: 'full_command'
-        command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
-        alias: 'netstat listening ports'
-        frequency: '360'
-    windows:
-      - format: 'eventlog'
-        location: 'Application'
-      - format: 'eventchannel'
-        location: 'Security'
-        query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
-      - format: 'eventlog'
-        location: 'System'
-      - format: 'syslog'
-        location: 'active-response\active-responses.log'
-  labels:
-    enable: false
-    list:
-      - key: Env
-        value: Production
-  enrollment:
-    enabled: ''
-    manager_address: ''
-    port: 1515
-    agent_name: 'testname'
-    groups: ''
-    agent_address: ''
-    ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
-    server_ca_path: ''
-    agent_certificate_path: ''
-    agent_key_path: ''
-    authorization_pass_path : /var/ossec/etc/authd.pass
-    auto_method: 'no'
-    delay_after_enrollment: 20
-    use_source_ip: 'no'
 wazuh_agent_nat: false
+
+##########################################
+### Wazuh
+##########################################
+
+wazuh_agent_config_overlay: yes
+
+## Client
+wazuh_managers:
+  - address: 127.0.0.1
+    port: 1514
+    protocol: tcp
+    api_port: 55000
+    api_proto: 'http'
+    api_user: null
+    max_retries: 5
+    retry_interval: 5
+
+## Enrollment
+wazuh_agent_enrollment:
+  enabled: ''
+  manager_address: ''
+  port: 1515
+  agent_name: 'testname'
+  groups: ''
+  agent_address: ''
+  ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
+  server_ca_path: ''
+  agent_certificate_path: ''
+  agent_key_path: ''
+  authorization_pass_path: /var/ossec/etc/authd.pass
+  auto_method: 'no'
+  delay_after_enrollment: 20
+  use_source_ip: 'no'
+
+## Client buffer
+wazuh_agent_client_buffer:
+  disable: 'no'
+  queue_size: '5000'
+  events_per_sec: '500'
+
+## Rootcheck
+wazuh_agent_rootcheck:
+  frequency: 43200
+
+## Wodles
+wazuh_agent_openscap:
+  disable: 'yes'
+  timeout: 1800
+  interval: '1d'
+  scan_on_start: 'yes'
+
+wazuh_agent_cis_cat:
+  disable: 'yes'
+  install_java: 'no'
+  timeout: 1800
+  interval: '1d'
+  scan_on_start: 'yes'
+  java_path: 'wodles/java'
+  java_path_win: '\\server\jre\bin\java.exe'
+  ciscat_path: 'wodles/ciscat'
+  ciscat_path_win: 'C:\cis-cat'
+
+wazuh_agent_osquery:
+  disable: 'yes'
+  run_daemon: 'yes'
+  bin_path_win: 'C:\Program Files\osquery\osqueryd'
+  log_path: '/var/log/osquery/osqueryd.results.log'
+  log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
+  config_path: '/etc/osquery/osquery.conf'
+  config_path_win: 'C:\Program Files\osquery\osquery.conf'
+  add_labels: 'yes'
+
+wazuh_agent_syscollector:
+  disable: 'no'
+  interval: '1h'
+  scan_on_start: 'yes'
+  hardware: 'yes'
+  os: 'yes'
+  network: 'yes'
+  packages: 'yes'
+  ports_no: 'yes'
+  processes: 'yes'
+
+## SCA
+wazuh_agent_sca:
+  enabled: 'yes'
+  scan_on_start: 'yes'
+  interval: '12h'
+  skip_nfs: 'yes'
+  day: ''
+  wday: ''
+  time: ''
+
+## Syscheck
+wazuh_agent_syscheck:
+  frequency: 43200
+  scan_on_start: 'yes'
+  auto_ignore: 'no'
+  win_audit_interval: 60
+  skip_nfs: 'yes'
+  skip_dev: 'yes'
+  skip_proc: 'yes'
+  skip_sys: 'yes'
+  process_priority: 10
+  max_eps: 100
+  sync_enabled: 'yes'
+  sync_interval: '5m'
+  sync_max_interval: '1h'
+  sync_max_eps: 10
+  ignore:
+    - /etc/mtab
+    - /etc/hosts.deny
+    - /etc/mail/statistics
+    - /etc/random-seed
+    - /etc/random.seed
+    - /etc/adjtime
+    - /etc/httpd/logs
+    - /etc/utmpx
+    - /etc/wtmpx
+    - /etc/cups/certs
+    - /etc/dumpdates
+    - /etc/svc/volatile
+  ignore_linux_type:
+    - '.log$|.swp$'
+  ignore_win:
+    - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
+  no_diff:
+    - /etc/ssl/private.key
+  directories:
+    - dirs: /etc,/usr/bin,/usr/sbin
+      checks: ''
+    - dirs: /bin,/sbin,/boot
+      checks: ''
+  win_directories:
+    - dirs: '%WINDIR%'
+      checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
+    - dirs: '%WINDIR%\SysNative'
+      checks: >-
+        recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
+        net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
+    - dirs: '%WINDIR%\SysNative\drivers\etc%'
+      checks: 'recursion_level="0"'
+    - dirs: '%WINDIR%\SysNative\wbem'
+      checks: 'recursion_level="0" restrict="WMIC.exe$"'
+    - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
+      checks: 'recursion_level="0" restrict="powershell.exe$"'
+    - dirs: '%WINDIR%\SysNative'
+      checks: 'recursion_level="0" restrict="winrm.vbs$"'
+    - dirs: '%WINDIR%\System32'
+      checks: >-
+        recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
+        netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
+    - dirs: '%WINDIR%\System32\drivers\etc'
+      checks: 'recursion_level="0"'
+    - dirs: '%WINDIR%\System32\wbem'
+      checks: 'recursion_level="0" restrict="WMIC.exe$"'
+    - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
+      checks: 'recursion_level="0" restrict="powershell.exe$"'
+    - dirs: '%WINDIR%\System32'
+      checks: 'recursion_level="0" restrict="winrm.vbs$"'
+    - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
+      checks: 'realtime="yes"'
+  windows_registry:
+    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
+      arch: "both"
+    - key: 'HKEY_LOCAL_MACHINE\Software\Policies'
+      arch: "both"
+    - key: 'HKEY_LOCAL_MACHINE\Security'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
+      arch: "both"
+    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
+    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
+    - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
+      arch: "both"
+    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
+      arch: "both"
+    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
+    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
+      arch: "both"
+    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
+      arch: "both"
+    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
+      arch: "both"
+    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+      arch: "both"
+    - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
+      arch: "both"
+  windows_registry_ignore:
+    - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
+    - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
+    - key: '\Enum$'
+      type: "sregex"
+
+## Localfile
+wazuh_agent_localfiles:
+  debian:
+    - format: 'syslog'
+      location: '/var/log/auth.log'
+    - format: 'syslog'
+      location: '/var/log/syslog'
+    - format: 'syslog'
+      location: '/var/log/dpkg.log'
+    - format: 'syslog'
+      location: '/var/log/kern.log'
+  centos:
+    - format: 'syslog'
+      location: '/var/log/messages'
+    - format: 'syslog'
+      location: '/var/log/secure'
+    - format: 'syslog'
+      location: '/var/log/maillog'
+    - format: 'audit'
+      location: '/var/log/audit/audit.log'
+  linux:
+    - format: 'syslog'
+      location: '/var/ossec/logs/active-responses.log'
+    - format: 'full_command'
+      command: 'last -n 20'
+      frequency: '360'
+    - format: 'command'
+      command: df -P
+      frequency: '360'
+    - format: 'full_command'
+      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
+      alias: 'netstat listening ports'
+      frequency: '360'
+  windows:
+    - format: 'eventlog'
+      location: 'Application'
+    - format: 'eventchannel'
+      location: 'Security'
+      query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
+    - format: 'eventlog'
+      location: 'System'
+    - format: 'syslog'
+      location: 'active-response\active-responses.log'
+
+## Labels
+wazuh_agent_labels:
+  enable: false
+  list:
+    - key: Env
+      value: Production
+
+## Active response
+wazuh_agent_active_response:
+  ar_disabled: 'no'
+  ca_store: '/var/ossec/etc/wpk_root.pem'
+  ca_store_win: 'wpk_root.pem'
+  ca_verification: 'yes'
+
+## Logging
+wazuh_agent_log_format: 'plain'
+
+# wazuh_agent_config
+wazuh_agent_config_defaults:
+  repo: '{{ wazuh_agent_repo }}'
+  active_response: '{{ wazuh_agent_active_response }}'
+  log_format: '{{ wazuh_agent_log_format }}'
+  client_buffer: '{{ wazuh_agent_client_buffer }}'
+  syscheck: '{{ wazuh_agent_syscheck }}'
+
+  rootcheck: '{{ wazuh_agent_rootcheck }}'
+  openscap: '{{ wazuh_agent_openscap }}'
+
+  osquery: '{{ wazuh_agent_osquery }}'
+  syscollector: '{{ wazuh_agent_syscollector }}'
+  sca: '{{ wazuh_agent_sca }}'
+  cis_cat: '{{ wazuh_agent_cis_cat }}'
+  localfiles: '{{ wazuh_agent_localfiles }}'
+
+  labels: '{{ wazuh_agent_labels }}'
+  enrollment: '{{ wazuh_agent_enrollment }}'

roles/wazuh/ansible-wazuh-agent/tasks/main.yml

@@ -1,4 +1,12 @@
 ---
+
+- name: Overlay wazuh_agent_config on top of defaults
+  set_fact:
+    wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) }}'
+  vars:
+    config_layer: '{{ wazuh_agent_config | default({}) }}'
+  when: wazuh_agent_config_overlay | bool
+
 - include_tasks: "Windows.yml"
   when: ansible_os_family == "Windows"