Updates to adapt ossec.conf templates to Wazuh v3.12 default ones
This commit is contained in:
Zenidd
parent
14e2a6bb47
commit
dfc7bbf4b3
@ -87,8 +87,17 @@ wazuh_agent_config:
|
|||||||
scan_on_start: 'yes'
|
scan_on_start: 'yes'
|
||||||
auto_ignore: 'no'
|
auto_ignore: 'no'
|
||||||
alert_new_files: 'yes'
|
alert_new_files: 'yes'
|
||||||
win_audit_interval: 300
|
win_audit_interval: 60
|
||||||
skip_nfs: 'yes'
|
skip_nfs: 'yes'
|
||||||
|
skip_dev: 'yes'
|
||||||
|
skip_proc: 'yes'
|
||||||
|
skip_sys: 'yes'
|
||||||
|
process_priority: 10
|
||||||
|
max_eps: 100
|
||||||
|
sync_enabled: 'yes'
|
||||||
|
sync_interval: '5m'
|
||||||
|
sync_max_interval: '1h'
|
||||||
|
sync_max_eps: 10
|
||||||
ignore:
|
ignore:
|
||||||
- /etc/mtab
|
- /etc/mtab
|
||||||
- /etc/hosts.deny
|
- /etc/hosts.deny
|
||||||
@ -114,106 +123,39 @@ wazuh_agent_config:
|
|||||||
- /etc/ssl/private.key
|
- /etc/ssl/private.key
|
||||||
directories:
|
directories:
|
||||||
- dirs: /etc,/usr/bin,/usr/sbin
|
- dirs: /etc,/usr/bin,/usr/sbin
|
||||||
checks: 'check_all="yes"'
|
checks: ''
|
||||||
- dirs: /bin,/sbin,/boot
|
- dirs: /bin,/sbin,/boot
|
||||||
checks: 'check_all="yes"'
|
checks: ''
|
||||||
win_directories:
|
win_directories:
|
||||||
- dirs: '%WINDIR%\regedit.exe'
|
- dirs: '%WINDIR%'
|
||||||
checks: 'check_all="yes"'
|
checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
|
||||||
- dirs: '%WINDIR%\system.ini'
|
- dirs: '%WINDIR%\SysNative'
|
||||||
checks: 'check_all="yes"'
|
checks: >-
|
||||||
- dirs: '%WINDIR%\win.ini'
|
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
|
||||||
checks: 'check_all="yes"'
|
net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
|
||||||
- dirs: '%WINDIR%\SysNative\at.exe'
|
- dirs: '%WINDIR%\SysNative\drivers\etc%'
|
||||||
checks: 'check_all="yes"'
|
checks: 'recursion_level="0"'
|
||||||
- dirs: '%WINDIR%\SysNative\attrib.exe'
|
- dirs: '%WINDIR%\SysNative\wbem'
|
||||||
checks: 'check_all="yes"'
|
checks: 'recursion_level="0" restrict="WMIC.exe$"'
|
||||||
- dirs: '%WINDIR%\SysNative\cacls.exe'
|
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
|
||||||
checks: 'check_all="yes"'
|
checks: 'recursion_level="0" restrict="powershell.exe$"'
|
||||||
- dirs: '%WINDIR%\SysNative\cmd.exe'
|
- dirs: '%WINDIR%\SysNative'
|
||||||
checks: 'check_all="yes"'
|
checks: 'recursion_level="0" restrict="winrm.vbs$"'
|
||||||
- dirs: '%WINDIR%\SysNative\drivers\etc'
|
- dirs: '%WINDIR%\System32'
|
||||||
checks: 'check_all="yes"'
|
checks: >-
|
||||||
- dirs: '%WINDIR%\SysNative\eventcreate.exe'
|
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
|
||||||
checks: 'check_all="yes"'
|
netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
|
||||||
- dirs: '%WINDIR%\SysNative\ftp.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\lsass.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\net.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\net1.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\netsh.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\reg.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\regedt32.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\regsvr32.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\runas.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\sc.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\schtasks.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\sethc.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\subst.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\wbem\WMIC.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\SysNative\winrm.vbs'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\at.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\attrib.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\cacls.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\cmd.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\drivers\etc'
|
- dirs: '%WINDIR%\System32\drivers\etc'
|
||||||
checks: 'check_all="yes"'
|
checks: 'recursion_level="0"'
|
||||||
- dirs: '%WINDIR%\System32\eventcreate.exe'
|
- dirs: '%WINDIR%\System32\wbem'
|
||||||
checks: 'check_all="yes"'
|
checks: 'recursion_level="0" restrict="WMIC.exe$"'
|
||||||
- dirs: '%WINDIR%\System32\ftp.exe'
|
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
|
||||||
checks: 'check_all="yes"'
|
checks: 'recursion_level="0" restrict="powershell.exe$"'
|
||||||
- dirs: '%WINDIR%\System32\net.exe'
|
- dirs: '%WINDIR%\System32'
|
||||||
checks: 'check_all="yes"'
|
checks: 'recursion_level="0" restrict="winrm.vbs$"'
|
||||||
- dirs: '%WINDIR%\System32\net1.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\netsh.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\reg.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\regedit.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\regedt32.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\regsvr32.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\runas.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\sc.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\schtasks.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\sethc.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\subst.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\wbem\WMIC.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%WINDIR%\System32\winrm.vbs'
|
|
||||||
checks: 'check_all="yes"'
|
|
||||||
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
|
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
|
||||||
checks: 'check_all="yes" realtime="yes"'
|
checks: 'realtime="yes"'
|
||||||
|
|
||||||
windows_registry:
|
windows_registry:
|
||||||
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
|
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
|
||||||
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
|
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
|
||||||
|
|||||||
@ -61,7 +61,6 @@
|
|||||||
<skip_nfs>yes</skip_nfs>
|
<skip_nfs>yes</skip_nfs>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if ansible_os_family == "Windows" %}
|
{% if ansible_os_family == "Windows" %}
|
||||||
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
|
|
||||||
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
|
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
|
||||||
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
|
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@ -248,6 +247,9 @@
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
|
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
|
||||||
|
<skip_dev>{{ wazuh_agent_config.syscheck.skip_dev }}</skip_dev>
|
||||||
|
<skip_proc>{{ wazuh_agent_config.syscheck.skip_proc }}</skip_proc>
|
||||||
|
<skip_sys>{{ wazuh_agent_config.syscheck.skip_sys }}</skip_sys>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if ansible_os_family == "Windows" %}
|
{% if ansible_os_family == "Windows" %}
|
||||||
@ -274,6 +276,20 @@
|
|||||||
<!-- Frequency for ACL checking (seconds) -->
|
<!-- Frequency for ACL checking (seconds) -->
|
||||||
<windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
|
<windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
<!-- Nice value for Syscheck module -->
|
||||||
|
<process_priority>{{ wazuh_agent_config.syscheck.process_priority }}</process_priority>
|
||||||
|
|
||||||
|
<!-- Maximum output throughput -->
|
||||||
|
<max_eps>{{ wazuh_agent_config.syscheck.max_eps }}</max_eps>
|
||||||
|
|
||||||
|
<!-- Database synchronization settings -->
|
||||||
|
<synchronization>
|
||||||
|
<enabled>{{ wazuh_agent_config.syscheck.sync_enabled }}</enabled>
|
||||||
|
<interval>{{ wazuh_agent_config.syscheck.interval }}</interval>
|
||||||
|
<max_interval>{{ wazuh_agent_config.syscheck.max_interval }}</max_interval>
|
||||||
|
<max_eps>{{ wazuh_agent_config.syscheck.max_eps }}</max_eps>
|
||||||
|
</synchronization>
|
||||||
</syscheck>
|
</syscheck>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user