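---
# Role defaults for the Wazuh manager. Everything in this file is a default
# meant to be overridden from inventory / group_vars.
#
# Quoting convention: values written as 'yes' / 'no' are rendered verbatim into
# ossec.conf by the role templates and therefore stay strings on purpose. Real
# YAML booleans (true / false) are used only where the consuming template
# expects a boolean.

wazuh_manager_version: 4.1.3-1
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present

# Custom packages installation
wazuh_custom_packages_installation_manager_enabled: false
wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"

# Sources installation
# Answers for the unattended source installer; "y" / "n" are passed through as
# strings and null leaves the installer's own default in place.
wazuh_manager_sources_installation:
  enabled: false
  branch: "v4.1.3"
  user_language: "en"
  user_no_stop: "y"
  user_install_type: "server"
  user_dir: "/var/ossec"
  user_delete_dir: null
  user_enable_active_response: null
  user_enable_syscheck: "y"
  user_enable_rootcheck: "y"
  user_enable_openscap: "n"
  user_enable_authd: "y"
  user_generate_authd_cert: null
  user_update: "y"
  user_binaryinstall: null
  user_enable_email: "n"
  user_auto_start: "y"
  user_email_address: null
  # NOTE(review): looks like a typo of "smtp", but the key name is presumably
  # consumed elsewhere in the role — confirm before renaming.
  user_email_smpt: null
  user_enable_syslog: "n"
  user_white_list: "n"
  user_ca_store: null
  threads: "2"

wazuh_dir: "/var/ossec"

# Package repository and the GPG key used to verify it.
wazuh_manager_repo:
  apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
  yum: 'https://packages.wazuh.com/4.x/yum/'
  gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
  key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'

##########################################
### Wazuh-OSSEC
##########################################

# groups to create
agent_groups: []

## Global
wazuh_manager_json_output: 'yes'
wazuh_manager_alerts_log: 'yes'
wazuh_manager_logall: 'no'
wazuh_manager_logall_json: 'no'
wazuh_manager_email_notification: 'no'
wazuh_manager_mailto:
  - 'admin@example.net'
wazuh_manager_email_smtp_server: smtp.example.wazuh.com
wazuh_manager_email_from: ossecm@example.wazuh.com
wazuh_manager_email_maxperhour: 12
wazuh_manager_email_queue_size: 131072
wazuh_manager_email_log_source: 'alerts.log'
wazuh_manager_globals:
  - '127.0.0.1'
  - '^localhost.localdomain$'
  - '127.0.0.53'
wazuh_manager_agent_disconnection_time: '20s'
wazuh_manager_agents_disconnection_alert_time: '100s'

## Alerts
wazuh_manager_log_level: 3
wazuh_manager_email_level: 12

## Logging
wazuh_manager_log_format: 'plain'

## Email alerts
wazuh_manager_extra_emails:
  - enable: false
    mail_to: 'recipient@example.wazuh.com'
    format: full
    level: 7
    event_location: null
    group: null
    do_not_delay: false
    do_not_group: false
    rule_id: null

## Remote
# Agent-to-manager channel; port is kept as a string because it is rendered
# verbatim into ossec.conf.
wazuh_manager_connection:
  - type: 'secure'
    port: '1514'
    protocol: 'tcp'
    queue_size: 131072

## Reports
wazuh_manager_reports:
  - enable: false
    category: 'syscheck'
    title: 'Daily report: File changes'
    email_to: 'recipient@example.wazuh.com'
    location: null
    group: null
    rule: null
    level: null
    srcip: null
    user: null
    showlogs: null

## Woodles
wazuh_manager_rootcheck:
  frequency: 43200

wazuh_manager_openscap:
  disable: 'yes'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'

wazuh_manager_ciscat:
  disable: 'yes'
  install_java: 'yes'
  timeout: 1800
  interval: '1d'
  scan_on_start: 'yes'
  java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
  ciscat_path: 'wodles/ciscat'

wazuh_manager_osquery:
  disable: 'yes'
  run_daemon: 'yes'
  log_path: '/var/log/osquery/osqueryd.results.log'
  config_path: '/etc/osquery/osquery.conf'
  ad_labels: 'yes'

wazuh_manager_syscollector:
  disable: 'no'
  interval: '1h'
  scan_on_start: 'yes'
  hardware: 'yes'
  os: 'yes'
  network: 'yes'
  packages: 'yes'
  ports_no: 'yes'
  processes: 'yes'

wazuh_manager_monitor_aws:
  disabled: 'yes'
  interval: '10m'
  run_on_start: 'yes'
  skip_on_error: 'yes'
  s3:
    - name: null
      bucket_type: null
      path: null
      only_logs_after: null
      # Supply credentials from a vault-encrypted variable (or an instance
      # role) rather than as plaintext defaults in this file.
      access_key: null
      secret_key: null

## SCA
wazuh_manager_sca:
  enabled: 'yes'
  scan_on_start: 'yes'
  interval: '12h'
  skip_nfs: 'yes'
  day: ''
  wday: ''
  time: ''

## Vulnerability Detector
# Provider names carry literal double quotes because the template interpolates
# them into an XML attribute as-is.
wazuh_manager_vulnerability_detector:
  enabled: 'no'
  interval: '5m'
  ignore_time: '6h'
  run_on_start: 'yes'
  providers:
    - enabled: 'no'
      os:
        - 'trusty'
        - 'xenial'
        - 'bionic'
      update_interval: '1h'
      name: '"canonical"'
    - enabled: 'no'
      os:
        - 'wheezy'
        - 'stretch'
        - 'jessie'
        - 'buster'
      update_interval: '1h'
      name: '"debian"'
    - enabled: 'no'
      update_from_year: '2010'
      update_interval: '1h'
      name: '"redhat"'
    - enabled: 'no'
      update_from_year: '2010'
      update_interval: '1h'
      name: '"nvd"'

## Syscheck
wazuh_manager_syscheck:
  disable: 'no'
  frequency: 43200
  scan_on_start: 'yes'
  auto_ignore: 'no'
  ignore:
    - /etc/mtab
    - /etc/hosts.deny
    - /etc/mail/statistics
    - /etc/random-seed
    - /etc/random.seed
    - /etc/adjtime
    - /etc/httpd/logs
    - /etc/utmpx
    - /etc/wtmpx
    - /etc/cups/certs
    - /etc/dumpdates
    - /etc/svc/volatile
  ignore_linux_type:
    - '.log$|.swp$'
  no_diff:
    - /etc/ssl/private.key
  directories:
    - dirs: /etc,/usr/bin,/usr/sbin
      checks: ''
    - dirs: /bin,/sbin,/boot
      checks: ''
  # frequency / timeframe are pre-rendered XML attributes, hence the quoting.
  auto_ignore_frequency:
    frequency: 'frequency="10"'
    timeframe: 'timeframe="3600"'
    value: 'no'
  skip_nfs: 'yes'
  skip_dev: 'yes'
  skip_proc: 'yes'
  skip_sys: 'yes'
  process_priority: 10
  max_eps: 100
  sync_enabled: 'yes'
  sync_interval: '5m'
  sync_max_interval: '1h'
  sync_max_eps: 10

## Command
# Active-response commands. Each executable is resolved by the manager from its
# active-response directory; review additions here carefully, since these run
# with the manager's privileges when a matching rule fires.
wazuh_manager_commands:
  - name: 'disable-account'
    executable: 'disable-account.sh'
    expect: 'user'
    timeout_allowed: 'yes'
  - name: 'restart-ossec'
    executable: 'restart-ossec.sh'
    expect: ''
  - name: 'firewall-drop'
    executable: 'firewall-drop.sh'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'host-deny'
    executable: 'host-deny.sh'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'route-null'
    executable: 'route-null.sh'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'win_route-null'
    executable: 'route-null.cmd'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'win_route-null-2012'
    executable: 'route-null-2012.cmd'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'netsh'
    executable: 'netsh.cmd'
    expect: 'srcip'
    timeout_allowed: 'yes'
  - name: 'netsh-win-2016'
    executable: 'netsh-win-2016.cmd'
    expect: 'srcip'
    timeout_allowed: 'yes'

## Localfile
wazuh_manager_localfiles:
  common:
    - format: 'command'
      command: df -P
      frequency: '360'
    # Plain scalar on purpose: the sed expression mixes single quotes and
    # backslashes that would need escaping in a quoted style.
    - format: 'full_command'
      command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
      alias: 'netstat listening ports'
      frequency: '360'
    - format: 'full_command'
      command: 'last -n 20'
      frequency: '360'
    - format: 'syslog'
      location: "{{ wazuh_dir }}/logs/active-responses.log"
  debian:
    - format: 'syslog'
      location: '/var/log/auth.log'
    - format: 'syslog'
      location: '/var/log/syslog'
    - format: 'syslog'
      location: '/var/log/dpkg.log'
    - format: 'syslog'
      location: '/var/log/kern.log'
  centos:
    - format: 'syslog'
      location: '/var/log/messages'
    - format: 'syslog'
      location: '/var/log/secure'
    - format: 'syslog'
      location: '/var/log/maillog'
    - format: 'audit'
      location: '/var/log/audit/audit.log'

## Syslog outputs
wazuh_manager_syslog_outputs:
  - server: null
    port: null
    format: null

## Integrations
wazuh_manager_integrations:
  # slack
  - name: null
    hook_url: ''
    alert_level: 10
    alert_format: 'json'
    rule_id: null
  # pagerduty
  - name: null
    api_key: ''
    alert_level: 12

## Labels
wazuh_manager_labels:
  enable: false
  list:
    - key: Env
      value: Production

## Ruleset
wazuh_manager_ruleset:
  rules_path: 'custom_ruleset/rules/'
  decoders_path: 'custom_ruleset/decoders/'
  cdb_lists:
    - 'audit-keys'
    - 'security-eventchannel'
    - 'amazon/aws-eventnames'

wazuh_manager_rule_exclude:
  - '0215-policy_rules.xml'

## Auth
# Agent enrollment service (authd) on TCP 1515.
# NOTE(review): with use_password 'no' there is presumably no shared secret
# gating enrollment, so network reachability of the port is the only control —
# restrict it, or set use_password 'yes' with a vault-supplied password.
# ssl_agent_ca null and ssl_verify_host 'no' mean enrolling agents are not
# checked against a CA; review before enrolling across untrusted networks.
wazuh_manager_authd:
  enable: true
  port: 1515
  use_source_ip: 'no'
  force_insert: 'yes'
  force_time: 0
  purge: 'yes'
  use_password: 'no'
  ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
  ssl_agent_ca: null
  ssl_verify_host: 'no'
  ssl_manager_cert: 'sslmanager.cert'
  ssl_manager_key: 'sslmanager.key'
  ssl_auto_negotiate: 'no'

## Cluster
wazuh_manager_cluster:
  disable: 'yes'
  name: 'wazuh'
  node_name: 'manager_01'
  node_type: 'master'
  # NOTE(review): this key is a role default committed to version control and
  # is presumably shared by every node in the cluster. Override it with a
  # vault-encrypted value before setting disable 'no'.
  key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
  port: '1516'
  bind_addr: '0.0.0.0'
  nodes:
    - 'manager'
  hidden: 'no'

## Wazuh API setup
# Booleans in this mapping are written as true / false. Ansible's YAML 1.1
# loader already read the former yes / no / False spellings as booleans, so the
# rendered values are unchanged; the canonical form is unambiguous for other
# parsers and for yamllint.
wazuh_manager_api:
  bind_addr: '0.0.0.0'  # listens on every interface; restrict or firewall TCP 55000
  port: 55000
  behind_proxy_server: false
  https: true
  https_key: "api/configuration/ssl/server.key"
  https_cert: "api/configuration/ssl/server.crt"
  https_use_ca: false
  https_ca: "api/configuration/ssl/ca.crt"
  https_ssl_cipher: "TLSv1.2"
  logging_level: "info"
  logging_path: "logs/api.log"
  cors: false
  # Wildcards below are presumably only consulted once cors is true; narrow
  # them to the origins that actually need access before enabling cors.
  cors_source_route: "*"
  cors_expose_headers: "*"
  cors_allow_headers: "*"
  cors_allow_credentials: false
  cache: true
  cache_time: 0.750
  access_max_login_attempts: 5
  access_block_time: 300
  access_max_request_per_minute: 300
  use_only_authd: false
  drop_privileges: true
  experimental_features: false
  # NOTE(review): the remote_commands_* keys appear to allow command-running
  # localfile / wodle entries to be managed through the API; keep them false
  # unless every API user is trusted to execute commands on the manager.
  remote_commands_localfile: true
  remote_commands_localfile_exceptions: []
  remote_commands_wodle: true
  remote_commands_wodle_exceptions: []

# Example only — real API credentials belong in a vault-encrypted variable.
# wazuh_api_users:
#   - username: custom-user
#     password: .S3cur3Pa55w0rd*-  # Must comply with requirements (8+ length, uppercase, lowercase, specials chars)

# NOTE: As wazuh_manager_config is built dynamically per playbooks and ansible.cfg provided in the repo,
# we should also cover the case for partial settings in inventory variables overlayed on top of role's
# defaults with merge hash_behaviour. If you do a full replace instead of the hash_behaviour, set this to false.
#
# Note that this behaviour is deprecated in Ansible 2.13 and the role will move away from it in future versions:
# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour
#
wazuh_manager_config_overlay: true

## Other/Wrappers
# Aggregates the individual wazuh_manager_* variables above into the single
# mapping the templates consume.
wazuh_manager_config_defaults:
  repo: '{{ wazuh_manager_repo }}'
  json_output: '{{ wazuh_manager_json_output }}'
  alerts_log: '{{ wazuh_manager_alerts_log }}'
  logall: '{{ wazuh_manager_logall }}'
  logall_json: '{{ wazuh_manager_logall_json }}'
  log_format: '{{ wazuh_manager_log_format }}'
  api: '{{ wazuh_manager_api }}'
  cluster: '{{ wazuh_manager_cluster }}'
  connection: '{{ wazuh_manager_connection }}'
  authd: '{{ wazuh_manager_authd }}'
  email_notification: '{{ wazuh_manager_email_notification }}'
  mail_to: '{{ wazuh_manager_mailto }}'
  mail_smtp_server: '{{ wazuh_manager_email_smtp_server }}'
  mail_from: '{{ wazuh_manager_email_from }}'
  mail_maxperhour: '{{ wazuh_manager_email_maxperhour }}'
  mail_queue_size: '{{ wazuh_manager_email_queue_size }}'
  email_log_source: '{{ wazuh_manager_email_log_source }}'
  extra_emails: '{{ wazuh_manager_extra_emails }}'
  reports: '{{ wazuh_manager_reports }}'
  syscheck: '{{ wazuh_manager_syscheck }}'
  rootcheck: '{{ wazuh_manager_rootcheck }}'
  openscap: '{{ wazuh_manager_openscap }}'
  cis_cat: '{{ wazuh_manager_ciscat }}'
  osquery: '{{ wazuh_manager_osquery }}'
  syscollector: '{{ wazuh_manager_syscollector }}'
  sca: '{{ wazuh_manager_sca }}'
  vulnerability_detector: '{{ wazuh_manager_vulnerability_detector }}'
  log_level: '{{ wazuh_manager_log_level }}'
  email_level: '{{ wazuh_manager_email_level }}'
  localfiles: '{{ wazuh_manager_localfiles }}'
  globals: '{{ wazuh_manager_globals }}'
  commands: '{{ wazuh_manager_commands }}'
  ruleset: '{{ wazuh_manager_ruleset }}'
  rule_exclude: '{{ wazuh_manager_rule_exclude }}'
  syslog_outputs: '{{ wazuh_manager_syslog_outputs }}'
  integrations: '{{ wazuh_manager_integrations }}'
  monitor_aws: '{{ wazuh_manager_monitor_aws }}'
  labels: '{{ wazuh_manager_labels }}'
  agents_disconnection_time: '{{ wazuh_manager_agent_disconnection_time }}'
  agents_disconnection_alert_time: '{{ wazuh_manager_agents_disconnection_alert_time }}'

# shared-agent.conf
# shared_agent_config:
#   - type: os
#     type_value: Linux
#     syscheck:
#       frequency: 43200
#       scan_on_start: 'yes'
#       ignore:
#         - /etc/mtab
#         - /etc/mnttab
#         - /etc/hosts.deny
#         - /etc/mail/statistics
#         - /etc/svc/volatile
#       no_diff:
#         - /etc/ssl/private.key
#     rootcheck:
#       frequency: 43200
#       cis_distribution_filename: null
#     localfiles:
#       - format: 'syslog'
#         location: '/var/log/messages'
#       - format: 'syslog'
#         location: '/var/log/secure'
#       - format: 'syslog'
#         location: '/var/log/maillog'
#       - format: 'apache'
#         location: '/var/log/httpd/error_log'
#       - format: 'apache'
#         location: '/var/log/httpd/access_log'
#       - format: 'apache'
#         location: "{{ wazuh_dir }}/logs/active-responses.log"
#   - type: os
#     type_value: Windows
#     syscheck:
#       frequency: 43200
#       scan_on_start: 'yes'
#       auto_ignore: 'no'
#       windows_registry:
#         - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
#           arch: 'both'
#         - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
#     localfiles:
#       - location: 'Security'
#         format: 'eventchannel'
#       - location: 'System'
#         format: 'eventlog'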