--- wazuh_managers: - address: 127.0.0.1 port: 1514 protocol: tcp api_port: 55000 api_proto: 'http' api_user: null wazuh_profile: null wazuh_auto_restart: 'yes' wazuh_agent_authd: enable: false port: 1515 ssl_agent_ca: null ssl_agent_cert: null ssl_agent_key: null ssl_auto_negotiate: 'no' wazuh_notify_time: '10' wazuh_time_reconnect: '60' wazuh_crypto_method: 'aes' wazuh_winagent_config: install_dir: 'C:\Program Files\ossec-agent\' install_dir_x86: 'C:\Program Files (x86)\ossec-agent\' auth_path: C:\'Program Files'\ossec-agent\agent-auth.exe auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe version: '3.8.1' revision: '1' repo: https://packages.wazuh.com/3.x/windows/ md5: 43936e7bc7eb51bd186f47dac4a6f477 wazuh_agent_config: active_response: ar_disabled: 'no' ca_store: '/var/ossec/etc/wpk_root.pem' ca_store_win: 'wpk_root.pem' ca_verification: 'yes' log_format: 'plain' client_buffer: disable: 'no' queue_size: '5000' events_per_sec: '500' syscheck: frequency: 43200 scan_on_start: 'yes' auto_ignore: 'no' alert_new_files: 'yes' remove_old_diff: 'yes' restart_audit: 'yes' win_audit_interval: 300 skip_nfs: 'yes' ignore: - /etc/mtab #- /etc/mnttab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - /sys/kernel/security - /sys/kernel/debug ignore_win: - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' no_diff: - /etc/ssl/private.key directories: - dirs: /etc,/usr/bin,/usr/sbin checks: 'check_all="yes"' - dirs: /bin,/sbin checks: 'check_all="yes"' win_directories: - dirs: '%WINDIR%\regedit.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\system.ini' checks: 'check_all="yes"' - dirs: '%WINDIR%\win.ini' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\at.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\attrib.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\cacls.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\cmd.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\drivers\etc' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\eventcreate.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\ftp.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\lsass.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\net.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\net1.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\netsh.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\reg.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\regedt32.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\regsvr32.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\runas.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\sc.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\schtasks.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\sethc.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\subst.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\wbem\WMIC.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\SysNative\winrm.vbs' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\at.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\attrib.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\cacls.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\cmd.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\drivers\etc' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\eventcreate.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\ftp.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\net.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\net1.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\netsh.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\reg.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\regedit.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\regedt32.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\regsvr32.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\runas.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\sc.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\schtasks.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\sethc.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\subst.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\wbem\WMIC.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe' checks: 'check_all="yes"' - dirs: '%WINDIR%\System32\winrm.vbs' checks: 'check_all="yes"' - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup' checks: 'check_all="yes" realtime="yes"' windows_registry: - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols' arch: "both" - key: 'HKEY_LOCAL_MACHINE\Software\Policies' arch: "both" - key: 'HKEY_LOCAL_MACHINE\Security' - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' arch: "both" - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services' - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs' - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg' - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' arch: "both" - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce' arch: "both" - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL' arch: "both" - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies' arch: "both" - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' arch: "both" - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' arch: "both" - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components' arch: "both" windows_registry_ignore: - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets' - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users' - key: '\Enum$' type: "sregex" rootcheck: frequency: 43200 openscap: disable: 'no' timeout: 1800 interval: '1d' scan_on_start: 'yes' osquery: disable: 'yes' run_daemon: 'yes' bin_path_win: 'C:\ProgramData\osquery\osqueryd' log_path: '/var/log/osquery/osqueryd.results.log' log_path_win: 'C:\ProgramData\osquery\log\osqueryd.results.log' config_path: '/etc/osquery/osquery.conf' config_path_win: 'C:\ProgramData\osquery\osquery.conf' ad_labels: 'yes' syscollector: disable: 'no' interval: '1h' scan_on_start: 'yes' hardware: 'yes' os: 'yes' network: 'yes' packages: 'yes' ports_no: 'yes' processes: 'yes' cis_cat: disable: 'yes' install_java: 'yes' timeout: 1800 interval: '1d' scan_on_start: 'yes' java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' java_path_win: '\\server\jre\bin\java.exe' ciscat_path: '/var/ossec/wodles/ciscat' ciscat_path_win: 'C:\cis-cat' content: - type: 'xccdf' path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml' profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' vuls: disable: 'yes' interval: '1d' run_on_start: 'yes' args: - 'mincvss 5' - 'antiquity-limit 20' - 'updatenvd' - 'nvd-year 2016' - 'autoupdate' localfiles: debian: - format: 'syslog' location: '/var/log/auth.log' - format: 'syslog' location: '/var/log/syslog' - format: 'syslog' location: '/var/log/dpkg.log' - format: 'syslog' location: '/var/log/kern.log' centos: - format: 'syslog' location: '/var/log/messages' - format: 'syslog' location: '/var/log/secure' - format: 'syslog' location: '/var/log/maillog' - format: 'audit' location: '/var/log/audit/audit.log' linux: - format: 'syslog' location: '/var/ossec/logs/active-responses.log' - format: 'command' command: 'df -P' frequency: '360' - format: 'full_command' command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d alias: 'netstat listening ports' frequency: '360' - format: 'full_command' command: 'last -n 20' frequency: '360' windows: - format: 'eventlog' location: 'Application' - format: 'eventchannel' location: 'Security' query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]' - format: 'eventlog' location: 'System' - format: 'syslog' location: 'active-response\active-responses.log' labels: enable: false list: - key: Env value: Production