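<!--
  Wazuh - Manager - Default configuration
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh

  Rendered by Ansible/Jinja2 from the `wazuh_manager_config` dictionary.
  NOTE(review): every `{{ ... }}` below is inserted verbatim - there is no XML
  escaping. A value containing `<`, `&` or a quote yields an ossec.conf that
  Wazuh cannot parse, so these variables must come from a trusted inventory and
  must not carry such characters unescaped.
-->

<ossec_config>

  <global>
    <jsonout_output>{{ wazuh_manager_config.json_output }}</jsonout_output>
    <alerts_log>{{ wazuh_manager_config.alerts_log }}</alerts_log>
    <logall>{{ wazuh_manager_config.logall }}</logall>

    <!-- Accept the string "yes" as well as a YAML boolean true; anything else
         (including the unquoted YAML `no`) disables mail. -->
    {% if (wazuh_manager_config.email_notification | string | lower) in ["yes", "true"] %}
    <email_notification>yes</email_notification>
    {% else %}
    <email_notification>no</email_notification>
    {% endif %}
    {% for to in wazuh_manager_config.mail_to %}
    <email_to>{{ to }}</email_to>
    {% endfor %}
    <smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server>
    <email_from>{{ wazuh_manager_config.mail_from }}</email_from>

    <!-- Active-response white list: addresses that must never be blocked by an
         automatic response (the manager itself, DNS resolvers, admin hosts...).
         `globals` is the legacy variable name for this list. -->
    {% for white_list in wazuh_manager_config.globals %}
    <white_list>{{ white_list }}</white_list>
    {% endfor %}
  </global>

  <!-- Additional per-recipient mail routes (optional). -->
  {% if wazuh_manager_config.extra_emails is defined %}
  {% for mail in wazuh_manager_config.extra_emails %}
  <email_alerts>
    <email_to>{{ mail.mail_to }}</email_to>
    {% if mail.format is defined %}
    <format>{{ mail.format }}</format>
    {% endif %}
    {% if mail.level is defined %}
    <level>{{ mail.level }}</level>
    {% endif %}
    {% if mail.event_location is defined %}
    <event_location>{{ mail.event_location }}</event_location>
    {% endif %}
    {% if mail.group is defined %}
    <group>{{ mail.group }}</group>
    {% endif %}
    {% if mail.do_not_delay is defined and mail.do_not_delay == true %}
    <do_not_delay />
    {% endif %}
    {% if mail.do_not_group is defined and mail.do_not_group == true %}
    <do_not_group />
    {% endif %}
    {% if mail.rule_id is defined %}
    <rule_id>{{ mail.rule_id }}</rule_id>
    {% endif %}
  </email_alerts>
  {% endfor %}
  {% endif %}

  <!-- Daily summary reports (optional). -->
  {% if wazuh_manager_config.reports is defined %}
  {% for report in wazuh_manager_config.reports %}
  <reports>
    <category>{{ report.category }}</category>
    <title>{{ report.title }}</title>
    <email_to>{{ report.email_to }}</email_to>
    {% if report.location is defined %}<location>{{ report.location }}</location>{% endif %}
    {% if report.group is defined %}<group>{{ report.group }}</group>{% endif %}
    {% if report.rule is defined %}<rule>{{ report.rule }}</rule>{% endif %}
    {% if report.level is defined %}<level>{{ report.level }}</level>{% endif %}
    {% if report.srcip is defined %}<srcip>{{ report.srcip }}</srcip>{% endif %}
    {% if report.user is defined %}<user>{{ report.user }}</user>{% endif %}
    {% if report.showlogs is defined %}<showlogs>{{ report.showlogs }}</showlogs>{% endif %}
  </reports>
  {% endfor %}
  {% endif %}

  <alerts>
    <log_alert_level>{{ wazuh_manager_config.log_level }}</log_alert_level>
    <email_alert_level>{{ wazuh_manager_config.email_level }}</email_alert_level>
  </alerts>

  <!-- One <remote> block per listener. remoted reads a single listener out of
       each <remote> element, and repeated <connection>/<port>/<protocol>
       children inside the same element overwrite each other - so putting all
       connections in one block (as earlier versions of this template did) keeps
       only the last one. Optional `allowed_ips` / `denied_ips` lists restrict
       the sources a listener accepts; a syslog listener needs at least one
       allowed entry, remoted will not serve it otherwise. -->
  {% for connection in wazuh_manager_config.connection %}
  <remote>
    <connection>{{ connection.type }}</connection>
    <port>{{ connection.port }}</port>
    <protocol>{{ connection.protocol }}</protocol>
    {% if connection.allowed_ips is defined %}
    {% for allowed_ip in connection.allowed_ips %}
    <allowed-ips>{{ allowed_ip }}</allowed-ips>
    {% endfor %}
    {% endif %}
    {% if connection.denied_ips is defined %}
    {% for denied_ip in connection.denied_ips %}
    <denied-ips>{{ denied_ip }}</denied-ips>
    {% endfor %}
    {% endif %}
  </remote>
  {% endfor %}

  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Seconds between rootcheck runs (Wazuh's stock default is 12 hours;
         the effective value comes from the inventory). -->
    <frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>

    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    {% if cis_distribution_filename is defined %}
    <!-- Distribution-specific CIS policy, selected by the role. -->
    <system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
    {% endif %}

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <syscheck>
    <!-- Seconds between integrity scans (Wazuh's stock default is 20 hours;
         the effective value comes from the inventory). -->
    <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
    <scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>

    <!-- Directories to monitor. `directory.checks` is spliced in as raw
         attribute text (e.g. check_all="yes" realtime="yes"), so it is the one
         place where inventory data lands inside a start tag - keep it trusted. -->
    {% if wazuh_manager_config.syscheck.directories is defined %}
    {% for directory in wazuh_manager_config.syscheck.directories %}
    <directories {{ directory.checks }}>{{ directory.dirs }}</directories>
    {% endfor %}
    {% endif %}

    <!-- Files/directories to ignore -->
    {% if wazuh_manager_config.syscheck.ignore is defined %}
    {% for ignore in wazuh_manager_config.syscheck.ignore %}
    <ignore>{{ ignore }}</ignore>
    {% endfor %}
    {% endif %}

    <!-- Files whose content diff must never be stored in alerts (secrets, key
         material). -->
    {% for no_diff in wazuh_manager_config.syscheck.no_diff %}
    <nodiff>{{ no_diff }}</nodiff>
    {% endfor %}
  </syscheck>

  <!-- OpenSCAP wodle. `disabled` may be overridden from the inventory; the
       default keeps the previous behaviour (enabled). Content is selected from
       the Ansible distribution facts; on an unmatched distribution the wodle is
       rendered without any <content>, which is harmless but scans nothing. -->
  <wodle name="open-scap">
    <disabled>{{ wazuh_manager_config.openscap.disabled | default('no') }}</disabled>
    <timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>
    <interval>{{ wazuh_manager_config.openscap.interval }}</interval>
    <scan-on-start>{{ wazuh_manager_config.openscap.scan_on_start }}</scan-on-start>
    {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
    <content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    {% elif ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie' %}
    <content type="xccdf" path="ssg-debian-8-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="cve-debian-oval.xml"/>
    {% elif ansible_distribution == 'CentOS' and ansible_distribution_major_version in ['6', '7'] %}
    <!-- The major-version check is part of the branch condition on purpose:
         the previous template opened <content> only for 6/7 but always emitted
         the profiles and </content>, producing malformed XML on other releases. -->
    <content type="xccdf" path="ssg-centos-{{ ansible_distribution_major_version }}-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    {% elif ansible_distribution == 'RedHat' and ansible_distribution_major_version in ['6', '7'] %}
    <content type="xccdf" path="ssg-rhel-{{ ansible_distribution_major_version }}-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    <content type="oval" path="cve-redhat-{{ ansible_distribution_major_version }}-ds.xml"/>
    {% elif ansible_distribution == 'Fedora' %}
    <content type="xccdf" path="ssg-fedora-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
    {% endif %}
  </wodle>

  <!-- Agentless monitoring targets (optional). The SSH credentials themselves
       are registered separately with the agentless register tool, not here. -->
  {% if agentless_creeds is defined %}
  {% for agentless in agentless_creeds %}
  <agentless>
    <type>{{ agentless.type }}</type>
    <frequency>{{ agentless.frequency }}</frequency>
    <host>{{ agentless.host }}</host>
    <state>{{ agentless.state }}</state>
    {% if agentless.arguments is defined %}
    <arguments>{{ agentless.arguments }}</arguments>
    {% endif %}
  </agentless>
  {% endfor %}
  {% endif %}

  <!-- Active-response command definitions. `executable` names a script under
       the active-response bin directory that execd runs (with execd's own
       privileges, typically root) - only reference scripts you ship and review. -->
  {% for command in wazuh_manager_config.commands %}
  <command>
    <name>{{ command.name }}</name>
    <executable>{{ command.executable }}</executable>
    <expect>{{ command.expect }}</expect>
    <timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
  </command>
  {% endfor %}

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <!-- Active Response Config: which command fires, where, and from which
       alert level. Addresses in the global <white_list> are exempt. -->
  {% for response in wazuh_manager_config.active_responses %}
  <active-response>
    <command>{{ response.command }}</command>
    <location>{{ response.location }}</location>
    <level>{{ response.level }}</level>
    <timeout>{{ response.timeout }}</timeout>
  </active-response>
  {% endfor %}

  <!-- Files to monitor (localfiles). For the command/full_command formats the
       `command` string is executed periodically by logcollector, so treat it
       like any other privileged script. -->
  {% for localfile in wazuh_manager_config.localfiles %}
  <localfile>
    <log_format>{{ localfile.format }}</log_format>
    {% if localfile.format == 'command' or localfile.format == 'full_command' %}
    <command>{{ localfile.command }}</command>
    <frequency>{{ localfile.frequency }}</frequency>
    {% else %}
    <location>{{ localfile.location }}</location>
    {% endif %}
  </localfile>
  {% endfor %}

  <!-- Alert forwarding to external syslog collectors (optional). csyslogd
       sends plain syslog with no transport encryption, so alert content
       (hostnames, usernames, log excerpts) crosses the network in clear text;
       keep the path to `server` on a trusted network. An optional `level`
       restricts forwarding to alerts at or above that level. -->
  {% if wazuh_manager_config.syslog_outputs is defined %}
  {% for syslog_output in wazuh_manager_config.syslog_outputs %}
  <syslog_output>
    <server>{{ syslog_output.server }}</server>
    <port>{{ syslog_output.port }}</port>
    <format>{{ syslog_output.format }}</format>
    {% if syslog_output.level is defined %}
    <level>{{ syslog_output.level }}</level>
    {% endif %}
  </syslog_output>
  {% endfor %}
  {% endif %}

</ossec_config>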