afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
45a14c128c
wazuh-ansible-4.8.1/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
Manuel J. Bernal 45a14c128c WIP: Adapting to v4.0
2020-08-12 19:45:46 +02:00

438 lines
11 KiB
YAML
Raw Blame History

---
wazuh_manager_version: 3.13.1-1
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present
# Custom packages installation
wazuh_custom_packages_installation_manager_enabled: false
wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_api_enabled: false
wazuh_custom_packages_installation_api_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
# Sources installation
wazuh_manager_sources_installation:
enabled: false
branch: "v3.13.1"
user_language: "en"
user_no_stop: "y"
user_install_type: "server"
user_dir: "/var/ossec"
user_delete_dir: null
user_enable_active_response: null
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "n"
user_enable_authd: "y"
user_generate_authd_cert: null
user_update: "y"
user_binaryinstall: null
user_enable_email: "n"
user_auto_start: "y"
user_email_address: null
user_email_smpt: null
user_enable_syslog: "n"
user_white_list: "n"
user_ca_store: null
threads: "2"
wazuh_api_sources_installation:
enabled: false
branch: "v3.13.1"
update: "y"
remove: "y"
directory: null
port: 55000
https: "n"
authd: null
proxy: null
country: null
state: null
locality: null
org_name: null
org_unit: null
common_name: null
password: null
wazuh_api_user:
- "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/"
wazuh_manager_config:
repo:
apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
yum: 'https://packages.wazuh.com/3.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
logall_json: 'no'
log_format: 'plain'
api:
bind_addr: '0.0.0.0'
port: 55000
https: 'no'
basic_auth: 'yes'
behind_proxy_server: 'no'
https_cert: '/var/ossec/etc/sslmanager.cert'
https_key: '/var/ossec/etc/sslmanager.key'
https_use_ca: 'no'
https_ca: ''
use_only_authd: 'false'
drop_privileges: 'true'
experimental_features: 'false'
secure_protocol: 'TLSv1_2_method'
honor_cipher_order: 'true'
ciphers: ''
cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- 'manager'
hidden: 'no'
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
authd:
enable: true
port: 1515
use_source_ip: 'no'
force_insert: 'yes'
force_time: 0
purge: 'yes'
use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no'
email_notification: 'no'
mail_to:
- 'admin@example.net'
mail_smtp_server: smtp.example.wazuh.com
mail_from: ossecm@example.wazuh.com
mail_maxperhour: 12
mail_queue_size: 131072
email_log_source: 'alerts.log'
extra_emails:
- enable: false
mail_to: 'recipient@example.wazuh.com'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
reports:
- enable: false
category: 'syscheck'
title: 'Daily report: File changes'
email_to: 'recipient@example.wazuh.com'
location: null
group: null
rule: null
level: null
srcip: null
user: null
showlogs: null
syscheck:
disable: 'no'
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
rootcheck:
frequency: 43200
openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
vulnerability_detector:
enabled: 'no'
interval: '5m'
ignore_time: '6h'
run_on_start: 'yes'
providers:
- enabled: 'no'
os:
- 'trusty'
- 'xenial'
- 'bionic'
update_interval: '1h'
name: '"canonical"'
- enabled: 'no'
os:
- 'wheezy'
- 'stretch'
- 'jessie'
- 'buster'
update_interval: '1h'
name: '"debian"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"nvd"'
vuls:
disable: 'yes'
interval: '1d'
run_on_start: 'yes'
args:
- 'mincvss 5'
- 'antiquity-limit 20'
- 'updatenvd'
- 'nvd-year 2016'
- 'autoupdate'
log_level: 3
email_level: 12
localfiles:
common:
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
commands:
- name: 'disable-account'
executable: 'disable-account.sh'
expect: 'user'
timeout_allowed: 'yes'
- name: 'restart-ossec'
executable: 'restart-ossec.sh'
expect: ''
- name: 'firewall-drop'
executable: 'firewall-drop.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null-2012'
executable: 'route-null-2012.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh-win-2016'
executable: 'netsh-win-2016.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
ruleset:
rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/'
cdb_lists:
- 'audit-keys'
- 'security-eventchannel'
- 'amazon/aws-eventnames'
rule_exclude:
- '0215-policy_rules.xml'
syslog_outputs:
- server: null
port: null
format: null
integrations:
#slack
- name: null
hook_url: '<hook_url>'
alert_level: 10
alert_format: 'json'
rule_id: null
#pagerduty
- name: null
api_key: '<api_key>'
alert_level: 12
monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
labels:
enable: false
list:
- key: Env
value: Production
# shared_agent_config:
# - type: os
# type_value: Linux
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# ignore:
# - /etc/mtab
# - /etc/mnttab
# - /etc/hosts.deny
# - /etc/mail/statistics
# - /etc/svc/volatile
# no_diff:
# - /etc/ssl/private.key
# rootcheck:
# frequency: 43200
# cis_distribution_filename: null
# localfiles:
# - format: 'syslog'
# location: '/var/log/messages'
# - format: 'syslog'
# location: '/var/log/secure'
# - format: 'syslog'
# location: '/var/log/maillog'
# - format: 'apache'
# location: '/var/log/httpd/error_log'
# - format: 'apache'
# location: '/var/log/httpd/access_log'
# - format: 'apache'
# location: '/var/ossec/logs/active-responses.log'
# - type: os
# type_value: Windows
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# auto_ignore: 'no'
# windows_registry:
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
# arch: 'both'
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
# localfiles:
# - location: 'Security'
# format: 'eventchannel'
# - location: 'System'
# format: 'eventlog'
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
agent_groups: [] # groups to create
Reference in New Issue View Git Blame Copy Permalink