afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5d006cbc3a
wazuh-ansible-4.8.1/roles/wazuh/ansible-wazuh-agent/defaults/main.yml

307 lines
10 KiB
YAML
Executable File
Raw Blame History

---
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: null
wazuh_profile: null
wazuh_auto_restart: 'yes'
wazuh_agent_authd:
enable: false
port: 1515
ssl_agent_ca: null
ssl_agent_cert: null
ssl_agent_key: null
ssl_auto_negotiate: 'no'
wazuh_notify_time: '10'
wazuh_time_reconnect: '60'
wazuh_crypto_method: 'aes'
wazuh_winagent_config:
install_dir: 'C:\Program Files\ossec-agent\'
install_dir_x86: 'C:\Program Files (x86)\ossec-agent\'
auth_path: C:\'Program Files'\ossec-agent\agent-auth.exe
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
version: '3.9.2'
revision: '1'
repo: https://packages.wazuh.com/3.x/windows/
md5: 43936e7bc7eb51bd186f47dac4a6f477
wazuh_agent_config:
active_response:
ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem'
ca_store_win: 'wpk_root.pem'
ca_verification: 'yes'
log_format: 'plain'
client_buffer:
disable: 'no'
queue_size: '5000'
events_per_sec: '500'
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
win_audit_interval: 300
skip_nfs: 'yes'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
win_directories:
- dirs: '%WINDIR%\regedit.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\system.ini'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\win.ini'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\at.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\attrib.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\cacls.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\cmd.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\drivers\etc'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\eventcreate.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\ftp.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\lsass.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\net.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\net1.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\netsh.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\reg.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\regedt32.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\regsvr32.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\runas.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\sc.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\schtasks.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\sethc.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\subst.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\wbem\WMIC.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\SysNative\winrm.vbs'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\at.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\attrib.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\cacls.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\cmd.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\drivers\etc'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\eventcreate.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\ftp.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\net.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\net1.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\netsh.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\reg.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\regedit.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\regedt32.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\regsvr32.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\runas.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\sc.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\schtasks.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\sethc.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\subst.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\wbem\WMIC.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe'
checks: 'check_all="yes"'
- dirs: '%WINDIR%\System32\winrm.vbs'
checks: 'check_all="yes"'
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
checks: 'check_all="yes" realtime="yes"'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Security'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
arch: "both"
windows_registry_ignore:
- key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
- key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
- key: '\Enum$'
type: "sregex"
rootcheck:
frequency: 43200
openscap:
disable: 'no'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
osquery:
disable: 'yes'
run_daemon: 'yes'
bin_path_win: 'C:\ProgramData\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\ProgramData\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
config_path_win: 'C:\ProgramData\osquery\osquery.conf'
add_labels: 'yes'
syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
java_path_win: '\\server\jre\bin\java.exe'
ciscat_path: '/var/ossec/wodles/ciscat'
ciscat_path_win: 'C:\cis-cat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
vuls:
disable: 'yes'
interval: '1d'
run_on_start: 'yes'
args:
- 'mincvss 5'
- 'antiquity-limit 20'
- 'updatenvd'
- 'nvd-year 2016'
- 'autoupdate'
localfiles:
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
linux:
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
- format: 'command'
command: df -P -x squashfs -x tmpfs -x devtmpfs
frequency: '360'
- format: 'full_command'
command: ss -nutal | awk '{print $1,$5,$6;}' | sort -b | column -t
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
windows:
- format: 'eventlog'
location: 'Application'
- format: 'eventchannel'
location: 'Security'
query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
- format: 'eventlog'
location: 'System'
- format: 'syslog'
location: 'active-response\active-responses.log'
labels:
enable: false
list:
- key: Env
value: Production
Reference in New Issue View Git Blame Copy Permalink