afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
da2442ca06
wazuh-ansible-4.8.1/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
Rshad Zhran da2442ca06 Adapt agent installation to the default
2019-12-05 17:03:50 +01:00

373 lines
15 KiB
Django/Jinja
Raw Blame History

#jinja2: lstrip_blocks: True
<!-- {{ ansible_managed }} -->
<!--
Wazuh - Agent
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
<client>
{% for manager in wazuh_managers %}
<server>
<address>{{ manager.address }}</address>
{% if manager.port is defined %}
<port>{{ manager.port }}</port>
{% endif %}
{% if manager.protocol is defined %}
<protocol>{{ manager.protocol }}</protocol>
{% endif %}
</server>
{% endfor %}
{% if wazuh_profile is not none %}
<config-profile>{{ wazuh_profile }}</config-profile>
{% endif %}
{% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
<notify_time>{{ wazuh_notify_time }}</notify_time>
<time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect>
{% endif %}
<auto_restart>{{ wazuh_auto_restart }}</auto_restart>
<crypto_method>{{ wazuh_crypto_method }}</crypto_method>
</client>
<client_buffer>
<!-- Agent buffer options -->
<disabled>{{ wazuh_agent_config.client_buffer.disable }}</disabled>
<queue_size>{{ wazuh_agent_config.client_buffer.queue_size }}</queue_size>
<events_per_second>{{ wazuh_agent_config.client_buffer.events_per_sec }}</events_per_second>
</client_buffer>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
<active-response>
<disabled>{{ wazuh_agent_config.active_response.ar_disabled|default('no') }}</disabled>
<ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
<ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
</active-response>
{% if wazuh_agent_config.rootcheck is defined %}
<rootcheck>
<disabled>no</disabled>
{% if ansible_system == "Linux" %}
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if ansible_os_family == "Windows" %}
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
{% endif %}
</rootcheck>
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck is defined %}
<syscheck>
<disabled>no</disabled>
<!-- <alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
{% if ansible_system == "Linux" %}
<!-- <directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}
{% for directory in wazuh_agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.win_directories is defined and ansible_system == "Windows" %}
{% for directory in wazuh_agent_config.syscheck.win_directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %}
{% for ignore in wazuh_agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' %}
{% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if ansible_system == "Linux" %}
<!-- Files no diff -->
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
{% if registry_key.type is defined %}
<registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
{% else %}
<registry_ignore>{{ registry_key.key }}</registry_ignore>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
{% endif %}
</syscheck>
{% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
<interval>{{ wazuh_agent_config.openscap.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start>
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution == 'Debian' %}
{% if ansible_distribution_release == 'jessie' %}
{% if openscap_version_valid.stdout == "0" %}
<content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
<content type="oval" path="cve-debian-8-oval.xml"/>
{% endif %}
{% elif ansible_distribution_release == 'stretch' %}
<content type="oval" path="cve-debian-9-oval.xml"/>
{% endif %}
{% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml">
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution == 'RedHat' %}
{% if ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml">
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% if ansible_distribution_major_version == '7' %}
<content type="oval" path="cve-redhat-7-ds.xml"/>
{% elif ansible_distribution_major_version == '6' %}
<content type="oval" path="cve-redhat-6-ds.xml"/>
{% endif %}
{% elif ansible_distribution == 'Fedora' %}
<content type="xccdf" path="ssg-fedora-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
</wodle>
{% endif %}
{% if wazuh_agent_config.cis_cat.disable == 'no' %}
<wodle name="cis-cat">
<disabled>no</disabled>
<timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
<interval>{{ wazuh_agent_config.cis_cat.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
{% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}
<java_path>/usr/bin</java_path>
{% elif ansible_os_family == "Windows" %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path_win }}</java_path>
{% else %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
</wodle>
{% endif %}
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>{{ wazuh_agent_config.osquery.disable }}</disabled>
<run_daemon>{{ wazuh_agent_config.osquery.run_daemon }}</run_daemon>
{% if ansible_os_family == "Windows" %}
<bin_path>{{ wazuh_agent_config.osquery.bin_path_win }}</bin_path>
{% endif %}
<log_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %}</log_path>
<config_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %}</config_path>
<add_labels>{{ wazuh_agent_config.osquery.add_labels }}</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>{{ wazuh_agent_config.syscollector.disable }}</disabled>
<interval>{{ wazuh_agent_config.syscollector.interval }}</interval>
<scan_on_start>{{ wazuh_agent_config.syscollector.scan_on_start }}</scan_on_start>
<hardware>{{ wazuh_agent_config.syscollector.hardware }}</hardware>
<os>{{ wazuh_agent_config.syscollector.os }}</os>
<network>{{ wazuh_agent_config.syscollector.network }}</network>
<packages>{{ wazuh_agent_config.syscollector.packages }}</packages>
<ports all="no">{{ wazuh_agent_config.syscollector.ports_no }}</ports>
<processes>{{ wazuh_agent_config.syscollector.processes }}</processes>
</wodle>
<sca>
{% if wazuh_agent_config.sca.enabled | length > 0 %}
<enabled>{{ wazuh_agent_config.sca.enabled }}</enabled>
{% endif %}
{% if wazuh_agent_config.sca.scan_on_start | length > 0 %}
<scan_on_start>{{ wazuh_agent_config.sca.scan_on_start }}</scan_on_start>
{% endif %}
{% if wazuh_agent_config.sca.interval | length > 0 %}
<interval>{{ wazuh_agent_config.sca.interval }}</interval>
{% endif %}
{% if wazuh_agent_config.sca.skip_nfs | length > 0 %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if wazuh_agent_config.sca.day | length > 0 %}
<day>yes</day>
{% endif %}
{% if wazuh_agent_config.sca.wday | length > 0 %}
<wday>yes</wday>
{% endif %}
{% if wazuh_agent_config.sca.time | length > 0 %}
<time>yes</time>
{% endif %}
</sca>
{% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %}
<wodle name="command">
<disabled>no</disabled>
<tag>Wazuh-VULS</tag>
<command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py{% for arg in wazuh_agent_config.vuls.args %} --{{ arg }}{% endfor %}</command>
<interval>{{ wazuh_agent_config.vuls.interval }}</interval>
<ignore_output>yes</ignore_output>
<run_on_start>{{ wazuh_agent_config.vuls.run_on_start }}</run_on_start>
</wodle>
{% endif %}
<!-- Files to monitor (localfiles) -->
{% if ansible_system == "Linux" %}
{% for localfile in wazuh_agent_config.localfiles.linux %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_agent_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_agent_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for localfile in wazuh_agent_config.localfiles.windows %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'eventchannel' %}
<location>{{ localfile.location }}</location>
<query>{{ localfile.query}}</query>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.labels.enable == true %}
<labels>
{% for label in wazuh_agent_config.labels.list %}
<label key="{{ label.key }}"{% if label.hidden is defined %} hidden="{{ label.hidden }}"{% endif %}>{{ label.value }}</label>
{% endfor %}
</labels>
{% endif %}
</ossec_config>
Reference in New Issue View Git Blame Copy Permalink