wazuh-ansible-4.8.1/roles/wazuh/ansible-wazuh-agent/defaults/main.yml

---
wazuh_managers:
  - address: 127.0.0.1
    port: 1514
    protocol: tcp
    api_port: 55000
    api_proto: 'http'
    api_user: null
wazuh_profile: null
wazuh_auto_restart: 'yes'
wazuh_agent_authd:
  enable: false
  port: 1515
  ssl_agent_ca: null
  ssl_agent_cert: null
  ssl_agent_key: null
  ssl_auto_negotiate: 'no'
wazuh_notify_time: '10'
wazuh_time_reconnect: '60'
wazuh_crypto_method: 'aes'
wazuh_winagent_config:
  install_dir: 'C:\Program Files\ossec-agent\'
  install_dir_x86: 'C:\Program Files (x86)\ossec-agent\'
  auth_path: C:\'Program Files'\ossec-agent\agent-auth.exe
  auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
  version: '3.7.0'
  revision: '1'
  repo: https://packages.wazuh.com/3.x/windows/
  md5: 43936e7bc7eb51bd186f47dac4a6f477
wazuh_agent_config:
  active_response:
     ar_disabled: 'no'
     ca_store: '/var/ossec/etc/wpk_root.pem'
     ca_verification: 'yes'
  log_format: 'plain'
  client_buffer:
    disable: 'no'
    queue_size: '5000'
    events_per_sec: '500'
  syscheck:
    frequency: 43200
    scan_on_start: 'yes'
    auto_ignore: 'no'
    alert_new_files: 'yes'
    remove_old_diff: 'yes'
    restart_audit: 'yes'
    skip_nfs: 'yes'
    ignore:
      - /etc/mtab
      #- /etc/mnttab
      - /etc/hosts.deny
      - /etc/mail/statistics
      - /etc/random-seed
      - /etc/random.seed
      - /etc/adjtime
      - /etc/httpd/logs
      - /etc/utmpx
      - /etc/wtmpx
      - /etc/cups/certs
      - /etc/dumpdates
      - /etc/svc/volatile
      - /sys/kernel/security
      - /sys/kernel/debug
    no_diff:
      - /etc/ssl/private.key
    directories:
      - dirs: /etc,/usr/bin,/usr/sbin
        checks: 'check_all="yes"'
      - dirs: /bin,/sbin
        checks: 'check_all="yes"'
    windows_registry:
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
        arch: 'both'
      - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
  rootcheck:
    frequency: 43200
  openscap:
    disable: 'no'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
  osquery:
    disable: 'yes'
    run_daemon: 'yes'
    log_path: '/var/log/osquery/osqueryd.results.log'
    config_path: '/etc/osquery/osquery.conf'
    ad_labels: 'yes'
  syscollector:
    disable: 'no'
    interval: '1h'
    scan_on_start: 'yes'
    hardware: 'yes'
    os: 'yes'
    network: 'yes'
    packages: 'yes'
    ports_no: 'yes'
    processes: 'yes'
  cis_cat:
    disable: 'yes'
    install_java: 'yes'
    timeout: 1800
    interval: '1d'
    scan_on_start: 'yes'
    java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
    ciscat_path: '/var/ossec/wodles/ciscat'
    content:
      - type: 'xccdf'
        path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
        profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server' 
  vuls:
    disable: 'yes'
    interval: '1d'
    run_on_start: 'yes'
    args:
      - 'mincvss 5'
      - 'antiquity-limit 20'
      - 'updatenvd'
      - 'nvd-year 2016'
      - 'autoupdate'
  localfiles:
    debian:
      - format: 'syslog'
        location: '/var/log/auth.log'
      - format: 'syslog'
        location: '/var/log/syslog'
      - format: 'syslog'
        location: '/var/log/dpkg.log'
      - format: 'syslog'
        location: '/var/log/kern.log'
    centos:
      - format: 'syslog'
        location: '/var/log/messages'
      - format: 'syslog'
        location: '/var/log/secure'
      - format: 'syslog' 
        location: '/var/log/maillog'
      - format: 'audit'
        location: '/var/log/audit/audit.log'
    common:
      - format: 'syslog'
        location: '/var/ossec/logs/active-responses.log'
      - format: 'command'
        command: 'df -P'
        frequency: '360'
      - format: 'full_command'
        command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d         
        alias: 'netstat listening ports'      
        frequency: '360'
      - format: 'full_command'
        command: 'last -n 20'
        frequency: '360'