Variables references
ThreatLockDown indexer
Variable:
indexer_cluster_nameDescription: Name of the Indexer cluster.
Default value:
wazuhVariable:
indexer_node_nameDescription: Name of the Indexer node.
Default value:
node-1Variable:
indexer_http_portDescription: Indexer listening port.
Default value:
9200Variable:
indexer_network_hostDescription: Indexer listening IP address.
Default value:
127.0.0.1Variable:
indexer_jvm_xmsDescription: JVM heap size.
Default value:
nullThreatLockDown dashboard
Variable:
indexer_http_portDescription: Indexer node port.
Default value:
9200Variable:
indexer_network_hostDescription: IP address or hostname of Indexer node.
Default value:
127.0.0.1Variable:
dashboard_server_hostDescription: Listening IP address of the ThreatLockDown dashboard.
Default value:
0.0.0.0Variable:
dashboard_server_portDescription: Listening port of the ThreatLockDown dashboard.
Default value:
443Variable:
wazuh_versionDescription: ThreatLockDown APP compatible version to install.
Default value:
4.9.0Filebeat
Variable:
filebeat_versionDescription: Filebeat version to install.
Default value:
7.10.2Variable:
filebeat_create_configDescription: Generate or not Filebeat config.
Default value:
trueVariable:
filebeat_output_indexer_hostsDescription: Indexer node(s) to send output.
Example:
filebeat_output_indexer_hosts:
- "localhost:9200"
- "10.1.1.10:9200"
Variable:
filebeat_ssl_dirDescription: Set the folder containing SSL certs.
Default value:
/etc/pki/rootThreatLockDown Manager
Variable:
wazuh_manager_fqdnDescription: Set ThreatLockDown Manager fqdn hostname.
Default value:
wazuh-managerVariable:
wazuh_manager_config_overlayDescription: Indicates if the role(s) should perform a
hash_behaviour=merge at role runtime, similar to role-distributed ansible.cfg. This provides support for a partially defined wazuh_manager_config while also moving on from the deprecated hash_behaviour.Default value:
trueVariable:
wazuh_manager_json_outputDescription: Configures the jsonout_output section in
ossec.conf. This is a string, not a bool.Default value:
yesVariable:
wazuh_manager_alerts_logDescription: Configures the alerts_log section in
ossec.conf. This is a string, not a bool.Default value:
yesVariable:
wazuh_manager_logallDescription: Configures the logall section in
ossec.conf. This is a string, not a bool.Default value:
yesVariable:
wazuh_manager_email_notificationDescription: Configures the email_notification section in
ossec.conf. This is a string, not a bool.Default value:
yesVariable:
wazuh_manager_mailtoDescription: Configures the email_to items in
ossec.conf.Default value:
[‘admin@example.net’]Variable:
wazuh_manager_email_smtp_serverDescription: Configures the smtp_server section in
ossec.conf.Default value:
smtp.example.wazuh.comVariable:
wazuh_manager_email_fromDescription: Configures the email_from section in
ossec.conf.Default value:
wazuh@example.wazuh.comVariable:
wazuh_manager_email_maxperhourDescription: Configures the email_maxperhour section in
ossec.conf.Default value:
12Variable:
wazuh_manager_email_queue_sizeDescription: Configures the queue_size section from
ossec.conf.Default value:
131072Variable:
wazuh_manager_email_log_sourceDescription: Configures the email_log_source section from
ossec.conf.Default value:
alerts.logVariable:
wazuh_manager_globalsDescription: Configures the white_list section from
ossec.conf.Default values:
wazuh_manager_globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
Variable:
wazuh_manager_log_levelDescription: Configures the log_alert_level section from
ossec.conf.Default value:
3Variable:
wazuh_manager_email_levelDescription: Configures the email_alert_level section from
ossec.conf.Default value:
12Variable:
wazuh_manager_log_formatDescription: Configures log_format inside logging section from
ossec.conf.Default value:
plainVariable:
wazuh_manager_extra_emailsDescription: Configures one or more email_alerts sections from
ossec.conf.Default values:
wazuh_manager_extra_emails:
- enable: false
mail_to: 'recipient@example.wazuh.com'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
Variable:
wazuh_manager_connectionDescription: Configures one or more remote sections from
ossec.conf.Default values:
wazuh_manager_connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
Variable:
wazuh_manager_reportsDescription: Configures one or more reports sections from
ossec.conf.Default values:
wazuh_manager_reports:
- enable: false
category: 'syscheck'
title: 'Daily report: File changes'
email_to: 'recipient@example.wazuh.com'
location: null
group: null
rule: null
level: null
srcip: null
user: null
showlogs: null
Variable:
wazuh_manager_rootcheckDescription: Configures the rootcheck section from
ossec.conf.Default value:
wazuh_manager_rootcheck:
frequency: 43200
Variable:
wazuh_manager_openscapDefault values:
wazuh_manager_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
Variable:
wazuh_manager_ciscatDefault value:
wazuh_manager_ciscat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
Variable:
wazuh_manager_osqueryDefault values:
wazuh_manager_osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
Variable:
wazuh_manager_syscollectorDefault values:
wazuh_manager_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
Variable:
wazuh_manager_monitor_awsDefault values:
wazuh_manager_monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
Variable:
wazuh_manager_scaDescription: Configures the sca section from
ossec.conf.Default values:
wazuh_manager_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
Variable:
wazuh_manager_vulnerability_detectorDescription: Configures the vulnerability-detector section from
ossec.conf.Default values:
wazuh_manager_vulnerability_detector:
enabled: 'no'
interval: '5m'
min_full_scan_interval: '6h'
run_on_start: 'yes'
providers:
- enabled: 'no'
os:
- 'trusty'
- 'xenial'
- 'bionic'
- 'focal'
- 'jammy'
update_interval: '1h'
name: '"canonical"'
- enabled: 'no'
os:
- 'buster'
- 'bullseye'
- 'bookworm'
update_interval: '1h'
name: '"debian"'
- enabled: 'no'
os:
- 'amazon-linux'
- 'amazon-linux-2'
- 'amazon-linux-2023'
update_interval: '1h'
name: '"alas"'
- enabled: 'no'
update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
update_interval: '1h'
name: '"nvd"'
Variable:
wazuh_manager_syscheckDescription: Configures the syscheck section from
ossec.conf.Default values:
wazuh_manager_syscheck:
disable: 'no'
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 50
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
Variable:
wazuh_manager_commandsDescription: Configures the command section from
ossec.conf.Default values:
wazuh_manager_commands:
- name: 'disable-account'
executable: 'disable-account'
timeout_allowed: 'yes'
- name: 'restart-wazuh'
executable: 'restart-wazuh'
- name: 'firewall-drop'
executable: 'firewall-drop'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.exe'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.exe'
timeout_allowed: 'yes'
- name: 'netsh-win-2016'
executable: 'netsh-win-2016.cmd'
timeout_allowed: 'yes'
Variable:
wazuh_manager_localfilesDescription: Configures the localfile section from
ossec.conf for each platform.Default values:
wazuh_manager_localfiles:
common:
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
Variable:
wazuh_manager_syslog_outputsDescription: Configures the syslog_output section from
ossec.conf.Default values:
wazuh_manager_syslog_outputs:
- server: null
port: null
format: null
Variable:
wazuh_manager_integrationsDescription: Configures the integration section from
ossec.conf.Default values:
wazuh_manager_integrations:
# slack
- name: null
hook_url: '<hook_url>'
alert_level: 10
alert_format: 'json'
rule_id: null
# pagerduty
- name: null
api_key: '<api_key>'
alert_level: 12
Variable:
wazuh_manager_labelsDescription: Configures the labels section from
ossec.conf.Default values:
wazuh_manager_labels:
enable: false
list:
- key: Env
value: Production
Variable:
wazuh_manager_rulesetDescription: Configures the ruleset section from
ossec.conf.Default values:
wazuh_manager_ruleset:
rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/'
cdb_lists:
- 'audit-keys'
- 'security-eventchannel'
- 'amazon/aws-eventnames'
Variable:
wazuh_manager_rule_excludeDescription: Configures the rule_exclude section from
ossec.conf.Default values:
wazuh_manager_rule_exclude:
- '0215-policy_rules.xml'
Variable:
wazuh_manager_authdDescription: Configures the auth section from
ossec.conf.Default values:
wazuh_manager_authd:
enable: true
port: 1515
use_source_ip: 'no'
force_insert: 'yes'
force_time: 0
purge: 'yes'
use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no'
wazuh_manager_cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- 'manager'
hidden: 'no'
Variable:
wazuh_manager_apiDescription: Configures the ThreatLockDown API file called
api.yaml.Default values:
wazuh_manager_api:
bind_addr: 0.0.0.0
port: 55000
https: yes
https_key: "server.key"
https_cert: "server.crt"
https_use_ca: False
https_ca: "ca.crt"
logging_level: "info"
cors: no
cors_source_route: "*"
cors_expose_headers: "*"
cors_allow_headers: "*"
cors_allow_credentials: no
cache: yes
cache_time: 0.750
access_max_login_attempts: 5
access_block_time: 300
access_max_request_per_minute: 300
drop_privileges: yes
experimental_features: no
Variable:
wazuh_api_userDescription: ThreatLockDown API credentials.
Example:
wazuh_api_user:
- foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/
- bar:$apr1$hXE97ag.$8m0koHByattiGKUKPUgcZ1
Warning
We recommend the use of Ansible Vault to protect ThreatLockDown agentless and authd credentials.
Variable:
wazuh_manager_configDescription: Stores the ThreatLockDown Manager configuration. This variable is provided for backward compatibility. Newer deployments should use the newly introduced variables described above.
Example:
wazuh_manager_config:
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
log_format: 'plain'
cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
interval: '2m'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- '172.17.0.2'
- '172.17.0.3'
- '172.17.0.4'
hidden: 'no'
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
authd:
enable: true
port: 1515
use_source_ip: 'no'
force_insert: 'yes'
force_time: 0
purge: 'no'
use_password: 'no'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'etc/sslmanager.cert'
ssl_manager_key: 'etc/sslmanager.key'
ssl_auto_negotiate: 'no'
email_notification: 'no'
mail_to:
- 'admin@example.net'
mail_smtp_server: localhost
mail_from: wazuh-manager@example.com
extra_emails:
- enable: false
mail_to: 'admin@example.net'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
reports:
- enable: false
category: 'syscheck'
title: 'Daily report: File changes'
email_to: 'admin@example.net'
location: null
group: null
rule: null
level: null
srcip: null
user: null
showlogs: null
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
rootcheck:
frequency: 43200
openscap:
disable: 'no'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: '/var/ossec/wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
log_level: 1
email_level: 12
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'command'
command: 'df -P'
frequency: '360'
- format: 'full_command'
command: 'netstat -tln | grep -v 127.0.0.1 | sort'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
globals:
- '127.0.0.1'
- '192.168.2.1'
commands:
- name: 'disable-account'
executable: 'disable-account'
timeout_allowed: 'yes'
- name: 'restart-wazuh'
executable: 'restart-wazuh'
timeout_allowed: 'no'
- name: 'win_restart-wazuh'
executable: 'restart-wazuh.exe'
timeout_allowed: 'no'
- name: 'firewall-drop'
executable: 'firewall-drop'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.exe'
timeout_allowed: 'yes'
active_responses:
- command: 'restart-wazuh'
location: 'local'
rules_id: '100002'
- command: 'win_restart-wazuh'
location: 'local'
rules_id: '100003'
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
syslog_outputs:
- server: null
port: null
format: null
Variable:
wazuh_agent_configsDescription: This stores the different settings and profiles for centralized agent configuration via ThreatLockDown Manager.
Example:
- type: os
type_value: Linux
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
rootcheck:
frequency: 43200
cis_distribution_filename: null
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'apache'
location: '/var/log/httpd/error_log'
- format: 'apache'
location: '/var/log/httpd/access_log'
- format: 'apache'
location: '/var/ossec/logs/active-responses.log'
- type: os
type_value: Windows
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
arch: 'both'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
localfiles:
- format: 'Security'
location: 'eventchannel'
- format: 'System'
location: 'eventlog'
Variable:
cdb_listsDescription: Configure CDB lists used by the ThreatLockDown Manager.
Example:
cdb_lists:
- name: 'audit-keys'
content: |
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
Warning
We recommend the use of Ansible Vault to protect ThreatLockDown agentless and authd credentials.
Variable:
agentless_credsDescription: Credentials and host(s) to be used by agentless feature.
Example:
agentless_creds:
- type: ssh_integrity_check_linux
frequency: 3600
host: root@example.net
state: periodic
arguments: '/bin /etc/ /sbin'
passwd: qwerty
Warning
We recommend the use of Ansible Vault to protect ThreatLockDown agentless and authd credentials.
Variable:
authd_passDescription: ThreatLockDown authd service password.
Example:
authd_pass: foobar
ThreatLockDown Agent
Variable:
wazuh_managersDescription: Set the ThreatLockDown Manager servers IP address, protocol, and port to be used by the agent. If a specific manager is used for registration, we can indicate which one it is by adding the register option set to true. If the register option is missing, the first manager on the list will be used for registration.
Example:
wazuh_managers:
- address: 172.16.24.56
protocol: udp
api_port: 55000
api_proto: https
api_user: wazuh
max_retries: 5
retry_interval: 5
- address: 192.168.10.15
port: 1514
protocol: tcp
api_port: 55000
api_proto: https
api_user: wazuh
max_retries: 5
retry_interval: 5
register: yes
Variable:
wazuh_custom_packages_installation_agent_enabled:Description: Configures the installation from custom packages.
Default value:
falseVariable:
wazuh_agent_sources_installation:Description: Configures the installation via sources as an alternative to the installation from packages.
Example:
wazuh_agent_sources_installation:
enabled: false
branch: "v4.7.1"
user_language: "y"
user_no_stop: "y"
user_install_type: "agent"
user_dir: "/var/ossec"
user_delete_dir: "y"
user_enable_active_response: "y"
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "n"
user_enable_sca: "y"
user_enable_authd: "y"
user_generate_authd_cert: "n"
user_update: "y"
user_binaryinstall: null
user_agent_server_ip: 172.16.24.56
user_agent_server_name: null
user_agent_config_profile: null
user_ca_store: /var/ossec/wpk_root.pem"
Variable:
wazuh_agent_nolog_sensible:Description: This variable indicates if the nolog option should be added to tasks which output sensitive information (like tokens).
Default value:
yesVariable:
wazuh_agent_config_overlay:Description: This variable apply an additional configuration combined with the default configuration.
Default value:
yesVariable:
wazuh_agent_api_validateDescription: After registering the agent through the REST API, validate that registration is correct.
Default value:
yesVariable:
wazuh_agent_addressDescription: Establish which IP address we want to associate with this agent. It can be an address or “any” This variable will supersede wazuh_agent_nat.
Default value:
ansible_default_ipv4.addressVariable:
wazuh_profile_centosDescription: Configure what profiles this agent will have in case of CentOS systems.
Default value:
centos7, centos7, centos7.7Multiple profiles can be included, separated by a comma and a space, for example:
wazuh_profile: "centos7, centos7"
Variable:
wazuh_profile_ubuntuDescription: Configure what profiles this agent will have in case of Ubuntu systems.
Default value:
ubuntu, ubuntu18, ubuntu18.04Multiple profiles can be included, separated by a comma and a space, for example:
wazuh_profile: "ubuntu, ubuntu18"
Variable:
wazuh_agent_authdDescription: Set the agent-authd facility. This will enable or not the automatic agent registration, you could set various options in accordance with the authd service configured in the ThreatLockDown Manager. This Ansible role will use the address defined on
registration_address as the authd registration server.Example:
wazuh_agent_authd:
registration_address: 10.1.1.12
enable: false
port: 1515
agent_name: null
groups: []
ssl_agent_ca: null
ssl_agent_cert: null
ssl_agent_key: null
ssl_auto_negotiate: 'no'
Variable:
wazuh_auto_restartDescription: Set the
<auto_restart> option in the agent.Default value:
nullVariable:
wazuh_notify_timeDescription: Set the
<notify_time> option in the agent.Default value:
nullVariable:
wazuh_crypto_methodDescription: Set
<crypto_method> option in the agent.Default value:
nullVariable:
wazuh_time_reconnectDescription: Set
<time-reconnect> option in the agent.Default value:
nullVariable:
wazuh_winagent_configDescription: Set the ThreatLockDown Agent installation regarding Windows hosts.
Example:
wazuh_winagent_config:
download_dir: C:\
install_dir: C:\Program Files\ossec-agent\
install_dir_x86: C:\Program Files (x86)\ossec-agent\
auth_path: C:\Program Files\ossec-agent\agent-auth.exe
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
check_sha512: True
Variable:
wazuh_agent_enrollmentDescription: Configures the enrollment section in the agent
ossec.conf.Example:
wazuh_agent_enrollment:
enabled: ''
manager_address: ''
port: 1515
agent_name: 'testname'
groups: ''
agent_address: ''
ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
server_ca_path: ''
agent_certificate_path: ''
agent_key_path: ''
authorization_pass_path: /var/ossec/etc/authd.pass
auto_method: 'no'
delay_after_enrollment: 20
use_source_ip: 'no'
Variable:
wazuh_agent_client_bufferDescription: Configures the client_buffer section from agent
ossec.conf.Example:
wazuh_agent_client_buffer:
disable: 'no'
queue_size: '5000'
events_per_sec: '500'
Variable:
wazuh_agent_rootcheckDescription: Configures the rootcheck section from agent
ossec.conf.Example:
wazuh_agent_rootcheck:
frequency: 43200
Variable:
wazuh_agent_openscapDefault values:
wazuh_agent_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
Variable:
wazuh_agent_cis_catDefault values:
wazuh_agent_cis_cat:
disable: 'yes'
install_java: 'no'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: 'wodles/java'
java_path_win: '\\server\jre\bin\java.exe'
ciscat_path: 'wodles/ciscat'
ciscat_path_win: 'C:\cis-cat'
Variable:
wazuh_agent_osqueryDefault values:
wazuh_agent_osquery:
disable: 'yes'
run_daemon: 'yes'
bin_path_win: 'C:\Program Files\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
config_path_win: 'C:\Program Files\osquery\osquery.conf'
add_labels: 'yes'
Variable:
wazuh_agent_syscollectorDefault values:
wazuh_agent_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
wazuh_agent_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
Variable:
wazuh_agent_syscheckDescription: Configures the syscheck section from
ossec.conf.Default values:
wazuh_agent_syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
win_audit_interval: 60
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 50
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
win_directories:
- dirs: '%WINDIR%'
checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
- dirs: '%WINDIR%\SysNative'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
- dirs: '%WINDIR%\SysNative\drivers\etc%'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\SysNative\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\SysNative'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%WINDIR%\System32'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
- dirs: '%WINDIR%\System32\drivers\etc'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\System32\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\System32'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
checks: 'realtime="yes"'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Security'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
arch: "both"
windows_registry_ignore:
- key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
- key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
- key: '\Enum$'
type: "sregex"
Variable:
wazuh_agent_localfilesDescription: Configures the localfile section from
ossec.conf.Default values:
wazuh_agent_localfiles:
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
linux:
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
windows:
- format: 'eventlog'
location: 'Application'
- format: 'eventchannel'
location: 'Security'
query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
- format: 'eventlog'
location: 'System'
- format: 'syslog'
location: 'active-response\active-responses.log'
Variable:
wazuh_agent_labelsDescription: Configures the labels section from
ossec.conf.Default values:
wazuh_agent_labels:
enable: false
list:
- key: Env
value: Production
Variable:
wazuh_agent_active_responseDescription: Configures the active-response section from
ossec.conf.Default values:
wazuh_agent_active_response:
ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem'
ca_store_win: 'wpk_root.pem'
ca_verification: 'yes'
Variable:
wazuh_agent_log_formatDescription: Configures the log_format section from
ossec.conf.Default value:
plainVariable:
wazuh_agent_config_defaultsDescription: ThreatLockDown Agent related configuration. This variable is provided for backward compatibility. Newer deployments should use the newly introduced variables described above.
Example:
wazuh_agent_config_defaults:
repo: '{{ wazuh_repo }}'
active_response: '{{ wazuh_agent_active_response }}'
log_format: '{{ wazuh_agent_log_format }}'
client_buffer: '{{ wazuh_agent_client_buffer }}'
syscheck: '{{ wazuh_agent_syscheck }}'
rootcheck: '{{ wazuh_agent_rootcheck }}'
openscap: '{{ wazuh_agent_openscap }}'
osquery: '{{ wazuh_agent_osquery }}'
syscollector: '{{ wazuh_agent_syscollector }}'
sca: '{{ wazuh_agent_sca }}'
cis_cat: '{{ wazuh_agent_cis_cat }}'
localfiles: '{{ wazuh_agent_localfiles }}'
labels: '{{ wazuh_agent_labels }}'
enrollment: '{{ wazuh_agent_enrollment }}'
Warning
We recommend the use of Ansible Vault to protect authd credentials.
Variable:
authd_passDescription: ThreatLockDown authd credentials for agent registration.
Example:
authd_pass: foobar