forked from antoniobarbaro/ansible-role-ossec-wazuh
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Gustavo Folga
committed
Apr 15, 2017
1 parent
bd9f816
commit dfd2d50
Showing
8 changed files
with
230 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
|
|
||
| - name: enable integrator | ||
| command: /var/ossec/bin/ossec-control enable integrator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,194 @@ | ||
| <ossec_config> | ||
| <global> | ||
| <jsonout_output>yes</jsonout_output> | ||
| {% if ossec_enable_email == "y" %} | ||
| <email_notification>yes</email_notification> | ||
| <email_to>{{ ossec_email_address }}</email_to> | ||
| <smtp_server>{{ ossec_smtp_server }}</smtp_server> | ||
| <email_from>{{ ossec_email_from }}</email_from> | ||
| {% else %} | ||
| <email_notification>no</email_notification> | ||
| {% endif %} | ||
| </global> | ||
|
|
||
| {% if ossec_wazuh_integrator_slack_hook_url is defined %} | ||
| <integration> | ||
| <name>slack</name> | ||
| <hook_url>{{ ossec_wazuh_integrator_slack_hook_url }}</hook_url> | ||
| <level>{{ ossec_wazuh_integrator_slack_level }}</level> | ||
| </integration> | ||
| {% endif %} | ||
| {% if ossec_wazuh_integrator_pagerduty_api_key is defined %} | ||
| <integration> | ||
| <name>pagerduty</name> | ||
| <api_key>{{ ossec_wazuh_integrator_pagerduty_api_key }}</api_key> | ||
| <level>{{ ossec_wazuh_integrator_pagerduty_level }}</level> | ||
| </integration> | ||
| {% endif %} | ||
|
|
||
| <rules> | ||
| <decoder_dir>etc/ossec_decoders</decoder_dir> | ||
| <decoder_dir>etc/wazuh_decoders</decoder_dir> | ||
| <include>rules_config.xml</include> | ||
| <include>pam_rules.xml</include> | ||
| <include>sshd_rules.xml</include> | ||
| <include>telnetd_rules.xml</include> | ||
| <include>syslog_rules.xml</include> | ||
| <include>arpwatch_rules.xml</include> | ||
| <include>symantec-av_rules.xml</include> | ||
| <include>symantec-ws_rules.xml</include> | ||
| <include>pix_rules.xml</include> | ||
| <include>named_rules.xml</include> | ||
| <include>smbd_rules.xml</include> | ||
| <include>vsftpd_rules.xml</include> | ||
| <include>pure-ftpd_rules.xml</include> | ||
| <include>proftpd_rules.xml</include> | ||
| <include>ms_ftpd_rules.xml</include> | ||
| <include>ftpd_rules.xml</include> | ||
| <include>hordeimp_rules.xml</include> | ||
| <include>roundcube_rules.xml</include> | ||
| <include>wordpress_rules.xml</include> | ||
| <include>cimserver_rules.xml</include> | ||
| <include>vpopmail_rules.xml</include> | ||
| <include>vmpop3d_rules.xml</include> | ||
| <include>courier_rules.xml</include> | ||
| <include>web_rules.xml</include> | ||
| <include>web_appsec_rules.xml</include> | ||
| <include>apache_rules.xml</include> | ||
| <include>nginx_rules.xml</include> | ||
| <include>php_rules.xml</include> | ||
| <include>mysql_rules.xml</include> | ||
| <include>postgresql_rules.xml</include> | ||
| <include>ids_rules.xml</include> | ||
| <include>squid_rules.xml</include> | ||
| <include>firewall_rules.xml</include> | ||
| <include>apparmor_rules.xml</include> | ||
| <include>cisco-ios_rules.xml</include> | ||
| <include>netscreenfw_rules.xml</include> | ||
| <include>sonicwall_rules.xml</include> | ||
| <include>postfix_rules.xml</include> | ||
| <include>sendmail_rules.xml</include> | ||
| <include>imapd_rules.xml</include> | ||
| <include>mailscanner_rules.xml</include> | ||
| <include>dovecot_rules.xml</include> | ||
| <include>ms-exchange_rules.xml</include> | ||
| <include>racoon_rules.xml</include> | ||
| <include>vpn_concentrator_rules.xml</include> | ||
| <include>spamd_rules.xml</include> | ||
| <include>msauth_rules.xml</include> | ||
| <include>mcafee_av_rules.xml</include> | ||
| <include>trend-osce_rules.xml</include> | ||
| <include>ms-se_rules.xml</include> | ||
| <!-- <include>policy_rules.xml</include> --> | ||
| <include>zeus_rules.xml</include> | ||
| <include>solaris_bsm_rules.xml</include> | ||
| <include>vmware_rules.xml</include> | ||
| <include>ms_dhcp_rules.xml</include> | ||
| <include>asterisk_rules.xml</include> | ||
| <include>ossec_rules.xml</include> | ||
| <include>attack_rules.xml</include> | ||
| <include>openbsd_rules.xml</include> | ||
| <include>clam_av_rules.xml</include> | ||
| <include>dropbear_rules.xml</include> | ||
| <include>sysmon_rules.xml</include> | ||
| <include>auditd_rules.xml</include> | ||
| <include>opensmtpd_rules.xml</include> | ||
| <include>local_rules.xml</include> | ||
| </rules> | ||
|
|
||
| <syscheck> | ||
| <!-- Frequency that syscheck is executed - default to every 22 hours --> | ||
| <frequency>79200</frequency> | ||
|
|
||
| <!-- Directories to check (perform all possible verifications) --> | ||
| <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> | ||
| <directories check_all="yes">/bin,/sbin,/boot</directories> | ||
|
|
||
| <!-- Files/directories to ignore --> | ||
| <ignore>/etc/mtab</ignore> | ||
| <ignore>/etc/mnttab</ignore> | ||
| <ignore>/etc/hosts.deny</ignore> | ||
| <ignore>/etc/mail/statistics</ignore> | ||
| <ignore>/etc/random-seed</ignore> | ||
| <ignore>/etc/adjtime</ignore> | ||
| <ignore>/etc/httpd/logs</ignore> | ||
| <ignore>/etc/utmpx</ignore> | ||
| <ignore>/etc/wtmpx</ignore> | ||
| <ignore>/etc/cups/certs</ignore> | ||
| <ignore>/etc/dumpdates</ignore> | ||
| <ignore>/etc/svc/volatile</ignore> | ||
|
|
||
| <!-- Windows files to ignore --> | ||
| <ignore>C:\WINDOWS/System32/LogFiles</ignore> | ||
| <ignore>C:\WINDOWS/Debug</ignore> | ||
| <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> | ||
| <ignore>C:\WINDOWS/iis6.log</ignore> | ||
| <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> | ||
| <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> | ||
| <ignore>C:\WINDOWS/Prefetch</ignore> | ||
| <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> | ||
| <ignore>C:\WINDOWS/SoftwareDistribution</ignore> | ||
| <ignore>C:\WINDOWS/Temp</ignore> | ||
| <ignore>C:\WINDOWS/system32/config</ignore> | ||
| <ignore>C:\WINDOWS/system32/spool</ignore> | ||
| <ignore>C:\WINDOWS/system32/CatRoot</ignore> | ||
| </syscheck> | ||
|
|
||
| <rootcheck> | ||
| <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> | ||
| <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> | ||
| <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> | ||
| <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> | ||
| <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> | ||
| <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> | ||
| </rootcheck> | ||
|
|
||
| <active-response> | ||
| <disabled>yes</disabled> | ||
| </active-response> | ||
|
|
||
|
|
||
| <remote> | ||
| <connection>syslog</connection> | ||
| </remote> | ||
|
|
||
| <remote> | ||
| <connection>secure</connection> | ||
| </remote> | ||
|
|
||
| <alerts> | ||
| <log_alert_level>1</log_alert_level> | ||
| <email_alert_level>7</email_alert_level> | ||
| </alerts> | ||
| <!-- Files to monitor (localfiles) --> | ||
|
|
||
| <localfile> | ||
| <log_format>syslog</log_format> | ||
| <location>/var/log/messages</location> | ||
| </localfile> | ||
|
|
||
| <localfile> | ||
| <log_format>syslog</log_format> | ||
| <location>/var/log/secure</location> | ||
| </localfile> | ||
|
|
||
| <localfile> | ||
| <log_format>syslog</log_format> | ||
| <location>/var/log/maillog</location> | ||
| </localfile> | ||
|
|
||
| <localfile> | ||
| <log_format>command</log_format> | ||
| <command>df -P</command> | ||
| </localfile> | ||
|
|
||
| <localfile> | ||
| <log_format>full_command</log_format> | ||
| <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command> | ||
| </localfile> | ||
|
|
||
| <localfile> | ||
| <log_format>full_command</log_format> | ||
| <command>last -n 5</command> | ||
| </localfile> | ||
| </ossec_config> |