ce-provision/roles/debian/wazuh/defaults/main.yml at c1b7b2966d4a8f33de5991b9e8bbe41edc4afd15 · codeenigma/ce-provision · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
---
wazuh_agent_sources_installation:
  enabled: true
wazuh:
  path: wazuh
  #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible
  branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version!
  # Agent variables, installed locally by default
  # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
  agent:
    install: true
    managers: [] # list of manager servers, e.g.
    #  - address: 10.0.0.1
    #    port: 1514
    #    protocol: tcp
    #    api_port: 55000
    #    api_proto: 'http'
    #    api_user: ansible
    #    max_retries: 5
    #    retry_interval: 5
    # Automated enrolment variables
    # See docs - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html
    wazuh_agent_enrollment:
      enabled: "yes"
      agent_name: ""
      groups: "" # comma-separated list of group names corresponding to `agent_groups` under manager config below
      agent_address: ""
      ssl_ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
  # Indexer variables, default to single node mode
  # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/wazuh-indexer/defaults/main.yml
  indexer:
    install: false # install the indexer packages
    single_node: true
    domain_name: indexer.example.com # possible to use "{{ _domain_name }}" in local variables, but not defaults
    indexer_cluster_name: wazuh
    indexer_node_name: node-1 # this server name
    indexer_network_host: 127.0.0.1
    indexer_http_port: 9200
    indexer_api_protocol: https
    indexer_custom_user: ""
    indexer_custom_user_role: "admin"
    indexer_admin_password: changeme
    minimum_master_nodes: 1
    indexer_node_master: true
    indexer_node_data: true
    indexer_node_ingest: true
    indexer_start_timeout: 90
    indexer_cluster_nodes:
      - 127.0.0.1
    indexer_discovery_nodes:
      - 127.0.0.1
    # dicts of instances for use in indexer templates
    indexer_primary: # primary instance
      node-1:
        name: node-1
        ip: 127.0.0.1
        role: indexer
    indexer_instances: # dict of all available instances - matches index_primary when single_node is `true`
      node-1:
        name: node-1
        ip: 127.0.0.1
        role: indexer
  # Filebeat variables, default to Wazuh stack on a single server
  # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
  filebeat:
    install: false # install the filebeat packages
    filebeat_version: 7.10.2
    filebeat_node_name: node-1
    filebeat_output_indexer_hosts:
      - "127.0.0.1:9200" # make sure the specified port matches indexer.indexer_http_port
    filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
    filebeat_module_package_name: wazuh-filebeat-0.2.tar.gz
    indexer_security_user: admin
    indexer_security_password: changeme
  # Manager variables
  # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
  manager:
    install: false # install the manager packages
    wazuh_manager_mailto:
      - admin@example.net
    wazuh_manager_email_smtp_server: localhost
    wazuh_manager_email_notification: "no"
    wazuh_manager_email_from: wazuh@example.net
    wazuh_manager_email_maxperhour: 12
    wazuh_manager_email_queue_size: 131072
    wazuh_manager_email_log_source: alerts.log
    wazuh_manager_log_level: 3
    wazuh_manager_email_level: 12
    wazuh_manager_config:
      decoder_dir: "ruleset/decoders"
      rule_dir: "ruleset/rules"
      active_responses:
        - command: "firewall-drop"
          location: "all"
          rules_id: "31151,5712,104130,101071,101132,101238,101251,103011"
          repeated_offenders: "30,60,120"
          timeout: 600
        - command: "firewall-drop"
          location: "all"
          rules_id: "100205"
          repeated_offenders: "30,60,120"
          timeout: 3600
      authd:
        enabled: false
        use_password: false
    wazuh_manager_globals:
      - '1.1.1.1'
    agent_groups: [] # maps to `groups` string in agent config above
    wazuh_manager_extra_emails: [] # list of additional emails to send, e.g.
      #- enable: true
      #  mail_to: 'recipient@example.wazuh.com'
      #  format: full
      #  level: 7
      #  event_location: null
      #  group: null
      #  do_not_delay: false
      #  do_not_group: false
      #  rule_id: null
    wazuh_manager_reports: [] # list of reports to send, e.g.
      #- enable: true
      #  category: 'syscheck'
      #  title: 'Daily report: File changes'
      #  email_to: admin@example.net
      #  location: null
      #  group: null
      #  rule: null
      #  level: null
      #  srcip: null
      #  user: null
      #  showlogs: null
    wazuh_manager_api:
      bind_addr: 0.0.0.0
      port: 55000
      behind_proxy_server: "no"
      https: "yes"
      https_key: "api/configuration/ssl/server.key"
      https_cert: "api/configuration/ssl/server.crt"
      https_use_ca: false
      https_ca: "api/configuration/ssl/ca.crt"
      logging_level: "info"
      logging_path: "logs/api.log"
      cors: "no"
      cors_source_route: "*"
      cors_expose_headers: "*"
      cors_allow_headers: "*"
      cors_allow_credentials: "no"
      cache: "yes"
      cache_time: 0.750
      access_max_login_attempts: 5
      access_block_time: 300
      access_max_request_per_minute: 300
      drop_privileges: "yes"
      experimental_features: "no"
      remote_commands_localfile: "yes"
      remote_commands_localfile_exceptions: []
      remote_commands_wodle: "yes"
      remote_commands_wodle_exceptions: []
      #wazuh_api_users:
      #  - username: custom-user
      #    password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars)
  # Dashboard variables, default to Wazuh stack on a single server
  # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/wazuh-dashboard/defaults/main.yml
  dashboard:
    install: false # install the dashboard packages
    dashboard_node_name: node-1
    dashboard_server_host: "0.0.0.0"
    dashboard_server_port: "443" # if you want to use provided SSL certificates install a web server and proxy to Wazuh
    dashboard_server_name: dashboard.example.com # possible to use "{{ _domain_name }}" in local variables, but not defaults
    dashboard_conf_path: "/etc/wazuh-dashboard/"
    wazuh_api_credentials:
      - id: "default"
        url: "https://localhost" # localhost when the Wazuh stack is on a single server
        port: 55000 # must match wazuh_manager_api.port
        username: "wazuh" # these user attributes are required to stop the play failing, even if wazuh_api_users is not set
        password: "wazuh"
    dashboard_security: true
    dashboard_user: kibanaserver
    dashboard_password: changeme