An Ansible Role that installs OSSEC-wazuh
This role works on Ubuntu. OSSEC does no SMTP authentication of any kind, so if you want email alerts you should run a local SMTP relay such as sendmail.
The role uses the Ubuntu package defaults. Below are all the options with their defaults as examples, but list items are truncated. See defaults/main.yml for the full list.
```yaml
ossec_email_to: [email protected]
ossec_smtp_server: localhost
ossec_email_from: [email protected]

# Rules
ossec_rules:
  - rules_config.xml

# Syscheck
ossec_syscheck_frequency: 7200
ossec_syscheck_directories:
  - check_all: yes
    directories: /etc,/usr/bin,/usr/sbin
ossec_syscheck_ignore_directories:
  - /etc/mtab

# Rootcheck
ossec_rootcheck_rootkit_files: /var/ossec/etc/shared/rootkit_files.txt
ossec_rootcheck_rootkit_rojans: /var/ossec/etc/shared/rootkit_trojans.txt

# Global whitelist
ossec_global_white_lists:
  - 127.0.0.1

# Alerts
ossec_alerts_log_alert_level: 1
ossec_alerts_email_alert_level: 7

# Commands
ossec_commands:
  - name: host-deny
    executable: host-deny.sh
    expect: srcip
    timeout_allowed: yes

# Active Responses
ossec_active_responses:
  - command: host-deny
    location: local
    level: 6
    timeout: 600

# Localfile
ossec_localfile:
  - log_format: syslog
    location: /var/log/messages
```
Example playbook:

```yaml
- hosts: servers
  vars:
    ossec_email_from: [email protected]
    ossec_email_to: [email protected]
  roles:
    - verygood.ossec-server
```
Official FAQ: http://ossec.github.io/docs/faq/index.html
Q: ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
A: Check that the agent has been registered on the server: compare the contents of /var/ossec/etc/client.keys
on the agent and on the server. The last field of each line is the key, and it must be the same on both sides.
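The client.keys comparison from the answer above can be scripted. The following is an added example and not part of the role: it parses the client.keys format (one line per agent: id, name, IP, key) and reports agents whose entry on the agent side is missing from, or differs from, the server's copy. The agent ids, names, IPs and keys in the sample data are constructed.

```python
"""Compare OSSEC/Wazuh client.keys entries between an agent and its server."""


def parse_client_keys(text):
    """Return {agent_id: (name, ip, key)} parsed from client.keys content."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and comments.
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed client.keys line: {line!r}")
        agent_id, name, ip, key = parts
        entries[agent_id] = (name, ip, key)
    return entries


def compare_keys(server_text, agent_text):
    """Return a list of (agent_id, problem) tuples; an empty list means consistent."""
    server = parse_client_keys(server_text)
    agent = parse_client_keys(agent_text)
    problems = []
    for agent_id, (name, ip, key) in agent.items():
        if agent_id not in server:
            problems.append((agent_id, "not registered on server"))
        elif server[agent_id][2] != key:
            # The last field is the shared key; a mismatch makes the server
            # drop the agent's messages, which surfaces as the queue error.
            problems.append((agent_id, "key differs from server copy"))
        elif server[agent_id][0] != name:
            problems.append((agent_id, "agent name differs from server copy"))
    return problems


# Constructed sample data: the server knows two agents, but the file on
# agent 002 carries a stale key, so the server will refuse its messages.
SERVER_KEYS = """\
001 web01 10.0.0.11 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 db01 10.0.0.12 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""
AGENT_KEYS = "002 db01 10.0.0.12 00000000000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"

if __name__ == "__main__":
    for agent_id, problem in compare_keys(SERVER_KEYS, AGENT_KEYS):
        print(f"agent {agent_id}: {problem}")
```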
License: BSD