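---
# This file defines the expected settings for each audit rule.
# Each top-level key is one audit rule; the values beneath it are what the
# audit expects to find on the firewall, not recommendations in themselves.
# Keys under each rule mirror the firewall API field names (including their
# spelling), so do not "correct" them here.
#
# Local service ACL exception rule (System > Administration > Device Access > Local service ACL exception)
access_acl:
  hostgroups:
    - Internal ACL
    - External ACL
  services:
    - Ping
    - HTTPS
    - SSH
    - UserPortal
    - VPNPortal

# Central Management (System > Sophos Central)
central_management:
  FWBackup: BackupEnable
  JoinMethod: Manual
  UseCentralReporting: Enable
  CMStatus: Enable

# Device Access Profiles (System > Profiles > Device Access)
device_access_profile:
  profiles:
    - Administrator
    - Audit Admin
    - Crypto Admin
    - HAProfile
    - HelpdeskAdmin
    - HelpdeskLimited
    - ReadOnly
    - Security Admin

# Check for enabled services on the WAN zone (enter [] for none).
# An empty list means the audit expects no admin services exposed on WAN.
admin_services:
  services: []

# Authentication servers (Configure > Authentication > Servers)
authen_servers:
  servers:
    - SophosFirewallSSO

# Threat Protection settings (Protect > Active threat response > Sophos X-Ops threat feeds)
threat_protection:
  state: Enable
  policy: Log and Drop

# Malware protection settings (Configure > System services > Malware Protection)
malware_protection:
  antivirus_engine: Sophos

# IPS Policies (Protect > Intrusion prevention > IPS policies)
ips_policies:
  status: Enable
  policies:
    - DMZ TO LAN
    - DMZ TO WAN
    - General Policy
    - LAN TO DMZ
    - LAN TO WAN
    - WAN TO DMZ
    - WAN TO LAN
    - dmzpolicy
    - generalpolicy
    - lantowan_general
    - lantowan_strict

# Host groups - check host groups contain hosts listed here
host_groups:
  groups:
    - name: Isolated Subnets
      hosts:
        - NYC 172.16.4.0/24 Example_1
        - SFO 172.16.10.0/24 Example_2

# Syslog settings (Configure > System services > Log settings)
# One entry per configured syslog server; LogSettings lists which log
# categories the audit expects to be forwarded to that server.
syslog:
  - name: Local_Server
    LogSettings:
      ATP:
        ATPEvents: Enable
      AntiSpam:
        IMAP: Enable
        IMAPS: Enable
        POP3: Enable
        POPS: Enable
        SMTP: Enable
        SMTPS: Enable
      AntiVirus:
        FTP: Enable
        HTTP: Enable
        HTTPS: Enable
        IMAP: Enable
        IMAPS: Enable
        POP3: Enable
        POPS: Enable
        SMTP: Enable
        SMTPS: Enable
      ContentFiltering:
        ApplicationFilter: Enable
        SSLTLS: Enable
        WebContentPolicy: Enable
        WebFilter: Enable
      Events:
        AdminEvents: Enable
        AuthenticationEvents: Enable
        SystemEvents: Enable
      Heartbeat:
        EndpointStatus: Enable
      IPS:
        Anomaly: Enable
        Signatures: Enable
      SDWAN:
        Profile: Enable
        Route: Enable
      SecurityPolicy:
        BridgeACLs: Disable
        DoSAttack: Disable
        DroppedFragmentedTraffic: Disable
        DroppedICMPRedirectedPacket: Disable
        DroppedSourceRoutedPacket: Disable
        Heartbeat: Enable
        ICMPErrorMessage: Disable
        IP-MACPairFiltering: Disable
        IPSpoofPrevention: Disable
        InvalidTraffic: Disable
        LocalACLs: Disable
        MACFiltering: Disable
        PolicyRules: Enable
        ProtectedApplicationServer: Disable
        SSLVPNTunnel: Disable
      WebServerProtection:
        WAFEvents: Enable
      ZeroDayProtection:
        ZeroDayProtectionEvents: Enable
  - name: Central_Reporting
    LogSettings:
      ATP:
        ATPEvents: Enable
      AntiSpam:
        IMAP: Enable
        IMAPS: Enable
        POP3: Enable
        POPS: Enable
        SMTP: Enable
        SMTPS: Enable
      AntiVirus:
        FTP: Enable
        HTTP: Enable
        HTTPS: Enable
        IMAP: Enable
        IMAPS: Enable
        POP3: Enable
        POPS: Enable
        SMTP: Enable
        SMTPS: Enable
      ContentFiltering:
        ApplicationFilter: Enable
        SSLTLS: Enable
        WebContentPolicy: Enable
        WebFilter: Enable
      Events:
        AdminEvents: Enable
        AuthenticationEvents: Enable
        SystemEvents: Enable
      Heartbeat:
        EndpointStatus: Enable
      IPS:
        Anomaly: Enable
        Signatures: Enable
      SDWAN:
        Profile: Enable
        Route: Enable
        SLA: Enable
      SecurityPolicy:
        BridgeACLs: Enable
        DoSAttack: Enable
        DroppedFragmentedTraffic: Enable
        DroppedICMPRedirectedPacket: Enable
        DroppedSourceRoutedPacket: Enable
        Heartbeat: Enable
        ICMPErrorMessage: Enable
        IP-MACPairFiltering: Enable
        IPSpoofPrevention: Enable
        InvalidTraffic: Disable
        LocalACLs: Enable
        MACFiltering: Enable
        PolicyRules: Enable
        ProtectedApplicationServer: Enable
        SSLVPNTunnel: Enable
      SystemHealth:
        Usage: Enable
      WebServerProtection:
        WAFEvents: Enable
      Wireless:
        AccessPoints_SSID: Enable
      ZeroDayProtection:
        ZeroDayProtectionEvents: Enable

# Notification settings (System > Administration > Notification settings)
# SenderAddress is templated; keep it quoted so an empty expansion or a
# leading "{{" is not misparsed by the YAML loader.
# Only the SMTP username is checked here - the password is never expected
# in this file.
notifications:
  SenderAddress: "{{ firewall_hostname }}@example.com"
  AuthenticationRequired: Enable
  Port: "587"
  ConnectionSecurity: STARTTLS
  MailServer: mail.aol.com  # example value - replace with your own mail relay
  Recepient: alerts@example.com
  Username: smtpuser
  ManagementInterface: null

# Notification List settings (Configure > System services > Notification list)
notification_list:
  SendEmail: Enable
  SendSnmp: Enable
  SignInEmail: Disable
  SignInSnmp: Disable
  TooManyLoginEmail: Disable
  TooManyLoginSnmp: Disable
  InterfaceEmail: Enable
  InterfaceSnmp: Enable
  ApplianceUnpluggedEmail: Enable
  ApplianceUnpluggedSnmp: Enable
  CriticalEmail: Disable
  CriticalSnmp: Disable
  MajorEmail: Disable
  MajorSnmp: Disable
  ModerateEmail: Disable
  ModerateSnmp: Disable
  MinorEmail: Disable
  MinorSnmp: Disable
  WarningEmail: Disable
  WarningSnmp: Disable
  AlertATPEmail: Disable
  AlertATPSnmp: Disable
  DropATPEmail: Disable
  DropATPSnmp: Disable
  ConfDiskExdEmail: Enable
  ConfDiskExdSnmp: Disable
  SigDiskExdEmail: Enable
  SigDiskExdSnmp: Disable
  ReportDiskExdEmail: Enable
  ReportDiskExdSnmp: Disable
  FirmwareReadyEmail: Enable
  FirmwareReadySnmp: Disable
  FirmwareInstalledEmail: Enable
  FirmwareInstalledSnmp: Disable
  FirmwareInstalledFailedEmail: Enable
  FirmwareInstalledFailedSnmp: Enable
  WebCatFailEmail: Disable
  WebCatFailSnmp: Disable
  IPSSigFailEmail: Enable
  IPSSigFailSnmp: Disable
  AVFailEmail: Enable
  AVFailSnmp: Disable
  SystemStartEmail: Disable
  SystemStartSnmp: Disable
  RedDownEmail: Enable
  RedDownSnmp: Disable
  RedUpgradeFailEmail: Disable
  RedUpgradeFailSnmp: Disable
  APOfflineEmail: Disable
  APOfflineSnmp: Disable
  APUpgradeFailEmail: Disable
  APUpgradeFailSnmp: Disable
  IPsecUPEmail: Disable
  IPsecUPSnmp: Disable
  IPsecDownEmail: Disable
  IPsecDownSnmp: Disable
  HighCpuEmail: Disable
  HighCpuSnmp: Enable
  GwUnrcblEmail: Disable
  GwUnrcblSnmp: Disable
  HttpVirusAlertEmail: Disable
  HttpVirusAlertSnmp: Disable
  FtpVirusAlertEmail: Disable
  FtpVirusAlertSnmp: Disable
  SmtpVirusAlertEmail: Disable
  SmtpVirusAlertSnmp: Disable
  Pop3VirusAlertEmail: Disable
  Pop3VirusAlertSnmp: Disable
  Imap4VirusAlertEmail: Disable
  Imap4VirusAlertSnmp: Disable
  IPSecFailoverFailbackEmail: Disable
  IPSecFailoverFailbackSnmp: Disable
  SSLVPNUPEmail: Disable
  SSLVPNUPSnmp: Disable
  SSLVPNDownEmail: Disable
  SSLVPNDownSnmp: Disable
  RedDeauthorizeEmail: Enable
  RedDeauthorizeSnmp: Disable
  RedUnlockCodeEmail: Enable
  RedUnlockCodeSnmp: Disable

# Scheduled Backup Settings (System > Backup & firmware > Backup & restore)
# Fields that do not apply to the chosen BackupMode are left as null.
scheduled_backup:
  BackupMode: Mail  # FTP/Mail/Local
  FtpPath: null
  Username: null
  FTPServer: null
  EmailAddress: alerts@example.com
  BackupFrequency: Weekly
  Date: null
  Day: Sunday
  Hour: "23"
  Minute: "00"

# Reports retention (Monitory & Analyze > Reports > Report Settings > Data management)
# reports_retention:

# CA Certificate (System > Administration > Admin and user settings)
# Ports are quoted so they stay strings when compared with the API response.
certificate:
  WebAdminSettings:
    Certificate: Webadmin-CA
    HTTPSport: "4444"
    UserPortalHTTPSPort: "4443"
    VPNPortalHTTPSPort: "443"
    PortalRedirectMode: ip
    PortalCustomHostname: null

# Login Security (System > Administration > Admin and user settings)
# NOTE: these are the values the audit checks for. As shipped, this example
# expects password complexity checks to be Disable; set them to match your
# own baseline before relying on the audit result.
login_security:
  LoginSecurity:
    LogoutSession: Disable
    BlockLogin: Enable
    BlockLoginSettings:
      UnsucccessfulAttempt: "3"
      Duration: "30"
      ForMinutes: "3"
  PasswordComplexitySettings:
    PasswordComplexityCheck: Disable
    PasswordComplexity:
      MinimumPasswordLength: Disable
      IncludeSpecialCharacter: Disable
  LoginDisclaimer: Disable
  DefaultConfigurationLanguage: English

# DNS Servers (Configure > Network > DNS)
dns_servers:
  - 4.2.2.1
  - 4.2.2.2

# SNMPv3 (System > Administration > SNMP)
# AuthorizedHosts is the list of managers allowed to query/receive traps.
snmpv3:
  Username: snmpv3_user
  AcceptQueries: Enable
  SendTraps: Enable
  AuthorizedHosts:
    - 10.1.100.101
    - 10.1.100.102

# Time Settings (System > Administration > Time)
time:
  timezone: Europe/Dublin

# SMTP Protection Settings (Protect > Email > General Settings)
# Quoted: an unquoted ON would be read as a boolean by YAML 1.1 loaders.
smtp_protect:
  mta_mode: "ON"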