feat(wazuh): add Wazuh security monitoring agent configuration
Add comprehensive Wazuh agent configuration for security monitoring:
- wazuh-agent.conf: Full XML configuration including:
* Server connection to tsys-nsm.knel.net via TCP/1514
* AES encryption for agent-server communication
* Rootcheck module for rootkit and anomaly detection
* Syscheck file integrity monitoring for critical paths
(/etc, /usr/bin, /usr/sbin, /bin, /sbin)
* Log collection from syslog, auth.log, kern.log, dmesg
* Active response capability enabled
* Environment/organization labels for asset management
The agent connects to the centralized Wazuh server for log
aggregation, intrusion detection, and compliance monitoring.
Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-wazuh.sh
118
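--- /dev/null
+++ b/initializers/wazuh/configs/wazuh-agent.conf
@@ -0,0 +1,118 @@
+<!-- KNEL Wazuh Agent Configuration -->
+<ossec_config>
+<client>
+<server>
+<address>tsys-nsm.knel.net</address>
+<port>1514</port>
+<protocol>tcp</protocol>
+</server>
+<config-profile>ubuntu, ubuntu20, ubuntu20.04</config-profile>
+<notify_time>10</notify_time>
+<time-reconnect>60</time-reconnect>
+<auto_restart>yes</auto_restart>
+<crypto_method>aes</crypto_method>
+</client>
+
+<client_buffer>
+<!-- Agent buffer options -->
+<disabled>no</disabled>
+<queue_size>5000</queue_size>
+<events_per_second>500</events_per_second>
+</client_buffer>
+
+<!-- Policy monitoring -->
+<rootcheck>
+<disabled>no</disabled>
+<check_files>yes</check_files>
+<check_trojans>yes</check_trojans>
+<check_dev>yes</check_dev>
+<check_sys>yes</check_sys>
+<check_pids>yes</check_pids>
+<check_ports>yes</check_ports>
+<check_unixaudit>yes</check_unixaudit>
+<frequency>43200</frequency>
+</rootcheck>
+
+<!-- File integrity monitoring -->
+<syscheck>
+<disabled>no</disabled>
+<frequency>43200</frequency>
+<scan_on_start>yes</scan_on_start>
+<alert_new_files>yes</alert_new_files>
+<auto_ignore>no</auto_ignore>
+
+<!-- Directories to monitor -->
+<directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
+<directories check_all="yes">/usr/local/bin,/usr/local/sbin</directories>
+
+<!-- Files to monitor -->
+<files>/etc/passwd,/etc/shadow,/etc/group,/etc/gshadow</files>
+<files>/etc/ssh/sshd_config,/etc/ssh/ssh_config</files>
+
+<!-- Ignore these files -->
+<ignore>/etc/mtab</ignore>
+<ignore>/etc/hosts.deny</ignore>
+<ignore>/etc/mail/statistics</ignore>
+<ignore>/etc/random-seed</ignore>
+<ignore>/etc/adjtime</ignore>
+<ignore>/etc/httpd/logs</ignore>
+<ignore>/etc/utmpx</ignore>
+<ignore>/etc/wtmpx</ignore>
+<ignore>/etc/cups/certs</ignore>
+<ignore>/etc/dumpdates</ignore>
+<ignore>/etc/svc/volatile</ignore>
+
+<!-- File types to ignore -->
+<nodiff>/etc/ssl/private.key</nodiff>
+</syscheck>
+
+<!-- Log analysis -->
+<localfile>
+<log_format>COMMAND</log_format>
+<command>df -P</command>
+<frequency>360</frequency>
+</localfile>
+
+<localfile>
+<log_format>full_command</log_format>
+<command>netstat -tulpn | sed 's/:::/:/g' | sed 's/::/:/g' | sed 's/0\.0\.0\.0/:/g' | sed 's/127\.0\.0\.1/:/g' | sort</command>
+<frequency>360</frequency>
+</localfile>
+
+<localfile>
+<log_format>full_command</log_format>
+<command>last -n 20</command>
+<frequency>360</frequency>
+</localfile>
+
+<localfile>
+<log_format>syslog</log_format>
+<location>/var/log/syslog</location>
+</localfile>
+
+<localfile>
+<log_format>syslog</log_format>
+<location>/var/log/auth.log</location>
+</localfile>
+
+<localfile>
+<log_format>syslog</log_format>
+<location>/var/log/kern.log</location>
+</localfile>
+
+<localfile>
+<log_format>syslog</log_format>
+<location>/var/log/dmesg</location>
+</localfile>
+
+<!-- Active response -->
+<active-response>
+<disabled>no</disabled>
+</active-response>
+
+<!-- Labels -->
+<labels>
+<label key="environment">production</label>
+<label key="organization">KnownElement</label>
+</labels>
+</ossec_config>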
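Review bot: The two `<files>` lines under `<!-- Files to monitor -->` are not a syscheck option I recognise (syscheck takes `<directories>`, `<ignore>`, `<nodiff>`, …), and an unrecognised element in ossec.conf typically makes the agent refuse to start, which would silently leave the host unmonitored — please confirm with the agent's config check before this ships; since `/etc` is already monitored with `check_all="yes"`, the safe fix is to drop both `<files>` lines. The comment `<!-- File types to ignore -->` misdescribes `<nodiff>`: it does not exclude `/etc/ssl/private.key` from monitoring, it only stops the file's changed contents being sent to the manager, and that only has effect once a `<directories>` entry sets `report_changes="yes"`; I would reword it to `<!-- Never send these files' contents to the manager (only relevant with report_changes="yes") -->` and double-check the path, as Ubuntu keeps keys under `/etc/ssl/private/`. Setting `<active-response>` to enabled means the manager can execute response scripts on this host, so the trust placed in tsys-nsm.knel.net should be stated in a comment there rather than left implicit. `netstat` is not installed on a default Ubuntu 20.04 image (net-tools), so the `full_command` localfile may emit nothing unless the server build installs it; `ss -tulpn` would be the portable choice if that is not guaranteed.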