From 65d719112c56d56199b374a40f96389214aad92d Mon Sep 17 00:00:00 2001
From: Charles N Wyble <charles@ultix.knel.net>
Date: Tue, 17 Feb 2026 16:33:22 -0500
Subject: [PATCH] feat(wazuh): add Wazuh security monitoring agent
 configuration

Add comprehensive Wazuh agent configuration for security monitoring:

- wazuh-agent.conf: Full XML configuration including:
  * Server connection to tsys-nsm.knel.net via TCP/1514
  * AES encryption for agent-server communication
  * Rootcheck module for rootkit and anomaly detection
  * Syscheck file integrity monitoring for critical paths
    (/etc, /usr/bin, /usr/sbin, /bin, /sbin)
  * Log collection from syslog, auth.log, kern.log, dmesg
  * Active response capability enabled
  * Environment/organization labels for asset management

The agent connects to the centralized Wazuh server for log
aggregation, intrusion detection, and compliance monitoring.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-wazuh.sh
---
 initializers/wazuh/configs/wazuh-agent.conf | 118 ++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 initializers/wazuh/configs/wazuh-agent.conf

diff --git a/initializers/wazuh/configs/wazuh-agent.conf b/initializers/wazuh/configs/wazuh-agent.conf
new file mode 100644
index 0000000..89957cc
--- /dev/null
+++ b/initializers/wazuh/configs/wazuh-agent.conf
@@ -0,0 +1,118 @@
+<!-- KNEL Wazuh Agent Configuration -->
+<ossec_config>
+  <client>
+    <server>
+      <address>tsys-nsm.knel.net</address>
+      <port>1514</port>
+      <protocol>tcp</protocol>
+    </server>
+    <config-profile>ubuntu, ubuntu20, ubuntu20.04</config-profile>
+    <notify_time>10</notify_time>
+    <time-reconnect>60</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+  </client>
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_unixaudit>yes</check_unixaudit>
+    <frequency>43200</frequency>
+  </rootcheck>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+    <frequency>43200</frequency>
+    <scan_on_start>yes</scan_on_start>
+    <alert_new_files>yes</alert_new_files>
+    <auto_ignore>no</auto_ignore>
+
+    <!-- Directories to monitor -->
+    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
+    <directories check_all="yes">/usr/local/bin,/usr/local/sbin</directories>
+
+    <!-- Files to monitor -->
+    <files>/etc/passwd,/etc/shadow,/etc/group,/etc/gshadow</files>
+    <files>/etc/ssh/sshd_config,/etc/ssh/ssh_config</files>
+
+    <!-- Ignore these files -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>COMMAND</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/:::/:/g' | sed 's/::/:/g' | sed 's/0\.0\.0\.0/:/g' | sed 's/127\.0\.0\.1/:/g' | sort</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dmesg</location>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+  </active-response>
+
+  <!-- Labels -->
+  <labels>
+    <label key="environment">production</label>
+    <label key="organization">KnownElement</label>
+  </labels>
+</ossec_config>