Wazuh agent class

class wazuh::agent

Active-Response variables

$configure_active_response

Enables rootcheck section render on this host.

Default true

$active_response_disabled

Toggles the active-response capability on and off.

Default no

$active_response_ca_verification

This option enables or disables the WPK validation using the root CA certificate. If this parameter is set to no the agent will accept any WPK package coming from the manager.

Default yes

$active_response_location

Indicates which system(s) the command should be executed on.

Default undef

$active_response_level

Defines a minimum severity level required for the command to be executed.

Default undef

$active_response_agent_id

Specifies the ID of the agent on which to execute the active response command (used when defined-agent is set).

Default undef

$active_response_rules_id

Defines the rule group that a rule must belong to one for the command to be executed.

Default []

$active_response_timeout

Specifies how long in seconds before the reverse command is executed. When repeated_offenders is used, timeout only applies to the first offense.

Default undef

$active_response_repeated_offenders

Sets timeouts in minutes for repeat offenders. This is a list of increasing timeouts that can contain a maximum of 5 entries.

Default []

Agent enrollment variables

$wazuh_enrollment_enabled

Enables/disables agent enrollment.

Default undef

$wazuh_enrollment_manager_address

Hostname or IP of the manager where the agent will be enrolled.

Default undef

$wazuh_enrollment_port

Specifies the port on the manager to send enrollment request.

Default undef

$wazuh_enrollment_agent_name

Agent name that will be used for enrollment.

Default undef

$wazuh_enrollment_groups

Groups name to which the agent belongs.

Default undef

$wazuh_enrollment_agent_address

Force IP address from the agent. If this is not set manager will extract source IP from enrollment message.

Default undef

$wazuh_enrollment_ssl_cipher

Override SSL used ciphers.

Default undef

$wazuh_enrollment_server_ca_path

Used for manager verification. If no CA certificate is set server will not be verified.

Default undef

$wazuh_enrollment_agent_cert_path

Required when agent verification is enabled in the manager.

Default undef

$wazuh_enrollment_agent_key_path

Required when agent verification is enabled in the manager.

Default undef

$wazuh_enrollment_auth_pass

Enrollment password.

Default undef

$wazuh_enrollment_auth_pass_path

Required when enrollment is using password verification.

Default ‘/var/ossec/etc/authd.pass’

$wazuh_enrollment_auto_method

Auto negotiates the most secure common SSL/TLS method with the manager, use “yes” for auto negotiate or “no” for TLS v1.2 only.

Default undef

$wazuh_delay_after_enrollment

Time that agentd should wait after a successful registration.

Default undef

$wazuh_enrollment_use_source_ip

Force manager to compute IP from agent message.

Default undef

Client variables

$wazuh_reporting_endpoint

Specifies the IP address or the hostname of the Wazuh manager to report.

$wazuh_register_endpoint

Specifies the IP address or the hostname of the Wazuh manager to register against.

$ossec_port

Specifies the port to send events to the manager. This must match the associated listening port configured on the Wazuh manager.

Default 1514

$ossec_protocol

Specifies the protocol to use when connecting to the manager.

Default tcp

$wazuh_max_retries

Number of connection retries.

Default 5

$wazuh_retry_interval

Time interval between connection attempts (seconds).

Default 5

$ossec_notify_time

Specifies the time in seconds between agent check-ins to the manager.

Default 10

$ossec_time_reconnect

Specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the notify_time parameter.

Default 60

$ossec_auto_restart

Toggles on and off the automatic restart of agents when a new valid configuration is received from the manager.

Default yes

$ossec_crypto_method

Choose the encryption of the messages that the agent sends to the manager.

Default aes

$client_buffer_queue_size

Sets the capacity of the agent buffer in number of events.

Default 5000

$client_buffer_events_per_second

Specifies the number of events that can be sent to the manager per second.

Default 500

$ossec_config_profiles

Specify the agent.conf profile(s) to be used by the agent.

Localfile variables

$ossec_local_files

Files list for log analysis

This files are listed in params_agent.pp in section $default_local_files

Rootcheck variables

$configure_rootcheck

Enables rootcheck section render on this host.

Default true

$ossec_rootcheck_disabled

Disable rootcheck on this host (Linux).

Default no

$ossec_rootcheck_check_files

Enable rootcheck checkfiles option.

Default yes

$ossec_rootcheck_check_trojans

Enable rootcheck checktrojans option.

Default yes

$ossec_rootcheck_check_dev

Enable rootcheck checkdev option.

Default yes

$ossec_rootcheck_check_sys

Enable rootcheck checksys option.

Default yes

$ossec_rootcheck_check_pids

Enable rootcheck checkpids option.

Default yes

$ossec_rootcheck_check_ports

Enable rootcheck checkports option.

Default yes

$ossec_rootcheck_check_if

Enable rootcheck checkif option.

Default yes

$ossec_rootcheck_frequency

How often the rootcheck scan will run (in seconds).

Default 36000

$ossec_rootcheck_ignore_list

List of files or directories to be ignored. These files and directories will be ignored during scans.

Default []

$ossec_rootcheck_rootkit_files

Change the location of the rootkit files database.

Default ‘/var/ossec/etc/shared/rootkit_files.txt’

$ossec_rootcheck_rootkit_trojans

Change the location of the rootkit trojans database.

Default ‘/var/ossec/etc/shared/rootkit_trojans.txt’

$ossec_rootcheck_skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

$ossec_rootcheck_system_audit

Specifies the path to an audit definition file for Unix-like systems.

Default []

$ossec_rootcheck_windows_disabled

Disables rootcheck if host has Windows OS.

Default no

$ossec_rootcheck_windows_windows_apps

Specifies the path to a Windows application definition file.

Default ‘./shared/win_applications_rcl.txt’

$ossec_rootcheck_windows_windows_malware

Specifies the path to a Windows malware definitions file.

Default ‘./shared/win_malware_rcl.txt’

SCA variables

$configure_sca

Enables SCA section render on this host.

Default true

$configure_sca

Enables sca section render on this host.

Default true

$sca_amazon_enabled

Enable SCA on this host (Amazon Linux 2).

Default yes

$sca_amazon_scan_on_start

The SCA module will perform the scan immediately when started (Amazon Linux 2).

Default yes

$sca_amazon_interval

Interval between module executions.

Default 12h

$sca_amazon_skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

$sca_amazon_policies

A list of policies to run assessments can be included in this section.

Default []

$sca_rhel_enabled

Enable SCA on this host (RHEL).

Default yes

$sca_rhel_scan_on_start

The SCA module will perform the scan immediately when started (RHEL).

Default yes

$sca_rhel_interval

Interval between module executions.

Default 12h

$sca_rhel_skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

$sca_rhel_policies

A list of policies to run assessments can be included in this section.

Default []

$sca_else_enabled

Enable SCA on this host (Linux).

Default yes

$sca_else_scan_on_start

The SCA module will perform the scan immediately when started (Linux).

Default yes

$sca_else_interval

Interval between module executions.

Default 12h

$sca_else_skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

$sca_else_policies

A list of policies to run assessments can be included in this section.

Default []

Syscheck variables

$configure_syscheck

Enables syscheck section render on this host.

Default true

$ossec_syscheck_disabled

Disable syscheck on this host.

Default no

$ossec_syscheck_frequency

Enables syscheck section render on this host.

Default true

$ossec_syscheck_scan_on_start

Specifies if syscheck scans immediately when started.

Default yes

$ossec_syscheck_auto_ignore

Specifies whether or not syscheck will ignore files that change too many times (manager only).

Default undef

$ossec_syscheck_directories_1

List of directories to be monitored. The directories should be comma-separated

Default ‘/etc,/usr/bin,/usr/sbin’

$ossec_syscheck_realtime_directories_1

This will enable real-time/continuous monitoring on directories listed on ossec_syscheck_directories_1. Real time only works with directories, not individual files.

Default no

$ossec_syscheck_whodata_directories_1

This will enable who-data monitoring on directories listed on ossec_syscheck_directories_1.

Default no

$ossec_syscheck_report_changes_directories_1

Report file changes. This is limited to text files at this time.

Default no

$ossec_syscheck_directories_2

List of directories to be monitored. The directories should be comma-separated

Default ‘/etc,/usr/bin,/usr/sbin’

$ossec_syscheck_realtime_directories_2

This will enable real-time/continuous monitoring on directories listed on ossec_syscheck_directories_2. Real time only works with directories, not individual files.

Default no

$ossec_syscheck_whodata_directories_2

This will enable who-data monitoring on directories listed on ossec_syscheck_directories_2.

Default no

$ossec_syscheck_report_changes_directories_2

Report file changes. This is limited to text files at this time.

Default no

$ossec_syscheck_ignore_list

List of files or directories to be ignored. Ignored files and directories are still scanned, but the results are not reported.

Default [‘/etc/mtab’,’/etc/hosts.deny’,’/etc/mail/statistics’,’/etc/random-seed’,’/etc/random.seed’,’/etc/adjtime’,’/etc/httpd/logs’,’/etc/utmpx’,’/etc/wtmpx’,’/etc/cups/certs’,’/etc/dumpdates’,’/etc/svc/volatile’,’/sys/kernel/security’,’/sys/kernel/debug’,’/dev/core’,]

$ossec_syscheck_ignore_type_1

Simple regex pattern to filter out files.

Default ‘^/proc’

$ossec_syscheck_ignore_type_2

Another simple regex pattern to filter out files.

Default ‘.log$|.swp$’

$ossec_syscheck_max_eps

Sets the maximum event reporting throughput. Events are messages that will produce an alert.

Default 100

$ossec_syscheck_process_priority

Sets the nice value for Syscheck process.

Default 10

$ossec_syscheck_synchronization_enabled

Specifies whether there will be periodic inventory synchronizations or not.

Default yes

$ossec_syscheck_synchronization_interval

Specifies the initial number of seconds between every inventory synchronization. If synchronization fails the value will be duplicated until it reaches the value of max_interval.

Default 5m

$ossec_syscheck_synchronization_max_eps

Sets the maximum synchronization message throughput.

Default 10

$ossec_syscheck_synchronization_max_interval

Specifies the maximum number of seconds between every inventory synchronization.

Default 1h

$ossec_syscheck_skip_nfs

Specifies if syscheck should scan network mounted filesystems. This option works on Linux and FreeBSD systems. Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

Wodle OpenSCAP

$configure_wodle_openscap

Enables Wodle OpenSCAP section render on this host.

Default true

$wodle_openscap_disabled

Disables the OpenSCAP wodle.

Default yes

$wodle_openscap_timeout

Timeout for each evaluation.

Default 1800

$wodle_openscap_interval

Interval between OpenSCAP executions.

Default 1d

$wodle_openscap_scan_on_start

Run evaluation immediately when service is started.

Default yes

Wodle CIS-CAT

$configure_wodle_cis_cat

Enables Wodle CIS-CAT section render on this host.

Default true

$wodle_ciscat_disabled

Disables the CIS-CAT wodle.

Default yes

$wodle_ciscat_timeout

Timeout for each evaluation. In case the execution takes longer that the specified timeout, it stops.

Default 1800

$wodle_ciscat_interval

Interval between CIS-CAT executions.

Default 1d

$wodle_ciscat_scan_on_start

Run evaluation immediately when service is started.

Default yes

$wodle_ciscat_java_path

Define where Java is located. If this parameter is not set, the wodle will search for the Java location in the default environment variable $PATH.

Default ‘wodles/java’

$wodle_ciscat_ciscat_path

Define where CIS-CAT is located.

Default ‘wodles/ciscat’

Wodle osquery variables

$configure_wodle_osquery

Enables Wodle osquery section render on this host.

Default true

$wodle_osquery_disabled

Disable the osquery wodle.

Default yes

$wodle_osquery_run_daemon

Makes the module run osqueryd as a subprocess or lets the module monitor the results log without running Osquery.

Default yes

$wodle_osquery_log_path

Full path to the results log written by Osquery.

Default ‘/var/log/osquery/osqueryd.results.log’

$wodle_osquery_config_path

Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running.

Default ‘/etc/osquery/osquery.conf’

$wodle_osquery_add_labels

Add the agent labels defined as decorators.

Default yes

Wodle Syscollector

$wodle_syscollector_disabled

Disable the Syscollector wodle.

Default no

$wodle_syscollector_interval

Time between system scans.

Default 1h

$wodle_syscollector_scan_on_start

Run a system scan immediately when service is started.

Default yes

$wodle_syscollector_hardware

Enables the hardware scan.

Default yes

$wodle_syscollector_os

Enables the OS scan.

Default yes

$wodle_syscollector_network

Enables the network scan.

Default yes

$wodle_syscollector_packages

Enables the packages scan.

Default yes

$wodle_syscollector_ports

Enables the ports scan.

Default yes

$wodle_syscollector_processes

Enables the processes scan.

Default yes

Misc Variables

$agent_package_name

Define package name defined in params_agent.pp

$agent_package_version

Define package version

Default 4.0.0-1

$ossec_service_provider

This option associates Operative System Family

Default []

$selinux

Whether to install a SELinux policy to allow rotation of OSSEC logs.

Default false

$agent_name

Configure agent name.

Default $::hostname

$manage_repo

Install Wazuh through Wazuh repositories.

Default true

$manage_client_keys

Manage client keys option.

Default export

$agent_auth_password

Define password for agent-auth

Default undef

function wazuh::addlog

$log_name

Configure Wazuh log name

$agent_log

Path to log file.

Default false

$logfile

Path to log file.

$logtype

The OSSEC log_format of the file.

Default syslog