Wazuh server class

class wazuh::server

$smtp_server
SMTP mail server.
$ossec_emailto
Email to address. ['user1@mycompany.com','user2@mycompany.com']
$ossec_emailfrom

Email from address.

Default ossec@${domain}

$ossec_active_response

Enable or disable active-response.

Default true

$ossec_rootcheck

Enable rootcheck.

Default true

$ossec_rootcheck_frequency

Frequency that the rootcheck is going to be executed (in seconds).

Default 36000

$ossec_rootcheck_checkports

Look for the presence of hidden ports.

Default true

$ossec_rootcheck_checkfiles

Scan the whole filesystem looking for unusual files and permission problems.

Default true

$ossec_global_host_information_level

Alerting level for the events generated by the host change monitor (from 0 to 16).

Default 8

$ossec_global_stat_level

Alerting level for the events generated by the statistical analysis (from 0 to 16).

Default 8

$ossec_email_alert_level

Threshold defining minimum severity for a rule to fire an email alert. Some rules circumvent this threshold (alert_email option).

Default 7

$ossec_ignorepaths

Specify paths to ignore ossec scan

Default []

$ossec_scanpaths
Define paths to ossec scan
$ossec_white_list

Allow white listing of IP addresses.

Default []

$ossec_extra_rules_config

Using it, after enabling the Wazuh ruleset (either manually or via the automated script), take a look at the changes made to the ossec.conf file. You will need to put these same changes into the “$ossec_extra_rules_config” array parameter when calling the wazuh::server class.

Default []

$ossec_local_files
Define path log files to scan with ossec
$ossec_emailnotification

Whether or not to send email notifications.

Default yes

$ossec_email_maxperhour

Global Configuration with maximum number of emails per hour.

Default 12

$ossec_email_idsname

Define email ID name

Default undef

$ossec_syscheck_frequency

Frequency that syscheck is executed default every 22 hours

Default 79200

$ossec_auto_ignore

Specifies if syscheck will ignore files that change too often (after the third change)

Default yes

$ossec_prefilter

Command to run to prevent prelinking from creating false positives.

Note

This option can potentially impact performance negatively. The configured command will be run for each and every file checked.

Default false

$ossec_service_provider

Set service provider to Redhat on Redhat systems.

Default $::ossec::params::ossec_service_provide

$ossec_server_port

Port to allow communication between manager and agents.

Default: ‘1514’

$server_package_version

Modified client.pp and server.pp to accept package versions as a parameter.

Default installed

$manage_repos

Install Wazuh through Wazuh repositories.

Default true

$manage_epel_repo

Install epel repo and inotify-tools

Default true

$manage_client_keys

Manage client keys option.

Default true

$agent_auth_password

Define password for agent-auth

Default undef

$ar_repeated_offenders

A comma separated list of increasing timeouts in minutes for repeat offenders.

There can be a maximum of 5 entries.

Default empty

$syslog_output

Allows a Wazuh manager to send the OSSEC alerts to one or more syslog servers

Default false

$syslog_output_server

The IP Address of the syslog server.

Default undef

$syslog_output_format

Format of alert output.

Default undef

$enable_wodle_openscap

Enable openscap configuration in ossec.conf

Default false

$local_decoder_template

Allow to use a custom local_decoder.xml in the manager.

Default wazuh/local_decoder.xml.erb

$local_rules_template

Allow to use a custom local_rules.xml in the manager.

Default wazuh/local_rules.xml.erb

$shared_agent_template

Enable the configuration to deploy through agent.conf

Default `wazuh/ossec_shared_agent.conf.erb

$manage_paths

Follow the instructions on ossec-scanpaths.

Default [ {‘path’ => ‘/etc,/usr/bin,/usr/sbin’, ‘report_changes’ => ‘no’, ‘realtime’ => ‘no’}, {‘path’ => ‘/bin,/sbin’, ‘report_changes’ => ‘yes’, ‘realtime’ => ‘yes’} ]

Note

Consequently, if you add or remove any of the Wazuh rules later on, you’ll need to ensure you add/remove the appropriate bits in the $ossec_extra_rules_config array parameter as well.

function wazuh::email_alert

$alert_email
Email to send to.
$alert_group

An array of rule group names.

Default false

Note

No email will be sent for alerts with a severity below the global $ossec_email_alert_level, unless the rule has alert_email set.

function wazuh::command

$command_name
Human readable name for wazuh::activeresponse usage.
$command_executable
Name of the executable. OSSEC comes preloaded with disable-account.sh, host-deny.sh, ipfw.sh, pf.sh, route-null.sh, firewall-drop.sh, ipfw_mac.sh, ossec-tweeter.sh, restart-ossec.sh.
$command_expect
Default srcip
$timeout_allowed
Default true

function wazuh::activeresponse

$command_name
Human readable name for wazuh::activeresponse usage.
$ar_location

It can be set to local, server, defined-agent, all.

Default local

$ar_level

Can take values between 0 and 16.

Default 7

$ar_rules_id

List of rule IDs.

Default []

$ar_timeout

Usually active response blocks for a certain amount of time.

Default 300

$ar_repeated_offenders

A comma separated list of increasing timeouts in minutes for repeat offenders. There can be a maximum of 5 entries.

Default empty

function wazuh::addlog

$log_name
Configure Wazuh log name
$agent_log

Path to log file.

Default false

$logfile
Path to log file.
$logtype

The OSSEC log_format of the file.

Default syslog