diff --git a/wazuh/certs/dashboard_http/generate_certs.sh b/wazuh/certs/dashboard_http/generate_certs.sh
deleted file mode 100755
index 6e84724..0000000
--- a/wazuh/certs/dashboard_http/generate_certs.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-cd $DIR
-
-openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
diff --git a/wazuh/certs/indexer_cluster/generate_certs.sh b/wazuh/certs/indexer_cluster/generate_certs.sh
deleted file mode 100755
index ad59c81..0000000
--- a/wazuh/certs/indexer_cluster/generate_certs.sh
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/bash
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-cd $DIR
-
-echo "Root CA"
-
-openssl genrsa -out root-ca-key.pem 2048
-
-openssl req -days 3650 -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -subj "/C=US/L=California/O=Company/CN=root-ca"
-
-echo "Admin cert"
-
-echo "create: admin-key-temp.pem"
-
-openssl genrsa -out admin-key-temp.pem 2048
-
-echo "create: admin-key.pem"
-
-openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
-
-echo "create: admin.csr"
-
-openssl req -days 3650 -new -key admin-key.pem -out admin.csr -subj "/C=US/L=California/O=Company/CN=admin"
-
-echo "create: admin.pem"
-
-openssl x509 -req -days 3650 -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
-
-
-echo "* Node cert"
-
-echo "create: node-key-temp.pem"
-
-openssl genrsa -out node-key-temp.pem 2048
-
-echo "create: node-key.pem"
-
-openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
-
-echo "create: node.csr"
-
-openssl req -days 3650 -new -key node-key.pem -out node.csr -subj "/C=US/L=California/O=Company/CN=indexer"
-
-echo "create: node.pem"
-
-openssl x509 -req -days 3650 -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem
-
-echo "* dashboard cert"
-
-echo "create: dashboard-key-temp.pem"
-
-openssl genrsa -out dashboard-key-temp.pem 2048
-
-echo "create: dashboard-key.pem"
-
-openssl pkcs8 -inform PEM -outform PEM -in dashboard-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out dashboard-key.pem
-
-echo "create: dashboard.csr"
-
-openssl req -days 3650 -new -key dashboard-key.pem -out dashboard.csr -subj "/C=US/L=California/O=Company/CN=dashboard"
-
-echo "create: dashboard.pem"
-
-openssl x509 -req -days 3650 -in dashboard.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out dashboard.pem
-
-
-
-echo "* Filebeat cert"
-
-echo "create: filebeat-key-temp.pem"
-
-openssl genrsa -out filebeat-key-temp.pem 2048
-
-echo "create: filebeat-key.pem"
-
-openssl pkcs8 -inform PEM -outform PEM -in filebeat-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out filebeat-key.pem
-
-echo "create: filebeat.csr"
-
-openssl req -days 3650 -new -key filebeat-key.pem -out filebeat.csr -subj "/C=US/L=California/O=Company/CN=filebeat"
-
-echo "create: filebeat.pem"
-
-openssl x509 -req -days 3650 -in filebeat.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out filebeat.pem
diff --git a/wazuh/config.yml b/wazuh/config.yml
new file mode 100644
index 0000000..3398c8a
--- /dev/null
+++ b/wazuh/config.yml
@@ -0,0 +1,14 @@
+nodes:
+ # Wazuh indexer nodes
+ indexer:
+ - name: indexer
+ ip: "127.0.0.1"
+
+ server:
+ - name: filebeat
+ ip: "127.0.0.1"
+
+ # Wazuh dashboard nodes
+ dashboard:
+ - name: dashboard
+ ip: "127.0.0.1"
\ No newline at end of file
diff --git a/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml b/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml
index dc409dd..bb894b2 100644
--- a/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml
+++ b/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml
@@ -38,27 +38,23 @@ spec:
cpu: 500m
memory: 1Gi
volumeMounts:
- - name: config
- mountPath: /usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- subPath: opensearch_dashboards.yml
- readOnly: false
- name: dashboard-certs
- mountPath: /usr/share/wazuh-dashboard/certs/cert.pem
+ mountPath: /usr/share/wazuh-dashboard/config/certs/dashboard.pem
readOnly: true
- subPath: cert.pem
+ subPath: dashboard.pem
- name: dashboard-certs
- mountPath: /usr/share/wazuh-dashboard/certs/key.pem
+ mountPath: /usr/share/wazuh-dashboard/config/certs/dashboard-key.pem
readOnly: true
- subPath: key.pem
+ subPath: dashboard-key.pem
- name: dashboard-certs
- mountPath: /usr/share/wazuh-dashboard/certs/root-ca.pem
+ mountPath: /usr/share/wazuh-dashboard/config/certs/root-ca.pem
subPath: root-ca.pem
readOnly: true
ports:
- - containerPort: 5601
+ - containerPort: 443
name: dashboard
env:
- - name: INDEXER_URL
+ - name: OPENSEARCH_HOSTS
value: 'https://indexer:9200'
- name: INDEXER_USERNAME
valueFrom:
@@ -83,11 +79,11 @@ spec:
- name: SERVER_SSL_ENABLED
value: "true"
- name: SERVER_SSL_CERTIFICATE
- value: /usr/share/wazuh-dashboard/certs/cert.pem
+ value: /usr/share/wazuh-dashboard/config/certs/dashboard.pem
- name: SERVER_SSL_KEY
- value: /usr/share/wazuh-dashboard/certs/key.pem
+ value: /usr/share/wazuh-dashboard/config/certs/dashboard-key.pem
- name: WAZUH_API_URL
- value: https://wazuh-manager-master-0.wazuh-cluster
+ value: https://wazuh-manager-master-0.wazuh
- name: API_USERNAME
valueFrom:
secretKeyRef:
diff --git a/wazuh/indexer_stack/wazuh-dashboard/dashboard-svc.yaml b/wazuh/indexer_stack/wazuh-dashboard/dashboard-svc.yaml
index ee59999..d082617 100644
--- a/wazuh/indexer_stack/wazuh-dashboard/dashboard-svc.yaml
+++ b/wazuh/indexer_stack/wazuh-dashboard/dashboard-svc.yaml
@@ -27,4 +27,4 @@ spec:
ports:
- name: dashboard
port: 443
- targetPort: 5601
+ targetPort: 443
diff --git a/wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml b/wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
deleted file mode 100644
index 5820b06..0000000
--- a/wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-
-server.host: 0.0.0.0
-server.port: 5601
-opensearch.hosts: https://indexer:9200
-opensearch.ssl.verificationMode: none
-opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
-opensearch_security.multitenancy.enabled: false
-opensearch_security.readonly_mode.roles: ["kibana_read_only"]
-server.ssl.enabled: true
-server.ssl.key: "/usr/share/wazuh-dashboard/certs/key.pem"
-server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/cert.pem"
-opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
-uiSettings.overrides.defaultRoute: /app/wz-home
-# Session expiration settings
-opensearch_security.cookie.ttl: 900000
-opensearch_security.session.ttl: 900000
-opensearch_security.session.keepalive: true
diff --git a/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml b/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml
index fe07d8e..9449f4f 100644
--- a/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml
+++ b/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml
@@ -32,10 +32,6 @@ spec:
secret:
secretName: indexer-certs
defaultMode: 0600
- - name: indexer-conf
- configMap:
- name: indexer-conf
- defaultMode: 0600
initContainers:
- name: volume-mount-hack
image: busybox
@@ -69,16 +65,22 @@ spec:
cpu: 500m
memory: 1564Mi
env:
+ - name: bootstrap.memory_lock
+ value: "true"
+ - name: cluster.name
+ value: wazuh
+ - name: network.host
+ value: "0.0.0.0"
+ - name: node.name
+ value: wazuh-indexer-0
+ - name: cluster.initial_cluster_manager_nodes
+ value: wazuh-indexer-0
+ - name: plugins.security.allow_default_init_securityindex
+ value: "true"
+ - name: NODES_DN
+ value: CN=wazuh-indexer-0,OU=Wazuh,O=Wazuh,L=California,C=US
- name: OPENSEARCH_JAVA_OPTS
value: '-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true'
- - name: CLUSTER_NAME
- value: wazuh
- - name: NETWORK_HOST
- value: "0.0.0.0"
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- name: DISCOVERY_SERVICE
value: wazuh-indexer
- name: KUBERNETES_NAMESPACE
@@ -96,12 +98,12 @@ spec:
- name: wazuh-indexer
mountPath: /var/lib/wazuh-indexer
- name: indexer-certs
- mountPath: /usr/share/wazuh-indexer/config/certs/node-key.pem
- subPath: node-key.pem
+ mountPath: /usr/share/wazuh-indexer/config/certs/indexer-key.pem
+ subPath: indexer-key.pem
readOnly: true
- name: indexer-certs
- mountPath: /usr/share/wazuh-indexer/config/certs/node.pem
- subPath: node.pem
+ mountPath: /usr/share/wazuh-indexer/config/certs/indexer.pem
+ subPath: indexer.pem
readOnly: true
- name: indexer-certs
mountPath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
@@ -115,14 +117,6 @@ spec:
mountPath: /usr/share/wazuh-indexer/config/certs/admin-key.pem
subPath: admin-key.pem
readOnly: true
- - name: indexer-conf
- mountPath: /usr/share/wazuh-indexer/config/opensearch.yml
- subPath: opensearch.yml
- readOnly: true
- - name: indexer-conf
- mountPath: /usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
- subPath: internal_users.yml
- readOnly: true
ports:
- containerPort: 9200
name: indexer-rest
diff --git a/wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml b/wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml
deleted file mode 100644
index d9f05b3..0000000
--- a/wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml
+++ /dev/null
@@ -1,56 +0,0 @@
----
-# This is the internal user database
-# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
-
-_meta:
- type: "internalusers"
- config_version: 2
-
-# Define your internal users here
-
-## Demo users
-
-admin:
- hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
- reserved: true
- backend_roles:
- - "admin"
- description: "Demo admin user"
-
-kibanaserver:
- hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
- reserved: true
- description: "Demo kibanaserver user"
-
-kibanaro:
- hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
- reserved: false
- backend_roles:
- - "kibanauser"
- - "readall"
- attributes:
- attribute1: "value1"
- attribute2: "value2"
- attribute3: "value3"
- description: "Demo kibanaro user"
-
-logstash:
- hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
- reserved: false
- backend_roles:
- - "logstash"
- description: "Demo logstash user"
-
-readall:
- hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
- reserved: false
- backend_roles:
- - "readall"
- description: "Demo readall user"
-
-snapshotrestore:
- hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
- reserved: false
- backend_roles:
- - "snapshotrestore"
- description: "Demo snapshotrestore user"
diff --git a/wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml b/wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
deleted file mode 100644
index 46222c2..0000000
--- a/wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-cluster.name: ${CLUSTER_NAME}
-node.name: ${NODE_NAME}
-network.host: ${NETWORK_HOST}
-discovery.seed_hosts: wazuh-indexer-0.wazuh-indexer
-cluster.initial_cluster_manager_nodes:
- - wazuh-indexer-0
-
-node.max_local_storage_nodes: "3"
-path.data: /var/lib/wazuh-indexer
-path.logs: /var/log/wazuh-indexer
-plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/node.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/node-key.pem
-plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/node.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/node-key.pem
-plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
-plugins.security.ssl.http.enabled: true
-plugins.security.ssl.transport.enforce_hostname_verification: false
-plugins.security.ssl.transport.resolve_hostname: false
-plugins.security.authcz.admin_dn:
- - CN=admin,O=Company,L=California,C=US
-plugins.security.check_snapshot_restore_write_privileges: true
-plugins.security.enable_snapshot_restore_privilege: true
-plugins.security.nodes_dn:
- - CN=indexer,O=Company,L=California,C=US
-plugins.security.restapi.roles_enabled:
-- "all_access"
-- "security_rest_api_access"
-plugins.security.allow_default_init_securityindex: true
-cluster.routing.allocation.disk.threshold_enabled: false
\ No newline at end of file
diff --git a/wazuh/kustomization.yml b/wazuh/kustomization.yml
index 27347c3..7317a2f 100644
--- a/wazuh/kustomization.yml
+++ b/wazuh/kustomization.yml
@@ -14,33 +14,20 @@ namespace: wazuh
secretGenerator:
- name: indexer-certs
files:
- - certs/indexer_cluster/root-ca.pem
- - certs/indexer_cluster/node.pem
- - certs/indexer_cluster/node-key.pem
- - certs/indexer_cluster/dashboard.pem
- - certs/indexer_cluster/dashboard-key.pem
- - certs/indexer_cluster/admin.pem
- - certs/indexer_cluster/admin-key.pem
- - certs/indexer_cluster/filebeat.pem
- - certs/indexer_cluster/filebeat-key.pem
+ - wazuh-certificates/root-ca.pem
+ - wazuh-certificates/indexer.pem
+ - wazuh-certificates/indexer-key.pem
+ - wazuh-certificates/dashboard.pem
+ - wazuh-certificates/dashboard-key.pem
+ - wazuh-certificates/admin.pem
+ - wazuh-certificates/admin-key.pem
+ - wazuh-certificates/filebeat.pem
+ - wazuh-certificates/filebeat-key.pem
- name: dashboard-certs
files:
- - certs/dashboard_http/cert.pem
- - certs/dashboard_http/key.pem
- - certs/indexer_cluster/root-ca.pem
-
-configMapGenerator:
- - name: indexer-conf
- files:
- - indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
- - indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml
- - name: wazuh-conf
- files:
- - wazuh_managers/wazuh_conf/master.conf
- - wazuh_managers/wazuh_conf/worker.conf
- - name: dashboard-conf
- files:
- - indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
+ - wazuh-certificates/dashboard.pem
+ - wazuh-certificates/dashboard-key.pem
+ - wazuh-certificates/root-ca.pem
resources:
- base/wazuh-ns.yaml
diff --git a/wazuh/secrets/indexer-cred-secret.yaml b/wazuh/secrets/indexer-cred-secret.yaml
index 3f159c5..9eaea27 100644
--- a/wazuh/secrets/indexer-cred-secret.yaml
+++ b/wazuh/secrets/indexer-cred-secret.yaml
@@ -12,5 +12,5 @@ kind: Secret
metadata:
name: indexer-cred
data:
- username: YWRtaW4= # string "admin" base64 encoded
- password: U2VjcmV0UGFzc3dvcmQ= # string "SecretPassword" base64 encoded
+ username: YWRtaW4= # string "admin" base64 encoded
+ password: YWRtaW4= # string "admin" base64 encoded
diff --git a/wazuh/secrets/wazuh-api-cred-secret.yaml b/wazuh/secrets/wazuh-api-cred-secret.yaml
index b6628f9..c9dc75b 100644
--- a/wazuh/secrets/wazuh-api-cred-secret.yaml
+++ b/wazuh/secrets/wazuh-api-cred-secret.yaml
@@ -13,5 +13,5 @@ metadata:
name: wazuh-api-cred
namespace: wazuh
data:
- username: d2F6dWgtd3Vp # string "wazuh-wui" base64 encoded
+ username: d2F6dWgtd3Vp # string "wazuh-wui" base64 encoded
password: TXlTM2NyMzdQNDUwci4qLQ== # string "MyS3cr37P450r.*-" base64 encoded
diff --git a/wazuh/wazuh_managers/wazuh-master-sts.yaml b/wazuh/wazuh_managers/wazuh-master-sts.yaml
index 953f87d..dfa9cc6 100644
--- a/wazuh/wazuh_managers/wazuh-master-sts.yaml
+++ b/wazuh/wazuh_managers/wazuh-master-sts.yaml
@@ -28,9 +28,6 @@ spec:
name: wazuh-manager-master
spec:
volumes:
- - name: config
- configMap:
- name: wazuh-conf
- name: filebeat-certs
secret:
secretName: indexer-certs
@@ -50,10 +47,6 @@ spec:
capabilities:
add: ["SYS_CHROOT"]
volumeMounts:
- - name: config
- mountPath: /wazuh-config-mount/etc/ossec.conf
- subPath: master.conf
- readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/root-ca.pem
readOnly: true
diff --git a/wazuh/wazuh_managers/wazuh-worker-sts.yaml b/wazuh/wazuh_managers/wazuh-worker-sts.yaml
index af517ed..1294af6 100644
--- a/wazuh/wazuh_managers/wazuh-worker-sts.yaml
+++ b/wazuh/wazuh_managers/wazuh-worker-sts.yaml
@@ -38,9 +38,6 @@ spec:
app: wazuh-manager
node-type: worker
volumes:
- - name: config
- configMap:
- name: wazuh-conf
- name: filebeat-certs
secret:
secretName: indexer-certs
@@ -57,10 +54,6 @@ spec:
capabilities:
add: ["SYS_CHROOT"]
volumeMounts:
- - name: config
- mountPath: /wazuh-config-mount/etc/ossec.conf
- subPath: worker.conf
- readOnly: true
- name: filebeat-certs
mountPath: /etc/ssl/root-ca.pem
readOnly: true
diff --git a/wazuh/wazuh_managers/wazuh_conf/master.conf b/wazuh/wazuh_managers/wazuh_conf/master.conf
deleted file mode 100644
index f1b22b9..0000000
--- a/wazuh/wazuh_managers/wazuh_conf/master.conf
+++ /dev/null
@@ -1,324 +0,0 @@
-
-
-
- yes
- yes
- no
- no
- no
- smtp.example.wazuh.com
- ossecm@example.wazuh.com
- recipient@example.wazuh.com
- 12
- alerts.log
- 131072
- 20s
- 100s
-
-
-
-
- plain
-
-
-
- secure
- 1514
- tcp
- 131072
-
-
-
-
- no
- yes
- yes
- yes
- yes
- yes
- yes
- yes
- yes
-
-
- 43200
-
- /var/ossec/etc/rootcheck/rootkit_files.txt
- /var/ossec/etc/rootcheck/rootkit_trojans.txt
-
- /var/ossec/etc/rootcheck/system_audit_rcl.txt
- /var/ossec/etc/rootcheck/system_audit_ssh.txt
-
- yes
-
-
-
- yes
- 1800
- 1d
- yes
-
-
-
- yes
- 1800
- 1d
- yes
-
- wodles/java
- wodles/ciscat
-
-
-
-
- yes
- yes
- /var/log/osquery/osqueryd.results.log
- /etc/osquery/osquery.conf
- yes
-
-
-
-
- no
- 1h
- yes
- yes
- yes
- yes
- yes
- yes
- yes
-
-
-
- yes
- yes
- 60m
-
-
-
- yes
-
- https://indexer:9200
-
-
-
- /etc/ssl/root-ca.pem
-
- /etc/ssl/filebeat.pem
- /etc/ssl/filebeat.key
-
-
-
-
-
- no
-
-
- 43200
-
- yes
-
-
- yes
-
-
- no
-
-
- /etc,/usr/bin,/usr/sbin
- /bin,/sbin,/boot
-
-
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
-
-
- /etc/ssl/private.key
-
- yes
-
-
- yes
-
-
- yes
-
-
-
-
- 127.0.0.1
- ^localhost.localdomain$
- 10.66.0.2
-
-
-
- disable-account
- disable-account.sh
- user
- yes
-
-
-
- restart-ossec
- restart-ossec.sh
-
-
-
-
- firewall-drop
- firewall-drop
- yes
-
-
-
- host-deny
- host-deny.sh
- srcip
- yes
-
-
-
- route-null
- route-null.sh
- srcip
- yes
-
-
-
- win_route-null
- route-null.cmd
- srcip
- yes
-
-
-
- win_route-null-2012
- route-null-2012.cmd
- srcip
- yes
-
-
-
- netsh
- netsh.cmd
- srcip
- yes
-
-
-
- netsh-win-2016
- netsh-win-2016.cmd
- srcip
- yes
-
-
-
-
-
-
- command
- df -P
- 360
-
-
-
- full_command
- netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
- netstat listening ports
- 360
-
-
-
- full_command
- last -n 20
- 360
-
-
-
-
- ruleset/decoders
- ruleset/rules
- 0215-policy_rules.xml
- etc/lists/audit-keys
- etc/lists/amazon/aws-sources
- etc/lists/amazon/aws-eventnames
- etc/lists/malicious-ioc/malicious-ip
- etc/lists/malicious-ioc/malicious-domains
- etc/lists/malicious-ioc/malware-hashes
-
-
- etc/decoders
- etc/rules
-
-
-
-
- no
- 1515
- no
-
- yes
- yes
- 1h
- 1h
-
- no
- yes
- HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
-
- no
- /var/ossec/etc/sslmanager.cert
- /var/ossec/etc/sslmanager.key
- no
-
-
-
- wazuh
- wazuh-manager-master
- master
- to_be_replaced_by_cluster_key
- 1516
- 0.0.0.0
-
- wazuh-manager-master-0.wazuh-cluster.wazuh
-
- no
- no
-
-
-
-
-
- syslog
- /var/ossec/logs/active-responses.log
-
-
-
diff --git a/wazuh/wazuh_managers/wazuh_conf/worker.conf b/wazuh/wazuh_managers/wazuh_conf/worker.conf
deleted file mode 100644
index 7b3f957..0000000
--- a/wazuh/wazuh_managers/wazuh_conf/worker.conf
+++ /dev/null
@@ -1,324 +0,0 @@
-
-
-
- yes
- yes
- no
- no
- no
- smtp.example.wazuh.com
- ossecm@example.wazuh.com
- recipient@example.wazuh.com
- 12
- alerts.log
- 131072
- 20s
- 100s
-
-
-
-
- plain
-
-
-
- secure
- 1514
- tcp
- 131072
-
-
-
-
- no
- yes
- yes
- yes
- yes
- yes
- yes
- yes
- yes
-
-
- 43200
-
- /var/ossec/etc/rootcheck/rootkit_files.txt
- /var/ossec/etc/rootcheck/rootkit_trojans.txt
-
- /var/ossec/etc/rootcheck/system_audit_rcl.txt
- /var/ossec/etc/rootcheck/system_audit_ssh.txt
-
- yes
-
-
-
- yes
- 1800
- 1d
- yes
-
-
-
- yes
- 1800
- 1d
- yes
-
- wodles/java
- wodles/ciscat
-
-
-
-
- yes
- yes
- /var/log/osquery/osqueryd.results.log
- /etc/osquery/osquery.conf
- yes
-
-
-
-
- no
- 1h
- yes
- yes
- yes
- yes
- yes
- yes
- yes
-
-
-
- yes
- yes
- 60m
-
-
-
- yes
-
- https://indexer:9200
-
-
-
- /etc/ssl/root-ca.pem
-
- /etc/ssl/filebeat.pem
- /etc/ssl/filebeat.key
-
-
-
-
-
- no
-
-
- 43200
-
- yes
-
-
- yes
-
-
- no
-
-
- /etc,/usr/bin,/usr/sbin
- /bin,/sbin,/boot
-
-
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
- /sys/kernel/security
- /sys/kernel/debug
-
-
- /etc/ssl/private.key
-
- yes
-
-
- yes
-
-
- yes
-
-
-
-
- 127.0.0.1
- ^localhost.localdomain$
- 10.66.0.2
-
-
-
- disable-account
- disable-account.sh
- user
- yes
-
-
-
- restart-ossec
- restart-ossec.sh
-
-
-
-
- firewall-drop
- firewall-drop
- yes
-
-
-
- host-deny
- host-deny.sh
- srcip
- yes
-
-
-
- route-null
- route-null.sh
- srcip
- yes
-
-
-
- win_route-null
- route-null.cmd
- srcip
- yes
-
-
-
- win_route-null-2012
- route-null-2012.cmd
- srcip
- yes
-
-
-
- netsh
- netsh.cmd
- srcip
- yes
-
-
-
- netsh-win-2016
- netsh-win-2016.cmd
- srcip
- yes
-
-
-
-
-
-
- command
- df -P
- 360
-
-
-
- full_command
- netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
- netstat listening ports
- 360
-
-
-
- full_command
- last -n 20
- 360
-
-
-
-
- ruleset/decoders
- ruleset/rules
- 0215-policy_rules.xml
- etc/lists/audit-keys
- etc/lists/amazon/aws-sources
- etc/lists/amazon/aws-eventnames
- etc/lists/malicious-ioc/malicious-ip
- etc/lists/malicious-ioc/malicious-domains
- etc/lists/malicious-ioc/malware-hashes
-
-
- etc/decoders
- etc/rules
-
-
-
-
- no
- 1515
- no
-
- yes
- yes
- 1h
- 1h
-
- no
- yes
- HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
-
- no
- /var/ossec/etc/sslmanager.cert
- /var/ossec/etc/sslmanager.key
- no
-
-
-
- wazuh
- to_be_replaced_by_hostname
- worker
- to_be_replaced_by_cluster_key
- 1516
- 0.0.0.0
-
- wazuh-manager-master-0.wazuh-cluster.wazuh
-
- no
- no
-
-
-
-
-
- syslog
- /var/ossec/logs/active-responses.log
-
-
-