ThreatLockDown agent class

class wazuh::agent

This contains variables that can be used to configure the ThreatLockDown agent.

Active-Response variables

$configure_active_response

Enables active response on this host.

Default true

Type Boolean

$active_response_disabled

Toggles the active-response capability on and off.

Default no

Type String

$active_response_ca_verification

This option enables or disables the WPK validation using the root CA certificate. If this parameter is set to no, the agent will accept any WPK package coming from the manager.

Default yes

Type String

$active_response_repeated_offenders

Sets timeouts in minutes for repeat offenders. This is a list of increasing timeouts that can contain a maximum of 5 entries.

Default []

Agent enrollment variables

$wazuh_enrollment_enabled

Enables/disables agent enrollment. If this variable is not set to ‘yes’ the complete enrollment tag will not be added to ossec.conf.

Default undef

Type String

$wazuh_enrollment_manager_address

Hostname or IP address of the manager where the agent will be enrolled.

Default undef

Type String

$wazuh_enrollment_port

Specifies the port on the manager to send enrollment request.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_agent_name

Agent name that will be used for enrollment.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_groups

Groups name to which the agent belongs.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_agent_address

Force IP address from the agent. If this is not set, the manager will extract the source IP address from the enrollment message.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_ssl_cipher

Override SSL used ciphers.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_server_ca_path

Used for manager verification. If no CA certificate is set server will not be verified.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_agent_cert_path

Required when agent verification is enabled in the manager.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_agent_key_path

Required when agent verification is enabled in the manager.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_auth_pass

Enrollment password.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_auth_pass_path

Required when enrollment is using password verification.

Default '/var/ossec/etc/authd.pass'

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_auto_method

Auto negotiates the most secure common SSL/TLS method with the manager, use “yes” for auto negotiate or “no” for TLS v1.2 only.

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_delay_after_enrollment

Specifies the time agents should wait after a successful registration.

Related parameter delay_after_enrollment

Default undef

Type String

Depends on wazuh_enrollment_enabled

$wazuh_enrollment_use_source_ip

Force manager to compute IP address from agent message.

Default undef

Type String

Depends on wazuh_enrollment_enabled

Client variables

$wazuh_reporting_endpoint

Specifies the IP address or the hostname of the ThreatLockDown manager to report.

Default undef

Type String

$wazuh_register_endpoint

Specifies the IP address or the hostname of the ThreatLockDown manager to register against. It is used to run the agent-auth tool.

Type String

$ossec_port

Specifies the port to send events to the manager. This must match the associated listening port configured on the ThreatLockDown manager.

Default 1514

Type String

$ossec_protocol

Specifies the protocol to use when connecting to the manager.

Default tcp

Type String

$wazuh_max_retries

The number of connection retries.

Default 5

Type String

$wazuh_retry_interval

Time interval between connection attempts (seconds).

Default 5

Type String

$ossec_notify_time

Specifies the time in seconds between agent check-ins to the manager.

Default 10

Type String

$ossec_time_reconnect

Specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the notify_time parameter.

Default 60

Type String

$ossec_auto_restart

Toggles on and off the automatic restart of agents when a new valid configuration is received from the manager.

Default yes

Type String

$ossec_crypto_method

Choose the encryption of the messages that the agent sends to the manager.

Default aes

Type String

$client_buffer_queue_size

Sets the capacity of the agent buffer in number of events.

Default 5000

$client_buffer_events_per_second

Specifies the number of events that can be sent to the manager per second.

Default 500

Type String

Localfile variables

$ossec_local_files

Files list for log analysis

These files are listed in params_agent.pp in section $default_local_files. If a change is needed it should be modified in the params_agent.pp.

Default depends on the OS family.

Rootcheck variables

$configure_rootcheck

Enables rootcheck section render on this host.

Default true

Type Boolean

$ossec_rootcheck_disabled

Disable rootcheck on this host (Linux).

Default no

Type String

$ossec_rootcheck_check_files

Enable rootcheck checkfiles option.

Default yes

Type String

$ossec_rootcheck_check_trojans

Enable rootcheck checktrojans option.

Default yes

Type String

$ossec_rootcheck_check_dev

Enable rootcheck checkdev option.

Default yes

Type String

$ossec_rootcheck_check_sys

Enable rootcheck checksys option.

Default yes

Type String

$ossec_rootcheck_check_pids

Enable rootcheck checkpids option.

Default yes

Type String

$ossec_rootcheck_check_ports

Enable rootcheck checkports option.

Default yes

Type String

$ossec_rootcheck_check_if

Enable rootcheck checkif option.

Default yes

Type String

$ossec_rootcheck_frequency

How often the rootcheck scan will run (in seconds).

Default 36000

Type String

$ossec_rootcheck_ignore_list

List of files or directories to be ignored. These files and directories will be ignored during scans.

Default []

Type List

$ossec_rootcheck_rootkit_files

Change the location of the rootkit files database.

Default '/var/ossec/etc/shared/rootkit_files.txt'

Type String

$ossec_rootcheck_rootkit_trojans

Change the location of the rootkit trojans database.

Default 'etc/shared/rootkit_trojans.txt'

Type String

$ossec_rootcheck_skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

Type String

$ossec_rootcheck_system_audit

Specifies the path to an audit definition file for Unix-like systems.

Default []

Type List

$ossec_rootcheck_windows_disabled

Disables rootcheck if host has Windows OS.

Default no

Type String

$ossec_rootcheck_windows_windows_apps

Specifies the path to a Windows application definition file.

Default './shared/win_applications_rcl.txt'

$ossec_rootcheck_windows_windows_malware

Specifies the path to a Windows malware definitions file.

Default './shared/win_applications_rcl.txt'

Type String

SCA variables

$configure_sca

Enables SCA section render on this host.

Default true

Type boolean

$sca_amazon_enabled

Enable SCA on this host (Amazon Linux 2).

Default yes

Depends on configure_sca and apply_template_os

$sca_amazon_scan_on_start

The SCA module will perform the scan immediately when started (Amazon Linux 2).

Default yes

Depends on configure_sca and apply_template_os

$sca_amazon_interval

The interval between module executions.

Default 12h

Depends on configure_sca and apply_template_os

$sca_amazon_skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

Depends on configure_sca and apply_template_os

$sca_amazon_policies

A list of policies to run assessments can be included in this section.

Default []

Depends on configure_sca and apply_template_os

$sca_rhel_enabled

Enable SCA on this host (RHEL).

Default true

Type Boolean

Depends on configure_sca and apply_template_os

$sca_rhel_scan_on_start

The SCA module will perform the scan immediately when started (RHEL).

Default yes

Type String

Depends on configure_sca and apply_template_os

$sca_rhel_interval

The interval between module executions.

Default 12h

Depends on configure_sca and apply_template_os

$sca_rhel_skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

Depends on configure_sca and apply_template_os

$sca_rhel_policies

A list of policies to run assessments can be included in this section.

Default []

Depends on configure_sca and apply_template_os

$sca_else_enabled

Enable SCA on this host (Linux).

Default yes

$sca_else_scan_on_start

The SCA module will perform the scan immediately when started (Linux).

Default yes

Depends on configure_sca and apply_template_os

$sca_else_interval

The interval between module executions.

Default 12h

Depends on configure_sca and apply_template_os

$sca_else_skip_nfs

Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

Depends on configure_sca and apply_template_os

$sca_else_policies

A list of policies to run assessments can be included in this section.

Default []

Depends on configure_sca and apply_template_os

Syscheck variables

$configure_syscheck

Enables syscheck section rendering on this host. If this variable is not set to ‘true’ the complete syscheck tag will not be added to ossec.conf.

Default true

Type Boolean

$ossec_syscheck_disabled

Disable syscheck on this host.

Default no

Type String

$ossec_syscheck_frequency

Enables syscheck section rendering on this host.

Default 43200

Type String

$ossec_syscheck_scan_on_start

Specifies if syscheck scans immediately when started.

Default yes

Type String

$ossec_syscheck_auto_ignore

Specifies whether or not syscheck will ignore files that change too many times (manager only).

Default undef

Type String

$ossec_syscheck_directories_1

List of directories to be monitored. The directories should be comma-separated.

Default '/etc,/usr/bin,/usr/sbin'

Type String

$ossec_syscheck_realtime_directories_1

This will enable real-time/continuous monitoring on directories listed on ossec_syscheck_directories_1. Real time only works with directories, not individual files.

Default no

Type String

$ossec_syscheck_whodata_directories_1

This will enable who-data monitoring on directories listed on ossec_syscheck_directories_1.

Default no

Type String

$ossec_syscheck_directories_2

List of directories to be monitored. The directories should be comma-separated.

Default '/etc,/usr/bin,/usr/sbin'

Type String

$ossec_syscheck_realtime_directories_2

This will enable real-time/continuous monitoring on directories listed on ossec_syscheck_directories_2. Real time only works with directories, not individual files.

Default no

Type String

$ossec_syscheck_whodata_directories_2

This will enable who-data monitoring on directories listed on ossec_syscheck_directories_2.

Default no

Type String

$ossec_syscheck_report_changes_directories_2

Report file changes. This is limited to text files at this time.

Default no

Type String

$ossec_syscheck_ignore_list

List of files or directories to be ignored. Ignored files and directories are still being scanned, but the results are not reported.

[‘/etc/mtab’,’/etc/hosts.deny’,’/etc/mail/statistics’,’/etc/random-seed’,’/etc/random.seed’,’/etc/adjtime’,’/etc/httpd/logs’,’/etc/utmpx’,’/etc/wtmpx’,’/etc/cups/certs’,’/etc/dumpdates’,’/etc/svc/volatile’,’/sys/kernel/security’,’/sys/kernel/debug’,’/dev/core’,]

Type String

$ossec_syscheck_ignore_type_1

Simple regex pattern to filter out files.

Default '^/proc'

Type String

$ossec_syscheck_ignore_type_2

Another simple regex pattern to filter out files.

Default '.log$|.swp$'

Type String

$ossec_syscheck_process_priority

Sets the nice value for Syscheck process.

Default 10

Type String

$ossec_syscheck_synchronization_enabled

Specifies whether there will be periodic inventory synchronizations or not.

Default yes

Type String

$ossec_syscheck_synchronization_interval

Specifies the initial number of seconds between every inventory synchronization. If synchronization fails the value will be duplicated until it reaches the value of max_interval.

Default 5m

Type String

$ossec_syscheck_synchronization_max_eps

Sets the maximum synchronization message throughput.

Default 10

Type String

$ossec_syscheck_synchronization_max_interval

Specifies the maximum number of seconds between every inventory synchronization.

Default 1h

Type String

$ossec_syscheck_skip_nfs

Specifies if syscheck should scan network mounted filesystems. This option works on Linux and FreeBSD systems. Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default yes

Type String

Wodle OpenSCAP

$configure_wodle_openscap

Enables the Wodle OpenSCAP section rendering on this host. If this variable is not set to true the complete open-scap wodle tag will not be added to ossec.conf.

Default true

Type Boolean

$wodle_openscap_disabled

Disables the OpenSCAP wodle.

Default yes

Type String

$wodle_openscap_timeout

Timeout for each evaluation.

Default 1800

Type String

$wodle_openscap_interval

The interval between OpenSCAP executions.

Default 1d

Type String

$wodle_openscap_scan_on_start

Run evaluation immediately when service is started.

Default yes

Type String

Wodle CIS-CAT

$configure_wodle_cis_cat

Enables Wodle CIS-CAT section render on this host. If this variable is not set to true the complete cis-cat wodle tag will not be added to ossec.conf.

Default true

Type Boolean

$wodle_ciscat_disabled

Disables the CIS-CAT wodle.

Default yes

Type String

$wodle_ciscat_timeout

Timeout for each evaluation. In case the execution takes longer than the specified timeout, it stops.

Default 1800

Type String

$wodle_ciscat_interval

The interval between CIS-CAT executions.

Default 1d

Type String

$wodle_ciscat_scan_on_start

Run evaluation immediately when service is started.

Default yes

Type String

$wodle_ciscat_java_path

Define where Java is located. If this parameter is not set, the wodle will search for the Java location in the default environment variable $PATH.

Default 'wodles/java'

Type String

$wodle_ciscat_ciscat_path

Define where CIS-CAT is located.

Default 'wodles/ciscat'

Type String

Wodle osquery variables

$configure_wodle_osquery

Enables the Wodle osquery section rendering on this host. If this variable is not set to ‘true’, the complete osquery wodle tag will not be added to ossec.conf.

Default true

Type String

$wodle_osquery_disabled

Disable the osquery wodle.

Default yes

Type String

$wodle_osquery_run_daemon

Make the module run osqueryd as a subprocess or let the module monitor the results log without running Osquery.

Default yes

Type String

$wodle_osquery_log_path

Full path to the results log written by Osquery.

Default '/var/log/osquery/osqueryd.results.log'

Type String

$wodle_osquery_config_path

Path to the Osquery configuration file. This path can be relative to the folder where the ThreatLockDown agent is running.

Default '/etc/osquery/osquery.conf'

Type String

$wodle_osquery_add_labels

Add the agent labels defined as decorators.

Default yes

Type String

Wodle Syscollector

$wodle_syscollector_disabled

Disable the Syscollector wodle.

Default no

Type String

$wodle_syscollector_interval

Time between system scans.

Default 1h

Type String

$wodle_syscollector_scan_on_start

Run a system scan immediately when service is started.

Default yes

Type String

$wodle_syscollector_hardware

Enables the hardware scan.

Default yes

Type String

$wodle_syscollector_os

Enables the scan of the OS.

Default yes

Type String

$wodle_syscollector_network

Enables the network scan.

Default yes

Type String

$wodle_syscollector_packages

Enables the scan of the packages.

Default yes

Type String

$wodle_syscollector_ports

Enables the scan of the ports.

Default yes

Type String

$wodle_syscollector_processes

Enables the scan of the processes.

Default yes

Type String

Misc Variables

$agent_package_name

Define package name defined in params_agent.pp

Default wazuh-agent

Type String

$agent_package_version

Define package version

Default 4.9.0-1

Type String

$selinux

Whether to install a SELinux policy to allow rotation of OSSEC logs.

Default false

Type Boolean

$agent_name

Configure agent name.

Default undef

Type String

$manage_repo

Install ThreatLockDown through ThreatLockDown repositories.

Default true

Type Boolean

$manage_client_keys

Manage client keys option.

Default yes

Type String

$agent_auth_password

Define password for agent-auth

Default undef

Type String