Upload files to "configs"

2026-05-29 19:02:57 +00:00
commit 90fba40de4
5 changed files with 1149 additions and 0 deletions
+43
@@ -0,0 +1,43 @@
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
- 127.0.0.1:9200
# - <elasticsearch_ip_node_2>:9200
# - <elasticsearch_ip_node_3>:9200
output.elasticsearch:
protocol: https
username: ${username}
password: ${password}
ssl.certificate_authorities:
- /etc/filebeat/certs/root-ca.pem
ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
logging.level: info
logging.to_files: true
logging.files:
path: /var/log/filebeat
name: filebeat
keepfiles: 7
permissions: 0644
logging.metrics.enabled: false
seccomp:
default_action: allow
syscalls:
- action: allow
names:
- rseq
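Review bot: `default_action: allow` in the `seccomp` block at the end of this file makes the policy permit every syscall, so the `rseq` entry under `syscalls` is redundant and Filebeat's shipped seccomp sandbox is effectively switched off. If the intent was only to let the process call `rseq` (which is what the allow entry suggests, though the page does not say why it was added), keep Filebeat's default action and leave only the exception in place: change `default_action: allow` to `default_action: errno`. A one-line comment above the block such as `# seccomp: keep the default deny policy, only add rseq to the allow list` would make the intent clear to the next person editing it.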
+494
@@ -0,0 +1,494 @@
# internal_options.conf, Daniel B. Cid (dcid @ ossec.net).
#
# DO NOT TOUCH THIS FILE. The default configuration
# is at ossec.conf. More information at:
# https://documentation.wazuh.com
#
# This file should be handled with care. It contain
# run time modifications that can affect the use
# of ossec. Only change it if you know what you
# are doing. Again, look first at ossec.conf
# for most of the things you want to change.
# Analysisd default rule timeframe.
analysisd.default_timeframe=360
# Analysisd stats maximum diff.
analysisd.stats_maxdiff=999000
# Analysisd stats minimum diff.
analysisd.stats_mindiff=1250
# Analysisd stats percentage (how much to differ from average)
analysisd.stats_percent_diff=150
# Analysisd FTS list size.
analysisd.fts_list_size=32
# Analysisd FTS minimum string size.
analysisd.fts_min_size_for_str=14
# Analysisd Enable the firewall log (at logs/firewall/firewall.log)
# 1 to enable, 0 to disable.
analysisd.log_fw=1
# Maximum number of fields in a decoder (order tag) [32..1024]
analysisd.decoder_order_size=256
# Output GeoIP data at JSON alerts
analysisd.geoip_jsonout=0
# Maximum label cache age (margin seconds with no reloading) [0..60]
analysisd.label_cache_maxage=10
# Show hidden labels on alerts
analysisd.show_hidden_labels=0
# Maximum number of file descriptor that Analysisd can open [1024..1048576]
analysisd.rlimit_nofile=458752
# Minimum output rotate interval. This limits rotation by time and size. [10..86400]
analysisd.min_rotate_interval=600
# Number of event decoder threads
analysisd.event_threads=0
# Number of syscheck decoder threads
analysisd.syscheck_threads=0
# Number of syscollector decoder threads
analysisd.syscollector_threads=0
# Number of rootcheck decoder threads
analysisd.rootcheck_threads=0
# Number of security configuration assessment decoder threads
analysisd.sca_threads=0
# Number of hostinfo decoder threads
analysisd.hostinfo_threads=0
# Number of Windows event decoder threads
analysisd.winevt_threads=0
# Number of rule matching threads
analysisd.rule_matching_threads=0
# Number of database synchronization dispatcher threads [0..32]
analysisd.dbsync_threads=0
# Decoder event queue size
analysisd.decode_event_queue_size=16384
# Decode syscheck queue size
analysisd.decode_syscheck_queue_size=16384
# Decode syscollector queue size
analysisd.decode_syscollector_queue_size=16384
# Decode rootcheck queue size
analysisd.decode_rootcheck_queue_size=16384
# Decode security configuration assessment queue size
analysisd.decode_sca_queue_size=16384
# Decode hostinfo queue size
analysisd.decode_hostinfo_queue_size=16384
# Decode winevt queue size
analysisd.decode_winevt_queue_size=16384
# Decode Output queue
analysisd.decode_output_queue_size=16384
# Archives log queue size
analysisd.archives_queue_size=16384
# Statistical log queue size
analysisd.statistical_queue_size=16384
# Alerts log queue size
analysisd.alerts_queue_size=16384
# Firewall log queue size
analysisd.firewall_queue_size=16384
# FTS log queue size
analysisd.fts_queue_size=16384
# Database synchronization message queue size [0..2000000]
analysisd.dbsync_queue_size=16384
# Upgrade message queue size
analysisd.upgrade_queue_size=16384
# Interval for analysisd status file updating (seconds) [0..86400]
# 0 means disabled
analysisd.state_interval=5
# Logcollector file loop timeout (check every 2 seconds for file changes)
logcollector.loop_timeout=2
# Logcollector number of attempts to open a log file [2..998] (0=infinite)
logcollector.open_attempts=0
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=0
# Logcollector - File checking interval (seconds) [0..1024]
logcollector.vcheck_files=64
# Logcollector - Maximum number of lines to read from the same file [100..1000000]
# 0. Disable line burst limitation
logcollector.max_lines=10000
# Logcollector - Maximum number of files to be monitored [1..100000]
logcollector.max_files=1000
# Time to reattempt a socket connection after a failure [1..3600]
logcollector.sock_fail_time=300
# Logcollector - Number of input threads for reading files
logcollector.input_threads=4
# Logcollector - Output queue size [128..220000]
logcollector.queue_size=1024
# Sample log length limit for errors about large message [1..4096]
logcollector.sample_log_length=64
# Maximum number of file descriptor that Logcollector can open [1024..1048576]
# This value must be higher than logcollector.max_files
logcollector.rlimit_nofile=1100
# Force file handler reloading: close and reopen monitored files
# 0: Disabled
# 1: Enabled
logcollector.force_reload=0
# File reloading interval, in seconds, if force_reload=1 [1..86400]
# This interval must be greater or equal than vcheck_files.
logcollector.reload_interval=64
# File reloading delay (between close and open), in milliseconds [0..30000]
logcollector.reload_delay=1000
# Excluded files refresh interval, in seconds [1..172800]
logcollector.exclude_files_interval=86400
# State generation updating interval, in seconds [0..3600]
# 0 means state file creation and updating is disabled
logcollector.state_interval=60
# Logbuilder IP update interval [0..3600]
logcollector.ip_update_interval=60
# Remoted counter io flush.
remoted.recv_counter_flush=128
# Remoted compression averages printout.
remoted.comp_average_printout=19999
# Verify msg id (set to 0 to disable it)
remoted.verify_msg_id=0
# Don't exit when client.keys empty
remoted.pass_empty_keyfile=1
# Number of shared file sender threads
remoted.sender_pool=8
# Limit of parallel request dispatchers [1..4096]
remoted.request_pool=1024
# Timeout to reject a new request (seconds) [1..600]
remoted.request_timeout=10
# Timeout for request responses (seconds) [1..3600]
remoted.response_timeout=60
# Retransmission timeout seconds [0..60]
remoted.request_rto_sec=1
# Retransmission timeout milliseconds [0..999]
remoted.request_rto_msec=0
# Max. number of sending attempts [1..16]
remoted.max_attempts=4
# Shared files reloading interval (sec) [1..18000]
remoted.shared_reload=10
# Maximum number of file descriptor that Remoted can open [1024..1048576]
remoted.rlimit_nofile=458752
# Maximum time waiting for a client response in TCP (seconds) [1..60]
remoted.recv_timeout=1
# Merge shared configuration to be broadcasted to agents
# 0. Disable
# 1. Enable (default)
remoted.merge_shared=1
# Store the temporary shared configuration file on disk
# 0. No, store in memory (default)
# 1. Yes, store on disk
remoted.disk_storage=0
# Keys file reloading latency (seconds) [1..3600]
remoted.keyupdate_interval=10
# Number of parallel worker threads [1..16]
remoted.worker_pool=4
# Interval for remoted status file updating (seconds) [0..86400]
# 0 means disabled
remoted.state_interval=5
# Guess the group to which the agent belongs
# 0. No, do not guess (default)
# 1. Yes, do guess
remoted.guess_agent_group=0
# Receiving chunk size for TCP. We suggest using powers of two. [1024..16384]
remoted.receive_chunk=4096
# Sending chunk size for TCP. We suggest using powers of two. [512..16384]
remoted.send_chunk=4096
# Send buffer size for queue messages to send. We suggest using powers of two. [65536..1048576]
remoted.send_buffer_size=131072
# Sleep time to retry delivery to a client in TCP (seconds) [1..60]
remoted.send_timeout_to_retry=1
# Deallocate network buffers after usage.
# 0. Do not deallocate memory.
# 1. Shrink memory to the reception chunk.
# 2. Full memory deallocation.
remoted.buffer_relax=1
# Keepalive options
# Time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes [1..7200]
remoted.tcp_keepidle=30
# The time (in seconds) between individual keepalive probes [1..100]
remoted.tcp_keepintvl=10
# Maximum number of keepalive probes TCP should send before dropping the connection [1..50]
remoted.tcp_keepcnt=3
# Save control messages queue size, in messages [1024..1048576]
remoted.control_msg_queue_size=16384
# Router forwarding - Enable or disable forwarding messages
# 0. Enabled
# 1. Disabled
remoted.router_forwarding_disabled=0
# Timeout to execute remote requests [1..3600]
execd.request_timeout=60
# Max timeout to lock the restart [0..3600]
execd.max_restart_lock=600
# Maild strict checking (0=disabled, 1=enabled)
maild.strict_checking=1
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.grouping=1
# Maild full subject (0=disabled, 1=enabled)
maild.full_subject=0
# Maild display GeoIP data (0=disabled, 1=enabled)
maild.geoip=1
# Monitord day_wait. Amount of seconds to wait before rotating/compressing/signing [0..600]
# the files.
monitord.day_wait=10
# Monitord compress. (0=do not compress, 1=compress)
monitord.compress=1
# Monitord sign. (0=do not sign, 1=sign)
monitord.sign=1
# Monitord monitor_agents. (0=do not monitor, 1=monitor)
monitord.monitor_agents=1
# Rotate plain and JSON logs daily. (0=no, 1=yes)
monitord.rotate_log=1
# Days to keep old ossec.log files [0..500]
monitord.keep_log_days=31
# Size of internal log files to rotate them (Megabytes) [0..4096]
monitord.size_rotate=512
# Maximum number of rotations per day for internal logs [1..256]
monitord.daily_rotations=12
# Number of minutes for deleting a disconnected agent [0..9600]. (0=disabled)
monitord.delete_old_agents=0
# Syscheck perform a delay when dispatching real-time notifications so it avoids
# triggering on some temporary files like vim edits. (ms) [0..1000]
syscheck.rt_delay=5
# Maximum number of directories monitored for realtime on windows [1..1024]
syscheck.max_fd_win_rt=256
# Maximum number of directories monitored for who-data on Linux [1..4096]
syscheck.max_audit_entries=256
# Maximum level of recursivity allowed [1..320]
syscheck.default_max_depth=256
# Check interval of the symbolic links configured in the directories section [1..2592000]
syscheck.symlink_scan_interval=600
# Maximum file size for calcuting integrity hashes in MBytes [0..4095]
# A value of 0 MB means to disable this filter
syscheck.file_max_size=1024
# Rootcheck checking/usage speed. The default is to sleep 50 milliseconds
# per each PID or suspictious port.
rootcheck.sleep=50
# Time since the agent buffer is full to consider events flooding
agent.tolerance=15
# Level of occupied capacity in Agent buffer to trigger a warning message
agent.warn_level=90
# Level of occupied capacity in Agent buffer to come back to normal state
agent.normal_level=70
# Minimum events per second, configurable at XML settings [1..1000]
agent.min_eps=50
# Interval for agent status file updating (seconds) [0..86400]
# 0 means disabled
agent.state_interval=5
# Maximum time waiting for a server response in TCP (seconds) [1..600]
agent.recv_timeout=60
# Apply remote configuration
# 0. Disabled
# 1. Enabled
agent.remote_conf=1
# Database - maximum number of reconnect attempts
dbd.reconnect_attempts=10
# Wazuh modules - nice value for tasks. Lower value means higher priority
wazuh_modules.task_nice=10
# Wazuh modules - maximum number of events per second sent by each module [1..1000]
wazuh_modules.max_eps=100
# Wazuh modules - time for a process to quit before killing it [0..3600]
# 0: Kill immediately
wazuh_modules.kill_timeout=10
# Maximum number of file descriptor that Wazuh modules can open [1024..1048576]
wazuh_modules.rlimit_nofile=8192
# Wazuh database module settings
# Synchronize agent database with client.keys
wazuh_database.sync_agents=1
# Sync data in real time (supported on Linux only)
# 0. Disabled
# 1. Enabled (default)
wazuh_database.real_time=1
# Time interval between cycles (used only if real time disabled)
# Default: 60 seconds (1 minute). Max: 86400 seconds (1 day)
wazuh_database.interval=60
# Maximum queued events (for inotify)
# 0. Use system default
wazuh_database.max_queued_events=0
# Enable download module
# 0. Disabled
# 1. Enabled (default)
wazuh_download.enabled=1
# Number of worker threads (1..32)
wazuh_db.worker_pool_size=8
# Minimum time margin before committing (1..3600)
wazuh_db.commit_time_min=10
# Maximum time margin before committing (1..3600)
wazuh_db.commit_time_max=60
# Number of allowed open databases before closing (1..4096)
wazuh_db.open_db_limit=64
# Maximum number of file descriptor that WazuhDB can open [1024..1048576]
wazuh_db.rlimit_nofile=458752
# Indicates the max fragmentation allowed.
# [0..100]
wazuh_db.max_fragmentation=90
# Indicates the allowed fragmentation threshold.
# [0..100]
wazuh_db.fragmentation_threshold=75
# Indicates the allowed fragmentation difference between the last time the vacuum was performed and the current measurement.
# [0..100]
wazuh_db.fragmentation_delta=5
# Indicates the minimum percentage of free pages present in a database that can trigger a vacuum. [0..99]
wazuh_db.free_pages_percentage=0
# Interval for database fragmentation check, in seconds [1..30758400]
wazuh_db.check_fragmentation_interval=7200
# Wazuh Command Module - If it should accept remote commands from the manager
wazuh_command.remote_commands=0
# Wazuh default stack size for child threads in KiB (2048..65536)
wazuh.thread_stack_size=8192
# Security Configuration Assessment DB request interval in minutes [0..60]
# This option sets the maximum waiting time to resend a scan when the DB integrity check fails
sca.request_db_interval=5
# Enable it to accept execute commands from SCA policies pushed from the manager in the shared configuration
# Local policies ignore this option
sca.remote_commands=0
# Default timeout for executed commands during a SCA scan in seconds [1..300]
sca.commands_timeout=30
# Network timeout for Authd clients
auth.timeout_seconds=1
auth.timeout_microseconds=0
# Vulnerability detector LRUs size
vulnerability-detection.translation_lru_size=2048
vulnerability-detection.osdata_lru_size=1000
vulnerability-detection.remediation_lru_size=2048
# Vulnerability detector - Enable or disable the scan manager
# 0. Enabled
# 1. Disabled
vulnerability-detection.disable_scan_manager=1
# Vulnerability detector - report queue size [0..2147483647]
# Unlimited = 0, Limited > 0
vulnerability-detection.report_queue_size=262144
# Debug options.
# Debug 0 -> no debug
# Debug 1 -> first level of debug
# Debug 2 -> full debugging
# Windows debug (used by the Windows agent)
windows.debug=0
# Syscheck (local, server and Unix agent)
syscheck.debug=0
# Remoted (server debug)
remoted.debug=0
# Analysisd (server or local)
analysisd.debug=0
# Auth daemon debug (server)
authd.debug=0
# Exec daemon debug (server, local or Unix agent)
execd.debug=0
# Monitor daemon debug (server, local or Unix agent)
monitord.debug=0
# Log collector (server, local or Unix agent)
logcollector.debug=0
# Integrator daemon debug (server, local or Unix agent)
integrator.debug=0
# Unix agentd
agent.debug=0
# Wazuh DB debug level
wazuh_db.debug=0
wazuh_modules.debug=0
# Wazuh Cluster debug level
wazuh_clusterd.debug=0
# EOF
+75
@@ -0,0 +1,75 @@
<!-- Local Decoders -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->
<!--
- Allowed static fields:
- location - where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user - an alias to dstuser (only one of the two can be used)
- srcip - source ip
- dstip - dst ip
- srcport - source port
- dstport - destination port
- protocol - protocol
- id - event id
- url - url of the event
- action - event action (deny, drop, accept, etc)
- status - event status (success, failure, etc)
- extra_data - Any extra data
-->
<decoder name="pfsense-wrapped">
<prematch>filterlog</prematch>
</decoder>
<decoder name="pfsense-wrapped-fields">
<parent>pfsense-wrapped</parent>
<regex>filterlog\S* \S*,\S*,\S*,(\S*),\S*,\S*,(\S*),</regex>
<order>id,action</order>
</decoder>
<decoder name="pfsense-wrapped-fields">
<parent>pfsense-wrapped</parent>
<regex offset="after_regex">\S*,\S*,\S*,\S*,\S*,\S*,\S*,\S*,\S*,(\S*),\S*,(\S*),(\S*),</regex>
<order>protocol,srcip,dstip</order>
</decoder>
<decoder name="pfsense-wrapped-fields">
<parent>pfsense-wrapped</parent>
<regex offset="after_regex">(\d*),(\d*),\S*</regex>
<order>srcport,dstport</order>
</decoder>
<decoder name="pfsense-wrapped-fields">
<parent>pfsense-wrapped</parent>
<regex offset="after_regex">datalength=(\S*)|(\d*)</regex>
<order>length</order>
</decoder>
<decoder name="mailcow-journald-unwrap">
<prematch>postfix\(\d+\): \w+ \d+ \d+:\d+:\d+ \w+ \.+\(\d+\):</prematch>
</decoder>
<decoder name="mailcow-journald-unwrap-child">
<parent>mailcow-journald-unwrap</parent>
<regex offset="after_parent">\.+</regex>
<order>extra_data</order>
</decoder>
<!-- Gitea: matches lines like:
2026/05/29 14:19:59 routers/web/auth/auth.go:309:SignInPost() [W] Failed authentication attempt...
2026/05/29 14:19:59 HTTPRequest [I] router: completed POST /user/login for ...
-->
<decoder name="gitea">
<program_name>gitea</program_name>
</decoder>
<decoder name="gitea-auth-fail">
<parent>gitea</parent>
<prematch>Failed authentication attempt</prematch>
<regex>Failed authentication attempt for (\S+) from (\d+.\d+.\d+.\d+)</regex>
<order>user, srcip</order>
</decoder>
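Review bot: The positional `pfsense-wrapped-fields` regexes (the `\S*,` chains that yield `protocol,srcip,dstip` and then `srcport,dstport`) assume the IPv4 TCP/UDP filterlog column layout; if I read the pfSense CSV format right, IPv6 lines have fewer columns between the action and the protocol field and ICMP lines have no port columns, so for those events the captured values would land in the wrong fields or the child decoder would silently not match. At minimum a comment above the first child decoder, e.g. `<!-- field offsets assume IPv4 TCP/UDP filterlog lines; IPv6/ICMP have a different column count -->`, would document the limitation, and constraining the child on the ip-version column would make it explicit. The `<prematch>filterlog</prematch>` on the parent is also unanchored, so any line that merely contains that word is claimed by this decoder; if the wrapped line always begins with it, `<prematch>^filterlog</prematch>` is tighter.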
+181
@@ -0,0 +1,181 @@
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->
<!-- Example -->
<group name="local,syslog,sshd,">
<!--
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
-->
<rule id="100001" level="5">
<if_sid>5716</if_sid>
<srcip>1.1.1.1</srcip>
<description>sshd: authentication failed from IP 1.1.1.1.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
<!-- Bridge rule: makes pfsense-wrapped decoder trigger the pfSense rule chain -->
<rule id="87699" level="0">
<decoded_as>pfsense-wrapped</decoded_as>
<description>pfSense wrapped syslog parent rule.</description>
</rule>
<rule id="87761" level="5">
<if_sid>87699</if_sid>
<action>block</action>
<description>pfSense firewall drop event (wrapped).</description>
<group>pfsense,firewall_block,pci_dss_1.4,gpg13_4.12,hipaa_164.312.a.1,nist_800_53_SC.7,tsc_CC6.7,tsc_CC6.8,</group>
</rule>
<rule id="87762" level="10" frequency="18" timeframe="45" ignore="240">
<if_matched_sid>87761</if_matched_sid>
<same_source_ip />
<description>Multiple pfSense firewall block events from same source (wrapped).</description>
<mitre>
<id>T1110</id>
</mitre>
<group>pfsense,</group>
</rule>
</group>
<group name="attack,">
<rule id="100100" level="10">
<if_group>web|attack|attacks</if_group>
<list field="srcip" lookup="address_match_key">etc/lists/blacklist-alienvault</list>
<description>IP address found in AlienVault reputation database.</description>
</rule>
</group>
<group name="dovecot,local,">
<rule id="100200" level="0">
<if_sid>9705</if_sid>
<match>watchdog@invalid</match>
<description>Dovecot: mailcow watchdog health check (ignored)</description>
</rule>
<rule id="100201" level="0">
<if_sid>9707</if_sid>
<match>rip=172.22.1.</match>
<description>Dovecot: mailcow watchdog IMAP probe disconnect (ignored)</description>
</rule>
<rule id="100202" level="0">
<if_sid>9706</if_sid>
<match>imap(IGNORED_EMAIL_ADDRESS)</match>
<description>Dovecot: own-mailbox routine session disconnect (ignored)</description>
</rule>
<rule id="100301" level="0">
<if_sid>9706</if_sid>
<match>managesieve-login: Disconnected: Connection closed (no auth attempts</match>
<description>Mailcow watchdog managesieve healthcheck - suppressed</description>
</rule>
</group>
<group name="dovecot,authentication_success,">
<rule id="100300" level="0" overwrite="no">
<if_sid>9701</if_sid>
<description>Dovecot successful login - suppressed (routine IMAP polling)</description>
</rule>
</group>
<group name="gitea,">
<!-- Parent rule: any Gitea event gets decoded but only fires if a child rule matches -->
<rule id="100400" level="0">
<decoded_as>gitea</decoded_as>
<description>Gitea event (parent)</description>
</rule>
<!-- Suppress polling/router/HTTP noise so it never reaches the alert log -->
<rule id="100401" level="0">
<if_sid>100400</if_sid>
<match>router: polling</match>
<description>Gitea: router polling - suppressed</description>
</rule>
<rule id="100402" level="0">
<if_sid>100400</if_sid>
<match>router: completed</match>
<description>Gitea: router completed request - suppressed</description>
</rule>
<!-- Failed login (matches your real captured line) -->
<rule id="100410" level="5">
<if_sid>100400</if_sid>
<match>Failed authentication attempt</match>
<description>Gitea: failed authentication attempt</description>
<group>authentication_failed,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<!-- Brute force: 5 failures from same source in 2 minutes -->
<rule id="100411" level="10" frequency="5" timeframe="120">
<if_matched_sid>100410</if_matched_sid>
<description>Gitea: possible brute force (5+ failed logins in 2 min)</description>
<group>authentication_failures,</group>
<mitre>
<id>T1110</id>
</mitre>
</rule>
<!-- Account lifecycle -->
<rule id="100420" level="5">
<if_sid>100400</if_sid>
<match>new user signed up|created user</match>
<description>Gitea: new user account created</description>
</rule>
<rule id="100421" level="7">
<if_sid>100400</if_sid>
<match>deleted user|DeleteUser</match>
<description>Gitea: user account deleted</description>
</rule>
<!-- SSH keys / tokens -->
<rule id="100430" level="5">
<if_sid>100400</if_sid>
<match>add public key|added SSH key|AddPublicKey</match>
<description>Gitea: SSH key added to account</description>
</rule>
<rule id="100431" level="3">
<if_sid>100400</if_sid>
<match>delete public key|deleted SSH key|DeletePublicKey</match>
<description>Gitea: SSH key removed from account</description>
</rule>
<rule id="100440" level="5">
<if_sid>100400</if_sid>
<match>access token|AccessToken</match>
<description>Gitea: access token activity</description>
</rule>
<!-- Password reset / recovery -->
<rule id="100450" level="5">
<if_sid>100400</if_sid>
<match>ResetPasswd|recover_account</match>
<description>Gitea: password reset / account recovery</description>
</rule>
<!-- Repo operations -->
<rule id="100460" level="7">
<if_sid>100400</if_sid>
<match>repository deleted|DeleteRepository</match>
<description>Gitea: repository deleted</description>
</rule>
<!-- 2FA events -->
<rule id="100470" level="5">
<if_sid>100400</if_sid>
<match>TwoFactor|two-factor|TOTP</match>
<description>Gitea: 2FA event</description>
</rule>
</group>
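Review bot: Rule 100411 (`if_matched_sid` 100410, frequency 5, timeframe 120) has no `<same_source_ip />`, so five failures from five unrelated clients within two minutes raise a level-10 brute-force alert, whereas the pfSense correlation rule 87762 in the same file does scope by source; add `<same_source_ip />` right after the `<if_matched_sid>100410</if_matched_sid>` line (the `gitea-auth-fail` decoder already fills `srcip`), or state in the description that a global threshold is intended. Separately, ids 87699, 87761 and 87762 sit in the numeric range Wazuh's bundled pfSense ruleset uses, while custom rules are expected in 100000–120000; a collision with a stock id fails ruleset loading unless `overwrite="yes"` is set, so renumbering them and the matching `if_sid`/`if_matched_sid` references would be safer. The "matches your real captured line" comment implies only 100410 was checked against a real log, so the other Gitea `<match>` strings (keys, tokens, 2FA, repo deletion) look speculative and would benefit from a comment noting which ones were verified.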
+356
@@ -0,0 +1,356 @@
<!--
Wazuh - Manager - Default configuration for amzn 2023
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>no</logall_json>
<email_notification>yes</email_notification>
<email_to>chris@wittenberger.us</email_to>
<smtp_server>localhost</smtp_server>
<email_from>YOUR_EMAIL</email_from>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>15m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
<update_check>yes</update_check>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>10.0.0.0/8</allowed-ips>
<local_ip>WAZUH_SERVER_IP</local_ip>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
<ignore>/var/lib/containerd</ignore>
<ignore>/var/lib/docker/overlay2</ignore>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="yes">yes</ports>
<processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
<indexer>
<enabled>yes</enabled>
<hosts>
<host>https://127.0.0.1:9200</host>
</hosts>
<ssl>
<certificate_authorities>
<ca>/etc/filebeat/certs/root-ca.pem</ca>
</certificate_authorities>
<certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
<key>/etc/filebeat/certs/wazuh-server-key.pem</key>
</ssl>
</indexer>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>50</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>WHITELISTED_IPs</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<list>etc/lists/malicious-ioc/malware-hashes</list>
<list>etc/lists/malicious-ioc/malicious-ip</list>
<list>etc/lists/malicious-ioc/malicious-domains</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
<!-- Alienvault Reputation ruleset -->
<list>etc/lists/blacklist-alienvault</list>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>node01</node_name>
<node_type>master</node_type>
<key></key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>NODE_IP</node>
</nodes>
<hidden>no</hidden>
<disabled>yes</disabled>
</cluster>
<integration>
<name>virustotal</name>
<api_key>f666033b4fdfbeede138a12aac51dd4345bd72261786f54c45c790bf6e4446ca</api_key>
<group>syscheck</group>
<rule_id>550,553,554</rule_id>
<alert_format>json</alert_format>
</integration>
</ossec_config>
<ossec_config>
<localfile>
<log_format>journald</log_format>
<location>journald</location>
</localfile>
<localfile>
<log_format>audit</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>
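Review bot: The `<api_key>` inside the virustotal `<integration>` block is a credential committed in clear text, and `<email_to>` under `<global>` carries a real address while the neighbouring `<email_from>`, `<local_ip>` and `<white_list>` entries use placeholders (`YOUR_EMAIL`, `WAZUH_SERVER_IP`, `WHITELISTED_IPs`); treat the key as exposed (revoke and reissue it) and replace both values with placeholders in the file's own style, e.g. `<api_key>YOUR_VIRUSTOTAL_API_KEY</api_key>`, so the secret is supplied outside the repository. The `<auth>` block also enrolls agents on port 1515 with `<use_password>no</use_password>`, `<ssl_verify_host>no</ssl_verify_host>` and the `ssl_agent_ca` line commented out, so any host that can reach that port can register an agent; if that is deliberate for this deployment a comment saying so would help, otherwise `<use_password>yes</use_password>` is the minimal hardening, consistent with the `allowed-ips` restriction already applied to the syslog `<remote>` block.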