From 5c3b767f3479cea51b1ff4a39e946024a06765c4 Mon Sep 17 00:00:00 2001
From: root <carlos.dominguez@wazuh.com>
Date: Wed, 7 Nov 2018 11:34:02 +0000
Subject: [PATCH] API configuration

---
 .../ansible-wazuh-manager/defaults/main.yml   | 18 +++-
 .../ansible-wazuh-manager/tasks/main.yml      | 23 +++--
 .../var-ossec-api-configuration-config.js.j2  | 95 +++++++++++++++++++
 3 files changed, 127 insertions(+), 9 deletions(-)
 create mode 100644 roles/wazuh/ansible-wazuh-manager/templates/var-ossec-api-configuration-config.js.j2

diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index 67c83c0a..356a32aa 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -6,6 +6,22 @@ wazuh_manager_config:
   alerts_log: 'yes'
   logall: 'no'
   log_format: 'plain'
+  api:
+    bind_addr: '0.0.0.0'
+    port: 55000
+    https: 'no'
+    basic_auth: 'yes'
+    behind_proxy_server: 'no'
+    https_cert: '/var/ossec/etc/sslmanager.cert'
+    https_key: '/var/ossec/etc/sslmanager.key'
+    https_use_ca: 'no'
+    https_ca: ''
+    use_only_authd: 'false'
+    drop_privileges: 'true'
+    experimental_features: 'false'
+    secure_protocol: 'TLSv1_2_method'
+    honor_cipher_order: 'true'
+    ciphers: ''
   cluster:
     disable: 'yes'
     name: 'wazuh'
@@ -167,8 +183,6 @@ wazuh_manager_config:
       executable: 'route-null.cmd'
       expect: 'srcip'
       timeout_allowed: 'yes'
-  rule_exclude:
-    - '0215-policy_rules.xml'
   active_responses:
     - command: 'restart-ossec'
       location: 'local'
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
index 950dfe06..11480e91 100644
--- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
@@ -109,18 +109,27 @@
     - rules
 
 - name: Configure the shared-agent.conf
-  template:
-    src: var-ossec-etc-shared-agent.conf.j2
-    dest: /var/ossec/etc/shared/default/agent.conf
-    owner: ossec
-    group: ossec
-    mode: 0640
-    validate: '/var/ossec/bin/verify-agent-conf -f %s'
+  template: src=var-ossec-etc-shared-agent.conf.j2
+            dest=/var/ossec/etc/shared/default/agent.conf
+            owner=ossec
+            group=ossec
+            mode=0640
   notify: restart wazuh-manager
   tags:
     - init
     - config
 
+- name: Installing the config.js (api configuration)
+  template: src=var-ossec-api-configuration-config.js.j2
+            dest=/var/ossec/api/configuration/config.js
+            owner=root
+            group=ossec
+            mode=0740
+  notify: restart wazuh-api
+  tags:
+    - init
+    - config
+
 - name: Retrieving Agentless Credentials
   include_vars: agentless_creeds.yml
   tags:
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-api-configuration-config.js.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-api-configuration-config.js.j2
new file mode 100644
index 00000000..bc909dc7
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-api-configuration-config.js.j2
@@ -0,0 +1,95 @@
+
+var config = {};
+
+// Basic configuration
+
+// Path
+config.ossec_path = "/var/ossec";
+// The host to bind the API to.
+config.host = "{{ wazuh_manager_config.api.bind_addr }}";
+// TCP Port used by the API.
+config.port = "{{ wazuh_manager_config.api.port }}";
+// Use HTTP protocol over TLS/SSL. Values: yes, no.
+config.https = "{{ wazuh_manager_config.api.https }}";
+// Use HTTP authentication. Values: yes, no.
+config.basic_auth = "{{ wazuh_manager_config.api.basic_auth }}";
+//In case the API run behind a proxy server, turn to "yes" this feature. Values: yes, no.
+config.BehindProxyServer = "{{ wazuh_manager_config.api.behind_proxy_server }}";
+
+// HTTPS Certificates
+config.https_key = "{{ wazuh_manager_config.api.https_key }}"
+config.https_cert = "{{ wazuh_manager_config.api.https_cert }}"
+config.https_use_ca = "{{ wazuh_manager_config.api.https_use_ca }}"
+config.https_ca = "{{ wazuh_manager_config.api.https_ca }}"
+
+// Advanced configuration
+
+// Values for API log: disabled, info, warning, error, debug (each level includes the previous level).
+config.logs = "info";
+// Cross-origin resource sharing. Values: yes, no.
+config.cors = "yes";
+// Cache (time in milliseconds)
+config.cache_enabled = "yes";
+config.cache_debug = "no";
+config.cache_time = "750";
+// Log path
+config.log_path = config.ossec_path + "/logs/api.log";
+// Python
+config.python = [
+    // Default installation
+    {
+        bin: "python",
+        lib: ""
+    },
+    // Python 3
+    {
+        bin: "python3",
+        lib: ""
+    },
+    // Package 'python27' for CentOS 6
+    {
+        bin: "/opt/rh/python27/root/usr/bin/python",
+        lib: "/opt/rh/python27/root/usr/lib64"
+    }
+];
+// Shared library path
+config.ld_library_path = config.ossec_path + "/framework/lib"
+
+// Option to force the use of authd to remove and add agents
+config.use_only_authd = {{ wazuh_manager_config.api.use_only_authd }};
+
+// Option to drop privileges (run as ossec)
+config.drop_privileges = {{ wazuh_manager_config.api.drop_privileges }};
+
+// Activate features still under development
+config.experimental_features  = {{ wazuh_manager_config.api.experimental_features }};
+
+/************************* SSL OPTIONS ****************************************/
+// SSL protocol
+
+// SSL protocol to use. All available secure protocols available at:
+// https://www.openssl.org/docs/man1.0.2/ssl/ssl.html#DEALING-WITH-PROTOCOL-METHODS
+config.secureProtocol = "{{ wazuh_manager_config.api.secure_protocol }}";
+try {
+    // Disable the use of SSLv3, TLSv1.1 and TLSv1.0. All available secureOptions at: 
+    // https://nodejs.org/api/crypto.html#crypto_openssl_options
+    const crypto = require('crypto');
+    config.secureOptions = crypto.constants.SSL_OP_NO_SSLv3 |
+                           crypto.constants.SSL_OP_NO_TLSv1 | 
+                           crypto.constants.SSL_OP_NO_TLSv1_1;
+} catch (err) {
+    console.log("Could not configure NodeJS to avoid unsecure SSL/TLS protocols: " + err)
+}
+
+// SSL ciphersuit
+
+// When choosing a cipher, use the server's preferences instead of the client 
+// preferences. When not set, the SSL server will always follow the clients 
+// preferences. More info at: 
+// https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
+config.honorCipherOrder = {{ wazuh_manager_config.api.honor_cipher_order }};
+// Modify default ciphersuit. More info: 
+// https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite
+config.ciphers =  "{{ wazuh_manager_config.api.ciphers }}";
+
+module.exports = config;