Merge pull request #80 from wazuh/PR-68_API_configuration
API configuration
This commit is contained in:
AlfonsoRBJ
GitHub
commit
f1ae819bd0
@ -6,6 +6,22 @@ wazuh_manager_config:
|
|||||||
alerts_log: 'yes'
|
alerts_log: 'yes'
|
||||||
logall: 'no'
|
logall: 'no'
|
||||||
log_format: 'plain'
|
log_format: 'plain'
|
||||||
|
api:
|
||||||
|
bind_addr: '0.0.0.0'
|
||||||
|
port: 55000
|
||||||
|
https: 'no'
|
||||||
|
basic_auth: 'yes'
|
||||||
|
behind_proxy_server: 'no'
|
||||||
|
https_cert: '/var/ossec/etc/sslmanager.cert'
|
||||||
|
https_key: '/var/ossec/etc/sslmanager.key'
|
||||||
|
https_use_ca: 'no'
|
||||||
|
https_ca: ''
|
||||||
|
use_only_authd: 'false'
|
||||||
|
drop_privileges: 'true'
|
||||||
|
experimental_features: 'false'
|
||||||
|
secure_protocol: 'TLSv1_2_method'
|
||||||
|
honor_cipher_order: 'true'
|
||||||
|
ciphers: ''
|
||||||
cluster:
|
cluster:
|
||||||
disable: 'yes'
|
disable: 'yes'
|
||||||
name: 'wazuh'
|
name: 'wazuh'
|
||||||
|
|||||||
@ -121,6 +121,17 @@
|
|||||||
- init
|
- init
|
||||||
- config
|
- config
|
||||||
|
|
||||||
|
- name: Installing the config.js (api configuration)
|
||||||
|
template: src=var-ossec-api-configuration-config.js.j2
|
||||||
|
dest=/var/ossec/api/configuration/config.js
|
||||||
|
owner=root
|
||||||
|
group=ossec
|
||||||
|
mode=0740
|
||||||
|
notify: restart wazuh-api
|
||||||
|
tags:
|
||||||
|
- init
|
||||||
|
- config
|
||||||
|
|
||||||
- name: Retrieving Agentless Credentials
|
- name: Retrieving Agentless Credentials
|
||||||
include_vars: agentless_creeds.yml
|
include_vars: agentless_creeds.yml
|
||||||
tags:
|
tags:
|
||||||
|
|||||||
@ -0,0 +1,95 @@
|
|||||||
|
|
||||||
|
var config = {};
|
||||||
|
|
||||||
|
// Basic configuration
|
||||||
|
|
||||||
|
// Path
|
||||||
|
config.ossec_path = "/var/ossec";
|
||||||
|
// The host to bind the API to.
|
||||||
|
config.host = "{{ wazuh_manager_config.api.bind_addr }}";
|
||||||
|
// TCP Port used by the API.
|
||||||
|
config.port = "{{ wazuh_manager_config.api.port }}";
|
||||||
|
// Use HTTP protocol over TLS/SSL. Values: yes, no.
|
||||||
|
config.https = "{{ wazuh_manager_config.api.https }}";
|
||||||
|
// Use HTTP authentication. Values: yes, no.
|
||||||
|
config.basic_auth = "{{ wazuh_manager_config.api.basic_auth }}";
|
||||||
|
//In case the API run behind a proxy server, turn to "yes" this feature. Values: yes, no.
|
||||||
|
config.BehindProxyServer = "{{ wazuh_manager_config.api.behind_proxy_server }}";
|
||||||
|
|
||||||
|
// HTTPS Certificates
|
||||||
|
config.https_key = "{{ wazuh_manager_config.api.https_key }}"
|
||||||
|
config.https_cert = "{{ wazuh_manager_config.api.https_cert }}"
|
||||||
|
config.https_use_ca = "{{ wazuh_manager_config.api.https_use_ca }}"
|
||||||
|
config.https_ca = "{{ wazuh_manager_config.api.https_ca }}"
|
||||||
|
|
||||||
|
// Advanced configuration
|
||||||
|
|
||||||
|
// Values for API log: disabled, info, warning, error, debug (each level includes the previous level).
|
||||||
|
config.logs = "info";
|
||||||
|
// Cross-origin resource sharing. Values: yes, no.
|
||||||
|
config.cors = "yes";
|
||||||
|
// Cache (time in milliseconds)
|
||||||
|
config.cache_enabled = "yes";
|
||||||
|
config.cache_debug = "no";
|
||||||
|
config.cache_time = "750";
|
||||||
|
// Log path
|
||||||
|
config.log_path = config.ossec_path + "/logs/api.log";
|
||||||
|
// Python
|
||||||
|
config.python = [
|
||||||
|
// Default installation
|
||||||
|
{
|
||||||
|
bin: "python",
|
||||||
|
lib: ""
|
||||||
|
},
|
||||||
|
// Python 3
|
||||||
|
{
|
||||||
|
bin: "python3",
|
||||||
|
lib: ""
|
||||||
|
},
|
||||||
|
// Package 'python27' for CentOS 6
|
||||||
|
{
|
||||||
|
bin: "/opt/rh/python27/root/usr/bin/python",
|
||||||
|
lib: "/opt/rh/python27/root/usr/lib64"
|
||||||
|
}
|
||||||
|
];
|
||||||
|
// Shared library path
|
||||||
|
config.ld_library_path = config.ossec_path + "/framework/lib"
|
||||||
|
|
||||||
|
// Option to force the use of authd to remove and add agents
|
||||||
|
config.use_only_authd = {{ wazuh_manager_config.api.use_only_authd }};
|
||||||
|
|
||||||
|
// Option to drop privileges (run as ossec)
|
||||||
|
config.drop_privileges = {{ wazuh_manager_config.api.drop_privileges }};
|
||||||
|
|
||||||
|
// Activate features still under development
|
||||||
|
config.experimental_features = {{ wazuh_manager_config.api.experimental_features }};
|
||||||
|
|
||||||
|
/************************* SSL OPTIONS ****************************************/
|
||||||
|
// SSL protocol
|
||||||
|
|
||||||
|
// SSL protocol to use. All available secure protocols available at:
|
||||||
|
// https://www.openssl.org/docs/man1.0.2/ssl/ssl.html#DEALING-WITH-PROTOCOL-METHODS
|
||||||
|
config.secureProtocol = "{{ wazuh_manager_config.api.secure_protocol }}";
|
||||||
|
try {
|
||||||
|
// Disable the use of SSLv3, TLSv1.1 and TLSv1.0. All available secureOptions at:
|
||||||
|
// https://nodejs.org/api/crypto.html#crypto_openssl_options
|
||||||
|
const crypto = require('crypto');
|
||||||
|
config.secureOptions = crypto.constants.SSL_OP_NO_SSLv3 |
|
||||||
|
crypto.constants.SSL_OP_NO_TLSv1 |
|
||||||
|
crypto.constants.SSL_OP_NO_TLSv1_1;
|
||||||
|
} catch (err) {
|
||||||
|
console.log("Could not configure NodeJS to avoid unsecure SSL/TLS protocols: " + err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// SSL ciphersuit
|
||||||
|
|
||||||
|
// When choosing a cipher, use the server's preferences instead of the client
|
||||||
|
// preferences. When not set, the SSL server will always follow the clients
|
||||||
|
// preferences. More info at:
|
||||||
|
// https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
|
||||||
|
config.honorCipherOrder = {{ wazuh_manager_config.api.honor_cipher_order }};
|
||||||
|
// Modify default ciphersuit. More info:
|
||||||
|
// https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite
|
||||||
|
config.ciphers = "{{ wazuh_manager_config.api.ciphers }}";
|
||||||
|
|
||||||
|
module.exports = config;
|
||||||
Loading…
Reference in New Issue
Block a user