######################################
Atomic OSSEC Configuration
######################################

Introduction
============

AO is configured to a secure set of defaults upon installation. Most users do not need to change these settings.

.. note:: Manual modification of the **/etc/awp/config** file is not supported. Please change these settings through the AO Web Console.

--------------------

Post Installation Configuration 
===============================
At this point you should have Atomic OSSEC on your system. If you do **NOT** have AO installed, please follow the `installation steps`_ before proceeding.

.. _installation steps: ../installingAO/index.html

**Accessing Configuration Settings via AO Web Console**

   Step 1: Log into the Atomic Web Console 
   
   Step 2: Click on Hub Configuration > Hub Configuration
   
   
From here you can change all of the Atomic configuration settings. They are grouped into classes, each of which is either documented below or linked to its own documentation page.

**Accessing Configuration Settings via Command Line**

   Configuration settings are stored in **/var/awp/etc/config**. After modifying the configuration file, please save it and run the following command:
   
      .. code-block:: console
       
         awp -s -f
		 
------------------

Authentication Information
==========================

   **USERNAME**

      * This is the username AO will use to download updates. This should be the same username you use to log into the License Manager.

   **PASSWORD**

      * This is the password AO will use to download updates. This should be the same password you use to log into the License Manager.
	  
   **UPDATEPATH**
   
      * Default path used to download rule and signature updates. 
	  
   **AOHOME**
   
      * Path to the AO directory, usually this is **/var/awp**.
	  
   **CONFIGURED**
   
      * Internal flag to force the system through configuration mode. 
	  
	 
   **HTTP_PROXY**
   
      * The HTTP proxy server AO should use: a server that acts as an intermediary between an HTTP client (such as a web browser) and an HTTP server.

   **HTTP_PROXY_PORT**
   
      * The network port number used for communication between the client and the proxy server.
	  
   **HTTP_PROXY_USERNAME**
   
      * Username used to authenticate with a private HTTP proxy server
	  
   **HTTP_PROXY_PASSWORD**
   
      * A password used to authenticate a client’s request to access a proxy server
   
------------------
	  
AWP Web Settings
================

   **AWP_AUTO_LOGOUT**
    
      * Time, in minutes, AO Web may be open and idle before the user will be logged out. Set -1 to disable auto logout.
	  
   **ALERTS_USE_DB**
   
      * Set to 'yes' to retrieve security event data from database, 'no' to retrieve from files. 
   
   **AWPWEB_CERTIFICATE**

      * Digital certificate that authenticates the identity of a website

   **AWP_IGNORE_LOCAL**

      * Ignores events from HUB

   **AWP_ENABLE_PUNCHLIST_UI**

      * Enables punchlist access in UI. Requires more data

   **AWPW_MAX_OUTBOUND**

      * Max outbound data

-----------------
	  
Data Retention Policies
=======================

   **RETENTION_USE_CONSOLIDATED**

      * 

   **RETENTION_CONSOLIDATED**

      * 

   **AWP_CLEAN_INDEXES**

      * 

   **AWP_CLEAN_STATS**

      * 

   **AWP_CLEAN_REPORTS**

      * 

   **DB_USE_ARCHIVE**

      * 

   **DB_ARCHIVE_PERIOD**

      * 

   **RETENTION_MAX_RBC_COUNT**

      * 

	  
-----------------

Data Paths
==========

   **PATH_EVENT_LOG**
   
      * Path to security event log. 
	  
   **PATH_DISABLED_SIG**
   
      * Path to the disabled signatures list.
	  
   **PATH_SEC_MODULE**
   
      * Path to security module status data. 
	  
   **PATH_SIG_UPDATE**
   
      * Path to signature updates status data. 
	  
   **PATH_VULNERABILITY**
   
      * Path to vulnerability status data. 
	  
   **PATH_VULNERABILITY_REPORT**
   
      * Path to vulnerability report data. 
	  
   **PATH_VULNERABILITY_TEMPLATES**
   
      * Path to vulnerability templates. 

   **PATH_VULNERABILITY_XML**

      *
	  
   **PATH_RSS**
   
      * URL to the Atomicorp Security Bulletins RSS feed. You shouldn't change this unless told to do so by Atomicorp support personnel.
	
   **IP_ACCESSLIST**

      * Path to file containing whitelisted IP addresses. 

   **PATH_DENYLIST**

      * Path to blacklist data. 

   **PATH_GEODENYLIST**

      * Path to Geo-blocking data. 
	  
   **PATH_TLD**

      * Path to TLD list. 
	  
   **PATH_SYSCHECK**

      * Path to system file check data. 
	  
   **PATH_WEBAPP_DB**   
   
      * Path to web app database. 
	  
------------

General
====================

   **HOSTNAME**
   
      * Hostname for the system. This is also set during installation.
	  
   **NOTIFY**
   
      * Determines if AO will notify by email or not. Set this to yes if you want AO to email you, and no if you do not.
	  
   **EMAIL**
   
      * The customer email address set by the user to send alerts to. This is also set by the user during installation.	  

   **ADMIN_USERS**

      * This defines special SSH users. This is not to be confused with users that can log into the AO web console, or any other "admin" user on the system.

      * This setting allows you to define special administrative users (other than root) that AO will check to make sure they can SSH into the system. If this is defined, AND the users exist, AND they have valid SSH keys, password authentication and root logins will be automatically disabled. This list is not used to restrict which users can SSH into the system; it is just a list of special users that should always be allowed to SSH in. AO uses this list to check these accounts and make sure they are working correctly, so that those users can still log into the system when SSH settings are changed via AO (for example, before disabling password authentication, AO checks this list of users to make sure they have SSH keys installed). This is an important fail-safe feature, and you should list all your administrative users (other than root) here to help ensure they will be able to log into the system.

      * Usernames are separated with spaces. Example:

         .. code-block:: console

            joe bob karen

      .. note:: Users are not defined by default. Additionally, this setting has **NOTHING** to do with AllowUsers in sshd.

      * If an admin user is not defined, AO will **NOT** allow SSH settings to be modified.

         .. note:: For example, if no admin users are defined, AO will not allow password authentication to be disabled, nor will it allow root logins to be disabled. **This is a critical safeguard to prevent users from accidentally locking themselves out of the system.**

      * If an admin user or users are defined, and password authentication is disabled, AO will also check to make sure the admin user or users have SSH keys installed in the correct place, and that their permissions are valid. If the keys are not installed, the permissions are wrong, or the keys are not in the right place, AO will not allow any SSH configuration changes to take place and will ensure the defaults are used. Again, this is a critical safeguard to prevent users from accidentally locking themselves out of the system. AO cannot test the keys themselves for validity as an authentication credential, as it only has access to the public key. Therefore, it is the user's responsibility to ensure the SSH key pair works correctly for the account.

         * Please see the `SSH KEYS`_ article for more information about using SSH keys.

      .. _SSH KEYS: ../misc/sshKeys.html

   **SYSTEM_TYPE**

      * Defines a basic service policy for the system. 

      * Setting the profile to anything other than 'custom' will configure AO to disable the following services:

         * portmap
         * nfs
         * nfslock
         * rpcidmapd
         * cups
         * gpm
         * xfs
         * pcscd
         * mcstrans
         * kdump
         * isdn
         * hplip
         * hidd
         * messagebus
         * haldaemon
         * bluetooth
         * avahi-daemon
         * autofs
         * apmd

      * Options associated with this configuration setting:

         * webserver: You should use this setting for all system types except for the three below.

         * cpanel: Setting this to cpanel will configure the system for cpanel.

         * directadmin: Setting this to directadmin will configure the system for directadmin.

         * custom: If this is set to custom, no service will be automatically disabled and no special configuration changes are made to the system to work with non-package-managed control panels. Do **NOT** use this setting with platforms like cpanel or directadmin. It will void support on your system.
		

   **AUTOMATIC_UPDATES**

      * Configures the update frequency for rules and signatures downloaded through the AO updater.

      .. note:: Updates can be run manually with awp -u
	  

   **UPDATE_TYPE**
   
      * Configures the behavior of the **AUTOMATIC_UPDATES** event. There are three options with this setting:

         * All: This will upgrade all AO software, rule and signature updates.
         * rules-only: This will exclude all software updates, including updates to AO itself. AO will not install any rpm package or kernel updates and will only install rule and signature updates.
		 
		 
   **RESTART_APACHE**
   
      * Sets the restart policy for actions involving the web server. Updates to mod_security, or mod_evasive policies will require a web server restart to go into effect. 
   
      * This setting has three options:
	  
         * Yes: Restart Apache when needed.

         * Graceful: Use the 'graceful' method which tries to wait for all clients to finish being served before restarting Apache. If Apache has a stuck thread or worker Graceful may not complete. 
		 
         * No: Do not restart Apache.
		 
            .. note:: If you set this to "No", updates that require Apache restarts will not be applied, such as new WAF rules. If you set this to "No" you will need to schedule regular restart intervals to install the latest rules. Only the latest rules are supported with the WAF.

   **RESTART_NGINX**

      * See the settings for Apache; the same options apply here.

   **KERNEL_CHANNEL**

      * Disabled option.
			
   **AWP_USER**
   
      * Sets the user to run AO web activity under. This can be either "tortix" for use with AO-Web, or "psaadm" for use with the Plesk AO module. Note: this setting has been deprecated.
	
	
   **FEED_TYPE**
   
      * This setting allows you to toggle between different WAF feeds. Currently this is only used by AO Lite, and supports the following options: [Default: real-time]
	  
         * real-time
		 
         * 90-day delayed feeds   
   
   
   **FEED_SOURCE**

      * This setting allows you to toggle between different WAF feeds. [ Default: subscription ]
	
	
   **ALLOW_NFS**
   
      * This will disable the service checks that would normally disable NFS services when SYSTEM_TYPE is set to "webserver", "cpanel" or "directadmin".
	  
      .. note:: This does not enable or configure NFS service, please consult your vendor for support with configuring NFS.
	  
      .. note:: You will need to reboot your system if you have locked the kernel to prevent kernel modules from loading. 
	  

   **DOWNLOADER**
   
      * Set the downloader backend. Internal or Curl. [Default: curl]
	  
	  
   **REPUTATION_REPORT**
  
      * Allow sending of statistical information on local events and event sources to Atomicorp.
	  

   **REPUTATION_FREQUENCY**
   
      * How often reputation reports will be sent.
	  
	  
   **PURGE_LOGS**
   
      * Maximum days to retain logs. **NOTE** Once logs are removed, there is no way to retrieve them so use with caution.

   **AIR_GAPPED**

      *

   **AUM_TIMEOUT_CONNECT**

      *

   **AUM_TIMEOUT_TRANSFER**

      *

   **REPO_MANAGEMENT_POLICY**

      *
	  
--------------

AO Firewall Settings
=====================

Please see the `AO Firewall`_ page for more information about configuring the AO firewall.

.. _AO Firewall: ../aedFirewall/index.html 

---------------


ClamAV Settings
====================

   Please see the `Anti asl`_ wiki page for more information about configuring ClamAV. 

   .. _Anti asl: ../clamAV/index.html

---------------


OSSEC Settings
===================

   .. toctree::
      :maxdepth: 1
	  
      ../ossec/notificationSettings
      ../ossec/databaseSettings
      ../ossec/generalSettings
      ../ossec/internalSettings
	  

------------------

Mod Security Settings
==========================

Please see the `Atomic WAF`_ page for documentation on these settings.

.. _Atomic WAF: ../awpFirewall/index

------------------

PHP Settings
=================

These settings do not import existing settings. If you have already configured PHP, or are using another tool to do so, those changes will not be displayed by AO. This option exists for AO to manage these functions and settings.

   .. note:: If you want AO to manage these settings, do not change them manually in php.ini, and do not use a third-party tool to manage them. Additionally, when PHP functions are disabled and an application tries to use them, Apache will ONLY log that in the domain's error_log file. It will not log this in the global error_log. Please check the domain's error_log file if your application is not working properly.



   **PHP_CHECKS**

      * Enable/Disable PHP check enforcement mode. [Default: No]

      * If this is set to "no", Atomic OSSEC will not be configured to manage any PHP settings, and the rest of the PHP settings will have no effect. To enable or disable PHP functions, this must be set to "yes".

      .. note:: Setting this to "no" will still test for vulnerabilities, but will neither fix them, nor make any changes to your PHP configuration. 


   **PHP_SAFE_MODE**

      * Enable/Disable PHP Safe_Mode

      .. note:: PHP 5.3 and later has deprecated this feature. 


   **PHP_REGISTER_GLOBALS**

      * Enable/Disable register_globals. 


   **PHP_URL_FOPEN**

      * Enable/Disable url_fopen. Please see this `page`_ for information on this function and a serious vulnerability that can be created by allowing this function in PHP. 

      .. _page: ../php/fopen.html


   **PHP_URL_INCLUDE**

      * Enable/Disable URL includes


   **PHP_EXPOSE_PHP**

      * Enable/Disable expose_php [Default: no]


   **PHP_DISPLAY_ERRORS**

      * Enable/Disable display_errors [Default: no]


   **PHP_MAIL_XHEADER**

      * Enable/Disable X-PHP-Originating-Script that will include UID of the script followed by the filename. [Default: yes]


   **ALLOW_curl_exec**

      * Enable/Disable the curl_exec() function


   **ALLOW_curl_multi_exec**

      * Enable/Disable the curl_multi_exec() function


   **ALLOW_dl**

      * Enable/Disable the dl() function


   **ALLOW_escapeshellcmd**

      * Enable/Disable the escapeshellcmd() function


   **ALLOW_exec**

      * Enable/Disable the exec() function 


   **ALLOW_ftp_exec**

      * Enable/Disable the ftp_exec() function
	  
	  
   **ALLOW_fsockopen**
   
      * Enable/Disable the fsockopen() function
	  
	  
   **ALLOW_leak**
   
      * Enable/Disable the leak() function
	  

   **ALLOW_passthru**
   
      * Enable/Disable the passthru() function 
	  
	  
   **ALLOW_pcntl_exec**
   
      * Enable/Disable the pcntl_exec() function 
	  
	  
   **ALLOW_pfsockopen**
   
      * Enable/Disable the pfsockopen() function 
	  
	  
   **ALLOW_phpinfo**
   
      * Enable/Disable the phpinfo() function 
	  
	  
   **ALLOW_popen**
   
      * Enable/Disable the popen() function 
	  
   
   **ALLOW_posix_mkfifo**

      * Enable/Disable the posix_mkfifo() function.


   **ALLOW_posix_kill**

      * Enable/Disable the posix_kill() function


   **ALLOW_posix_setpgid**

      * Enable/Disable the posix_setpgid() function


   **ALLOW_posix_setsid**

      * Enable/Disable the posix_setsid() function


   **ALLOW_posix_setuid**

      * Enable/Disable the posix_setuid() function


   **ALLOW_proc_close**

      * Enable/Disable the proc_close() function 


   **ALLOW_proc_get_status**

      * Enable/Disable the proc_get_status() function


   **ALLOW_proc_nice**

      * Enable/Disable the proc_nice() function


   **ALLOW_proc_open**

      * Enable/Disable the proc_open() function 


   **ALLOW_proc_terminate**

      * Enable/Disable the proc_terminate() function 


   **ALLOW_shell_exec**

      * Enable/Disable the shell_exec() function 


   **ALLOW_show_source**
   
      * Enable/Disable the show_source() function 
	  
	  
   **ALLOW_system**
   
      * Enable/Disable the system() function 
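How the PHP_CHECKS gate and the ALLOW_* switches above translate into php.ini, and how to spot the drift the note at the top of this section warns about, as an added Python example that is not AO's code. The mapping it uses (ALLOW_<fn>=no adds <fn> to disable_functions; each PHP_* setting maps to the php.ini directive named in DIRECTIVE_MAP) is this example's own assumption, and both the config excerpt and the php.ini excerpt are constructed.

```python
# Added example (not AO's code): map AO PHP_* / ALLOW_* settings to php.ini
# directives and report where a php.ini has drifted from them.
import re

# ASSUMED mapping from AO yes/no settings to php.ini directives.
DIRECTIVE_MAP = {
    "PHP_SAFE_MODE": "safe_mode",
    "PHP_REGISTER_GLOBALS": "register_globals",
    "PHP_URL_FOPEN": "allow_url_fopen",
    "PHP_URL_INCLUDE": "allow_url_include",
    "PHP_EXPOSE_PHP": "expose_php",
    "PHP_DISPLAY_ERRORS": "display_errors",
    "PHP_MAIL_XHEADER": "mail.add_x_header",
}

# Constructed excerpt in the KEY=value style of /var/awp/etc/config.
SAMPLE_CONFIG = """\
PHP_CHECKS=yes
PHP_EXPOSE_PHP=no
PHP_DISPLAY_ERRORS=no
PHP_URL_FOPEN=no
ALLOW_exec=no
ALLOW_shell_exec=no
ALLOW_system=no
ALLOW_phpinfo=yes      # allowed, so it must not appear in disable_functions
"""

# Constructed php.ini excerpt, as if someone edited it by hand after AO wrote it.
SAMPLE_INI = """\
expose_php = Off
display_errors = On          ; drift: AO wants Off
allow_url_fopen = Off
disable_functions = exec,system   ; drift: shell_exec was re-enabled
"""


def parse_ao_config(text):
    """Parse KEY=value lines; '#' starts a comment, surrounding quotes are dropped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def php_directives(settings):
    """Return the php.ini directives implied by the settings.

    Mirrors the PHP_CHECKS gate: anything other than "yes" means AO manages
    nothing, so no directives are produced at all."""
    if settings.get("PHP_CHECKS", "no").lower() != "yes":
        return {}
    out = {}
    for key, directive in DIRECTIVE_MAP.items():
        if key in settings:
            out[directive] = "On" if settings[key].lower() == "yes" else "Off"
    disabled = sorted(k[len("ALLOW_"):] for k, v in settings.items()
                      if k.startswith("ALLOW_") and v.lower() == "no")
    out["disable_functions"] = ",".join(disabled)
    return out


def php_ini_drift(ini_text, expected):
    """Compare a php.ini against the expected directives.

    Returns {directive: (value found or None, value expected)} for each
    mismatch; disable_functions is compared as a set so ordering is ignored."""
    actual = {}
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line)
        if m:
            actual[m.group(1)] = m.group(2).strip().strip('"')
    drift = {}
    for directive, want in expected.items():
        got = actual.get(directive)
        if directive == "disable_functions":
            got_set = {f.strip() for f in (got or "").split(",") if f.strip()}
            want_set = {f for f in want.split(",") if f}
            if got_set != want_set:
                drift[directive] = (got, want)
        elif got is None or got.lower() != want.lower():
            drift[directive] = (got, want)
    return drift


if __name__ == "__main__":
    wanted = php_directives(parse_ao_config(SAMPLE_CONFIG))
    for directive, (got, want) in sorted(php_ini_drift(SAMPLE_INI, wanted).items()):
        print(f"{directive}: php.ini has {got!r}, AO expects {want!r}")
```

Run against a real php.ini, a non-empty drift map is exactly the situation the note describes: settings changed outside AO that AO will not display and will overwrite the next time it enforces them.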
	  
	  
---------------

SSH Daemon Settings
========================

Please see the `SSH debugging`_ page in case you can't log into your AO server via SSH.

.. _SSH debugging: ../misc/sshDebug.html

   .. note:: This does not import existing settings from SSH. The purpose of these settings is to enforce the sshd configuration defined here. Therefore, if you change sshd settings and they do not match what is set in AO, AO will set them back to the settings defined in AO. The use of third-party products to change these settings is not supported.

   **SSH_PROTOCOL**
   
      .. note:: Do not change this setting unless you know what you are doing. 
	  
      * SSH supports several legacy protocols (1 and 1.5) along with the current SSH protocol, 2. Protocols 1 and 1.5 have fundamental weaknesses that can allow SSH sessions using them to be compromised, so we recommend you leave the protocol setting at "2".
	  
	  
   **CUSTOM_SSH_PORT**
   
      * Use a custom ssh port. [Default: no]
	  
	  
   **SSH_PORT**
   
      * This will tell SSH to change its default port of 22 to a different port. If you set this to "no", SSH will use the default port of 22. For example, if you wanted to change SSH's port to "2222" you would enter "2222" in this field. [Default: no]

      .. note:: This does not import existing settings. If you already have a custom port set, that port number will not show up here. This option exists for AO to manage this function; if you do not change this option to a port number, AO will not make any changes to this option in sshd.
	  

   **SSH_STRICTMODE**
   
      * This tells SSH to check the ownership and permissions on SSH public key files. This prevents a user from accidentally setting the permissions on the file so that other users can add their keys to that user's key file. We highly recommend you enable strict modes. [Default: yes]
	  
	  
   **SSH_IGNORE_RHOSTS**
   
      * This tells SSH to ignore rhosts files. rhosts files tell SSH to trust another host completely, which means a user logging in from that host will not be asked for a password. Allowing rhosts files is very insecure, and we recommend you leave this enabled. [Default: yes]
	  
	  
   **SSH_PUBKEY**
   
      * This setting tells SSH to allow the use of public keys, instead of passwords, for authentication. Public keys are more secure than passwords, provided that the key itself is protected with a strong passphrase. Keys can provide a cheap two-factor authentication system (what you have, and what you know). [Default: yes]
	  
	  
   **SSH_ROOTLOGINS**
   
      * This setting tells SSH to allow root logins. If you set this to yes, root will be allowed to ssh in, if you set this to no, root will not be allowed to ssh in. We recommend you set this to "no". [Default: yes]
	  
	  
   **SSH_PASSWORD_AUTH**
   
      * This enables/disables password authentication via SSH. For this to work, you must define at least one ADMIN_USER. [Default: yes]
	  
      * Options that can be set on this setting:
	  
         * yes - Allows password authentication
		 
         * no - Does not allow password authentication, but AO will check to make sure at least one valid ADMIN_USER exists with keys installed. If one does not, AO will NOT disable password authentication, and will try to prevent other applications from doing so. This is an important fail safe to prevent accidental lockout from your system.
		 
         * override - Does not allow password authentication, but will NOT check to make sure at least one valid ADMIN_USER exists with keys installed. Warning: this will lock you out of your system if you do not have valid key-based authentication configured, and AO will not check to ensure your keys are valid (not recommended; define ADMIN_USERS instead).
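The lockout safeguard described under ADMIN_USERS and in the SSH_PASSWORD_AUTH options above, as an added Python example; it is not AO's code, and the page does not publish the checks AO actually performs. It assumes one home directory per admin user containing .ssh/authorized_keys, applies OpenSSH StrictModes-style permission rules (no group or world write on the home directory, .ssh, or authorized_keys), and takes the stricter reading that every listed admin user must pass before password authentication may be disabled. make_demo_homes() constructs a throwaway directory layout so the check runs offline.

```python
# Added example (not AO's code): the ADMIN_USERS lockout safeguard that gates
# SSH_PASSWORD_AUTH, modelled on the behaviour described on this page.
import os
import stat
import tempfile


def _group_or_world_writable(path):
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_admin_user(user, homes):
    """Return the problems found for one admin user (an empty list means OK).

    `homes` maps username -> home directory; a user missing from it is treated
    as not existing. The permission rules follow OpenSSH StrictModes (assumed):
    home, ~/.ssh and authorized_keys must not be group/world writable."""
    home = homes.get(user)
    if home is None or not os.path.isdir(home):
        return [f"{user}: account or home directory does not exist"]
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.isfile(keys):
        return [f"{user}: {keys} is missing"]
    problems = [f"{user}: {p} is group/world writable"
                for p in (home, ssh_dir, keys) if _group_or_world_writable(p)]
    with open(keys) as fh:
        if not any(line.strip() and not line.lstrip().startswith("#") for line in fh):
            problems.append(f"{user}: authorized_keys contains no keys")
    return problems


def decide_password_auth(setting, admin_users, homes):
    """Decide what PasswordAuthentication value may be written to sshd_config.

    setting is the SSH_PASSWORD_AUTH value: "yes", "no" or "override".
    Returns (change_allowed, sshd_value, problems). When the safeguard refuses,
    sshd_value stays "yes" so nobody is locked out."""
    setting = setting.lower()
    if setting == "yes":
        return True, "yes", []
    if setting == "override":
        return True, "no", []          # nothing is verified, as the page warns
    if setting != "no":
        raise ValueError(f"unknown SSH_PASSWORD_AUTH value: {setting!r}")
    if not admin_users:
        return False, "yes", ["no ADMIN_USERS defined; refusing to disable password auth"]
    problems = []
    for user in admin_users:
        problems.extend(check_admin_user(user, homes))
    if problems:                       # stricter reading: every listed user must pass
        return False, "yes", problems
    return True, "no", []


def make_demo_homes():
    """Construct a throwaway layout: alice is set up correctly, bob's key file is world-writable."""
    root = tempfile.mkdtemp(prefix="ao-adminusers-demo-")
    homes = {}
    for user, keys_mode in (("alice", 0o600), ("bob", 0o666)):
        home = os.path.join(root, user)
        ssh_dir = os.path.join(home, ".ssh")
        os.makedirs(ssh_dir)
        os.chmod(home, 0o700)
        os.chmod(ssh_dir, 0o700)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as fh:    # placeholder key material, not a real key
            fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDER demo\n")
        os.chmod(keys, keys_mode)
        homes[user] = home
    return homes


if __name__ == "__main__":
    demo = make_demo_homes()
    for users in (["alice"], ["alice", "bob"], ["carol"], []):
        print(users, decide_password_auth("no", users, demo))
```

The point of the shape of the return value is that a refusal never silently succeeds: the caller gets "yes" for sshd plus the list of reasons, which is what an administrator needs to fix before trying again.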
		 
		 
   **SSH_PRIV_SEPARATION**
   
      * This ensures that SSH runs with privilege separation. [Default: yes]
	  
	  
   **SSH_GSSAPI_AUTH**
   
      * Specifies whether user authentication based on GSSAPI is allowed. [Default: no]
	  
	  
   **SSH_GSSAPI_CLEANUP**
   
      * Specifies whether to automatically destroy the user’s credentials cache on logout. [Default: yes]
	  
	  
   **SSH_BANNER**
   
      * AO can configure SSH to display a banner to users when they log in. This tells SSH what file to use for the banner. AO comes with a standard banner you can use that is provided in the /etc/awp/banner file. [Default: /etc/awp/banner]
	  

   **SSH_USEDNS**
   
      * Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. [Default: yes]
	  
	  
   **SSH_ALLOWAGENTFORWARDING**
   
      * This setting configures SSH to allow X11 forwarding. This will allow the server to communicate with an X11 desktop, which will allow the server to open windows, control the keyboard and otherwise operate on the user's desktop as if it were the user's machine. [Default: no]

      * This can present a security risk if the server is not completely trusted, as malicious processes can control the user's desktop.
	  
	  
   **SSH_ALLOWTCPFORWARDING**
   
      * This setting configures SSH to allow port forwarding from a client. This will allow a client to "tunnel" to a port on the server over an SSH connection. [Default: no]
	  
      * This can present a security risk as this allows users to bypass any firewall policies that would otherwise prevent them from connecting to ports that are blocked.


---------------

Denial of Service Settings
==========================

   **MODEV_ENABLED**

      * Enable/Disable mod_evasive (DoS protection)

      .. note:: Also see the `Mod Evasive`_ page for important documentation about configuring the DOS protection system for Apache. 

      .. _Mod Evasive: https://www.google.com/forums/viewtopic


   **MODEV_DOSHashTableSize**

      * The hash table size defines the number of top-level nodes for each child's hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space.


   **MODEV_DOSPageCount**

      * Threshold for the number of requests for the same page (or URI) per page interval.


   **MODEV_DOSSiteCount**

      * Threshold for the total number of requests for any object by the same client on the same listener per site interval.
	  
	  
   **MODEV_DOSPageInterval**
   
      * Interval for the page count threshold. [Default: 2]
	  
	  
   **MODEV_DOSSiteInterval**
   
      * Interval for the site count threshold. [Default: 2]
	  
	  
   **MODEV_DOSBlockingPeriod**
   
      * Number of seconds to block a client IP. Clients will be returned a 403 error.
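How the MODEV_DOS* thresholds above interact, as an added Python model that is not mod_evasive's source code. It replays constructed access records through the page-count, site-count, interval and blocking-period logic; the PageCount, SiteCount and BlockingPeriod values are assumed (the page gives defaults only for the two intervals), and counters here simply restart when their interval expires rather than reproducing mod_evasive's exact hash-table bookkeeping.

```python
# Added example (not mod_evasive's code): a small model of the counters behind
# the MODEV_DOS* settings, replayed over constructed access records.
from dataclasses import dataclass, field


@dataclass
class EvasiveConfig:
    page_count: int = 2            # MODEV_DOSPageCount (value assumed)
    site_count: int = 50           # MODEV_DOSSiteCount (value assumed)
    page_interval: float = 2.0     # MODEV_DOSPageInterval, seconds (page default: 2)
    site_interval: float = 2.0     # MODEV_DOSSiteInterval, seconds (page default: 2)
    blocking_period: float = 10.0  # MODEV_DOSBlockingPeriod, seconds (value assumed)


@dataclass
class EvasiveState:
    page_hits: dict = field(default_factory=dict)      # (ip, uri) -> [count, window_start]
    site_hits: dict = field(default_factory=dict)      # ip -> [count, window_start]
    blocked_until: dict = field(default_factory=dict)  # ip -> time the block expires


def _bump(table, key, now, interval):
    """Count a hit; the counter restarts once its interval has elapsed (simplification)."""
    entry = table.get(key)
    if entry is None or now - entry[1] > interval:
        table[key] = [1, now]
        return 1
    entry[0] += 1
    return entry[0]


def handle_request(state, cfg, now, ip, uri):
    """Return the status the client would get: 200, or 403 while it is blocked."""
    expiry = state.blocked_until.get(ip)
    if expiry is not None:
        if now < expiry:
            # Requests during the block push the expiry out again, as
            # mod_evasive's own documentation describes for DOSBlockingPeriod.
            state.blocked_until[ip] = now + cfg.blocking_period
            return 403
        del state.blocked_until[ip]
    page = _bump(state.page_hits, (ip, uri), now, cfg.page_interval)
    site = _bump(state.site_hits, ip, now, cfg.site_interval)
    if page > cfg.page_count or site > cfg.site_count:
        state.blocked_until[ip] = now + cfg.blocking_period
        return 403
    return 200


# Constructed access records: (seconds since start, client IP, URI).
SAMPLE_REQUESTS = [
    (0.0, "198.51.100.7", "/index.html"),
    (0.5, "198.51.100.7", "/index.html"),
    (1.0, "198.51.100.7", "/index.html"),   # third hit on one page within 2 s: exceeds page_count
    (1.5, "198.51.100.7", "/about.html"),   # still inside the blocking period
    (1.5, "203.0.113.9", "/index.html"),    # a different client is unaffected
    (30.0, "198.51.100.7", "/index.html"),  # block expired, counters restarted
]


def replay(requests, cfg=None):
    """Run records through the model; returns [(time, ip, status), ...]."""
    cfg = cfg or EvasiveConfig()
    state = EvasiveState()
    return [(t, ip, handle_request(state, cfg, t, ip, uri)) for t, ip, uri in requests]


if __name__ == "__main__":
    for t, ip, status in replay(SAMPLE_REQUESTS):
        print(f"{t:5.1f}s {ip:<14} {status}")
```

Changing page_count or the intervals in EvasiveConfig and replaying the same records is a quick way to see how aggressive a given MODEV_DOS* combination is before applying it to a production web server, where a too-low PageCount will also catch legitimate clients that fetch a page and its assets in quick succession.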
	  
	  
   **APPINV_CRON**
   
      * Interval to run the web application inventory engine. [Default: daily]
	  
	  
----------------

MySQL Security Settings
=======================

   **MYSQL_CHECKS**
   
      * Enable/Disable enforcement mode for Mysql security settings. Setting this to no will implement check-only mode. [Default: yes]
	  
	  
   **MYSQL_DISABLE_LOAD_DATA**
   
      * Enable/Disable mysql local-infile [Default: yes]
	  
	  
   **MYSQL_ENABLE_LOG_ERRORS**
   
      * Enable/Disable mysql /var/log/mysqld.log error log [Default: yes]
	  
	  
   **MYSQL_ENABLE_LOG_WARNINGS**
   
      * Enable/Disable mysql log warnings [Default: yes]
	  
	  
   **MYSQL_DISABLE_SYMBOLIC_LINKS**
   
      * Enable/Disable mysql symbolic links [Default: yes]
	  
	  
   **MYSQL_QUERY_CACHE**
   
      * Mysql query cache settings [Default: 32m]
	  
      .. note:: This must be in multiples of 32. For example, 64, 128, etc.
	  
	  
------------

Plesk Security Settings
=======================
	  
   **PSA_DISABLE_CRONTAB**
   
      * This setting will disable the ability to manage cron jobs in Plesk. [Default: no]

   **PSA_PHP_DOMAIN_POLICY**

      * 

cPanel Settings
=======================

   **CPANEL_DISABLE_POSTEASYAPACHE**

      * 

Web App inventory
========================

   **APPINV_CRON**

      * 

CGroups
=====================

   **CGROUPS_ENABLE**

      * 

Clustering
===============

   **OSSEC_CLUSTER**

      * 

   **CLUSTER_NAME**

      * 

   **CLUSTER_NODE_NAME**

      * 

   **CLUSTER_TYPE** 

      * 

   **CLUSTER_KEY**

      * 

   **CLUSTER_PORT**

      * 

   **CLUSTER_BIND_ADDRESS**

      * 

   **CLUSTER_MASTER_ADDRESS**

      * 

   **CLUSTER_HIDDEN**

      * 

SSO and 2FA settings
===========================

   **OPENID_CONNECT_INTEGRATION**

      * 

   **SSO_AUTH_ONLY_MODE**

      * 

Rsyslog settings
=============================

   **MODLOAD_IMKLOG**

      * 

WebAuthn settings
========================

   **WEBAUTHN_ENABLE**

      * 

RunSafe Security Settings
==========================

   **RUNSAFE_SECURITY_ENABLED**

      * 

   **RUNSAFE_SECURITY_API_KEY**

      * 
   