Contents
- 1 Modify the following files
- 2 Add swap file and a second disk for /usr
- 3 Enable unbound (local caching DNS resolver)
- 4 Fetch and extract the ports tree
- 5 Install portmaster and rpl utilities
- 6 Adjust sshd
- 7 Adjust syslog
- 8 Enable NTP
- 9 Install postfix
- 10 Update FreeBSD
- 11 Fetch and extract the src tree
- 12 Install the following ports
- 13 Install NGINX
- 14 Install SNORT IDS
- 15 Install OSSEC
- 16 Enable pf
- 17 Optionally install Wazuh agent (if you have a Wazuh manager)
In AWS VPC, create an Internet Gateway (igw-xxx) and attach it to your VPC.
In AWS VPC, create 2 subnets INTERNET (10.20.0.0/24) and DMZ (10.20.1.0/24).
Configure the route table for the INTERNET subnet like this :
Destination | Target |
---|---|
10.20.0.0/16 | local |
0.0.0.0/0 | igw-xxx |
In AWS EC2, launch the FreeBSD 10.3 firewall instance.
Attach 2 interfaces eth0 and eth1 to the firewall instance.
Subnet | Interface | Address |
---|---|---|
INTERNET | eth0 | 10.20.0.11 |
DMZ | eth1 | 10.20.1.10 |
Configure the route table for the DMZ subnet like this :
Destination | Target |
---|---|
10.20.0.0/16 | local |
0.0.0.0/0 | eth1 / instance |
Allocate a new Elastic IP address and associate it to the eth0 interface.
The firewall instance will use 10.20.0.1 for its default gateway.
You should be able to login to the firewall instance using your ssh key.
ssh -i key.pem ec2-user@elastic-ip-address
Configure the other instances behind the firewall with one interface attached to the DMZ subnet and use 10.20.1.1 for the default gateway.
Modify the following files
vi /etc/rc.conf ------------------------------ cut here ------------------------------ ec2_configinit_enable=YES ec2_fetchkey_enable=YES ec2_ephemeralswap_enable=YES ec2_loghostkey_enable=YES firstboot_freebsd_update_enable=YES firstboot_pkgs_enable=YES growfs_enable="YES" ifconfig_DEFAULT="SYNCDHCP" sshd_enable="YES" firstboot_pkgs_list="awscli" gateway_enable="YES" ------------------------------ cut here ------------------------------ vi /etc/dhclient.conf ------------------------------ cut here ------------------------------ supersede host-name "firewall-host.domain"; supersede domain-name "domain"; supersede domain-name-servers 127.0.0.1; ------------------------------ cut here ------------------------------ vi /etc/hosts ------------------------------ cut here ------------------------------ ::1 localhost localhost.domain 127.0.0.1 localhost localhost.domain 10.20.0.11 firewall-host firewall-host.domain 10.20.1.10 firewall-host-dmz firewall-host-dmz.domain 10.20.1.11 php-host-dmz php-host-dmz.domain ------------------------------ cut here ------------------------------ vi /etc/nsswitch.conf ------------------------------ cut here ------------------------------ group: files passwd: files services: files ------------------------------ cut here ------------------------------
Add swap file and a second disk for /usr
dd if=/dev/zero of=/boot/swap1 bs=1m count=1024 chmod 0600 /boot/swap1
In EC2, create a new EBS Volume (10G) and attach it to the firewall instance (/dev/sdf).
sysctl kern.disks ------------------------------ cut here ------------------------------ kern.disks: xbd5 ada0 ------------------------------ cut here ------------------------------ gpart create -s GPT xbd5 gpart add -t freebsd-ufs -a 1M xbd5 gpart show ------------------------------ cut here ------------------------------ => 3 20971515 ada0 GPT (10G) 3 32 1 freebsd-boot (16K) 35 20971483 2 freebsd-ufs (10G) => 34 20971453 xbd5 GPT (10G) 34 2014 - free - (1.0M) 2048 20967424 1 freebsd-ufs (10G) 20969472 2015 - free - (1.0M) ------------------------------ cut here ------------------------------ newfs -U /dev/xbd5p1 mkdir /newdisk mount /newdisk cd /usr tar cf - . | ( cd /newdisk/.; tar xpf - ) mkdir /newhome cd /home tar cf - . | ( cd /newhome/.; tar xpf - ) mv /home /home- mv /newhome /home mv /usr /usr- mkdir /usr vi /etc/fstab ------------------------------ cut here ------------------------------ /dev/gpt/rootfs / ufs rw 1 1 /dev/xbd5p1 /usr ufs rw 2 2 md99 none swap sw,file=/boot/swap1,late 0 0 ------------------------------ cut here ------------------------------ swapon -aL swapinfo -k reboot /bin/rm -f /home- chflags -R noschg /usr- /bin/rm -rf /usr-
Enable unbound (local caching DNS resolver)
vi /etc/rc.conf.d/local_unbound ------------------------------ cut here ------------------------------ local_unbound_enable="YES" local_unbound_forwarders="8.8.8.8" ------------------------------ cut here ------------------------------ vi /etc/resolvconf.conf ------------------------------ cut here ------------------------------ resolv_conf="/dev/null" resolvconf="NO" ------------------------------ cut here ------------------------------
Fetch and extract the ports tree
portsnap fetch portsnap extract portsnap fetch update
Install portmaster and rpl utilities
cd /usr/ports/ports-mgmt/portmaster make clean all install make clean portmaster -d misc/rpl
Adjust sshd
vi /etc/ssh/sshd_config ------------------------------ cut here ------------------------------ ClientAliveInterval 900 IgnoreRhosts yes LoginGraceTime 30 MaxAuthTries 3 PermitEmptyPasswords no PermitRootLogin no PubkeyAuthentication yes ------------------------------ cut here ------------------------------ sh /etc/rc.d/sshd restart
Adjust syslog
vi /etc/syslog.conf ------------------------------ cut here ------------------------------ *.* /var/log/all.log ------------------------------ cut here ------------------------------ touch /var/log/all.log chmod 0640 /var/log/all.log chown root:wheel /var/log/all.log sh /etc/rc.d/syslogd restart vi /etc/newsyslog.conf -------------------------- cut here -------------------------- /var/log/all.log 600 12 * $M1D0 J -------------------------- cut here --------------------------
Enable NTP
ntpdate 0.freebsd.pool.ntp.org vi /etc/ntp.conf ------------------------------ cut here ------------------------------ server 0.pool.ntp.org iburst maxpoll 9 server 1.pool.ntp.org iburst maxpoll 9 server 2.pool.ntp.org iburst maxpoll 9 restrict default limited kod nomodify notrap nopeer noquery restrict -6 default limited kod nomodify notrap nopeer noquery restrict 127.0.0.1 restrict -6 ::1 restrict 127.127.1.0 ------------------------------ cut here ------------------------------ vi /etc/rc.conf.d/ntpd ------------------------------ cut here ------------------------------ ntpd_enable="YES" ntpd_program="/usr/sbin/ntpd" ntpd_config="/etc/ntp.conf" ntpd_sync_on_start="YES" ntpd_flags="-p /var/run/ntpd.pid" ------------------------------ cut here ------------------------------ sh /etc/rc.d/ntpd start
Install postfix
portmaster -d mail/postfix vi /etc/periodic.conf ------------------------------ cut here ------------------------------ daily_clean_hoststat_enable="NO" daily_status_mail_rejects_enable="NO" daily_status_include_submit_mailq="NO" daily_submit_queuerun="NO" ------------------------------ cut here ------------------------------ sh /etc/rc.d/sendmail stop vi /etc/rc.conf.d/sendmail ------------------------------ cut here ------------------------------ sendmail_enable="NONE" ------------------------------ cut here ------------------------------ vi /etc/rc.conf.d/postfix ------------------------------ cut here ------------------------------ postfix_enable="YES" ------------------------------ cut here ------------------------------ sh /usr/local/etc/rc.d/postfix start
Update FreeBSD
freebsd-update fetch freebsd-update fetch install
Fetch and extract the src tree
portmaster -d devel/subversion portmaster -d security/ca_root_nss svn co https://svn0.us-west.FreeBSD.org/base/releng/10.3 /usr/src svn up /usr/src cd /usr/src make clean make update SVN_UPDATE=yes vi /etc/make.conf ------------------------------ cut here ------------------------------ WITHOUT_X11=yes WITHOUT_ATM=yes WITHOUT_I4B=yes WITHOUT_IPX=yes WITHOUT_NIS=yes DEFAULT_VERSIONS+=ssl=openssl ------------------------------ cut here ------------------------------ vi /etc/src.conf ------------------------------ cut here ------------------------------ WITHOUT_X11=yes WITHOUT_ATM=yes WITHOUT_I4B=yes WITHOUT_IPX=yes WITHOUT_NIS=yes ------------------------------ cut here ------------------------------
Install the following ports
portmaster -d sysutils/lsof portmaster -d security/sudo portmaster -d security/openssl
Install NGINX
portmaster -d www/nginx vi /usr/local/etc/nginx/nginx.conf ------------------------------ cut here ------------------------------ worker_processes 1; error_log /var/log/nginx/error.log; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; access_log /var/log/nginx/access.log; sendfile on; keepalive_timeout 65; server { listen 10.20.0.11:80; server_name www.domain; return 301 https://www.domain$request_uri; } log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $status / upstream $upstream_status $request upstream_response_time $upstream_response_time msec $msec request_time $request_time body: $request_body'; upstream backend_hosts { server php-host-dmz; } server { listen 10.20.0.11:443; ssl on; ssl_certificate /usr/local/etc/nginx/crt.pem; ssl_certificate_key /usr/local/etc/nginx/key.pem; server_name www.domain; #access_log /var/log/nginx/ssl-access.log upstreamlog; #error_log /var/log/nginx/ssl-error.log debug; access_log /var/log/nginx/ssl-access.log; error_log /var/log/nginx/ssl-error.log; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Accept-Language $http_accept_language; set $ref $http_referer; if ($ref ~* '^https?://(.*)$') { set $ref http://$1; } proxy_set_header Referer $ref; location / { proxy_pass http://backend_hosts; proxy_redirect http:// https://; } } } ------------------------------ cut here ------------------------------ openssl req -new -newkey rsa:2048 -nodes -keyout /usr/local/etc/nginx/key.pem -out /usr/local/etc/nginx/csr.pem
Get your SSL certificate (Ex : GoDaddy).
cat /usr/local/etc/nginx/fdcf9fc805c10328.crt /usr/local/etc/nginx/gd_bundle-g2-g1.crt > /usr/local/etc/nginx/crt.pem
Start NGINX.
vi /etc/rc.conf.d/nginx ------------------------------ cut here ------------------------------ nginx_enable="YES" nginx_profiles="firewall" nginx_firewall_configfile="/usr/local/etc/nginx/nginx.conf" ------------------------------ cut here ------------------------------ sh /usr/local/etc/rc.d/nginx start
Install SNORT IDS
portmaster -d security/snort vi /etc/rc.conf.d/snort ------------------------------ cut here ------------------------------ snort_enable="YES" snort_conf="/usr/local/etc/snort/snort.conf" snort_flags="-D -q" snort_interface="xn0" ------------------------------ cut here ------------------------------ sed -i '' '/^include \$RULE_PATH\/.*.rules$/d' /usr/local/etc/snort/snort.conf rpl '_PATH ./' '_PATH /usr/local/etc/snort/' /usr/local/etc/snort/snort.conf rpl '# output unified2:' 'output unified2:' /usr/local/etc/snort/snort.conf rpl 'policy windows' 'policy bsd' /usr/local/etc/snort/snort.conf vi /usr/local/etc/snort/snort.conf ------------------------------ cut here ------------------------------ var WHITE_LIST_PATH /usr/local/etc/snort/rules/iplists var BLACK_LIST_PATH /usr/local/etc/snort/rules/iplists preprocessor reputation: \ memcap 500, \ scan_local, \ priority whitelist, \ white trust, \ nested_ip inner, \ whitelist $WHITE_LIST_PATH/white_list.rules, \ blacklist $BLACK_LIST_PATH/black_list.rules output alert_fast: /var/log/snort/snort.alert include $RULE_PATH/local.rules include $RULE_PATH/snort.rules ------------------------------ cut here ------------------------------ vi /usr/local/etc/snort/snort.conf ------------------------------ cut here ------------------------------ ipvar HOME_NET [10.20.0.11,10.20.1.0/24] ipvar EXTERNAL_NET any ------------------------------ cut here ------------------------------
Get your snort oinkcode.
cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf rpl https://www.snort.org/reg-rules/ https://www.snort.org/rules/ /usr/local/etc/pulledpork/pulledpork.conf rpl snortrules-snapshot.tar.gz snortrules-snapshot-2990.tar.gz /usr/local/etc/pulledpork/pulledpork.conf rpl https://snort.org/downloads/community/ https://www.snort.org/downloads/community/ /usr/local/etc/pulledpork/pulledpork.conf rpl '<oinkcode>' 'youroinkcode' /usr/local/etc/pulledpork/pulledpork.conf rpl /iplists/default.blacklist /iplists/black_list.rules /usr/local/etc/pulledpork/pulledpork.conf vi /usr/local/etc/pulledpork/pulledpork.conf ------------------------------ cut here ------------------------------ rule_url=https://www.snort.org/downloads/community/|community-rules.tar.gz|09188442b1e1cf975615d42225cd8065e386129d ------------------------------ cut here ------------------------------ mkdir /usr/local/etc/snort/so_rules touch /usr/local/etc/snort/rules/local.rules mkdir /usr/local/etc/snort/rules/iplists touch /usr/local/etc/snort/rules/iplists/white_list.rules touch /usr/local/etc/snort/rules/iplists/black_list.rules vi /usr/local/etc/snort/rules/iplists/white_list.rules ------------------------------ cut here ------------------------------ 10.20.0.1 ------------------------------ cut here ------------------------------ cp /dev/null /var/log/sid_changes.log rm /tmp/snortrules-snapshot-2990.tar.gz* /tmp/opensource.gz* cp /usr/local/etc/pulledpork/disablesid.conf.sample /usr/local/etc/pulledpork/disablesid.conf cp /usr/local/etc/pulledpork/dropsid.conf.sample /usr/local/etc/pulledpork/dropsid.conf cp /usr/local/etc/pulledpork/enablesid.conf.sample /usr/local/etc/pulledpork/enablesid.conf cp /usr/local/etc/pulledpork/modifysid.conf.sample /usr/local/etc/pulledpork/modifysid.conf vi /usr/local/etc/pulledpork/disablesid.conf ------------------------------ cut here ------------------------------ 136:2 # spp_reputation: Packets Wwhitelisted ------------------------------ cut here ------------------------------ pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -i /usr/local/etc/pulledpork/disablesid.conf -l -v -P vi /usr/local/etc/rc.d/snort ------------------------------ cut here ------------------------------ /sbin/ifconfig $snort_interface -rxcsum -txcsum -tso -lro ------------------------------ cut here ------------------------------ vi /usr/local/etc/snort/preproc_rules/preprocessor.rules ------------------------------ cut here ------------------------------ #alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) ------------------------------ cut here ------------------------------ sh /usr/local/etc/rc.d/snort start vi /etc/daily.local ------------------------------ cut here ------------------------------ #!/bin/sh /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -i /usr/local/etc/pulledpork/disablesid.conf -l -v 2>&1 > /root/pulledpork.out /bin/sh /etc/rc.d/pf reload ------------------------------ cut here ------------------------------ chmod 700 /etc/daily.local vi /etc/rc.conf.d/barnyard2 ------------------------------ cut here ------------------------------ barnyard2_enable="NO" ------------------------------ cut here ------------------------------
Install OSSEC
portmaster -d security/ossec-hids-local cp /usr/local/ossec-hids/etc/ossec.conf.sample /usr/local/ossec-hids/etc/ossec.conf rpl daniel.cid@xxx.com root@host.domain /usr/local/ossec-hids/etc/ossec.conf rpl smtp.xxx.com. host.domain /usr/local/ossec-hids/etc/ossec.conf rpl ossecm@ossec.xxx.com. ossecm@host.domain /usr/local/ossec-hids/etc/ossec.conf vi /usr/local/ossec-hids/etc/ossec.conf ------------------------------ cut here ------------------------------ <global> <white_list>127.0.0.1</white_list> <white_list>10.20.0.11</white_list> <white_list>10.20.1.0/24</white_list>> </global> <localfile> <log_format>syslog</log_format> <location>/var/log/all.log</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/usr/local/ossec-hids/logs/active-responses.log</location> </localfile> <localfile> <log_format>snort-fast</log_format> <location>/var/log/snort/snort.alert</location> </localfile> <localfile> <log_format>apache</log_format> <location>/var/log/nginx/access.log</location> </localfile> <localfile> <log_format>apache</log_format> <location>/var/log/nginx/error.log</location> </localfile> <localfile> <log_format>apache</log_format> <location>/var/log/nginx/ssl-access.log</location> </localfile> <localfile> <log_format>apache</log_format> <location>/var/log/nginx/ssl-error.log</location> </localfile> ------------------------------ cut here ------------------------------ vi /etc/rc.conf.d/ossechids ------------------------------ cut here ------------------------------ ossechids_enable="YES" ossechids_user="ossec" ossechids_group="ossec" ------------------------------ cut here ------------------------------ cp /etc/localtime /usr/local/ossec-hids/var/etc/localtime chown root:ossec /usr/local/ossec-hids/var/etc/localtime vi /usr/local/ossec-hids/rules/local_rules.xml ------------------------------ cut here ------------------------------ <group name="local,syslog,"> <rule id="100001" level="0"> <if_sid>1002</if_sid> <match>normalizations disabled because not inline</match> <description>Ignore pulledpork normalizations disabled because not inline</description> </rule> </group> <!-- SYSLOG,LOCAL --> <group name="web,"> <rule id="600003" level="0"> <if_sid>31533</if_sid> <description>Ignore High amount of POST requests in a small period of time (likely bot)</description> </rule> </group> ------------------------------ cut here ------------------------------ mv /usr/local/ossec-hids/active-response/bin/firewall-drop.sh /usr/local/ossec-hids/active-response/bin/iptables.sh cp /usr/local/ossec-hids/active-response/bin/pf.sh /usr/local/ossec-hids/active-response/bin/firewall-drop.sh sh /usr/local/etc/rc.d/ossec-hids start
Enable pf
vi /boot/loader.conf ------------------------------ cut here ------------------------------ net.pf.states_hashsize="524288" pf_load="YES" pflog_load="YES" ------------------------------ cut here ------------------------------ vi /etc/rc.conf.d/pf ------------------------------ cut here ------------------------------ pf_enable="YES" pf_rules="/etc/pf.conf" pf_program="/sbin/pfctl" pf_flags="" ------------------------------ cut here ------------------------------ vi /etc/rc.conf.d/pflog ------------------------------ cut here ------------------------------ pflog_enable="YES" pflog_logfile="/var/log/pflog" pflog_program="/sbin/pflogd" pflog_flags="" ------------------------------ cut here ------------------------------ mkdir /home/pf touch /home/pf/blackhole vi /home/pf/martians ------------------------------ cut here ------------------------------ 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/23 192.168.2.0/24 192.168.4.0/22 192.168.8.0/21 192.168.16.0/20 192.168.32.0/19 192.168.64.0/18 192.168.128.0/17 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32 ------------------------------ cut here ------------------------------ vi /home/pf/trusted ------------------------------ cut here ------------------------------ x.x.x.x/x x.x.x.x ------------------------------ cut here ------------------------------ vi /etc/pf.conf ------------------------------ cut here ------------------------------ int_if="xn0" dmz_if="xn1" int_nb = "{ 10.20.0.0, 10.20.0.255 }" dmz_nb = "{ 10.20.1.0, 10.20.1.255 }" broadcast = "255.255.255.255" multicast = "224.0.0.1" int_network = "10.20.0.0/24" int_address = "10.20.0.11" int_gateway = "10.20.0.1" dmz_network = "10.20.1.0/24" dmz_address = "10.20.1.10" dmz_gateway = "10.20.1.1" auth_port = "{ 113 }" icmp_types = "{ echorep, echoreq, timex, unreach }" table <firewall> const { self } table <ossec_fwtable> persist table <blacklist> persist file "/usr/local/etc/snort/rules/iplists/black_list.rules" table <blackhole> persist file "/home/pf/blackhole" table <martians> persist file "/home/pf/martians" table <trusted> persist file "/home/pf/trusted" # Play nice set block-policy return # Increase default max state table entries set limit { states 50000, frags 50000, table-entries 500000 } # Allow anything via interface lo0 set skip on lo0 # Normalisation of incoming packets scrub in rdr on $int_if inet proto tcp from <trusted> to $int_address port 222 -> 10.20.1.11 port 22 nat on $int_if from $dmz_network to any -> $int_address # Default rule (just to be sure) pass in pass out # Default rule (just to be safe) block in log block out log # block blackhole'd prefixes block quick from <blacklist> to any block quick from <blackhole> to any # Reset ident block return-rst in quick proto tcp from any to any port $auth_port flags S/SA # Pass int in pass in quick inet proto icmp from any to $int_address icmp-type $icmp_types keep state pass in quick inet proto udp from 10.20.0.1 to $int_address port 68 pass in quick on $int_if inet proto tcp from <trusted> to any keep state pass in quick on $int_if inet proto udp from <trusted> to any keep state # Pass int out pass out quick inet proto icmp from $int_address to any keep state pass out quick inet proto udp from $int_address to any port 67 # Pass dmz in pass in quick inet proto icmp from any to $dmz_address icmp-type $icmp_types keep state # Pass dmz out pass out quick on $dmz_if inet proto tcp from $dmz_address to $dmz_network keep state pass out quick on $dmz_if inet proto tcp from <trusted> to any keep state pass out quick on $dmz_if inet proto udp from <trusted> to any keep state # Block anti-spoofing block in log quick from urpf-failed block in quick from any to $broadcast block in quick from any to $multicast # Block dmz in block in quick log on $dmz_if from ($dmz_if) to any block in quick log on $dmz_if from $dmz_nb to any # Block dmz out block out quick log on $dmz_if from !($dmz_if) to any block out quick log on $dmz_if from any to ($dmz_if) block out quick log on $dmz_if from any to $dmz_nb # Block int in block drop in quick on $int_if from $int_address to any block drop in quick on $int_if from <martians> to any block drop in quick on $int_if from <ossec_fwtable> to any block out quick log on $int_if from any to $dmz_network block out quick log on $int_if from any to $int_nb # Pass dmz in/out pass quick on $dmz_if # Pass int in pass in quick on $int_if inet proto tcp from any to $int_address port 443 keep state # Pass int out pass out quick on $int_if ------------------------------ cut here ------------------------------ pfctl -nf /etc/pf.conf sh /etc/rc.d/pf start
Optionally install Wazuh agent (if you have a Wazuh manager)
portmaster -d lang/gcc cd /root fetch https://github.com/wang/gcczuh/wazuh/archive/v2.1.0.tar.gz tar zxf v2.1.0.tar.gz cd wazuh-2.1.0 ./install.sh vi /var/ossec/etc/ossec.conf ------------------------------ cut here ------------------------------ <localfile> <log_format>syslog</log_format> <location>/var/log/all.log</location> </localfile> ------------------------------ cut here ------------------------------ vi /usr/local/etc/rc.d/wazuh-agent ------------------------------ cut here ------------------------------ #!/bin/sh # # PROVIDE: wazuhagent # REQUIRE: DAEMON # BEFORE: LOGIN # KEYWORD: shutdown . /etc/rc.subr name="wazuhagent" rcvar=wazuhagent_enable load_rc_config $name : ${wazuhagent_enable="NO"} start_cmd="wazuhagent_command start" stop_cmd="wazuhagent_command stop" restart_cmd="wazuhagent_command restart" status_cmd="wazuhagent_command status" reload_cmd="wazuhagent_command reload" command="/var/ossec/bin/ossec-control" required_files="/var/ossec/etc/ossec.conf" extra_commands="reload" wazuhagent_command() { ${command} ${rc_arg} } run_rc_command "$1" ------------------------------ cut here ------------------------------ vi /etc/rc.conf.d/wazuhagent ------------------------------ cut here ------------------------------ wazuhagent_enable="YES" ------------------------------ cut here ------------------------------ /var/ossec/bin/agent-auth -m wazuh_manager_ip_address cp /etc/localtime /var/ossec/etc/localtime sh /usr/local/etc/rc.d/wazuh-agent start