Tool for managing active response commands for Wazuh
Feel free to use it
Run sudo sentry config --init for first-time setup. This will take the following actions against /var/ossec/etc/ossec.conf:
sudo cp /var/ossec/etc/ossec.conf sentry/backup/manager-config/config-init_${TIMESTAMP}_ossec.conf- Search for comment
<!-- Active response --> - Insert comment
<!-- ${sentry-commands.conf} -->to the line below - Search for comment
```xml
<!--<active-response>active-response options here</active-response>-->
```
- Removes wrapped comment tag from
<active-response>element and wrapsactive-response options herein comment tag if they are present - Search for tag
<active-response> - Insert comment
<!-- ${sentry-responses.conf} -->to the line above<active-response> - Writes existing
<command>and<active-response>elements tosentry-commands.confand<sentry-responses.conf>
As init is not idemptent it is highly recommended to keep backups of your ossec.conf file.
If your Wazuh manager config is not at that location, use --manager-config /path/to/ossec.conf. Wrap the path in quotes if it contains spaces. Alternatively, you can perform the above steps manually, using the path to your config instead of the default.
If you do not wish to enable active response management when using init, use the --active-response skip flag. This will skip steps 3 through 4 above. To disable active response management, use --active-response disable. To enable active response management, use --active-response enable. To enable active response management of the out-of-the-box active responses, use --manage-default-responses yes. To disable management of the out-of-the-box responses, use --manage-default-responses no. These flags are indempotent.