set default-config.toml

2025-11-17 20:31:09 +01:00 · 2025-11-17 20:31:09 +01:00 · 5205c2fb22
commit 5205c2fb22
parent cf155a951c
3 changed files with 94 additions and 45 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -41,26 +41,3 @@ jobs:
        with:
          name: wazuh-notifier-go-v2-binary
          path: wazuh-notify-go-v2/wazuh-notifier-go-v2
-
-  release:
-    runs-on: ubuntu-latest
-    needs: build
-    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
-
-    steps:
-      - name: Download all build artifacts
-        uses: actions/download-artifact@v3
-        with:
-          path: artifacts
-
-      - name: Release wazuh-notify-go artifact (Gitea Upload)
-        uses: christopherhx/gitea-upload-artifact@v4
-        with:
-          name: wazuh-notifier-go-binary
-          path: artifacts/wazuh-notifier-go-binary-internal/wazuh-notifier-go
-
-      - name: Release wazuh-notify-go-v2 artifact (Gitea Upload)
-        uses: christopherhx/gitea-upload-artifact@v4
-        with:
-          name: wazuh-notifier-go-v2-binary
-          path: artifacts/wazuh-notifier-go-v2-binary-internal/wazuh-notifier-go-v2
--- a/wazuh-notify-go-v2/config/config.go
+++ b/wazuh-notify-go-v2/config/config.go
@ -1,7 +1,7 @@
 package config

 import (
-	"errors"
+	_ "embed"
 	"fmt"
 	"os"
 	"path"
@ -10,45 +10,50 @@ import (
 	"github.com/BurntSushi/toml"
 )

+//go:embed default-config.toml
+var DefaultConfigFile []byte
 var File Config

 func Read() error {
-
 	const SystemConfigPath = "/etc/wazuh-notify/wazuh-notify-config.toml"
-	var LocalConfigPath string

 	execPath, _ := os.Executable()
-	LocalConfigPath = path.Join(path.Dir(execPath), "wazuh-notify-config.toml")
+	LocalConfigPath := path.Join(path.Dir(execPath), "wazuh-notify-config.toml")

 	var tomlFile []byte
 	var err error

 	tomlFile, err = os.ReadFile(SystemConfigPath)
-	if err == nil {
-		log.Log(fmt.Sprintf("TOML loaded from system path: %s", SystemConfigPath))
-	}
-
-	if errors.Is(err, os.ErrNotExist) {
-		log.Log("TOML not found in system path, attempting local fallback.")

+	if err != nil {
 		tomlFile, err = os.ReadFile(LocalConfigPath)
-		if err == nil {
-			log.Log(fmt.Sprintf("TOML loaded from local path: %s", LocalConfigPath))
-		}
 	}

 	if err != nil {
-		log.Log(fmt.Sprintf("FATAL: TOML config failed to load from both paths. Last error: %v", err))
-		return err
-	}
+		log.Log("Config not found. Attempting to create default.")

-	err = toml.Unmarshal(tomlFile, &File)
-	if err != nil {
-		log.Log(err.Error())
-		return err
+		errMkdir := os.MkdirAll(path.Dir(SystemConfigPath), os.ModePerm)
+
+		errWrite := os.WriteFile(SystemConfigPath, DefaultConfigFile, 0600)
+
+		if errMkdir != nil || errWrite != nil {
+			log.Log(fmt.Sprintf("Warning: Could not write config to disk (%v).", errWrite))
+			log.Log("Falling back to embedded memory config.")
 		} else {
-		log.Log("yaml loaded")
+			log.Log(fmt.Sprintf("Successfully created default config at %s", SystemConfigPath))
 		}
+
+		tomlFile = DefaultConfigFile
+		err = nil
+	}
+
+	parseErr := toml.Unmarshal(tomlFile, &File)
+	if parseErr != nil {
+		log.Log(parseErr.Error())
+		return parseErr
+	}
+
+	log.Log("TOML configuration loaded successfully")
 	return nil
 }

--- a/wazuh-notify-go-v2/config/default-config.toml
+++ b/wazuh-notify-go-v2/config/default-config.toml
@ -0,0 +1,67 @@
+#############################################################################################################
+# This is the TOML config file for wazuh-notify (active response) for both the Python and Go implementation #
+#############################################################################################################
+
+[general]
+# Platforms in this string with comma seperated values are triggered.
+targets = "slack, ntfy, discord"
+
+# Platforms in this string will enable sending the full event information.
+full_alert = ""
+
+# Exclude rule events that are enabled in the ossec.conf active response definition.
+# These settings provide an easier way to disable events from firing the notifiers.
+excluded_rules = "99999, 00000"
+excluded_agents = "99999"
+
+# Exclude specific rules by string contained in description
+# These settings provide an easier way to disable events from firing the notifiers.
+exclude_descriptions = [
+    ""
+]
+
+# The next 2 settings are used to add information to the messages.
+sender = "Wazuh (IDS)"
+click = "https://documentation.wazuh.com/"
+
+[discord]
+webhook = "https://discord.com/api/webhooks/XXX"
+
+[ntfy]
+webhook = "https://ntfy.sh/XXX"
+
+[slack]
+webhook = "https://hooks.slack.com/services/XXX"
+
+# Priority mapping from 0-15 (Wazuh threat levels) to 1-5 (in notifications) and their respective colors (Discord)
+# https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html
+# Enter threat_map as lists of integers, mention/notify_threshold as integer and color as Hex integer
+[[priority_map]]
+threat_map = [15, 14, 13, 12]
+mention_threshold = 1
+notify_threshold = 1
+color = 0xec3e40 # Red, SEVERE
+
+[[priority_map]]
+threat_map = [11, 10, 9]
+mention_threshold = 1
+notify_threshold = 1
+color = 0xff9b2b # Orange, HIGH
+
+[[priority_map]]
+threat_map = [8, 7, 6]
+mention_threshold = 5
+notify_threshold = 5
+color = 0xf5d800 # Yellow, ELEVATED
+
+[[priority_map]]
+threat_map = [5, 4]
+mention_threshold = 20
+notify_threshold = 5
+color = 0x377fc7 # Blue, GUARDED
+
+[[priority_map]]
+threat_map = [3, 2, 1, 0]
+mention_threshold = 20
+notify_threshold = 1
+color = 0x01a465 # Green, LOW