Merge pull request #234 from wazuh/feature-233-adapt-activeresponse-d…

…efinition Adapt active-response definition
wazuh · Mar 24, 2020 · 786c384 · 786c384
2 parents dd793e9 + 701a7e4
commit 786c384
Show file tree

Hide file tree

Showing 6 changed files with 132 additions and 57 deletions.
diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp
@@ -1,20 +1,30 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 #Define for a specific ossec active-response
 define wazuh::activeresponse(
-  $command_name,
-  $ar_location           = 'local',
-  $ar_level              = 7,
-  $ar_agent_id           = '',
-  $ar_rules_id           = [],
-  $ar_timeout            = 300,
-  $ar_repeated_offenders = '',
+  $active_response_name               = 'Rendering active-response template',
+  $active_response_disabled           = undef,
+  $active_response_linux_ca_store     = undef,
+  $active_response_ca_verification    = undef,
+  $active_response_command            = undef,
+  $active_response_location           = undef,
+  $active_response_level              = undef,
+  $active_response_agent_id           = undef,
+  $active_response_rules_id           = [],
+  $active_response_timeout            = undef,
+  $active_response_repeated_offenders = [],
+
+  $target_arg                         = 'ossec.conf',
+  $order_arg                          = undef,
+  $before_arg                         = undef,
+  $content_arg                        = 'wazuh/fragments/_activeresponse.erb'
 ) {
 
   require wazuh::params_manager
 
-  concat::fragment { $name:
-    target  => 'ossec.conf',
-    order   => 55,
-    content => template('wazuh/fragments/_activeresponse.erb')
+  concat::fragment { $active_response_name:
+    target  => $target_arg,
+    order   => $order_arg,
+    before  => $before_arg,
+    content => template($content_arg)
   }
 }
diff --git a/manifests/agent.pp b/manifests/agent.pp
@@ -187,10 +187,17 @@
   $audit_rules                       = $wazuh::params_agent::audit_rules,
 
   # active-response
-  $ossec_active_response_disabled          =  $wazuh::params_agent::active_response_disabled,
-  $ossec_active_response_linux_ca_store    =  $wazuh::params_agent::active_response_linux_ca_store,
-  $ossec_active_response_windows_ca_store  =  $wazuh::params_agent::active_response_windows_ca_store,
-  $ossec_active_response_ca_verification   =  $wazuh::params_agent::active_response_ca_verification,
+  $ossec_active_response_disabled             =  $wazuh::params_agent::active_response_disabled,
+  $ossec_active_response_linux_ca_store       =  $wazuh::params_agent::active_response_linux_ca_store,
+
+  $ossec_active_response_ca_verification      =  $wazuh::params_agent::active_response_ca_verification,
+  $ossec_active_response_command              =  $wazuh::params_agent::active_response_command,
+  $ossec_active_response_location             =  $wazuh::params_agent::active_response_location,
+  $ossec_active_response_level                =  $wazuh::params_agent::active_response_level,            
+  $ossec_active_response_agent_id             =  $wazuh::params_agent::active_response_agent_id,         
+  $ossec_active_response_rules_id             =  $wazuh::params_agent::active_response_rules_id,         
+  $ossec_active_response_timeout              =  $wazuh::params_agent::active_response_timeout,          
+  $ossec_active_response_repeated_offenders   =  $wazuh::params_agent::active_response_repeated_offenders,
 
   # Agent Labels
   $ossec_labels                      = $wazuh::params_agent::ossec_labels,
@@ -406,12 +413,19 @@
     }
   }
   if ($configure_active_response == true) {
-    concat::fragment {
-      'ossec.conf_active_response':
-        target  => 'ossec.conf',
-        order   => 40,
-        before  => Service[$agent_service_name],
-        content => template($ossec_active_response_template);
+    wazuh::activeresponse { 'blockWebattack':
+      active_response_disabled           =>  $ossec_active_response_disabled,
+      active_response_linux_ca_store     =>  $ossec_active_response_linux_ca_store,
+      active_response_ca_verification    =>  $ossec_active_response_ca_verification,
+      active_response_command            =>  $ossec_active_response_command,
+      active_response_location           =>  $ossec_active_response_location,
+      active_response_level              =>  $ossec_active_response_level,
+      active_response_agent_id           =>  $ossec_active_response_agent_id,
+      active_response_rules_id           =>  $ossec_active_response_rules_id,
+      active_response_timeout            =>  $ossec_active_response_timeout,
+      active_response_repeated_offenders =>  $ossec_active_response_repeated_offenders,
+      order_arg                          => 40,
+      before_arg                         => Service[$agent_service_name]
     }
   }
 

diff --git a/manifests/manager.pp b/manifests/manager.pp
@@ -62,6 +62,16 @@
       $ossec_cluster_template                       = $wazuh::params_manager::ossec_cluster_template,
       $ossec_active_response_template               = $wazuh::params_manager::ossec_active_response_template,
 
+      # active-response
+      $ossec_active_response_command                =  $wazuh::params_manager::active_response_command,
+      $ossec_active_response_location               =  $wazuh::params_manager::active_response_location,
+      $ossec_active_response_level                  =  $wazuh::params_manager::active_response_level,            
+      $ossec_active_response_agent_id               =  $wazuh::params_manager::active_response_agent_id,         
+      $ossec_active_response_rules_id               =  $wazuh::params_manager::active_response_rules_id,         
+      $ossec_active_response_timeout                =  $wazuh::params_manager::active_response_timeout,          
+      $ossec_active_response_repeated_offenders     =  $wazuh::params_manager::active_response_repeated_offenders,
+
+
       ## Rootcheck
 
       $ossec_rootcheck_disabled             = $wazuh::params_manager::ossec_rootcheck_disabled,
@@ -77,29 +87,30 @@
       $ossec_rootcheck_rootkit_files        = $wazuh::params_manager::ossec_rootcheck_rootkit_files,
       $ossec_rootcheck_rootkit_trojans      = $wazuh::params_manager::ossec_rootcheck_rootkit_trojans,
       $ossec_rootcheck_skip_nfs             = $wazuh::params_manager::ossec_rootcheck_skip_nfs,
+      $ossec_rootcheck_system_audit         = $wazuh::params_manager::ossec_rootcheck_system_audit,
 
       # SCA
 
-  ## Amazon
-  $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled,
-  $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start,
-  $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval,
-  $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs,
-  $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies,
+      ## Amazon
+      $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled,
+      $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start,
+      $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval,
+      $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs,
+      $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies,
 
-  ## RHEL
-  $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled,
-  $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start,
-  $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval,
-  $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs,
-  $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies,
+      ## RHEL
+      $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled,
+      $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start,
+      $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval,
+      $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs,
+      $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies,
 
-  ## <Linux else>
-  $sca_else_enabled = $wazuh::params_manager::sca_else_enabled,
-  $sca_else_scan_on_start = $wazuh::params_manager::sca_else_scan_on_start,
-  $sca_else_interval = $wazuh::params_manager::sca_else_interval,
-  $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs,
-  $sca_else_policies = $wazuh::params_manager::sca_else_policies,
+      ## <Linux else>
+      $sca_else_enabled = $wazuh::params_manager::sca_else_enabled,
+      $sca_else_scan_on_start = $wazuh::params_manager::sca_else_scan_on_start,
+      $sca_else_interval = $wazuh::params_manager::sca_else_interval,
+      $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs,
+      $sca_else_policies = $wazuh::params_manager::sca_else_policies,
 
 
       ## Wodles
@@ -174,7 +185,6 @@
       $syslog_output_format                 = $wazuh::params_manager::syslog_output_format,
 
       # Authd configuration
-
       $ossec_auth_disabled                  = $wazuh::params_manager::ossec_auth_disabled,
       $ossec_auth_port                      = $wazuh::params_manager::ossec_auth_port,
       $ossec_auth_use_source_ip             = $wazuh::params_manager::ossec_auth_use_source_ip,
@@ -191,7 +201,6 @@
 
 
       # syscheck
-
       $ossec_syscheck_disabled              = $wazuh::params_manager::ossec_syscheck_disabled,
       $ossec_syscheck_frequency             = $wazuh::params_manager::ossec_syscheck_frequency,
       $ossec_syscheck_scan_on_start         = $wazuh::params_manager::ossec_syscheck_scan_on_start,
@@ -492,12 +501,16 @@
       }
   }
   if ($configure_active_response == true){
-    concat::fragment {
-        'ossec.conf_active_response':
-          order   => 90,
-          target  => 'ossec.conf',
-          content => template($ossec_active_response_template);
-      }
+    wazuh::activeresponse { 'blockWebattack':
+      active_response_command            => $ossec_active_response_command,
+      active_response_location           => $ossec_active_response_location,
+      active_response_level              => $ossec_active_response_level,
+      active_response_agent_id           => $ossec_active_response_agent_id,
+      active_response_rules_id           => $ossec_active_response_rules_id,
+      active_response_timeout            => $ossec_active_response_timeout,
+      active_response_repeated_offenders => $ossec_active_response_repeated_offenders,
+      order_arg                          => 90
+    }
   }
   concat::fragment {
     'ossec.conf_footer':

diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp
@@ -69,9 +69,15 @@
   $ossec_local_files = $::wazuh::params_agent::default_local_files
 
   # active response
-  $active_response_disabled = 'no'
+  $active_response_disabled                        = 'no'
+  $active_response_ca_verification                 = 'yes'
+  $active_response_location                        = undef
+  $active_response_level                           = undef
+  $active_response_agent_id                        = undef
+  $active_response_rules_id                        = []
+  $active_response_timeout                         = undef
+  $active_response_repeated_offenders              = []
 
-  $active_response_ca_verification = 'yes'
 
   # OS specific configurations
   case $::kernel {

diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp
@@ -78,6 +78,7 @@
       $ossec_rootcheck_rootkit_files                   = '/var/ossec/etc/rootcheck/rootkit_files.txt'
       $ossec_rootcheck_rootkit_trojans                 = '/var/ossec/etc/rootcheck/rootkit_trojans.txt'
       $ossec_rootcheck_skip_nfs                        = 'yes'
+      $ossec_rootcheck_system_audit                    = []
 
       # SCA
 
@@ -138,6 +139,16 @@
       $wodle_syscollector_ports                        = 'yes'
       $wodle_syscollector_processes                    = 'yes'
 
+
+      #active-response
+      $active_response_command                         = 'firewall-drop'
+      $active_response_location                        = 'local'
+      $active_response_level                           = 9
+      $active_response_agent_id                        = '001'
+      $active_response_rules_id                        = [31153,31151]
+      $active_response_timeout                         = 300
+      $active_response_repeated_offenders              = ['30,60,120']
+
       #vulnerability-detector
 
       $vulnerability_detector_enabled                            = 'no'

diff --git a/templates/fragments/_activeresponse.erb b/templates/fragments/_activeresponse.erb
@@ -1,19 +1,40 @@
 
 <active-response>
-<% if @ossec_active_response_disabled -%>
-  <disabled><%= @ossec_active_response_disabled %></disabled>
+<% if @active_response_disabled -%>
+  <disabled><%= @active_response_disabled %></disabled>
 <%- end -%>
 <%- if @kernel == 'windows' -%>
-<% if @ossec_active_response_windows_ca_store -%>
-  <ca_store><%= @ossec_active_response_windows_ca_store %></ca_store>
+<% if @active_response_windows_ca_store -%>
+  <ca_store><%= @active_response_windows_ca_store %></ca_store>
 <%- end -%>
 <%- elsif @kernel == 'Linux' -%>
-<% if @ossec_active_response_linux_ca_store -%>
-  <ca_store><%= @ossec_active_response_linux_ca_store %></ca_store>
+<% if @active_response_linux_ca_store -%>
+  <ca_store><%= @active_response_linux_ca_store %></ca_store>
 <%- end -%>
 <%- end -%>
-<% if @ossec_active_response_ca_verification -%>
-  <ca_verification><%= @ossec_active_response_ca_verification %></ca_verification>
+<% if @active_response_ca_verification -%>
+  <ca_verification><%= @active_response_ca_verification %></ca_verification>
+<%- end -%>
+<% if @active_response_command -%>
+  <command><%= @active_response_command %></command>
+<%- end -%>
+<% if @active_response_location -%>
+  <location><%= @active_response_location %></location>
+<%- end -%> 
+<% if @active_response_level -%>
+  <level><%= @active_response_level %></level>
+<%- end -%> 
+<% if @active_response_agent_id -%>
+  <agent_id><%= @active_response_agent_id %></agent_id>
+<%- end -%> 
+<% if !@active_response_rules_id.empty? -%>
+  <rules_id><%= @active_response_rules_id.join(',') %></rules_id>
+<%- end -%>
+<% if @active_response_timeout -%>
+  <timeout><%= @active_response_timeout %></timeout>
+<%- end -%>
+<% if !@active_response_repeated_offenders.empty? -%>
+  <repeated_offenders><%= @active_response_repeated_offenders.join(',') %></repeated_offenders>
 <%- end -%> 
 </active-response>