diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp
index 212cc9da..3340bd2b 100644
--- a/manifests/activeresponse.pp
+++ b/manifests/activeresponse.pp
@@ -1,20 +1,30 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 #Define for a specific ossec active-response
 define wazuh::activeresponse(
- $command_name,
- $ar_location = 'local',
- $ar_level = 7,
- $ar_agent_id = '',
- $ar_rules_id = [],
- $ar_timeout = 300,
- $ar_repeated_offenders = '',
+ $active_response_name = 'Rendering active-response template',
+ $active_response_disabled = undef,
+ $active_response_linux_ca_store = undef,
+ $active_response_ca_verification = undef,
+ $active_response_command = undef,
+ $active_response_location = undef,
+ $active_response_level = undef,
+ $active_response_agent_id = undef,
+ $active_response_rules_id = [],
+ $active_response_timeout = undef,
+ $active_response_repeated_offenders = [],
+
+ $target_arg = 'ossec.conf',
+ $order_arg = undef,
+ $before_arg = undef,
+ $content_arg = 'wazuh/fragments/_activeresponse.erb'
 ) {
 require wazuh::params_manager
- concat::fragment { $name:
- target => 'ossec.conf',
- order => 55,
- content => template('wazuh/fragments/_activeresponse.erb')
+ concat::fragment { $active_response_name:
+ target => $target_arg,
+ order => $order_arg,
+ before => $before_arg,
+ content => template($content_arg)
 }
 }
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 44ffe954..b1e562c3 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
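Review bot: The fragment is titled with the fixed default `$active_response_name = 'Rendering active-response template'` rather than the define's own `$name`, so a catalog that declares wazuh::activeresponse twice fails on a duplicate Concat::Fragment, and the `'blockWebattack'` titles chosen in agent.pp and manager.pp never reach the resource; `concat::fragment { "ossec.conf_active_response_${name}":` keeps one fragment per instance. The define also gains no `$active_response_windows_ca_store` parameter even though the template hunk reads `@active_response_windows_ca_store` and the agent.pp hunks stop passing it, so the Windows CA store line silently disappears for Windows agents — add `$active_response_windows_ca_store = undef,` here and pass it through in agent.pp. Every parameter of the public define is renamed, the required `$command_name` is dropped, and the old fixed `order => 55` becomes caller-supplied, so any out-of-module use of wazuh::activeresponse breaks; that deserves a changelog entry and a major version bump.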
@@ -187,10 +187,17 @@
 $audit_rules = $wazuh::params_agent::audit_rules,
 # active-response
- $ossec_active_response_disabled = $wazuh::params_agent::active_response_disabled,
- $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store,
- $ossec_active_response_windows_ca_store = $wazuh::params_agent::active_response_windows_ca_store,
- $ossec_active_response_ca_verification = $wazuh::params_agent::active_response_ca_verification,
+ $ossec_active_response_disabled = $wazuh::params_agent::active_response_disabled,
+ $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store,
+
+ $ossec_active_response_ca_verification = $wazuh::params_agent::active_response_ca_verification,
+ $ossec_active_response_command = $wazuh::params_agent::active_response_command,
+ $ossec_active_response_location = $wazuh::params_agent::active_response_location,
+ $ossec_active_response_level = $wazuh::params_agent::active_response_level,
+ $ossec_active_response_agent_id = $wazuh::params_agent::active_response_agent_id,
+ $ossec_active_response_rules_id = $wazuh::params_agent::active_response_rules_id,
+ $ossec_active_response_timeout = $wazuh::params_agent::active_response_timeout,
+ $ossec_active_response_repeated_offenders = $wazuh::params_agent::active_response_repeated_offenders,
 # Agent Labels
 $ossec_labels = $wazuh::params_agent::ossec_labels,
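Review bot: The new default `$ossec_active_response_command = $wazuh::params_agent::active_response_command` has no matching declaration in the params_agent.pp hunk, which adds location, level, agent_id, rules_id, timeout and repeated_offenders but not command; unless it is declared outside that hunk this is an unknown variable reference that fails compilation under `strict_variables` and otherwise evaluates to undef, so the agent's active-response block silently lacks its command. Add `$active_response_command = undef` to params_agent.pp beside the other new defaults (or give it a real default as params_manager.pp does). Removing `$ossec_active_response_windows_ca_store` from the class interface is also a breaking change for any Hiera data or profile that still sets it, since Puppet rejects unknown class parameters.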
@@ -406,12 +413,19 @@
 }
 }
 if ($configure_active_response == true) {
- concat::fragment {
- 'ossec.conf_active_response':
- target => 'ossec.conf',
- order => 40,
- before => Service[$agent_service_name],
- content => template($ossec_active_response_template);
+ wazuh::activeresponse { 'blockWebattack':
+ active_response_disabled => $ossec_active_response_disabled,
+ active_response_linux_ca_store => $ossec_active_response_linux_ca_store,
+ active_response_ca_verification => $ossec_active_response_ca_verification,
+ active_response_command => $ossec_active_response_command,
+ active_response_location => $ossec_active_response_location,
+ active_response_level => $ossec_active_response_level,
+ active_response_agent_id => $ossec_active_response_agent_id,
+ active_response_rules_id => $ossec_active_response_rules_id,
+ active_response_timeout => $ossec_active_response_timeout,
+ active_response_repeated_offenders => $ossec_active_response_repeated_offenders,
+ order_arg => 40,
+ before_arg => Service[$agent_service_name]
 }
 }
diff --git a/manifests/manager.pp b/manifests/manager.pp
index 4b33918a..a3f14925 100644
--- a/manifests/manager.pp
+++ b/manifests/manager.pp
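Review bot: The class parameter `$ossec_active_response_template` is no longer consumed here — the removed fragment rendered `template($ossec_active_response_template)`, while the new wazuh::activeresponse call leaves `content_arg` at its default, so a caller overriding the template parameter now silently gets the stock `wazuh/fragments/_activeresponse.erb`. Either pass `content_arg => $ossec_active_response_template,` or drop the now-dead parameter from the class; the manager.pp hunk at @@ -492 has the same gap. The old fragment title `'ossec.conf_active_response'` also disappears, so any relationship elsewhere in the module that references `Concat::Fragment['ossec.conf_active_response']` would break — worth a grep before merging.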
@@ -62,6 +62,16 @@
 $ossec_cluster_template = $wazuh::params_manager::ossec_cluster_template,
 $ossec_active_response_template = $wazuh::params_manager::ossec_active_response_template,
+ # active-response
+ $ossec_active_response_command = $wazuh::params_manager::active_response_command,
+ $ossec_active_response_location = $wazuh::params_manager::active_response_location,
+ $ossec_active_response_level = $wazuh::params_manager::active_response_level,
+ $ossec_active_response_agent_id = $wazuh::params_manager::active_response_agent_id,
+ $ossec_active_response_rules_id = $wazuh::params_manager::active_response_rules_id,
+ $ossec_active_response_timeout = $wazuh::params_manager::active_response_timeout,
+ $ossec_active_response_repeated_offenders = $wazuh::params_manager::active_response_repeated_offenders,
+
+
 ## Rootcheck
 $ossec_rootcheck_disabled = $wazuh::params_manager::ossec_rootcheck_disabled,
@@ -77,29 +87,30 @@
 $ossec_rootcheck_rootkit_files = $wazuh::params_manager::ossec_rootcheck_rootkit_files,
 $ossec_rootcheck_rootkit_trojans = $wazuh::params_manager::ossec_rootcheck_rootkit_trojans,
 $ossec_rootcheck_skip_nfs = $wazuh::params_manager::ossec_rootcheck_skip_nfs,
+ $ossec_rootcheck_system_audit = $wazuh::params_manager::ossec_rootcheck_system_audit,
 # SCA
- ## Amazon
- $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled,
- $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start,
- $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval,
- $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs,
- $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies,
+ ## Amazon
+ $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled,
+ $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start,
+ $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval,
+ $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs,
+ $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies,
- ## RHEL
- $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled,
- $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start,
- $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval,
- $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs,
- $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies,
+ ## RHEL
+ $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled,
+ $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start,
+ $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval,
+ $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs,
+ $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies,
- ##
- $sca_else_enabled = $wazuh::params_manager::sca_else_enabled,
- $sca_else_scan_on_start = $wazuh::params_manager::sca_else_scan_on_start,
- $sca_else_interval = $wazuh::params_manager::sca_else_interval,
- $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs,
- $sca_else_policies = $wazuh::params_manager::sca_else_policies,
+ ##
+ $sca_else_enabled = $wazuh::params_manager::sca_else_enabled,
+ $sca_else_scan_on_start = $wazuh::params_manager::sca_else_scan_on_start,
+ $sca_else_interval = $wazuh::params_manager::sca_else_interval,
+ $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs,
+ $sca_else_policies = $wazuh::params_manager::sca_else_policies,
 ## Wodles
@@ -174,7 +185,6 @@
 $syslog_output_format = $wazuh::params_manager::syslog_output_format,
 # Authd configuration
- $ossec_auth_disabled = $wazuh::params_manager::ossec_auth_disabled,
 $ossec_auth_port = $wazuh::params_manager::ossec_auth_port,
 $ossec_auth_use_source_ip = $wazuh::params_manager::ossec_auth_use_source_ip,
@@ -191,7 +201,6 @@
 # syscheck
- $ossec_syscheck_disabled = $wazuh::params_manager::ossec_syscheck_disabled,
 $ossec_syscheck_frequency = $wazuh::params_manager::ossec_syscheck_frequency,
 $ossec_syscheck_scan_on_start = $wazuh::params_manager::ossec_syscheck_scan_on_start,
@@ -492,12 +501,16 @@
 }
 }
 if ($configure_active_response == true){
- concat::fragment {
- 'ossec.conf_active_response':
- order => 90,
- target => 'ossec.conf',
- content => template($ossec_active_response_template);
- }
+ wazuh::activeresponse { 'blockWebattack':
+ active_response_command => $ossec_active_response_command,
+ active_response_location => $ossec_active_response_location,
+ active_response_level => $ossec_active_response_level,
+ active_response_agent_id => $ossec_active_response_agent_id,
+ active_response_rules_id => $ossec_active_response_rules_id,
+ active_response_timeout => $ossec_active_response_timeout,
+ active_response_repeated_offenders => $ossec_active_response_repeated_offenders,
+ order_arg => 90
+ }
 }
 concat::fragment { 'ossec.conf_footer':
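Review bot: `$ossec_rootcheck_system_audit` is added to the manager class interface here and given a `[]` default in the params_manager.pp hunk at @@ -78, but no hunk in this diff renders it — the rootcheck fragment/template is untouched — so unless it is consumed by a change outside this diff the parameter is accepted and ignored. Either wire it into the rootcheck template in the same change or hold it back until that template exists; failing that, a `# TODO: not yet rendered by the rootcheck template` comment on the line would at least flag the gap. The rest of the hunk is re-indentation of the SCA parameter block; splitting such whitespace-only churn from the functional change keeps the diff reviewable and `git blame` on those lines meaningful.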
diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp
index 206c67bf..8c778ddd 100644
--- a/manifests/params_agent.pp
+++ b/manifests/params_agent.pp
@@ -69,9 +69,15 @@
 $ossec_local_files = $::wazuh::params_agent::default_local_files
 # active response
- $active_response_disabled = 'no'
+ $active_response_disabled = 'no'
+ $active_response_ca_verification = 'yes'
+ $active_response_location = undef
+ $active_response_level = undef
+ $active_response_agent_id = undef
+ $active_response_rules_id = []
+ $active_response_timeout = undef
+ $active_response_repeated_offenders = []
- $active_response_ca_verification = 'yes'
 # OS specific configurations
 case $::kernel {
diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp
index ede29b27..c7f7f3dd 100644
--- a/manifests/params_manager.pp
+++ b/manifests/params_manager.pp
@@ -78,6 +78,7 @@
 $ossec_rootcheck_rootkit_files = '/var/ossec/etc/rootcheck/rootkit_files.txt'
 $ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/rootcheck/rootkit_trojans.txt'
 $ossec_rootcheck_skip_nfs = 'yes'
+ $ossec_rootcheck_system_audit = []
 # SCA
@@ -138,6 +139,16 @@
 $wodle_syscollector_ports = 'yes'
 $wodle_syscollector_processes = 'yes'
+
+ #active-response
+ $active_response_command = 'firewall-drop'
+ $active_response_location = 'local'
+ $active_response_level = 9
+ $active_response_agent_id = '001'
+ $active_response_rules_id = [31153,31151]
+ $active_response_timeout = 300
+ $active_response_repeated_offenders = ['30,60,120']
+
 #vulnerability-detector
 $vulnerability_detector_enabled = 'no'
diff --git a/templates/fragments/_activeresponse.erb b/templates/fragments/_activeresponse.erb
index dcef284a..3acef7ba 100644
--- a/templates/fragments/_activeresponse.erb
+++ b/templates/fragments/_activeresponse.erb
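Review bot: `$active_response_agent_id = '001'` in the params_manager.pp hunk at @@ -138 hard-codes one particular agent id as a module-wide default while `$active_response_location = 'local'` does not use it — in Wazuh's active-response schema `agent_id` applies to the `defined-agent` location and `local` runs on the alerting agent (please confirm against the docs) — so an operator who later switches location silently targets agent 001; `$active_response_agent_id = undef` is the safer default and matches params_agent.pp. With these defaults a manager that enables `configure_active_response` now ships a `firewall-drop` response at level 9 for rules 31153 and 31151 with a 300 s timeout; the previous manager fragment rendered `$ossec_active_response_template`, whose content is not in this diff, so whether existing deployments change behaviour cannot be checked here and should be stated in the changelog. `$active_response_repeated_offenders = ['30,60,120']` is one comma-joined string inside a one-element array and only works because the template `join`s it; `[30, 60, 120]` matches the list shape the template expects.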
@@ -1,19 +1,40 @@
-<% if @ossec_active_response_disabled -%>
- <%= @ossec_active_response_disabled %>
+<% if @active_response_disabled -%>
+ <%= @active_response_disabled %>
 <%- end -%>
 <%- if @kernel == 'windows' -%>
-<% if @ossec_active_response_windows_ca_store -%>
- <%= @ossec_active_response_windows_ca_store %>
+<% if @active_response_windows_ca_store -%>
+ <%= @active_response_windows_ca_store %>
 <%- end -%>
 <%- elsif @kernel == 'Linux' -%>
-<% if @ossec_active_response_linux_ca_store -%>
- <%= @ossec_active_response_linux_ca_store %>
+<% if @active_response_linux_ca_store -%>
+ <%= @active_response_linux_ca_store %>
 <%- end -%>
 <%- end -%>
-<% if @ossec_active_response_ca_verification -%>
- <%= @ossec_active_response_ca_verification %>
+<% if @active_response_ca_verification -%>
+ <%= @active_response_ca_verification %>
+<%- end -%>
+<% if @active_response_command -%>
+ <%= @active_response_command %>
+<%- end -%>
+<% if @active_response_location -%>
+ <%= @active_response_location %>
+<%- end -%>
+<% if @active_response_level -%>
+ <%= @active_response_level %>
+<%- end -%>
+<% if @active_response_agent_id -%>
+ <%= @active_response_agent_id %>
+<%- end -%>
+<% if !@active_response_rules_id.empty? -%>
+ <%= @active_response_rules_id.join(',') %>
+<%- end -%>
+<% if @active_response_timeout -%>
+ <%= @active_response_timeout %>
+<%- end -%>
+<% if !@active_response_repeated_offenders.empty? -%>
+ <%= @active_response_repeated_offenders.join(',') %>
 <%- end -%>
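Review bot: `!@active_response_rules_id.empty?` and `.join(',')` (and the same pair for repeated_offenders) assume an Array; a Hiera value given as a scalar — a single rule id `31153`, or the string `'30,60,120'` — raises NoMethodError in the template and aborts the whole ossec.conf render. Wrapping with `Array(...)` accepts both shapes: `<% if !Array(@active_response_rules_id).empty? -%>` and `<%= Array(@active_response_rules_id).join(',') %>`. The Windows branch still reads `@active_response_windows_ca_store`, which neither the define nor agent.pp supplies after this change (see the activeresponse.pp hunk), so that branch can no longer emit anything.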