From 7a8b21817bb196f4c63c13ce5d13c67fda17b311 Mon Sep 17 00:00:00 2001
From: Rshad Zhran
Date: Mon, 23 Mar 2020 20:23:31 +0100
Subject: [PATCH 1/9] Add more active-response variables to the template
---
 manifests/activeresponse.pp | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp
index 212cc9da..8780b4a9 100644
--- a/manifests/activeresponse.pp
+++ b/manifests/activeresponse.pp
@@ -1,13 +1,22 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 #Define for a specific ossec active-response
 define wazuh::activeresponse(
- $command_name,
- $ar_location = 'local',
- $ar_level = 7,
- $ar_agent_id = '',
- $ar_rules_id = [],
- $ar_timeout = 300,
- $ar_repeated_offenders = '',
+ $active_response_name = 'Rednering active-response template',
+ $active_response_disabled = undef,
+ $active_response_linux_ca_store = undef,
+ $active_response_ca_verification = undef,
+ $active_response_command = undef,
+ $active_response_location = undef,
+ $active_response_level = undef,
+ $active_response_agent_id = undef,
+ $active_response_rules_id = [],
+ $active_response_timeout = undef,
+ $active_response_repeated_offenders = [],
+
+ $target_arg = 'ossec.conf',
+ $order_arg = undef,
+ $before_arg = undef,
+ $content_arg = 'wazuh/fragments/_activeresponse.erb'
 ) {
 require wazuh::params_manager
From a6791b62e37e9827a64c97a754a9da8a0a1d6584 Mon Sep 17 00:00:00 2001
From: Rshad Zhran
Date: Mon, 23 Mar 2020 20:24:36 +0100
Subject: [PATCH 2/9] Parameterize concat::fragment variables for active-response template
---
 manifests/activeresponse.pp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp
index 8780b4a9..e4e685ee 100644
--- a/manifests/activeresponse.pp
+++ b/manifests/activeresponse.pp
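Review bot: The define declares `$active_response_linux_ca_store` but no `$active_response_windows_ca_store`, while the template it renders (patch 8) still branches on `@kernel == 'windows'` and reads `@active_response_windows_ca_store`, and the first agent.pp hunk of patch 3 removes the `$ossec_active_response_windows_ca_store` parameter that used to feed it; inside the define's scope that ivar resolves to nil, so the Windows CA-store setting can never be emitted again. Add `$active_response_windows_ca_store = undef,` beside the Linux one and pass it through from `wazuh::agent`. With `$command_name` gone and every parameter defaulting to undef, a declaration that sets nothing now compiles cleanly and renders a fragment with no command, which the old required parameter prevented; a comment stating which parameters are needed for a usable response (at least `$active_response_command`) would make that explicit. The define's body continues past this hunk.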
@@ -21,9 +21,10 @@
 require wazuh::params_manager
- concat::fragment { $name:
- target => 'ossec.conf',
- order => 55,
- content => template('wazuh/fragments/_activeresponse.erb')
+ concat::fragment { $active_response_name:
+ target => $target_arg,
+ order => $order_arg,
+ before => $before_arg,
+ content => template($content_arg)
 }
 }
From b11208b12849e167c24a7c2587b0068fc8714ac1 Mon Sep 17 00:00:00 2001
From: Rshad Zhran
Date: Mon, 23 Mar 2020 20:25:41 +0100
Subject: [PATCH 3/9] Complete active-response variables & use active-response class: agent
---
 manifests/agent.pp | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 44ffe954..d40b2779 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
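Review bot: Titling the concat::fragment with `$active_response_name` rather than the define's `$name` gives every instance that keeps the default the same fragment title, so two `wazuh::activeresponse` declarations on one node (patches 3 and 4 each add one, in `wazuh::agent` and `wazuh::manager`) fail with a duplicate resource declaration instead of producing two stanzas. Derive the title from the define's own title, e.g. `concat::fragment { "ossec.conf_active_response_${name}":`, and keep `$active_response_name` only as a descriptive label if it is needed at all. `order => $order_arg` with its undef default leaves ordering to concat's own default, which is worth stating in a comment since the old code pinned `order => 55`.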
@@ -187,10 +187,17 @@
 $audit_rules = $wazuh::params_agent::audit_rules,
 # active-response
- $ossec_active_response_disabled = $wazuh::params_agent::active_response_disabled,
- $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store,
- $ossec_active_response_windows_ca_store = $wazuh::params_agent::active_response_windows_ca_store,
- $ossec_active_response_ca_verification = $wazuh::params_agent::active_response_ca_verification,
+ $ossec_active_response_disabled = $wazuh::params_agent::active_response_disabled,
+ $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store,
+
+ $ossec_active_response_ca_verification = $wazuh::params_agent::active_response_ca_verification,
+ $ossec_active_response_command = $wazuh::params_manager::active_response_command,
+ $ossec_active_response_location = $wazuh::params_agent::active_response_location,
+ $ossec_active_response_level = $wazuh::params_agent::active_response_level,
+ $ossec_active_response_agent_id = $wazuh::params_agent::active_response_agent_id,
+ $ossec_active_response_rules_id = $wazuh::params_agent::active_response_rules_id,
+ $ossec_active_response_timeout = $wazuh::params_agent::active_response_timeout,
+ $ossec_active_response_repeated_offenders = $wazuh::params_agent::active_response_repeated_offenders,
 # Agent Labels
 $ossec_labels = $wazuh::params_agent::ossec_labels,
@@ -406,12 +413,19 @@
 }
 }
 if ($configure_active_response == true) {
- concat::fragment {
- 'ossec.conf_active_response':
- target => 'ossec.conf',
- order => 40,
- before => Service[$agent_service_name],
- content => template($ossec_active_response_template);
+ wazuh::activeresponse { 'blockWebattack':
+ active_response_disabled => $ossec_active_response_disabled,
+ active_response_linux_ca_store => $ossec_active_response_linux_ca_store,
+ active_response_ca_verification => $ossec_active_response_ca_verification,
+ active_response_command => $ossec_active_response_command,
+ active_response_location => $ossec_active_response_location,
+ active_response_level => $ossec_active_response_level,
+ active_response_agent_id => $ossec_active_response_agent_id,
+ active_response_rules_id => $ossec_active_response_rules_id,
+ active_response_timeout => $ossec_active_response_timeout,
+ active_response_repeated_offenders => $ossec_active_response_repeated_offenders,
+ order_arg => 40,
+ before_arg => Service[$agent_service_name]
 }
 }
From 73651c21185247a16a7895c61dee26d40133ee67 Mon Sep 17 00:00:00 2001
From: Rshad Zhran
Date: Mon, 23 Mar 2020 20:27:08 +0100
Subject: [PATCH 4/9] Add active-response variables & use activeresponse class: manager
---
 manifests/manager.pp | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/manifests/manager.pp b/manifests/manager.pp
index 0650d52e..0ec051ee 100644
--- a/manifests/manager.pp
+++ b/manifests/manager.pp
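Review bot: The old fragment rendered `template($ossec_active_response_template)`, but the new call omits `content_arg`, so the define's hard-coded `'wazuh/fragments/_activeresponse.erb'` is used and the class parameter `$ossec_active_response_template` (presumably still declared above; it is visible as a manager parameter in patch 4) silently stops doing anything for anyone who overrode it. Pass it through with `content_arg => $ossec_active_response_template,`; the manager hunk in patch 4 has the same gap. The title `'blockWebattack'` is also not what the define uses for the fragment it creates, so the former `'ossec.conf_active_response'` fragment title has no successor that other code could reference. The enclosing `if` sits in a class body that extends beyond the hunk.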
@@ -62,6 +62,16 @@
 $ossec_cluster_template = $wazuh::params_manager::ossec_cluster_template,
 $ossec_active_response_template = $wazuh::params_manager::ossec_active_response_template,
+ # active-response
+ $ossec_active_response_command = $wazuh::params_manager::active_response_command,
+ $ossec_active_response_location = $wazuh::params_manager::active_response_location,
+ $ossec_active_response_level = $wazuh::params_manager::active_response_level,
+ $ossec_active_response_agent_id = $wazuh::params_manager::active_response_agent_id,
+ $ossec_active_response_rules_id = $wazuh::params_manager::active_response_rules_id,
+ $ossec_active_response_timeout = $wazuh::params_manager::active_response_timeout,
+ $ossec_active_response_repeated_offenders = $wazuh::params_manager::active_response_repeated_offenders,
+
+
 ## Rootcheck
 $ossec_rootcheck_disabled = $wazuh::params_manager::ossec_rootcheck_disabled,
@@ -491,12 +501,16 @@
 }
 }
 if ($configure_active_response == true){
- concat::fragment {
- 'ossec.conf_active_response':
- order => 90,
- target => 'ossec.conf',
- content => template($ossec_active_response_template);
- }
+ wazuh::activeresponse { 'blockWebattack':
+ active_response_command => $ossec_active_response_command,
+ active_response_location => $ossec_active_response_location,
+ active_response_level => $ossec_active_response_level,
+ active_response_agent_id => $ossec_active_response_agent_id,
+ active_response_rules_id => $ossec_active_response_rules_id,
+ active_response_timeout => $ossec_active_response_timeout,
+ active_response_repeated_offenders => $ossec_active_response_repeated_offenders,
+ order_arg => 90
+ }
 }
 concat::fragment { 'ossec.conf_footer':
From 84cce8ef0f4577c3e9df03569ca8423f7ba52a34 Mon Sep 17 00:00:00 2001
From: Rshad Zhran
Date: Mon, 23 Mar 2020 20:28:20 +0100
Subject: [PATCH 5/9] Define rootcheck system audit list for the manager
---
 manifests/manager.pp | 1 +
 manifests/params_manager.pp | 1 +
 2 files changed, 2 insertions(+)
diff --git a/manifests/manager.pp b/manifests/manager.pp
index 0ec051ee..b4182233 100644
--- a/manifests/manager.pp
+++ b/manifests/manager.pp
@@ -87,6 +87,7 @@
 $ossec_rootcheck_rootkit_files = $wazuh::params_manager::ossec_rootcheck_rootkit_files,
 $ossec_rootcheck_rootkit_trojans = $wazuh::params_manager::ossec_rootcheck_rootkit_trojans,
 $ossec_rootcheck_skip_nfs = $wazuh::params_manager::ossec_rootcheck_skip_nfs,
+ $ossec_rootcheck_system_audit = $wazuh::params_manager::ossec_rootcheck_system_audit,
 # SCA
diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp
index 0895946c..9dc327f0 100644
--- a/manifests/params_manager.pp
+++ b/manifests/params_manager.pp
@@ -78,6 +78,7 @@
 $ossec_rootcheck_rootkit_files = '/var/ossec/etc/rootcheck/rootkit_files.txt'
 $ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/rootcheck/rootkit_trojans.txt'
 $ossec_rootcheck_skip_nfs = 'yes'
+ $ossec_rootcheck_system_audit = []
 # SCA
From ce60bbd320d9e03318820f564567aa9fc1a11871 Mon Sep 17 00:00:00 2001
From: Rshad Zhran
Date: Mon, 23 Mar 2020 20:28:46 +0100
Subject: [PATCH 6/9] Improve indentation
---
 manifests/manager.pp | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/manifests/manager.pp b/manifests/manager.pp
index b4182233..18766413 100644
--- a/manifests/manager.pp
+++ b/manifests/manager.pp
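Review bot: `$ossec_rootcheck_system_audit` is added to the class interface with an empty-array default, but nothing else in this series reads it, so unless the rootcheck template already references `@ossec_rootcheck_system_audit` the parameter is dead on arrival. A one-line comment above it stating what the elements are (presumably paths to audit policy files) and which template consumes them would make that checkable; the same applies to the params_manager.pp hunk below.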
@@ -91,26 +91,26 @@
 # SCA
- ## Amazon
- $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled,
- $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start,
- $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval,
- $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs,
- $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies,
-
- ## RHEL
- $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled,
- $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start,
- $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval,
- $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs,
- $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies,
-
- ##
- $sca_else_enabled = $wazuh::params_manager::sca_else_enabled,
- $sca_else_scan_on_start = $wazuh::params_manager::sca_else_scan_on_start,
- $sca_else_interval = $wazuh::params_manager::sca_else_interval,
- $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs,
- $sca_else_policies = $wazuh::params_manager::sca_else_policies,
+ ## Amazon
+ $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled,
+ $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start,
+ $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval,
+ $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs,
+ $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies,
+
+ ## RHEL
+ $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled,
+ $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start,
+ $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval,
+ $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs,
+ $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies,
+
+ ##
+ $sca_else_enabled = $wazuh::params_manager::sca_else_enabled,
+ $sca_else_scan_on_start = 
$wazuh::params_manager::sca_else_scan_on_start, + $sca_else_interval = $wazuh::params_manager::sca_else_interval, + $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs, + $sca_else_policies = $wazuh::params_manager::sca_else_policies, ## Wodles From c1db518ae2318f7ab0839aa5dd43c587c6f81a26 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Mon, 23 Mar 2020 20:29:20 +0100 Subject: [PATCH 7/9] Add active-response variables in params files --- manifests/manager.pp | 2 -- manifests/params_agent.pp | 10 ++++++++-- manifests/params_manager.pp | 10 ++++++++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/manifests/manager.pp b/manifests/manager.pp index 18766413..ec81d0ac 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp @@ -185,7 +185,6 @@ $syslog_output_format = $wazuh::params_manager::syslog_output_format, # Authd configuration - $ossec_auth_disabled = $wazuh::params_manager::ossec_auth_disabled, $ossec_auth_port = $wazuh::params_manager::ossec_auth_port, $ossec_auth_use_source_ip = $wazuh::params_manager::ossec_auth_use_source_ip, @@ -202,7 +201,6 @@ # syscheck - $ossec_syscheck_disabled = $wazuh::params_manager::ossec_syscheck_disabled, $ossec_syscheck_frequency = $wazuh::params_manager::ossec_syscheck_frequency, $ossec_syscheck_scan_on_start = $wazuh::params_manager::ossec_syscheck_scan_on_start, diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index 206c67bf..8c778ddd 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp 
@@ -69,9 +69,15 @@
 $ossec_local_files = $::wazuh::params_agent::default_local_files
 # active response
- $active_response_disabled = 'no'
+ $active_response_disabled = 'no'
+ $active_response_ca_verification = 'yes'
+ $active_response_location = undef
+ $active_response_level = undef
+ $active_response_agent_id = undef
+ $active_response_rules_id = []
+ $active_response_timeout = undef
+ $active_response_repeated_offenders = []
- $active_response_ca_verification = 'yes'
 # OS specific configurations
 case $::kernel {
diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp
index 9dc327f0..67ac5254 100644
--- a/manifests/params_manager.pp
+++ b/manifests/params_manager.pp
@@ -139,6 +139,16 @@
 $wodle_syscollector_ports = 'yes'
 $wodle_syscollector_processes = 'yes'
+
+ #active-response
+ $active_response_command = 'firewall-drop'
+ $active_response_location = 'local'
+ $active_response_level = 9
+ $active_response_agent_id = '001'
+ $active_response_rules_id = [31153,31151]
+ $active_response_timeout = 300
+ $active_response_repeated_offenders = ['30,60,120']
+
 #vulnerability-detector
 $vulnerability_detector_enabled = 'no'
From f9e17b2f05be6046aee322e3de18499892460dd6 Mon Sep 17 00:00:00 2001
From: Rshad Zhran
Date: Mon, 23 Mar 2020 20:29:44 +0100
Subject: [PATCH 8/9] Adapt activ-response template to look for activresponse class variables
---
 templates/fragments/_activeresponse.erb | 37 +++++++++++++++++++------
 1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/templates/fragments/_activeresponse.erb b/templates/fragments/_activeresponse.erb
index dcef284a..3acef7ba 100644
--- a/templates/fragments/_activeresponse.erb
+++ b/templates/fragments/_activeresponse.erb
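Review bot: The params_manager.pp defaults make a concrete response live out of the box: `firewall-drop` at level 9 for rules 31153 and 31151 against agent `'001'` with a 300 s timeout, and patch 4 now declares the `wazuh::activeresponse` instance from exactly these values whenever `configure_active_response` is true, so a manager that never configured an active response presumably starts executing that script on matching alerts once it picks up this module version. Use undef defaults as params_agent does for the same keys in the hunk above, so the stanza is only rendered once an operator sets a command, or at minimum document the defaults and the resulting behaviour in a comment above the block. `$active_response_repeated_offenders = ['30,60,120']` is a one-element array holding a comma string that only works because the template `join(',')`s it; write it as `[30,60,120]` to match the shape of `$active_response_rules_id`.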
@@ -1,19 +1,40 @@
-<% if @ossec_active_response_disabled -%>
- <%= @ossec_active_response_disabled %>
+<% if @active_response_disabled -%>
+ <%= @active_response_disabled %>
 <%- end -%>
 <%- if @kernel == 'windows' -%>
-<% if @ossec_active_response_windows_ca_store -%>
- <%= @ossec_active_response_windows_ca_store %>
+<% if @active_response_windows_ca_store -%>
+ <%= @active_response_windows_ca_store %>
 <%- end -%>
 <%- elsif @kernel == 'Linux' -%>
-<% if @ossec_active_response_linux_ca_store -%>
- <%= @ossec_active_response_linux_ca_store %>
+<% if @active_response_linux_ca_store -%>
+ <%= @active_response_linux_ca_store %>
 <%- end -%>
 <%- end -%>
-<% if @ossec_active_response_ca_verification -%>
- <%= @ossec_active_response_ca_verification %>
+<% if @active_response_ca_verification -%>
+ <%= @active_response_ca_verification %>
+<%- end -%>
+<% if @active_response_command -%>
+ <%= @active_response_command %>
+<%- end -%>
+<% if @active_response_location -%>
+ <%= @active_response_location %>
+<%- end -%>
+<% if @active_response_level -%>
+ <%= @active_response_level %>
+<%- end -%>
+<% if @active_response_agent_id -%>
+ <%= @active_response_agent_id %>
+<%- end -%>
+<% if !@active_response_rules_id.empty? -%>
+ <%= @active_response_rules_id.join(',') %>
+<%- end -%>
+<% if @active_response_timeout -%>
+ <%= @active_response_timeout %>
+<%- end -%>
+<% if !@active_response_repeated_offenders.empty? -%>
+ <%= @active_response_repeated_offenders.join(',') %>
 <%- end -%>
From 701a7e45f8999b127b440c425eabafd3cda50f8c Mon Sep 17 00:00:00 2001
From: Rshad Zhran
Date: Tue, 24 Mar 2020 11:24:29 +0100
Subject: [PATCH 9/9] Fix typos
---
 manifests/activeresponse.pp | 2 +-
 manifests/agent.pp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp
index e4e685ee..3340bd2b 100644
--- a/manifests/activeresponse.pp
+++ b/manifests/activeresponse.pp
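Review bot: `<% if !@active_response_rules_id.empty? -%>` and the matching `repeated_offenders` guard assume an Array; the define and params defaults are `[]`, but a Hiera override that supplies a scalar (a single rule id as an Integer, or a comma-separated String) raises NoMethodError on `empty?` or `join` at catalog compile time, unlike the other guards in this template which accept any truthy value. Coercing with Ruby's `Array()` handles both cases: `<% if !Array(@active_response_rules_id).empty? -%>` and `<%= Array(@active_response_rules_id).join(',') %>`, and likewise for repeated offenders. The guard order also renders `level` and `agent_id` whenever they are set, so a caller that only wants the `disabled`/CA settings must leave the other parameters undef; a header comment listing which ivars the template expects, and that they are injected by `wazuh::activeresponse`, would help the next person who edits it.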
@@ -1,7 +1,7 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 #Define for a specific ossec active-response
 define wazuh::activeresponse(
- $active_response_name = 'Rednering active-response template',
+ $active_response_name = 'Rendering active-response template',
 $active_response_disabled = undef,
 $active_response_linux_ca_store = undef,
 $active_response_ca_verification = undef,
diff --git a/manifests/agent.pp b/manifests/agent.pp
index d40b2779..b1e562c3 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -191,7 +191,7 @@
 $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store,
 $ossec_active_response_ca_verification = $wazuh::params_agent::active_response_ca_verification,
- $ossec_active_response_command = $wazuh::params_manager::active_response_command,
+ $ossec_active_response_command = $wazuh::params_agent::active_response_command,
 $ossec_active_response_location = $wazuh::params_agent::active_response_location,
 $ossec_active_response_level = $wazuh::params_agent::active_response_level,
 $ossec_active_response_agent_id = $wazuh::params_agent::active_response_agent_id,
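Review bot: The corrected reference `$wazuh::params_agent::active_response_command` in the agent.pp hunk points at a variable params_agent.pp never defines — the params_agent hunk in patch 7 adds location, level, agent_id, rules_id, timeout and repeated_offenders but no `$active_response_command` — so with `strict_variables` the agent catalog fails to compile, and without it the value is undef and the template emits the stanza without a command. Add `$active_response_command = undef` to params_agent.pp beside the other active-response defaults, or, if the agent-side stanza is meant to carry only the disabled/CA settings (which is all the pre-series code passed), drop the manager-style parameters from the agent call in patch 3 instead. The class parameter list continues beyond this hunk.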