From b6f3f869de88bc2b0856daee5018190a5422ce0b Mon Sep 17 00:00:00 2001 From: Artur Molchanov Date: Fri, 14 Feb 2020 11:40:08 +0300 Subject: [PATCH 01/35] Add a parameter ossec_rootcheck_ignore_list Add parameters: - wazuh::manager::ossec_rootcheck_ignore_list - wazuh::agent::ossec_rootcheck_ignore_list --- manifests/agent.pp | 1 + manifests/manager.pp | 1 + manifests/params_agent.pp | 1 + manifests/params_manager.pp | 1 + templates/fragments/_rootcheck.erb | 7 ++++++- 5 files changed, 10 insertions(+), 1 deletion(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index 4e0a70f2..f2581a93 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -79,6 +79,7 @@ $ossec_rootcheck_check_ports = $wazuh::params_agent::ossec_rootcheck_check_ports, $ossec_rootcheck_check_if = $wazuh::params_agent::ossec_rootcheck_check_if, $ossec_rootcheck_frequency = $wazuh::params_agent::ossec_rootcheck_frequency, + $ossec_rootcheck_ignore_list = $wazuh::params_agent::ossec_rootcheck_ignore_list, $ossec_rootcheck_rootkit_files = $wazuh::params_agent::ossec_rootcheck_rootkit_files, $ossec_rootcheck_rootkit_trojans = $wazuh::params_agent::ossec_rootcheck_rootkit_trojans, $ossec_rootcheck_skip_nfs = $wazuh::params_agent::ossec_rootcheck_skip_nfs, diff --git a/manifests/manager.pp b/manifests/manager.pp index 9a7fbf46..0650d52e 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp @@ -73,6 +73,7 @@ $ossec_rootcheck_check_ports = $wazuh::params_manager::ossec_rootcheck_check_ports, $ossec_rootcheck_check_if = $wazuh::params_manager::ossec_rootcheck_check_if, $ossec_rootcheck_frequency = $wazuh::params_manager::ossec_rootcheck_frequency, + $ossec_rootcheck_ignore_list = $wazuh::params_manager::ossec_rootcheck_ignore_list, $ossec_rootcheck_rootkit_files = $wazuh::params_manager::ossec_rootcheck_rootkit_files, $ossec_rootcheck_rootkit_trojans = $wazuh::params_manager::ossec_rootcheck_rootkit_trojans, $ossec_rootcheck_skip_nfs = $wazuh::params_manager::ossec_rootcheck_skip_nfs, 
diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index b2c3d002..f75c291e 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp @@ -113,6 +113,7 @@ $ossec_rootcheck_check_ports = 'yes' $ossec_rootcheck_check_if = 'yes' $ossec_rootcheck_frequency = 43200 + $ossec_rootcheck_ignore_list = [] $ossec_rootcheck_rootkit_files = '/var/ossec/etc/shared/rootkit_files.txt' $ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/shared/rootkit_trojans.txt' $ossec_rootcheck_skip_nfs = 'yes' diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp index 6c2b0717..412059cc 100644 --- a/manifests/params_manager.pp +++ b/manifests/params_manager.pp @@ -74,6 +74,7 @@ $ossec_rootcheck_check_ports = 'yes' $ossec_rootcheck_check_if = 'yes' $ossec_rootcheck_frequency = 43200 + $ossec_rootcheck_ignore_list = [] $ossec_rootcheck_rootkit_files = '/var/ossec/etc/rootcheck/rootkit_files.txt' $ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/rootcheck/rootkit_trojans.txt' $ossec_rootcheck_skip_nfs = 'yes' diff --git a/templates/fragments/_rootcheck.erb b/templates/fragments/_rootcheck.erb index 94fd4fd9..865149dd 100644 --- a/templates/fragments/_rootcheck.erb +++ b/templates/fragments/_rootcheck.erb @@ -29,6 +29,11 @@ <% if @ossec_rootcheck_frequency-%> <%= @ossec_rootcheck_frequency %> <%- end -%> + <%- if @ossec_rootcheck_ignore_list -%> + <%- @ossec_rootcheck_ignore_list.each do |ignore_element| -%> + <%= ignore_element %> + <%- end -%> + <%- end -%> <% if @ossec_rootcheck_rootkit_files-%> <%= @ossec_rootcheck_rootkit_files %> <%- end -%> @@ -37,7 +42,7 @@ <%- end -%> <% if @ossec_rootcheck_skip_nfs-%> <%= @ossec_rootcheck_skip_nfs%> - <%- end -%> + <%- end -%> <%- else -%> From a2638b77c23d9b132805d2bedd2fd36f5550815d Mon Sep 17 00:00:00 2001 
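Review bot: The new `ossec_rootcheck_ignore_list` parameters are untyped in `agent.pp` and `manager.pp`, so a caller who passes a single string instead of an array fails with a Ruby NoMethodError on `.each` inside `_rootcheck.erb` during catalog compilation rather than with a readable parameter error. Declaring them as `Array[String] $ossec_rootcheck_ignore_list = $wazuh::params_agent::ossec_rootcheck_ignore_list,` (and the `params_manager` twin) fails early and documents the contract. The `<%- if @ossec_rootcheck_ignore_list -%>` guard is always true for an empty array — an empty list simply renders nothing — so it only protects against `undef`; a short template comment such as `<%# undef-guard only; an empty list renders no entries %>` would stop the next reader from "fixing" it. Each element is interpolated verbatim into ossec.conf with no escaping, so the values are expected to be plain paths/patterns without XML-special characters; worth stating next to the parameter.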
From: Artur Molchanov Date: Mon, 17 Feb 2020 14:37:08 +0300 Subject: [PATCH 02/35] Add a parameter wazuh_api::manage_nodejs_package Add a parameter wazuh::wazuh_api::manage_nodejs_package for controlling nodejs package installation. if manage_nodejs_package == true (by default) nodejs repo and package will be installed. Otherwise the repo and the package should be configured by the user. --- manifests/wazuh_api.pp | 53 +++++++++++++++++++++++------------------- 1 file changed, 29 insertions(+), 24 deletions(-) diff --git a/manifests/wazuh_api.pp b/manifests/wazuh_api.pp index 67708a64..049fdada 100644 --- a/manifests/wazuh_api.pp +++ b/manifests/wazuh_api.pp @@ -1,37 +1,22 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) # Wazuh API installation class wazuh::wazuh_api ( - - $wazuh_api_package = 'wazuh-api', - $wazuh_api_service = 'wazuh-api', - $wazuh_api_version = '3.11.3-1', - $nodejs_package = 'nodejs' - + Boolean $manage_nodejs_package = true, + String[1] $nodejs_package = 'nodejs', + String[1] $wazuh_api_package = 'wazuh-api', + String[1] $wazuh_api_service = 'wazuh-api', + String[1] $wazuh_api_version = '3.11.3-1' ){ + if $manage_nodejs_package { + contain wazuh::wazuh_api::nodejs + } if $::osfamily == 'Debian' { - exec { 'Updating repositories...': - path => '/usr/bin', - command => 'curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -', - - } - package { $nodejs_package: - provider => 'apt', - } package { $wazuh_api_package: ensure => $wazuh_api_version, provider => 'apt', } - - }else{ - exec { 'Updating repositories...': - path => '/usr/bin', - command => 'curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -', - - } - package { $nodejs_package: - provider => 'yum', - } + } else { package { $wazuh_api_package: ensure => $wazuh_api_version, provider => 'yum', 
@@ -42,7 +27,27 @@ ensure => running, enable => true, provider => 'systemd', + require => Package[$wazuh_api_package], } +} +class wazuh::wazuh_api::nodejs { + if $::osfamily == 'Debian' { + exec { 'Updating repositories...': + path => '/usr/bin', + command => 'curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -', + } + package { $nodejs_package: + provider => 'apt', + } + } else { + exec { 'Updating repositories...': + path => '/usr/bin', + command => 'curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -', + } + package { $nodejs_package: + provider => 'yum', + } + } } From a2cdcc1754af97af44988436ccbbcb0f4805c2ff Mon Sep 17 00:00:00 2001 From: Deepjyoti Mondal Date: Thu, 20 Feb 2020 00:50:05 +0530 Subject: [PATCH 03/35] Fixes #215: Fix audit package name for Debian This PR intends to fix the audit package name in Debian systems, so that package installation works for Debian as well. --- manifests/agent.pp | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index 4e0a70f2..afd74a6f 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -208,12 +208,25 @@ validate_string($agent_service_name) if (( $ossec_syscheck_whodata_directories_1 == 'yes' ) or ( $ossec_syscheck_whodata_directories_2 == 'yes' )) { - package { 'Installing Audit...': - name => 'audit', - } - service { 'auditd': - ensure => running, - enable => true, + case $::kernel { + 'Linux': { + case $::operatingsystem { + 'Debian', 'debian', 'Ubuntu', 'ubuntu': { + package { 'Installing Audit...': + name => 'auditd', + } + } + default: { + package { 'Installing Audit...': + name => 'audit', + } + } + } + service { 'auditd': + ensure => running, + enable => true, + } + } } } From 3dff1e3a32892aa971ead48c9da5858d0d807bd7 Mon Sep 17 00:00:00 2001 
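Review bot: The new class `wazuh::wazuh_api::nodejs` uses `$nodejs_package` as the title of both `package` resources but declares no such parameter; the parameter now lives on `wazuh::wazuh_api`, and a `contain`ed class does not see its parent's parameters, so the title resolves to undef and compilation should fail with a missing-title error. Give the class its own parameter, `class wazuh::wazuh_api::nodejs (String[1] $nodejs_package = 'nodejs') {`, and pass the value down from `wazuh::wazuh_api`. Both `exec { 'Updating repositories...': }` resources also lack `creates`/`unless`, so the remote `setup_8.x` script is downloaded and re-run on every agent run, and nothing orders `package { $nodejs_package: }` after the exec; add `require => Exec['Updating repositories...']` to the package. The body of `wazuh::wazuh_api` (service resource) starts outside the first hunk.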
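Review bot: `service { 'auditd': ensure => running }` has no ordering against `package { 'Installing Audit...': }`, and Puppet does not auto-require a package from a service, so on a fresh Debian host the service can be started before `auditd` is installed and the first run fails. Add `require => Package['Installing Audit...'],` to the service. Matching `$::operatingsystem` against both `'Debian'` and `'debian'` is redundant (the fact is reported capitalised) and misses other Debian derivatives that also name the package `auditd`; `case $::osfamily { 'Debian': ... }` is the usual selector, to be confirmed against the distributions this module supports. The `case $::kernel` silently does nothing on non-Linux kernels although whodata was requested; a `default: { warning('whodata requires auditd; unsupported kernel') }` branch makes that visible. The enclosing `wazuh::agent` body continues outside the hunk.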
From: Alan Evans Date: Fri, 21 Feb 2020 17:32:36 -0700 Subject: [PATCH 04/35] Always treat $ossec_emailnotification as a boolean --- manifests/manager.pp | 3 ++- manifests/params_manager.pp | 2 +- templates/wazuh_manager.conf.erb | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/manifests/manager.pp b/manifests/manager.pp index 9a7fbf46..0e26b210 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp @@ -279,7 +279,8 @@ # This allows arrays of integers, sadly # (commented due to stdlib version requirement) - if ($ossec_emailnotification == true) { + validate_bool($ossec_emailnotification) + if ($ossec_emailnotification) { if $ossec_smtp_server == undef { fail('$ossec_emailnotification is enabled but $smtp_server was not set') } diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp index 6c2b0717..1e92259e 100644 --- a/manifests/params_manager.pp +++ b/manifests/params_manager.pp @@ -13,7 +13,7 @@ ### Ossec.conf blocks ## Global - $ossec_emailnotification = 'no' + $ossec_emailnotification = false $ossec_emailto = ['recipient@example.wazuh.com'] $ossec_smtp_server = 'smtp.example.wazuh.com' $ossec_emailfrom = 'ossecm@example.wazuh.com' diff --git a/templates/wazuh_manager.conf.erb b/templates/wazuh_manager.conf.erb index e855dc1a..f7c24900 100644 --- a/templates/wazuh_manager.conf.erb +++ b/templates/wazuh_manager.conf.erb @@ -4,7 +4,7 @@ no no <%- if @ossec_emailnotification -%> - no + yes <%- @ossec_emailto.each do |emailto| -%> <%= emailto %> <%- end -%> From 855de23d303a8cce5d973d243ed0228b82d9e507 Mon Sep 17 00:00:00 2001 
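Review bot: `validate_bool($ossec_emailnotification)` in `manager.pp` turns every existing deployment that still sets the old string form (`'yes'`/`'no'`, the previous default) into a catalog failure, and the stdlib `validate_*` functions are deprecated. Since the intent is to always treat the value as a boolean, declare it in the parameter list as `Boolean $ossec_emailnotification = $wazuh::params_manager::ossec_emailnotification,` and drop the call; the resulting type error names the parameter and the caller, which `validate_bool` does not. While here, the retained message `'$ossec_emailnotification is enabled but $smtp_server was not set'` refers to `$smtp_server` although the variable checked is `$ossec_smtp_server`. The `wazuh::manager` class starts and ends outside the hunk.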
From: Deepjyoti Mondal Date: Mon, 9 Mar 2020 20:03:10 +0530 Subject: [PATCH 05/35] Fixes #225 : Option to configure audit rules from this module itself The PR implements the option to configure audit rules from the Wazuh module it self. This also moves audit configuration and installation to a separate pp file for better management. --- manifests/agent.pp | 17 ++++++++++------ manifests/audit.pp | 41 +++++++++++++++++++++++++++++++++++++++ manifests/params_agent.pp | 6 ++++++ templates/audit_rules.erb | 18 +++++++++++++++++ 4 files changed, 76 insertions(+), 6 deletions(-) create mode 100644 manifests/audit.pp create mode 100644 templates/audit_rules.erb diff --git a/manifests/agent.pp b/manifests/agent.pp index 4e0a70f2..4824b8e7 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -177,6 +177,12 @@ $ossec_syscheck_skip_nfs = $wazuh::params_agent::ossec_syscheck_skip_nfs, $ossec_syscheck_windows_audit_interval = $wazuh::params_agent::windows_audit_interval, + # Audit + $audit_manage_rules = $wazuh::params_agent::audit_manage_rules, + $audit_buffer_bytes = $wazuh::params_agent::audit_buffer_bytes, + $audit_backlog_wait_time = $wazuh::params_agent::audit_backlog_wait_time, + $audit_rules = $wazuh::params_agent::audit_rules, + # active-response $ossec_active_response_disabled = $wazuh::params_agent::active_response_disabled, $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store, @@ -208,12 +214,11 @@ validate_string($agent_service_name) if (( $ossec_syscheck_whodata_directories_1 == 'yes' ) or ( $ossec_syscheck_whodata_directories_2 == 'yes' )) { - package { 'Installing Audit...': - name => 'audit', - } - service { 'auditd': - ensure => running, - enable => true, + class { "wazuh::audit": + audit_manage_rules => $audit_manage_rules, + audit_backlog_wait_time => $audit_backlog_wait_time, + audit_buffer_bytes => $audit_buffer_bytes, + audit_rules => $audit_rules, } } 
diff --git a/manifests/audit.pp b/manifests/audit.pp
new file mode 100644
index 00000000..19784e75
--- /dev/null
+++ b/manifests/audit.pp
@@ -0,0 +1,41 @@
+class wazuh::audit (
+ $audit_manage_rules = false,
+ $audit_buffer_bytes = "8192",
+ $audit_backlog_wait_time = "0",
+ $audit_rules = [],
+) {
+
+ case $::kernel {
+ 'Linux': {
+ case $::operatingsystem {
+ 'Debian', 'debian', 'Ubuntu', 'ubuntu': {
+ package { 'Installing Audit...':
+ name => 'auditd',
+ }
+ }
+ default: {
+ package { 'Installing Audit...':
+ name => 'audit'
+ }
+ }
+ }
+
+ service { 'auditd':
+ ensure => running,
+ enable => true,
+ }
+
+ if $audit_manage_rules == true {
+
+ file { 'Configure audit.rules':
+ owner => 'root',
+ group => 'root',
+ path => '/etc/audit/rules.d/audit.rules',
+ mode => '0644',
+ notify => Service['auditd'], ## Restarts the service
+ content => template('wazuh/audit_rules.erb')
+ }
+ }
+ }
+ }
+}
diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp
index 2f034cc2..009b408c 100644
--- a/manifests/params_agent.pp
+++ b/manifests/params_agent.pp
@@ -224,6 +224,12 @@
 $ossec_syscheck_nodiff = '/etc/ssl/private.key'
 $ossec_syscheck_skip_nfs = 'yes'
 
+ # Audit
+ $audit_manage_rules = false
+ $audit_buffer_bytes = "8192"
+ $audit_backlog_wait_time = "0"
+ $audit_rules = []
+
 # active-response
 
 $active_response_linux_ca_store = '/var/ossec/etc/wpk_root.pem'
diff --git a/templates/audit_rules.erb b/templates/audit_rules.erb
new file mode 100644
index 00000000..ba36c3d3
--- /dev/null
+++ b/templates/audit_rules.erb
@@ -0,0 +1,18 @@
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b <%= @audit_buffer_bytes %>
+
+## This determine how long to wait in burst of events
+--backlog_wait_time <%= @audit_backlog_wait_time %>
+
+## Set failure mode to syslog
+-f 1
+
+<% if !@audit_rules.empty? -%>
+ <% @audit_rules.each do |audit_rule| -%>
+ <%= audit_rule %>
+ <%- end -%>
+<%- end -%>
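Review bot: In the new `wazuh::audit` class `service { 'auditd': }` is not ordered after `package { 'Installing Audit...': }`, so on a fresh host Puppet may try to start auditd before it is installed; add `require => Package['Installing Audit...'],` to the service. Reloading rules through `notify => Service['auditd']` is also fragile: on systemd hosts whose auditd unit sets `RefuseManualStop` (RHEL/CentOS ship it that way, to be confirmed for the targets here) `systemctl restart auditd` is refused and the run reports a failure, whereas an `exec { 'augenrules --load': refreshonly => true, subscribe => File['Configure audit.rules'] }` loads `/etc/audit/rules.d/*.rules` the way the distribution tooling does. The class header should document that `$audit_buffer_bytes` and `$audit_backlog_wait_time` are passed verbatim into `-b` / `--backlog_wait_time` in the generated file and that `-D` at its top flushes any rules already loaded, e.g. `# Renders /etc/audit/rules.d/audit.rules; the file starts with -D, so rules loaded from other files are dropped on reload`.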
From 0b92465e026b8a327c50ac7dd242323eea45d916 Mon Sep 17 00:00:00 2001 From: Deepjyoti Mondal Date: Mon, 9 Mar 2020 20:42:27 +0530 Subject: [PATCH 06/35] Fixes #227 : Add system_audit subsection in rootcheck The PR adds system_audit subsection configuration in rootcheck --- manifests/agent.pp | 1 + manifests/params_agent.pp | 8 ++++++++ templates/fragments/_rootcheck.erb | 5 +++++ 3 files changed, 14 insertions(+) diff --git a/manifests/agent.pp b/manifests/agent.pp index 4e0a70f2..fa8703cc 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -81,6 +81,7 @@ $ossec_rootcheck_frequency = $wazuh::params_agent::ossec_rootcheck_frequency, $ossec_rootcheck_rootkit_files = $wazuh::params_agent::ossec_rootcheck_rootkit_files, $ossec_rootcheck_rootkit_trojans = $wazuh::params_agent::ossec_rootcheck_rootkit_trojans, + $ossec_rootcheck_system_audit = $wazuh::params_agent::default_rootcheck_system_audit, $ossec_rootcheck_skip_nfs = $wazuh::params_agent::ossec_rootcheck_skip_nfs, diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index 2f034cc2..441772a2 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp @@ -73,6 +73,9 @@ $active_response_ca_verification = 'yes' + ## system audit + $ossec_rootcheck_system_audit = $::wazuh::params_agent::default_rootcheck_system_audit + # OS specific configurations case $::kernel { 'Linux': { @@ -233,6 +236,11 @@ $manage_repo = true + $default_rootcheck_system_audit = [ + "./shared/system_audit_rcl.txt", + "./shared/system_audit_ssh.txt", + ] + case $::osfamily { 'Debian': { $service_has_status = false diff --git a/templates/fragments/_rootcheck.erb b/templates/fragments/_rootcheck.erb index 94fd4fd9..ad7aa58a 100644 --- a/templates/fragments/_rootcheck.erb +++ b/templates/fragments/_rootcheck.erb 
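Review bot: `$ossec_rootcheck_system_audit = $::wazuh::params_agent::default_rootcheck_system_audit` is assigned near the top of `params_agent.pp`, but `$default_rootcheck_system_audit` is only defined in the second hunk further down the same class; Puppet evaluates a class body top to bottom, so at that point the value is undef (an error with `strict_variables = true`), and `agent.pp` then reads `default_rootcheck_system_audit` directly rather than the alias. Define the list once before its first use and keep a single name, e.g. have `agent.pp` default to `$wazuh::params_agent::ossec_rootcheck_system_audit,`. The relative paths `./shared/system_audit_rcl.txt` are resolved against the agent's working directory, which is only `/var/ossec` when the daemon chroots; to be confirmed against the shipped default `ossec.conf`. The Windows branch of the class does not set the variable at all, so only the template's `if` guard keeps Windows agents from failing.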
@@ -35,6 +35,11 @@ <% if @ossec_rootcheck_rootkit_trojans-%> <%= @ossec_rootcheck_rootkit_trojans %> <%- end -%> + <%- if @ossec_rootcheck_system_audit -%> + <%- @ossec_rootcheck_system_audit.each do |audit_file| -%> + <%= audit_file %> + <%- end -%> + <%- end -%> <% if @ossec_rootcheck_skip_nfs-%> <%= @ossec_rootcheck_skip_nfs%> <%- end -%> From d1f4aa74dc134c40d99c695444e98732f70e408d Mon Sep 17 00:00:00 2001 From: rshad Date: Mon, 9 Mar 2020 18:43:01 +0000 Subject: [PATCH 07/35] move var: nodejs_package to nodejs class --- manifests/wazuh_api.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/wazuh_api.pp b/manifests/wazuh_api.pp index be905e7d..9e097a77 100644 --- a/manifests/wazuh_api.pp +++ b/manifests/wazuh_api.pp @@ -6,7 +6,6 @@ $wazuh_api_package = 'wazuh-api', $wazuh_api_service = 'wazuh-api', $wazuh_api_version = '3.11.4-1', - $nodejs_package = 'nodejs', ){ if $manage_nodejs_package { @@ -33,7 +32,9 @@ } } -class wazuh::wazuh_api::nodejs { +class wazuh::wazuh_api::nodejs ( + $nodejs_package = 'nodejs' +){ if $::osfamily == 'Debian' { exec { 'Updating repositories...': path => '/usr/bin', From f7fa74ef4e28b4a3f8a50ac67dc98af8753c945e Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 11 Mar 2020 11:47:23 +0100 Subject: [PATCH 08/35] Upgrade to NodeJS 10 --- manifests/wazuh_api.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/wazuh_api.pp b/manifests/wazuh_api.pp index 9e097a77..5ed69f3c 100644 --- a/manifests/wazuh_api.pp +++ b/manifests/wazuh_api.pp @@ -38,7 +38,7 @@ if $::osfamily == 'Debian' { exec { 'Updating repositories...': path => '/usr/bin', - command => 'curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -', + command => 'curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -', } package { $nodejs_package: provider => 'apt', 
@@ -46,7 +46,7 @@ } else { exec { 'Updating repositories...': path => '/usr/bin', - command => 'curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -', + command => 'curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -', } package { $nodejs_package: From 8d0455200b489a27d83fa9473ff6738076ec5f86 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 11 Mar 2020 13:07:08 +0100 Subject: [PATCH 09/35] Remove trailing whitespace --- manifests/wazuh_api.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/wazuh_api.pp b/manifests/wazuh_api.pp index 5ed69f3c..279adfa4 100644 --- a/manifests/wazuh_api.pp +++ b/manifests/wazuh_api.pp @@ -1,7 +1,7 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) # Wazuh API installation class wazuh::wazuh_api ( - + $manage_nodejs_package = true, $wazuh_api_package = 'wazuh-api', $wazuh_api_service = 'wazuh-api', From 5149941d3757bb1fd3574759eba7b5d11ec84d0f Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Wed, 11 Mar 2020 13:22:18 +0100 Subject: [PATCH 10/35] Moved nodejs class --- manifests/wazuh_api.pp | 23 ----------------------- manifests/wazuh_api/node_js.pp | 26 ++++++++++++++++++++++++++ 2 files changed, 26 insertions(+), 23 deletions(-) create mode 100644 manifests/wazuh_api/node_js.pp diff --git a/manifests/wazuh_api.pp b/manifests/wazuh_api.pp index 279adfa4..d0be37bb 100644 --- a/manifests/wazuh_api.pp +++ b/manifests/wazuh_api.pp 
@@ -31,26 +31,3 @@
 require => Package[$wazuh_api_package],
 }
 }
-
-class wazuh::wazuh_api::nodejs (
- $nodejs_package = 'nodejs'
-){
- if $::osfamily == 'Debian' {
- exec { 'Updating repositories...':
- path => '/usr/bin',
- command => 'curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -',
- }
- package { $nodejs_package:
- provider => 'apt',
- }
- } else {
- exec { 'Updating repositories...':
- path => '/usr/bin',
- command => 'curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -',
-
- }
- package { $nodejs_package:
- provider => 'yum',
- }
- }
-}
diff --git a/manifests/wazuh_api/node_js.pp b/manifests/wazuh_api/node_js.pp
new file mode 100644
index 00000000..b8c4cbcf
--- /dev/null
+++ b/manifests/wazuh_api/node_js.pp
@@ -0,0 +1,26 @@
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh API installation
+
+class wazuh::wazuh_api::nodejs (
+ $nodejs_package = 'nodejs'
+){
+ if $::osfamily == 'Debian' {
+ exec { 'Updating repositories...':
+ path => '/usr/bin',
+ command => 'curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -',
+ }
+ package { $nodejs_package:
+ provider => 'apt',
+ }
+ } else {
+ exec { 'Updating repositories...':
+ path => '/usr/bin',
+ command => 'curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -',
+
+ }
+ package { $nodejs_package:
+ provider => 'yum',
+ }
+ }
+}
+
From 86301a9aa13f5a0e4dbd7396e2f444318aae566e Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez
Date: Wed, 11 Mar 2020 13:30:25 +0100
Subject: [PATCH 11/35] Rename file
---
 manifests/wazuh_api/{node_js.pp => nodejs.pp} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename manifests/wazuh_api/{node_js.pp => nodejs.pp} (100%)
diff --git a/manifests/wazuh_api/node_js.pp b/manifests/wazuh_api/nodejs.pp
similarity index 100%
rename from manifests/wazuh_api/node_js.pp
rename to manifests/wazuh_api/nodejs.pp
From c0cfbd1994df51336f3acf93d02ce3ad4f6ff8b9 Mon Sep 17 00:00:00 2001
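Review bot: `curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -` (and the RPM twin) executes an unpinned, unverified remote script as root, and because the `exec` has no `creates`/`unless`/`refreshonly` it does so on every Puppet run on every node — a change or compromise upstream lands immediately fleet-wide. Prefer declaring the NodeSource repository and its GPG key with `apt::source` / `yumrepo` if those modules are available here (not visible from this file), or at minimum make the exec idempotent with `creates => '/etc/apt/sources.list.d/nodesource.list'` on Debian and `creates => '/etc/yum.repos.d/nodesource-el.repo'` on RPM, and order the package with `require => Exec['Updating repositories...']`. `sudo -E` is redundant and possibly absent since the agent already runs as root (the RPM branch does not use it), and the pipe in the command only works because the string is handed to a shell — `provider => shell` makes that explicit. `path => '/usr/bin'` also omits `/bin`, where `bash` lives on older Debian releases.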
From: Rshad Zhran Date: Wed, 18 Mar 2020 16:20:34 +0100 Subject: [PATCH 12/35] Remove default rules from audit rules temp. --- templates/audit_rules.erb | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/templates/audit_rules.erb b/templates/audit_rules.erb index ba36c3d3..3ffab3b2 100644 --- a/templates/audit_rules.erb +++ b/templates/audit_rules.erb @@ -1,18 +1,5 @@ -## First rule - delete all --D - -## Increase the buffers to survive stress events. -## Make this bigger for busy systems --b <%= @audit_buffer_bytes %> - -## This determine how long to wait in burst of events ---backlog_wait_time <%= @audit_backlog_wait_time %> - -## Set failure mode to syslog --f 1 - <% if !@audit_rules.empty? -%> - <% @audit_rules.each do |audit_rule| -%> - <%= audit_rule %> - <%- end -%> +<% @audit_rules.each do |audit_rule| -%> +<%= audit_rule %> +<%- end -%> <%- end -%> From 5972eeef87dc906a072f41ff1714858d694c8498 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Wed, 18 Mar 2020 16:20:57 +0100 Subject: [PATCH 13/35] Define default audit rules in agent params --- manifests/params_agent.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index 009b408c..24aa8925 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp @@ -228,7 +228,12 @@ $audit_manage_rules = false $audit_buffer_bytes = "8192" $audit_backlog_wait_time = "0" - $audit_rules = [] + $audit_rules = [ + '-D', + "-b ${audit_buffer_bytes}", + "--backlog_wait_time ${audit_backlog_wait_time}", + "-f 1" + ] # active-response $active_response_linux_ca_store = '/var/ossec/etc/wpk_root.pem' From 16619a41df65abd9f1df59dfc262bd2ba7cde9a9 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Wed, 18 Mar 2020 16:30:07 +0100 Subject: [PATCH 14/35] Remove -D "delete loaded rules" from audit rules var. --- manifests/params_agent.pp | 1 - 1 file changed, 1 deletion(-) 
diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index 24aa8925..abdaad8e 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp @@ -229,7 +229,6 @@ $audit_buffer_bytes = "8192" $audit_backlog_wait_time = "0" $audit_rules = [ - '-D', "-b ${audit_buffer_bytes}", "--backlog_wait_time ${audit_backlog_wait_time}", "-f 1" From 96e2e8993db1c4a391228d69c181e756ab8cb045 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Wed, 18 Mar 2020 18:55:31 +0100 Subject: [PATCH 15/35] Fix condition to check if a list is empty --- templates/fragments/_rootcheck.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/fragments/_rootcheck.erb b/templates/fragments/_rootcheck.erb index ad7aa58a..f2ba1f5d 100644 --- a/templates/fragments/_rootcheck.erb +++ b/templates/fragments/_rootcheck.erb @@ -35,7 +35,7 @@ <% if @ossec_rootcheck_rootkit_trojans-%> <%= @ossec_rootcheck_rootkit_trojans %> <%- end -%> - <%- if @ossec_rootcheck_system_audit -%> + <%- if !@ossec_rootcheck_system_audit.empty? -%> <%- @ossec_rootcheck_system_audit.each do |audit_file| -%> <%= audit_file %> <%- end -%> From 624daa7329176fc30fa571343f5aead28cc649d0 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Wed, 18 Mar 2020 18:56:28 +0100 Subject: [PATCH 16/35] Defined sys. audit files for both linux and windows & removed auxiliary var. --- manifests/params_agent.pp | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index 441772a2..63a861bf 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp @@ -73,9 +73,6 @@ $active_response_ca_verification = 'yes' - ## system audit - $ossec_rootcheck_system_audit = $::wazuh::params_agent::default_rootcheck_system_audit - # OS specific configurations case $::kernel { 'Linux': { 
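Review bot: `<%- if !@ossec_rootcheck_system_audit.empty? -%>` raises a NoMethodError at catalog compile time when the variable is `undef`/nil, whereas the previous `if @ossec_rootcheck_system_audit` tolerated it; `params_agent.pp` only assigns this variable inside the kernel-specific branches of `case $::kernel`, so any other kernel (or a caller passing `undef`) would now break. Use `<%- if @ossec_rootcheck_system_audit && !@ossec_rootcheck_system_audit.empty? -%>`, or keep the plain truthiness test, since `each` over an empty array already renders nothing.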
@@ -119,6 +116,10 @@ $ossec_rootcheck_rootkit_files = '/var/ossec/etc/shared/rootkit_files.txt' $ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/shared/rootkit_trojans.txt' $ossec_rootcheck_skip_nfs = 'yes' + $ossec_rootcheck_system_audit = [ + "/var/ossec/etc/shared/system_audit_rcl.txt", + "/var/ossec/etc/shared/system_audit_ssh.txt", + ] # SCA @@ -236,11 +237,6 @@ $manage_repo = true - $default_rootcheck_system_audit = [ - "./shared/system_audit_rcl.txt", - "./shared/system_audit_ssh.txt", - ] - case $::osfamily { 'Debian': { $service_has_status = false @@ -409,6 +405,7 @@ $ossec_rootcheck_windows_disabled = 'no' $ossec_rootcheck_windows_windows_apps = './shared/win_applications_rcl.txt' $ossec_rootcheck_windows_windows_malware = './shared/win_malware_rcl.txt' + $ossec_rootcheck_system_audit = [] # sca $sca_windows_enabled = 'yes' From 057f54eb9a4a6453dfbc6a99faec0a69f5aea988 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Wed, 18 Mar 2020 18:56:49 +0100 Subject: [PATCH 17/35] Change variable name --- manifests/agent.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index fa8703cc..e7ba26ad 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -81,8 +81,8 @@ $ossec_rootcheck_frequency = $wazuh::params_agent::ossec_rootcheck_frequency, $ossec_rootcheck_rootkit_files = $wazuh::params_agent::ossec_rootcheck_rootkit_files, $ossec_rootcheck_rootkit_trojans = $wazuh::params_agent::ossec_rootcheck_rootkit_trojans, - $ossec_rootcheck_system_audit = $wazuh::params_agent::default_rootcheck_system_audit, $ossec_rootcheck_skip_nfs = $wazuh::params_agent::ossec_rootcheck_skip_nfs, + $ossec_rootcheck_system_audit = $wazuh::params_agent::ossec_rootcheck_system_audit, # rootcheck windows From f8614d0415ac5bfb703a8a9b6b61b21e89ef0235 Mon Sep 17 00:00:00 2001 
From: Rshad Zhran Date: Wed, 18 Mar 2020 19:00:53 +0100 Subject: [PATCH 18/35] Set system audit files array to empty by default --- manifests/params_agent.pp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index 63a861bf..b2d73925 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp @@ -116,10 +116,9 @@ $ossec_rootcheck_rootkit_files = '/var/ossec/etc/shared/rootkit_files.txt' $ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/shared/rootkit_trojans.txt' $ossec_rootcheck_skip_nfs = 'yes' - $ossec_rootcheck_system_audit = [ - "/var/ossec/etc/shared/system_audit_rcl.txt", - "/var/ossec/etc/shared/system_audit_ssh.txt", - ] + + # Example: ["/var/ossec/etc/shared/system_audit_rcl.txt"] + $ossec_rootcheck_system_audit = [] # SCA From 1f864e6712ee164a4c82bce79465075656644522 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Fri, 20 Mar 2020 14:06:08 +0100 Subject: [PATCH 19/35] Fix variable name in agent.pp --- manifests/agent.pp | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index 9a50ef43..d0dcec6b 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp 
@@ -167,12 +167,8 @@
 $ossec_syscheck_auto_ignore = $wazuh::params_agent::ossec_syscheck_auto_ignore,
 $ossec_syscheck_directories_1 = $wazuh::params_agent::ossec_syscheck_directories_1,
 $ossec_syscheck_directories_2 = $wazuh::params_agent::ossec_syscheck_directories_2,
- $ossec_syscheck_
-
-
-
-
- _directories_1 = $wazuh::params_agent::ossec_syscheck_whodata_directories_1,
+
+ $ossec_syscheck_whodata_directories_1 = $wazuh::params_agent::ossec_syscheck_whodata_directories_1,
 $ossec_syscheck_realtime_directories_1 = $wazuh::params_agent::ossec_syscheck_realtime_directories_1,
 $ossec_syscheck_whodata_directories_2 = $wazuh::params_agent::ossec_syscheck_whodata_directories_2,
 $ossec_syscheck_realtime_directories_2 = $wazuh::params_agent::ossec_syscheck_realtime_directories_2,
From 697bad3e571aca7820308669e71f6cd52d67cac1 Mon Sep 17 00:00:00 2001
From: Rshad Zhran
Date: Fri, 20 Mar 2020 16:18:45 +0100
Subject: [PATCH 20/35] Append to audit rules file instead of overwriting & removed the template
---
 manifests/audit.pp | 16 +++++++++-------
 templates/audit_rules.erb | 5 -----
 2 files changed, 9 insertions(+), 12 deletions(-)
 delete mode 100644 templates/audit_rules.erb
diff --git a/manifests/audit.pp b/manifests/audit.pp
index 19784e75..612b8650 100644
--- a/manifests/audit.pp
+++ b/manifests/audit.pp
@@ -26,14 +26,16 @@
 }
 
 if $audit_manage_rules == true {
+ file { '/etc/audit/rules.d/audit.rules':
+ ensure => present
+ }
 
- file { 'Configure audit.rules':
- owner => 'root',
- group => 'root',
- path => '/etc/audit/rules.d/audit.rules',
- mode => '0644',
- notify => Service['auditd'], ## Restarts the service
- content => template('wazuh/audit_rules.erb')
+ $audit_rules.each |String $rule| {
+ file_line { "Append rule ${rule} to /etc/audit/rules.d/audit.rules":
+ path => '/etc/audit/rules.d/audit.rules',
+ line => $rule,
+ require => File['/etc/audit/rules.d/audit.rules']
+ }
 }
 }
 }
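Review bot: Moving to `file_line` drops the `notify => Service['auditd']` the replaced `file` resource carried, so rules are appended to `/etc/audit/rules.d/audit.rules` but nothing loads them into the kernel until auditd is restarted by something else. The approach is also append-only: a rule removed from `$audit_rules` stays in the file forever, so the file drifts from the declared state, and the bare `file { ...: ensure => present }` sets no owner/group/mode where the old resource enforced `root:root 0644`. Managing the whole content converges and restores the reload; `join` is available from stdlib (already used by this module via `validate_string`) or Puppet >= 5.5, and an `augenrules --load` exec is preferable to a service restart on RHEL-family hosts whose auditd unit sets `RefuseManualStop` (to be confirmed for the targets). If `file_line` must be kept, at least add `notify => Service['auditd'],` and `mode => '0640',`.

```puppet
if $audit_manage_rules == true {
  file { '/etc/audit/rules.d/audit.rules':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    # one rule per line; a rule dropped from $audit_rules is removed on the next run
    content => "${join($audit_rules, "\n")}\n",
    notify  => Exec['augenrules --load'],
  }
  exec { 'augenrules --load':
    path        => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
    refreshonly => true,
    require     => Service['auditd'],
  }
}
# … unchanged: package / service resources above …
```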
diff --git a/templates/audit_rules.erb b/templates/audit_rules.erb deleted file mode 100644 index 3ffab3b2..00000000 --- a/templates/audit_rules.erb +++ /dev/null @@ -1,5 +0,0 @@ -<% if !@audit_rules.empty? -%> -<% @audit_rules.each do |audit_rule| -%> -<%= audit_rule %> -<%- end -%> -<%- end -%> From 7a8b21817bb196f4c63c13ce5d13c67fda17b311 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Mon, 23 Mar 2020 20:23:31 +0100 Subject: [PATCH 21/35] Add more active-response variables to the template --- manifests/activeresponse.pp | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp index 212cc9da..8780b4a9 100644 --- a/manifests/activeresponse.pp +++ b/manifests/activeresponse.pp @@ -1,13 +1,22 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) #Define for a specific ossec active-response define wazuh::activeresponse( - $command_name, - $ar_location = 'local', - $ar_level = 7, - $ar_agent_id = '', - $ar_rules_id = [], - $ar_timeout = 300, - $ar_repeated_offenders = '', + $active_response_name = 'Rednering active-response template', + $active_response_disabled = undef, + $active_response_linux_ca_store = undef, + $active_response_ca_verification = undef, + $active_response_command = undef, + $active_response_location = undef, + $active_response_level = undef, + $active_response_agent_id = undef, + $active_response_rules_id = [], + $active_response_timeout = undef, + $active_response_repeated_offenders = [], + + $target_arg = 'ossec.conf', + $order_arg = undef, + $before_arg = undef, + $content_arg = 'wazuh/fragments/_activeresponse.erb' ) { require wazuh::params_manager From a6791b62e37e9827a64c97a754a9da8a0a1d6584 Mon Sep 17 00:00:00 2001 
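Review bot: The define's interface changes incompatibly: `$command_name` (required) and the `$ar_*` parameters are removed and replaced by `$active_response_*`, so any existing `wazuh::activeresponse { ... }` declaration outside this module fails with unknown-parameter errors, and `templates/fragments/_activeresponse.erb` — not touched in this patch — must switch to the new `@active_response_*` instance variables in the same change or it renders nils (cannot be verified from here). The default `$active_response_name = 'Rednering active-response template'` has a typo and, more importantly, is a fixed literal that is later used as a resource title, so two instances of the define collide; defaulting it from the define's own title, `$active_response_name = $name,`, keeps it unique. A header comment listing which parameters are agent-only (the CA-store/verification ones) versus shared would help callers; the remaining body of the define starts outside the hunk.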
From: Rshad Zhran Date: Mon, 23 Mar 2020 20:24:36 +0100 Subject: [PATCH 22/35] Parameterize concat::fragment variables for active-response template --- manifests/activeresponse.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp index 8780b4a9..e4e685ee 100644 --- a/manifests/activeresponse.pp +++ b/manifests/activeresponse.pp @@ -21,9 +21,10 @@ require wazuh::params_manager - concat::fragment { $name: - target => 'ossec.conf', - order => 55, - content => template('wazuh/fragments/_activeresponse.erb') + concat::fragment { $active_response_name: + target => $target_arg, + order => $order_arg, + before => $before_arg, + content => template($content_arg) } } From b11208b12849e167c24a7c2587b0068fc8714ac1 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Mon, 23 Mar 2020 20:25:41 +0100 Subject: [PATCH 23/35] Complete active-response variables & use active-response class: agent --- manifests/agent.pp | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index 44ffe954..d40b2779 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp 
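Review bot: `concat::fragment { $active_response_name: ... }` now keys the fragment on a parameter whose default is the same literal for every instance, so declaring `wazuh::activeresponse` twice on one node (the reason a define exists) raises a duplicate-declaration error on the fragment; the replaced `$name` title was unique per instance. Default the parameter to the define's title (`$active_response_name = $name,`) or title the fragment `"${name}_active_response"`. `$order_arg` defaults to `undef`, so callers that omit it get concat's default order instead of the previous hard-coded 55 — a behaviour change worth a parameter comment such as `# order in ossec.conf; was fixed at 55 before`. Since both `target` and `content` are now caller-supplied, the define no longer guarantees the fragment lands in `ossec.conf`; document that `target_arg` must name a declared `concat` resource.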
@@ -187,10 +187,17 @@ $audit_rules = $wazuh::params_agent::audit_rules, # active-response - $ossec_active_response_disabled = $wazuh::params_agent::active_response_disabled, - $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store, - $ossec_active_response_windows_ca_store = $wazuh::params_agent::active_response_windows_ca_store, - $ossec_active_response_ca_verification = $wazuh::params_agent::active_response_ca_verification, + $ossec_active_response_disabled = $wazuh::params_agent::active_response_disabled, + $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store, + + $ossec_active_response_ca_verification = $wazuh::params_agent::active_response_ca_verification, + $ossec_active_response_command = $wazuh::params_manager::active_response_command, + $ossec_active_response_location = $wazuh::params_agent::active_response_location, + $ossec_active_response_level = $wazuh::params_agent::active_response_level, + $ossec_active_response_agent_id = $wazuh::params_agent::active_response_agent_id, + $ossec_active_response_rules_id = $wazuh::params_agent::active_response_rules_id, + $ossec_active_response_timeout = $wazuh::params_agent::active_response_timeout, + $ossec_active_response_repeated_offenders = $wazuh::params_agent::active_response_repeated_offenders, # Agent Labels $ossec_labels = $wazuh::params_agent::ossec_labels, 
@@ -406,12 +413,19 @@ } } if ($configure_active_response == true) { - concat::fragment { - 'ossec.conf_active_response': - target => 'ossec.conf', - order => 40, - before => Service[$agent_service_name], - content => template($ossec_active_response_template); + wazuh::activeresponse { 'blockWebattack': + active_response_disabled => $ossec_active_response_disabled, + active_response_linux_ca_store => $ossec_active_response_linux_ca_store, + active_response_ca_verification => $ossec_active_response_ca_verification, + active_response_command => $ossec_active_response_command, + active_response_location => $ossec_active_response_location, + active_response_level => $ossec_active_response_level, + active_response_agent_id => $ossec_active_response_agent_id, + active_response_rules_id => $ossec_active_response_rules_id, + active_response_timeout => $ossec_active_response_timeout, + active_response_repeated_offenders => $ossec_active_response_repeated_offenders, + order_arg => 40, + before_arg => Service[$agent_service_name] } } From 73651c21185247a16a7895c61dee26d40133ee67 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Mon, 23 Mar 2020 20:27:08 +0100 Subject: [PATCH 24/35] Add active-response variables & use activeresponse class: manager --- manifests/manager.pp | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/manifests/manager.pp b/manifests/manager.pp index 0650d52e..0ec051ee 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp 
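Review bot: The old fragment rendered `template($ossec_active_response_template)`, but the new `wazuh::activeresponse { 'blockWebattack': ... }` passes no `content_arg`, so a user-supplied template path is silently ignored in favour of the define's default; if the parameter is kept (the manager class still declares it, per patch 24's context lines) forward it with `content_arg => $ossec_active_response_template,`, otherwise remove the parameter so the dead setting does not mislead operators. The same omission is in patch 24's manager hunk at `@@ -491,12 +501,16 @@`, which also passes no `target_arg`, so both callers depend on the define's unseen default being 'ossec.conf'. With a fixed title this `if` block can only ever produce one response rule per node, which deserves a comment above the declaration. The `if ($configure_active_response == true)` block is whole within the hunk, but the enclosing class body continues outside it.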
@@ -62,6 +62,16 @@ $ossec_cluster_template = $wazuh::params_manager::ossec_cluster_template, $ossec_active_response_template = $wazuh::params_manager::ossec_active_response_template, + # active-response + $ossec_active_response_command = $wazuh::params_manager::active_response_command, + $ossec_active_response_location = $wazuh::params_manager::active_response_location, + $ossec_active_response_level = $wazuh::params_manager::active_response_level, + $ossec_active_response_agent_id = $wazuh::params_manager::active_response_agent_id, + $ossec_active_response_rules_id = $wazuh::params_manager::active_response_rules_id, + $ossec_active_response_timeout = $wazuh::params_manager::active_response_timeout, + $ossec_active_response_repeated_offenders = $wazuh::params_manager::active_response_repeated_offenders, + + ## Rootcheck $ossec_rootcheck_disabled = $wazuh::params_manager::ossec_rootcheck_disabled, @@ -491,12 +501,16 @@ } } if ($configure_active_response == true){ - concat::fragment { - 'ossec.conf_active_response': - order => 90, - target => 'ossec.conf', - content => template($ossec_active_response_template); - } + wazuh::activeresponse { 'blockWebattack': + active_response_command => $ossec_active_response_command, + active_response_location => $ossec_active_response_location, + active_response_level => $ossec_active_response_level, + active_response_agent_id => $ossec_active_response_agent_id, + active_response_rules_id => $ossec_active_response_rules_id, + active_response_timeout => $ossec_active_response_timeout, + active_response_repeated_offenders => $ossec_active_response_repeated_offenders, + order_arg => 90 + } } concat::fragment { 'ossec.conf_footer': From 84cce8ef0f4577c3e9df03569ca8423f7ba52a34 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Mon, 23 Mar 2020 20:28:20 +0100 Subject: [PATCH 25/35] Define rootcheck system audit list for the manager --- manifests/manager.pp | 1 + manifests/params_manager.pp | 1 + 2 files changed, 2 insertions(+) 
diff --git a/manifests/manager.pp b/manifests/manager.pp index 0ec051ee..b4182233 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp @@ -87,6 +87,7 @@ $ossec_rootcheck_rootkit_files = $wazuh::params_manager::ossec_rootcheck_rootkit_files, $ossec_rootcheck_rootkit_trojans = $wazuh::params_manager::ossec_rootcheck_rootkit_trojans, $ossec_rootcheck_skip_nfs = $wazuh::params_manager::ossec_rootcheck_skip_nfs, + $ossec_rootcheck_system_audit = $wazuh::params_manager::ossec_rootcheck_system_audit, # SCA diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp index 0895946c..9dc327f0 100644 --- a/manifests/params_manager.pp +++ b/manifests/params_manager.pp @@ -78,6 +78,7 @@ $ossec_rootcheck_rootkit_files = '/var/ossec/etc/rootcheck/rootkit_files.txt' $ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/rootcheck/rootkit_trojans.txt' $ossec_rootcheck_skip_nfs = 'yes' + $ossec_rootcheck_system_audit = [] # SCA From ce60bbd320d9e03318820f564567aa9fc1a11871 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Mon, 23 Mar 2020 20:28:46 +0100 Subject: [PATCH 26/35] Improve indentation --- manifests/manager.pp | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/manifests/manager.pp b/manifests/manager.pp index b4182233..18766413 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp 
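Review bot: `$ossec_rootcheck_system_audit = []` is added to params_manager.pp without any hint of the expected element type, while the agent counterpart (visible as context in patch 33's params_agent hunk) carries `# Example: ["/var/ossec/etc/shared/system_audit_rcl.txt"]`; add an equivalent comment above the manager default so operators know it takes a list of file paths. Whether templates/fragments/_rootcheck.erb actually renders `@ossec_rootcheck_system_audit` is not shown in this series (the CHANGELOG attributes that to PR#228), so the new parameter should be checked against the template before release. Both hunks sit inside parameter lists that continue outside this view.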
@@ -91,26 +91,26 @@ # SCA - ## Amazon - $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled, - $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start, - $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval, - $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs, - $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies, - - ## RHEL - $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled, - $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start, - $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval, - $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs, - $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies, - - ## - $sca_else_enabled = $wazuh::params_manager::sca_else_enabled, - $sca_else_scan_on_start = $wazuh::params_manager::sca_else_scan_on_start, - $sca_else_interval = $wazuh::params_manager::sca_else_interval, - $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs, - $sca_else_policies = $wazuh::params_manager::sca_else_policies, + ## Amazon + $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled, + $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start, + $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval, + $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs, + $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies, + + ## RHEL + $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled, + $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start, + $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval, + $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs, + $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies, + + ## + $sca_else_enabled = $wazuh::params_manager::sca_else_enabled, + $sca_else_scan_on_start = 
$wazuh::params_manager::sca_else_scan_on_start, + $sca_else_interval = $wazuh::params_manager::sca_else_interval, + $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs, + $sca_else_policies = $wazuh::params_manager::sca_else_policies, ## Wodles From c1db518ae2318f7ab0839aa5dd43c587c6f81a26 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Mon, 23 Mar 2020 20:29:20 +0100 Subject: [PATCH 27/35] Add active-response variables in params files --- manifests/manager.pp | 2 -- manifests/params_agent.pp | 10 ++++++++-- manifests/params_manager.pp | 10 ++++++++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/manifests/manager.pp b/manifests/manager.pp index 18766413..ec81d0ac 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp @@ -185,7 +185,6 @@ $syslog_output_format = $wazuh::params_manager::syslog_output_format, # Authd configuration - $ossec_auth_disabled = $wazuh::params_manager::ossec_auth_disabled, $ossec_auth_port = $wazuh::params_manager::ossec_auth_port, $ossec_auth_use_source_ip = $wazuh::params_manager::ossec_auth_use_source_ip, @@ -202,7 +201,6 @@ # syscheck - $ossec_syscheck_disabled = $wazuh::params_manager::ossec_syscheck_disabled, $ossec_syscheck_frequency = $wazuh::params_manager::ossec_syscheck_frequency, $ossec_syscheck_scan_on_start = $wazuh::params_manager::ossec_syscheck_scan_on_start, diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index 206c67bf..8c778ddd 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp 
@@ -69,9 +69,15 @@ $ossec_local_files = $::wazuh::params_agent::default_local_files # active response - $active_response_disabled = 'no' + $active_response_disabled = 'no' + $active_response_ca_verification = 'yes' + $active_response_location = undef + $active_response_level = undef + $active_response_agent_id = undef + $active_response_rules_id = [] + $active_response_timeout = undef + $active_response_repeated_offenders = [] - $active_response_ca_verification = 'yes' # OS specific configurations case $::kernel { diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp index 9dc327f0..67ac5254 100644 --- a/manifests/params_manager.pp +++ b/manifests/params_manager.pp @@ -139,6 +139,16 @@ $wodle_syscollector_ports = 'yes' $wodle_syscollector_processes = 'yes' + + #active-response + $active_response_command = 'firewall-drop' + $active_response_location = 'local' + $active_response_level = 9 + $active_response_agent_id = '001' + $active_response_rules_id = [31153,31151] + $active_response_timeout = 300 + $active_response_repeated_offenders = ['30,60,120'] + #vulnerability-detector $vulnerability_detector_enabled = 'no' From f9e17b2f05be6046aee322e3de18499892460dd6 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Mon, 23 Mar 2020 20:29:44 +0100 Subject: [PATCH 28/35] Adapt activ-response template to look for activresponse class variables --- templates/fragments/_activeresponse.erb | 37 +++++++++++++++++++------ 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/templates/fragments/_activeresponse.erb b/templates/fragments/_activeresponse.erb index dcef284a..3acef7ba 100644 --- a/templates/fragments/_activeresponse.erb +++ b/templates/fragments/_activeresponse.erb 
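Review bot: The params_manager hunk turns on an active response out of the box: `$active_response_command = 'firewall-drop'` together with `level = 9`, `rules_id = [31153,31151]` and `timeout = 300` will, once patch 28's template renders them, have every manager block the source address of matching alerts unless an operator overrides the values, a behaviour change the CHANGELOG entry for this work does not mention; keeping the response opt-in by defaulting these to undef and empty lists, as the params_agent hunk on this line does, and showing the current values in a `# Example:` comment would be safer. `$active_response_agent_id = '001'` is only meaningful with a `defined-agent` location as far as I recall from the Wazuh reference, so next to `location = 'local'` it looks like a stray default. `$active_response_repeated_offenders = ['30,60,120']` is a one-element array holding a comma-joined string while `rules_id` is an array of integers; since the template joins both with ',', `[30,60,120]` would be the consistent form. Both hunks are inside class bodies that continue outside this view.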
@@ -1,19 +1,40 @@ -<% if @ossec_active_response_disabled -%> - <%= @ossec_active_response_disabled %> +<% if @active_response_disabled -%> + <%= @active_response_disabled %> <%- end -%> <%- if @kernel == 'windows' -%> -<% if @ossec_active_response_windows_ca_store -%> - <%= @ossec_active_response_windows_ca_store %> +<% if @active_response_windows_ca_store -%> + <%= @active_response_windows_ca_store %> <%- end -%> <%- elsif @kernel == 'Linux' -%> -<% if @ossec_active_response_linux_ca_store -%> - <%= @ossec_active_response_linux_ca_store %> +<% if @active_response_linux_ca_store -%> + <%= @active_response_linux_ca_store %> <%- end -%> <%- end -%> -<% if @ossec_active_response_ca_verification -%> - <%= @ossec_active_response_ca_verification %> +<% if @active_response_ca_verification -%> + <%= @active_response_ca_verification %> +<%- end -%> +<% if @active_response_command -%> + <%= @active_response_command %> +<%- end -%> +<% if @active_response_location -%> + <%= @active_response_location %> +<%- end -%> +<% if @active_response_level -%> + <%= @active_response_level %> +<%- end -%> +<% if @active_response_agent_id -%> + <%= @active_response_agent_id %> +<%- end -%> +<% if !@active_response_rules_id.empty? -%> + <%= @active_response_rules_id.join(',') %> +<%- end -%> +<% if @active_response_timeout -%> + <%= @active_response_timeout %> +<%- end -%> +<% if !@active_response_repeated_offenders.empty? -%> + <%= @active_response_repeated_offenders.join(',') %> <%- end -%> From 701a7e45f8999b127b440c425eabafd3cda50f8c Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Tue, 24 Mar 2020 11:24:29 +0100 Subject: [PATCH 29/35] Fix typos --- manifests/activeresponse.pp | 2 +- manifests/agent.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp index e4e685ee..3340bd2b 100644 --- a/manifests/activeresponse.pp +++ b/manifests/activeresponse.pp 
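Review bot: `@active_response_rules_id.empty?` and `@active_response_repeated_offenders.empty?` raise NoMethodError on nil, so any caller of `wazuh::activeresponse` that passes `undef` for either parameter (or a define default of undef — the define's defaults for these two are not visible here) aborts catalog compilation instead of omitting the element; guard them like the other values, e.g. `<% if @active_response_rules_id && !@active_response_rules_id.empty? -%>`. The `@kernel == 'windows'` branch reads `@active_response_windows_ca_store`, but patch 29's context shows the define declaring only `$active_response_linux_ca_store`, so that branch can no longer render anything unless a parameter with the windows name exists further down the define. The hunk covers the whole template.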
@@ -1,7 +1,7 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) #Define for a specific ossec active-response define wazuh::activeresponse( - $active_response_name = 'Rednering active-response template', + $active_response_name = 'Rendering active-response template', $active_response_disabled = undef, $active_response_linux_ca_store = undef, $active_response_ca_verification = undef, diff --git a/manifests/agent.pp b/manifests/agent.pp index d40b2779..b1e562c3 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -191,7 +191,7 @@ $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store, $ossec_active_response_ca_verification = $wazuh::params_agent::active_response_ca_verification, - $ossec_active_response_command = $wazuh::params_manager::active_response_command, + $ossec_active_response_command = $wazuh::params_agent::active_response_command, $ossec_active_response_location = $wazuh::params_agent::active_response_location, $ossec_active_response_level = $wazuh::params_agent::active_response_level, $ossec_active_response_agent_id = $wazuh::params_agent::active_response_agent_id, From b448ed3863d2102100cc240b629fafc50fcb8a5b Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Tue, 24 Mar 2020 15:33:04 +0100 Subject: [PATCH 30/35] Update CHANGELOG.md --- CHANGELOG.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fdae7ec4..1f3f236d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
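Review bot: The second hunk repoints `$ossec_active_response_command` at `$wazuh::params_agent::active_response_command`, but patch 27's params_agent hunk declares location, level, agent_id, rules_id, timeout and repeated_offenders and no `active_response_command`, so the agent class now reads an undefined variable: under `strict_variables` the catalog fails, and otherwise it evaluates to undef and the template drops the `<command>` element by accident rather than by design. Add `$active_response_command = undef` next to the other active-response defaults in params_agent.pp, with a comment if the agent is meant never to set a command. The first hunk is a string typo fix and needs nothing. Both hunks are inside parameter lists that continue outside this view.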
@@ -1,6 +1,30 @@ # Change Log All notable changes to this project will be documented in this file. +## Wazuh Puppet v3.12.0_7.6.1 + +### Added + +- Update to Wazuh version 3.12.0_7.6.1 + +- Add a parameter ossec_rootcheck_ignore_list ([@Hexta](https://github.com/Hexta)) [PR#212](https://github.com/wazuh/wazuh-puppet/pull/212) + +- Add a parameter wazuh_api::manage_nodejs_package ([@Hexta](https://github.com/Hexta)) [PR#213](https://github.com/wazuh/wazuh-puppet/pull/213) + +- Upgrade to NodeJS v10 ([@xr09](https://github.com/xr09)) [PR#230](https://github.com/wazuh/wazuh-puppet/pull/230) + +- Always treat $ossec_emailnotification as a boolean ([@alanwevans](https://github.com/alanwevans)) [PR#229](https://github.com/wazuh/wazuh-puppet/pull/229) + +- Adapt active-response definition ([@rshad](https://github.com/rshad)) [PR#234](https://github.com/wazuh/wazuh-puppet/pull/234) + +### Fixed + +- Fixes #215: Fix audit package name for Debian ([@djmgit](https://github.com/djmgit)) [PR#216](https://github.com/wazuh/wazuh-puppet/pull/216) + +- Fixes #227 : Add system_audit subsection in rootcheck ([@djmgit](https://github.com/djmgit)) [PR#228](https://github.com/wazuh/wazuh-puppet/pull/228) + +- Fixes #225 : Option to configure audit rules from this module itself ([@djmgit](https://github.com/djmgit)) [PR#226](https://github.com/wazuh/wazuh-puppet/pull/226) + ## Wazuh Puppet v3.11.4_7.6.1 ### Added From cd60bb4fece4c82644e1e58ed2407d2199827d17 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Tue, 24 Mar 2020 15:33:27 +0100 Subject: [PATCH 31/35] Bump Version to 3.12.0_7.6.1 --- VERSION | 2 +- manifests/filebeat.pp | 4 ++-- manifests/kibana.pp | 2 +- manifests/params_agent.pp | 2 +- manifests/params_manager.pp | 4 ++-- manifests/wazuh_api.pp | 2 +- metadata.json | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/VERSION b/VERSION index 1997d546..46980cb1 100644 --- a/VERSION +++ b/VERSION 
@@ -1,2 +1,2 @@ -WAZUH-PUPPET_VERSION="v3.11.4" +WAZUH-PUPPET_VERSION="v3.12.0" REVISION="31140" \ No newline at end of file diff --git a/manifests/filebeat.pp b/manifests/filebeat.pp index 4a575438..c39d1285 100644 --- a/manifests/filebeat.pp +++ b/manifests/filebeat.pp @@ -8,8 +8,8 @@ $filebeat_package = 'filebeat', $filebeat_service = 'filebeat', $filebeat_version = '7.6.1', - $wazuh_app_version = '3.11.4_7.6.1', - $wazuh_extensions_version = 'v3.11.4', + $wazuh_app_version = '3.12.0_7.6.1', + $wazuh_extensions_version = 'v3.12.0', $wazuh_filebeat_module = 'wazuh-filebeat-0.1.tar.gz', ){ diff --git a/manifests/kibana.pp b/manifests/kibana.pp index 81c1c387..6b744e11 100644 --- a/manifests/kibana.pp +++ b/manifests/kibana.pp @@ -4,7 +4,7 @@ $kibana_package = 'kibana', $kibana_service = 'kibana', $kibana_version = '7.6.1', - $kibana_app_version = '3.11.4_7.6.1', + $kibana_app_version = '3.12.0_7.6.1', $kibana_elasticsearch_ip = 'localhost', $kibana_elasticsearch_port = '9200', diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index 8c778ddd..cd586344 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp @@ -1,7 +1,7 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) # Wazuh-Agent configuration parameters class wazuh::params_agent { - $agent_package_version = '3.11.4-1' + $agent_package_version = '3.12.0-1' $agent_service_ensure = 'running' $agent_name = undef diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp index c7f7f3dd..e3a6d5e5 100644 --- a/manifests/params_manager.pp +++ b/manifests/params_manager.pp @@ -5,7 +5,7 @@ 'Linux': { # Installation - $server_package_version = '3.11.4-1' + $server_package_version = '3.12.0-1' $manage_repos = true $manage_firewall = false @@ -483,7 +483,7 @@ $keys_group = 'Administrators' $agent_service = 'OssecSvc' - $agent_package = 'Wazuh Agent 3.11.4' + $agent_package = 'Wazuh Agent 3.12.0' $server_service = '' $server_package = '' $api_service = '' 
diff --git a/manifests/wazuh_api.pp b/manifests/wazuh_api.pp index d0be37bb..e38297a9 100644 --- a/manifests/wazuh_api.pp +++ b/manifests/wazuh_api.pp @@ -5,7 +5,7 @@ $manage_nodejs_package = true, $wazuh_api_package = 'wazuh-api', $wazuh_api_service = 'wazuh-api', - $wazuh_api_version = '3.11.4-1', + $wazuh_api_version = '3.12.0-1', ){ if $manage_nodejs_package { diff --git a/metadata.json b/metadata.json index f8fd32a9..8c315aa7 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "wazuh-wazuh", - "version": "3.11.4", + "version": "3.12.0", "author": "WAZUH", "summary": "Install and configure Wazuh-HIDS client and server", "license": "Apache-2.0", From 5bde8e392969ebba43f33c71b863bc36cf2940b4 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Tue, 24 Mar 2020 17:20:40 +0100 Subject: [PATCH 32/35] Add logs files paths for manager in Debian --- manifests/params_manager.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp index e3a6d5e5..58140c7a 100644 --- a/manifests/params_manager.pp +++ b/manifests/params_manager.pp @@ -327,8 +327,10 @@ $ossec_service_provider = undef $api_service_provider = undef $default_local_files = [ - { 'location' => '/var/log/syslog' , 'log_format' => 'syslog'}, - { 'location' => '/var/log/dpkg.log', 'log_format' => 'syslog'}, + { 'location' => '/var/log/syslog' , 'log_format' => 'syslog' }, + { 'location' => '/var/log/dpkg.log', 'log_format' => 'syslog' }, + { 'location' => '/var/log/kern.log', 'log_format' => 'syslog' }, + { 'location' => '/var/log/auth.log', 'log_format' => 'syslog' }, { 'location' => '/var/ossec/logs/active-responses.log', 'log_format' => 'syslog'}, ] case $::lsbdistcodename { From 02317a66f68d0e69fbd8305fa7a99b85a7be008d Mon Sep 17 00:00:00 2001 
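Review bot: The params_manager hunk adds only /var/log/kern.log and /var/log/auth.log, but the CHANGELOG line added in patch 34 for issue #221 says kern.log, auth.log and mail.log; either add `{ 'location' => '/var/log/mail.log', 'log_format' => 'syslog' },` to this list or trim the changelog so the release notes match the shipped default. These files exist only on hosts running rsyslog or another classic syslog daemon, so on a journald-only Debian host the Wazuh daemon will presumably warn about each missing file, which is worth a comment above the list. The `case $::lsbdistcodename` context suggests this is the Debian-family branch of params_manager.pp, whose enclosing case statement is outside the hunk; the other hunks on this line are version bumps.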
From: Rshad Zhran Date: Tue, 24 Mar 2020 18:34:15 +0100 Subject: [PATCH 33/35] Linting fixes --- manifests/agent.pp | 14 +++++++------- manifests/manager.pp | 8 ++++---- manifests/params_agent.pp | 2 +- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/manifests/agent.pp b/manifests/agent.pp index b1e562c3..99b22e0e 100644 --- a/manifests/agent.pp +++ b/manifests/agent.pp @@ -168,7 +168,7 @@ $ossec_syscheck_auto_ignore = $wazuh::params_agent::ossec_syscheck_auto_ignore, $ossec_syscheck_directories_1 = $wazuh::params_agent::ossec_syscheck_directories_1, $ossec_syscheck_directories_2 = $wazuh::params_agent::ossec_syscheck_directories_2, - + $ossec_syscheck_whodata_directories_1 = $wazuh::params_agent::ossec_syscheck_whodata_directories_1, $ossec_syscheck_realtime_directories_1 = $wazuh::params_agent::ossec_syscheck_realtime_directories_1, $ossec_syscheck_whodata_directories_2 = $wazuh::params_agent::ossec_syscheck_whodata_directories_2, 
@@ -189,14 +189,14 @@ # active-response $ossec_active_response_disabled = $wazuh::params_agent::active_response_disabled, $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store, - + $ossec_active_response_ca_verification = $wazuh::params_agent::active_response_ca_verification, $ossec_active_response_command = $wazuh::params_agent::active_response_command, $ossec_active_response_location = $wazuh::params_agent::active_response_location, - $ossec_active_response_level = $wazuh::params_agent::active_response_level, - $ossec_active_response_agent_id = $wazuh::params_agent::active_response_agent_id, - $ossec_active_response_rules_id = $wazuh::params_agent::active_response_rules_id, - $ossec_active_response_timeout = $wazuh::params_agent::active_response_timeout, + $ossec_active_response_level = $wazuh::params_agent::active_response_level, + $ossec_active_response_agent_id = $wazuh::params_agent::active_response_agent_id, + $ossec_active_response_rules_id = $wazuh::params_agent::active_response_rules_id, + $ossec_active_response_timeout = $wazuh::params_agent::active_response_timeout, $ossec_active_response_repeated_offenders = $wazuh::params_agent::active_response_repeated_offenders, # Agent Labels @@ -224,7 +224,7 @@ validate_string($agent_service_name) if (( $ossec_syscheck_whodata_directories_1 == 'yes' ) or ( $ossec_syscheck_whodata_directories_2 == 'yes' )) { - class { "wazuh::audit": + class { "wazuh::audit": audit_manage_rules => $audit_manage_rules, audit_backlog_wait_time => $audit_backlog_wait_time, audit_buffer_bytes => $audit_buffer_bytes, diff --git a/manifests/manager.pp b/manifests/manager.pp index a3f14925..1519eb36 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp 
@@ -65,10 +65,10 @@ # active-response $ossec_active_response_command = $wazuh::params_manager::active_response_command, $ossec_active_response_location = $wazuh::params_manager::active_response_location, - $ossec_active_response_level = $wazuh::params_manager::active_response_level, - $ossec_active_response_agent_id = $wazuh::params_manager::active_response_agent_id, - $ossec_active_response_rules_id = $wazuh::params_manager::active_response_rules_id, - $ossec_active_response_timeout = $wazuh::params_manager::active_response_timeout, + $ossec_active_response_level = $wazuh::params_manager::active_response_level, + $ossec_active_response_agent_id = $wazuh::params_manager::active_response_agent_id, + $ossec_active_response_rules_id = $wazuh::params_manager::active_response_rules_id, + $ossec_active_response_timeout = $wazuh::params_manager::active_response_timeout, $ossec_active_response_repeated_offenders = $wazuh::params_manager::active_response_repeated_offenders, diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index cd586344..08156977 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp @@ -125,7 +125,7 @@ $ossec_rootcheck_skip_nfs = 'yes' # Example: ["/var/ossec/etc/shared/system_audit_rcl.txt"] - $ossec_rootcheck_system_audit = [] + $ossec_rootcheck_system_audit = [] # SCA From 2ce6d85d8b647fe3bb6f2e6e65efed45dc9b4cc3 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Tue, 24 Mar 2020 18:39:41 +0100 Subject: [PATCH 34/35] Update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1f3f236d..a5194c1c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -25,6 +25,8 @@ All notable changes to this project will be documented in this file. - Fixes #225 : Option to configure audit rules from this module itself ([@djmgit](https://github.com/djmgit)) [PR#226](https://github.com/wazuh/wazuh-puppet/pull/226) +- Fixes #221 : No kern.log, auth.log, mail.log in default localfile config for Debian family ([@rshad](https://github.com/rshad)) [Issue#221](https://github.com/wazuh/wazuh-puppet/issues/221) + ## Wazuh Puppet v3.11.4_7.6.1 ### Added From ccce756ba20a79b102f021e4e4a819b282f7ea83 Mon Sep 17 00:00:00 2001 From: Rshad Zhran Date: Tue, 24 Mar 2020 18:49:44 +0100 Subject: [PATCH 35/35] Fix typo in variable name --- manifests/manager.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/manager.pp b/manifests/manager.pp index a3f14925..127f5f1d 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp @@ -156,7 +156,7 @@ $vulnerability_detector_provider_canonical = $wazuh::params_manager::vulnerability_detector_provider_canonical, $vulnerability_detector_provider_canonical_enabled = $wazuh::params_manager::vulnerability_detector_provider_canonical_enabled, $vulnerability_detector_provider_canonical_os = $wazuh::params_manager::vulnerability_detector_provider_canonical_os, - $vulnerability_detector_provider_debian_canonical_interval = $wazuh::params_manager::vulnerability_detector_provider_canonical_update_interval, + $vulnerability_detector_provider_canonical_update_interval = $wazuh::params_manager::vulnerability_detector_provider_canonical_update_interval, $vulnerability_detector_provider_debian = $wazuh::params_manager::vulnerability_detector_provider_debian, $vulnerability_detector_provider_debian_enabled = $wazuh::params_manager::vulnerability_detector_provider_debian_enabled,