wazuh · rshad · Mar 24, 2020 · Feb 14, 2020 · Feb 17, 2020 · Feb 19, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,32 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## Wazuh Puppet v3.12.0_7.6.1
+
+### Added
+
+- Update to Wazuh version 3.12.0_7.6.1
+
+- Add a parameter ossec_rootcheck_ignore_list ([@Hexta](https://github.com/Hexta)) [PR#212](https://github.com/wazuh/wazuh-puppet/pull/212)
+
+- Add a parameter wazuh_api::manage_nodejs_package ([@Hexta](https://github.com/Hexta)) [PR#213](https://github.com/wazuh/wazuh-puppet/pull/213)
+
+- Upgrade to NodeJS v10 ([@xr09](https://github.com/xr09)) [PR#230](https://github.com/wazuh/wazuh-puppet/pull/230)
+
+- Always treat $ossec_emailnotification as a boolean ([@alanwevans](https://github.com/alanwevans)) [PR#229](https://github.com/wazuh/wazuh-puppet/pull/229)
+
+- Adapt active-response definition ([@rshad](https://github.com/rshad)) [PR#234](https://github.com/wazuh/wazuh-puppet/pull/234)
+
+### Fixed
+
+- Fixes #215: Fix audit package name for Debian ([@djmgit](https://github.com/djmgit)) [PR#216](https://github.com/wazuh/wazuh-puppet/pull/216)
+
+- Fixes #227 : Add system_audit subsection in rootcheck ([@djmgit](https://github.com/djmgit)) [PR#228](https://github.com/wazuh/wazuh-puppet/pull/228)
+
+- Fixes #225 : Option to configure audit rules from this module itself ([@djmgit](https://github.com/djmgit)) [PR#226](https://github.com/wazuh/wazuh-puppet/pull/226)
+
+- Fixes #221 : No kern.log, auth.log, mail.log in default localfile config for Debian family ([@rshad](https://github.com/rshad)) [Issue#221](https://github.com/wazuh/wazuh-puppet/issues/221)
+
 ## Wazuh Puppet v3.11.4_7.6.1
 
 ### Added

diff --git a/VERSION b/VERSION
@@ -1,2 +1,2 @@
-WAZUH-PUPPET_VERSION="v3.11.4"
+WAZUH-PUPPET_VERSION="v3.12.0"
 REVISION="31140"
diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp
@@ -1,20 +1,30 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 #Define for a specific ossec active-response
 define wazuh::activeresponse(
-  $command_name,
-  $ar_location           = 'local',
-  $ar_level              = 7,
-  $ar_agent_id           = '',
-  $ar_rules_id           = [],
-  $ar_timeout            = 300,
-  $ar_repeated_offenders = '',
+  $active_response_name               = 'Rendering active-response template',
+  $active_response_disabled           = undef,
+  $active_response_linux_ca_store     = undef,
+  $active_response_ca_verification    = undef,
+  $active_response_command            = undef,
+  $active_response_location           = undef,
+  $active_response_level              = undef,
+  $active_response_agent_id           = undef,
+  $active_response_rules_id           = [],
+  $active_response_timeout            = undef,
+  $active_response_repeated_offenders = [],
+
+  $target_arg                         = 'ossec.conf',
+  $order_arg                          = undef,
+  $before_arg                         = undef,
+  $content_arg                        = 'wazuh/fragments/_activeresponse.erb'
 ) {
 
   require wazuh::params_manager
 
-  concat::fragment { $name:
-    target  => 'ossec.conf',
-    order   => 55,
-    content => template('wazuh/fragments/_activeresponse.erb')
+  concat::fragment { $active_response_name:
+    target  => $target_arg,
+    order   => $order_arg,
+    before  => $before_arg,
+    content => template($content_arg)
   }
 }
diff --git a/manifests/agent.pp b/manifests/agent.pp
@@ -79,9 +79,11 @@
   $ossec_rootcheck_check_ports       = $wazuh::params_agent::ossec_rootcheck_check_ports,
   $ossec_rootcheck_check_if          = $wazuh::params_agent::ossec_rootcheck_check_if,
   $ossec_rootcheck_frequency         = $wazuh::params_agent::ossec_rootcheck_frequency,
+  $ossec_rootcheck_ignore_list       = $wazuh::params_agent::ossec_rootcheck_ignore_list,
   $ossec_rootcheck_rootkit_files     = $wazuh::params_agent::ossec_rootcheck_rootkit_files,
   $ossec_rootcheck_rootkit_trojans   = $wazuh::params_agent::ossec_rootcheck_rootkit_trojans,
   $ossec_rootcheck_skip_nfs          = $wazuh::params_agent::ossec_rootcheck_skip_nfs,
+  $ossec_rootcheck_system_audit      = $wazuh::params_agent::ossec_rootcheck_system_audit,
 
 
   # rootcheck windows
@@ -166,6 +168,7 @@
   $ossec_syscheck_auto_ignore        = $wazuh::params_agent::ossec_syscheck_auto_ignore,
   $ossec_syscheck_directories_1      = $wazuh::params_agent::ossec_syscheck_directories_1,
   $ossec_syscheck_directories_2      = $wazuh::params_agent::ossec_syscheck_directories_2,
+
   $ossec_syscheck_whodata_directories_1            = $wazuh::params_agent::ossec_syscheck_whodata_directories_1,
   $ossec_syscheck_realtime_directories_1           = $wazuh::params_agent::ossec_syscheck_realtime_directories_1,
   $ossec_syscheck_whodata_directories_2            = $wazuh::params_agent::ossec_syscheck_whodata_directories_2,
@@ -177,11 +180,24 @@
   $ossec_syscheck_skip_nfs           = $wazuh::params_agent::ossec_syscheck_skip_nfs,
   $ossec_syscheck_windows_audit_interval      = $wazuh::params_agent::windows_audit_interval,
 
+  # Audit
+  $audit_manage_rules                = $wazuh::params_agent::audit_manage_rules,
+  $audit_buffer_bytes                = $wazuh::params_agent::audit_buffer_bytes,
+  $audit_backlog_wait_time           = $wazuh::params_agent::audit_backlog_wait_time,
+  $audit_rules                       = $wazuh::params_agent::audit_rules,
+
   # active-response
-  $ossec_active_response_disabled          =  $wazuh::params_agent::active_response_disabled,
-  $ossec_active_response_linux_ca_store    =  $wazuh::params_agent::active_response_linux_ca_store,
-  $ossec_active_response_windows_ca_store  =  $wazuh::params_agent::active_response_windows_ca_store,
-  $ossec_active_response_ca_verification   =  $wazuh::params_agent::active_response_ca_verification,
+  $ossec_active_response_disabled             =  $wazuh::params_agent::active_response_disabled,
+  $ossec_active_response_linux_ca_store       =  $wazuh::params_agent::active_response_linux_ca_store,
+
+  $ossec_active_response_ca_verification      =  $wazuh::params_agent::active_response_ca_verification,
+  $ossec_active_response_command              =  $wazuh::params_agent::active_response_command,
+  $ossec_active_response_location             =  $wazuh::params_agent::active_response_location,
+  $ossec_active_response_level                =  $wazuh::params_agent::active_response_level,
+  $ossec_active_response_agent_id             =  $wazuh::params_agent::active_response_agent_id,
+  $ossec_active_response_rules_id             =  $wazuh::params_agent::active_response_rules_id,
+  $ossec_active_response_timeout              =  $wazuh::params_agent::active_response_timeout,
+  $ossec_active_response_repeated_offenders   =  $wazuh::params_agent::active_response_repeated_offenders,
 
   # Agent Labels
   $ossec_labels                      = $wazuh::params_agent::ossec_labels,
@@ -208,12 +224,11 @@
   validate_string($agent_service_name)
 
   if (( $ossec_syscheck_whodata_directories_1 == 'yes' ) or ( $ossec_syscheck_whodata_directories_2 == 'yes' )) {
-    package { 'Installing Audit...':
-      name   => 'audit',
-    }
-    service { 'auditd':
-      ensure => running,
-      enable => true,
+    class { "wazuh::audit":
+      audit_manage_rules => $audit_manage_rules,
+      audit_backlog_wait_time => $audit_backlog_wait_time,
+      audit_buffer_bytes => $audit_buffer_bytes,
+      audit_rules => $audit_rules,
     }
   }
 
@@ -398,12 +413,19 @@
     }
   }
   if ($configure_active_response == true) {
-    concat::fragment {
-      'ossec.conf_active_response':
-        target  => 'ossec.conf',
-        order   => 40,
-        before  => Service[$agent_service_name],
-        content => template($ossec_active_response_template);
+    wazuh::activeresponse { 'blockWebattack':
+      active_response_disabled           =>  $ossec_active_response_disabled,
+      active_response_linux_ca_store     =>  $ossec_active_response_linux_ca_store,
+      active_response_ca_verification    =>  $ossec_active_response_ca_verification,
+      active_response_command            =>  $ossec_active_response_command,
+      active_response_location           =>  $ossec_active_response_location,
+      active_response_level              =>  $ossec_active_response_level,
+      active_response_agent_id           =>  $ossec_active_response_agent_id,
+      active_response_rules_id           =>  $ossec_active_response_rules_id,
+      active_response_timeout            =>  $ossec_active_response_timeout,
+      active_response_repeated_offenders =>  $ossec_active_response_repeated_offenders,
+      order_arg                          => 40,
+      before_arg                         => Service[$agent_service_name]
     }
   }
 

diff --git a/manifests/audit.pp b/manifests/audit.pp
@@ -0,0 +1,43 @@
+class wazuh::audit (
+  $audit_manage_rules = false,
+  $audit_buffer_bytes = "8192",
+  $audit_backlog_wait_time = "0",
+  $audit_rules = [],
+) {
+
+  case $::kernel {
+    'Linux': {
+      case $::operatingsystem {
+        'Debian', 'debian', 'Ubuntu', 'ubuntu': {
+          package { 'Installing Audit...':
+            name => 'auditd',
+          }
+        }
+        default: {
+          package { 'Installing Audit...':
+            name => 'audit'
+          }
+        }
+      }
+
+      service { 'auditd':
+        ensure => running,
+        enable => true,
+      }
+
+      if $audit_manage_rules == true {
+        file { '/etc/audit/rules.d/audit.rules':
+          ensure => present
+        }
+
+        $audit_rules.each |String $rule| {
+          file_line { "Append rule ${rule} to /etc/audit/rules.d/audit.rules":
+            path    => '/etc/audit/rules.d/audit.rules',
+            line    => $rule,
+            require => File['/etc/audit/rules.d/audit.rules']
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/manifests/filebeat.pp b/manifests/filebeat.pp
@@ -8,8 +8,8 @@
   $filebeat_package = 'filebeat',
   $filebeat_service = 'filebeat',
   $filebeat_version = '7.6.1',
-  $wazuh_app_version = '3.11.4_7.6.1',
-  $wazuh_extensions_version = 'v3.11.4',
+  $wazuh_app_version = '3.12.0_7.6.1',
+  $wazuh_extensions_version = 'v3.12.0',
   $wazuh_filebeat_module = 'wazuh-filebeat-0.1.tar.gz',
 ){
 

diff --git a/manifests/kibana.pp b/manifests/kibana.pp
@@ -4,7 +4,7 @@
   $kibana_package = 'kibana',
   $kibana_service = 'kibana',
   $kibana_version = '7.6.1',
-  $kibana_app_version = '3.11.4_7.6.1',
+  $kibana_app_version = '3.12.0_7.6.1',
   $kibana_elasticsearch_ip = 'localhost',
   $kibana_elasticsearch_port = '9200',
 

diff --git a/manifests/manager.pp b/manifests/manager.pp
@@ -62,6 +62,16 @@
       $ossec_cluster_template                       = $wazuh::params_manager::ossec_cluster_template,
       $ossec_active_response_template               = $wazuh::params_manager::ossec_active_response_template,
 
+      # active-response
+      $ossec_active_response_command                =  $wazuh::params_manager::active_response_command,
+      $ossec_active_response_location               =  $wazuh::params_manager::active_response_location,
+      $ossec_active_response_level                  =  $wazuh::params_manager::active_response_level,
+      $ossec_active_response_agent_id               =  $wazuh::params_manager::active_response_agent_id,
+      $ossec_active_response_rules_id               =  $wazuh::params_manager::active_response_rules_id,
+      $ossec_active_response_timeout                =  $wazuh::params_manager::active_response_timeout,
+      $ossec_active_response_repeated_offenders     =  $wazuh::params_manager::active_response_repeated_offenders,
+
+
       ## Rootcheck
 
       $ossec_rootcheck_disabled             = $wazuh::params_manager::ossec_rootcheck_disabled,
@@ -73,32 +83,34 @@
       $ossec_rootcheck_check_ports          = $wazuh::params_manager::ossec_rootcheck_check_ports,
       $ossec_rootcheck_check_if             = $wazuh::params_manager::ossec_rootcheck_check_if,
       $ossec_rootcheck_frequency            = $wazuh::params_manager::ossec_rootcheck_frequency,
+      $ossec_rootcheck_ignore_list          = $wazuh::params_manager::ossec_rootcheck_ignore_list,
       $ossec_rootcheck_rootkit_files        = $wazuh::params_manager::ossec_rootcheck_rootkit_files,
       $ossec_rootcheck_rootkit_trojans      = $wazuh::params_manager::ossec_rootcheck_rootkit_trojans,
       $ossec_rootcheck_skip_nfs             = $wazuh::params_manager::ossec_rootcheck_skip_nfs,
+      $ossec_rootcheck_system_audit         = $wazuh::params_manager::ossec_rootcheck_system_audit,
 
       # SCA
 
-  ## Amazon
-  $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled,
-  $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start,
-  $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval,
-  $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs,
-  $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies,
+      ## Amazon
+      $sca_amazon_amazon_enabled = $wazuh::params_manager::sca_amazon_enabled,
+      $sca_amazon_amazon_scan_on_start = $wazuh::params_manager::sca_amazon_scan_on_start,
+      $sca_amazon_amazon_interval = $wazuh::params_manager::sca_amazon_interval,
+      $sca_amazon_amazon_skip_nfs = $wazuh::params_manager::sca_amazon_skip_nfs,
+      $sca_amazon_amazon_policies = $wazuh::params_manager::sca_amazon_policies,
 
-  ## RHEL
-  $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled,
-  $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start,
-  $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval,
-  $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs,
-  $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies,
+      ## RHEL
+      $sca_rhel_enabled = $wazuh::params_manager::sca_rhel_enabled,
+      $sca_rhel_scan_on_start = $wazuh::params_manager::sca_rhel_scan_on_start,
+      $sca_rhel_interval = $wazuh::params_manager::sca_rhel_interval,
+      $sca_rhel_skip_nfs = $wazuh::params_manager::sca_rhel_skip_nfs,
+      $sca_rhel_policies = $wazuh::params_manager::sca_rhel_policies,
 
-  ## <Linux else>
-  $sca_else_enabled = $wazuh::params_manager::sca_else_enabled,
-  $sca_else_scan_on_start = $wazuh::params_manager::sca_else_scan_on_start,
-  $sca_else_interval = $wazuh::params_manager::sca_else_interval,
-  $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs,
-  $sca_else_policies = $wazuh::params_manager::sca_else_policies,
+      ## <Linux else>
+      $sca_else_enabled = $wazuh::params_manager::sca_else_enabled,
+      $sca_else_scan_on_start = $wazuh::params_manager::sca_else_scan_on_start,
+      $sca_else_interval = $wazuh::params_manager::sca_else_interval,
+      $sca_else_skip_nfs = $wazuh::params_manager::sca_else_skip_nfs,
+      $sca_else_policies = $wazuh::params_manager::sca_else_policies,
 
 
       ## Wodles
@@ -144,7 +156,7 @@
       $vulnerability_detector_provider_canonical                 = $wazuh::params_manager::vulnerability_detector_provider_canonical,
       $vulnerability_detector_provider_canonical_enabled         = $wazuh::params_manager::vulnerability_detector_provider_canonical_enabled,
       $vulnerability_detector_provider_canonical_os              = $wazuh::params_manager::vulnerability_detector_provider_canonical_os,
-      $vulnerability_detector_provider_debian_canonical_interval = $wazuh::params_manager::vulnerability_detector_provider_canonical_update_interval,
+      $vulnerability_detector_provider_canonical_update_interval = $wazuh::params_manager::vulnerability_detector_provider_canonical_update_interval,
 
       $vulnerability_detector_provider_debian                    = $wazuh::params_manager::vulnerability_detector_provider_debian,
       $vulnerability_detector_provider_debian_enabled            = $wazuh::params_manager::vulnerability_detector_provider_debian_enabled,
@@ -173,7 +185,6 @@
       $syslog_output_format                 = $wazuh::params_manager::syslog_output_format,
 
       # Authd configuration
-
       $ossec_auth_disabled                  = $wazuh::params_manager::ossec_auth_disabled,
       $ossec_auth_port                      = $wazuh::params_manager::ossec_auth_port,
       $ossec_auth_use_source_ip             = $wazuh::params_manager::ossec_auth_use_source_ip,
@@ -190,7 +201,6 @@
 
 
       # syscheck
-
       $ossec_syscheck_disabled              = $wazuh::params_manager::ossec_syscheck_disabled,
       $ossec_syscheck_frequency             = $wazuh::params_manager::ossec_syscheck_frequency,
       $ossec_syscheck_scan_on_start         = $wazuh::params_manager::ossec_syscheck_scan_on_start,
@@ -279,7 +289,8 @@
 
   # This allows arrays of integers, sadly
   # (commented due to stdlib version requirement)
-  if ($ossec_emailnotification == true) {
+  validate_bool($ossec_emailnotification)
+  if ($ossec_emailnotification) {
     if $ossec_smtp_server == undef {
       fail('$ossec_emailnotification is enabled but $smtp_server was not set')
     }
@@ -490,12 +501,16 @@
       }
   }
   if ($configure_active_response == true){
-    concat::fragment {
-        'ossec.conf_active_response':
-          order   => 90,
-          target  => 'ossec.conf',
-          content => template($ossec_active_response_template);
-      }
+    wazuh::activeresponse { 'blockWebattack':
+      active_response_command            => $ossec_active_response_command,
+      active_response_location           => $ossec_active_response_location,
+      active_response_level              => $ossec_active_response_level,
+      active_response_agent_id           => $ossec_active_response_agent_id,
+      active_response_rules_id           => $ossec_active_response_rules_id,
+      active_response_timeout            => $ossec_active_response_timeout,
+      active_response_repeated_offenders => $ossec_active_response_repeated_offenders,
+      order_arg                          => 90
+    }
   }
   concat::fragment {
     'ossec.conf_footer':