WIP: ELK + Wazuh installing correctly

This commit is contained in:
ts
2019-10-29 11:37:51 +00:00
parent 77dcd2ff26
commit 2c9bd2f34d
99 changed files with 4217 additions and 1381 deletions

View File

@@ -9,6 +9,7 @@
forge "https://forgeapi.puppetlabs.com"
mod 'puppetlabs-stdlib', '4.25.1' # stdlib enables parsejson() in manifests and other useful functions
mod 'puppetlabs-concat', '5.2.0'
mod 'SecGen-secgen_functions', :path => '<%= SECGEN_FUNCTIONS_PUPPET_DIR %>'
<% @currently_processing_system.module_selections.each do |selected_module| -%>
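Review bot: the new `mod 'puppetlabs-concat', '5.2.0'` line has no comment saying what pulls it in, while the `puppetlabs-stdlib` line directly above it does; record which module needs concat, and check that concat 5.2.0's own stdlib requirement accepts the pinned 4.25.1, because r10k/librarian install exactly what the Puppetfile lists and do not resolve module dependencies for you.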

View File

@@ -0,0 +1,5 @@
*.rb eol=lf
*.erb eol=lf
*.pp eol=lf
*.sh eol=lf
*.epp eol=lf

View File

@@ -0,0 +1,41 @@
.git/
.*.sw[op]
.metadata
.yardoc
.yardwarns
*.iml
/.bundle/
/.idea/
/.vagrant/
/coverage/
/bin/
/doc/
/Gemfile.local
/Gemfile.lock
/junit/
/log/
/pkg/
/spec/fixtures/manifests/
/spec/fixtures/modules/
/tmp/
/vendor/
/convert_report.txt
/update_report.txt
.DS_Store
.project
.envrc
/inventory.yaml
./kitchen/modules/.kitchen/logs/
*.lock
kitchen/.tmp/
kitchen/.kitchen/
kitchen/venv
kitchen/*.xml
kitchen/test/Dockerfile
*.log
*.pyc
kitchen/.tmp/
kitchen/.librarian/
kitchen/.pytest_cache/
kitchen/.*
kitchen/modules/
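Review bot: `kitchen/.tmp/` is listed twice (once after `*.lock`, once after `*.pyc`), and `kitchen/.*` near the end already matches `.tmp`, `.kitchen`, `.librarian` and `.pytest_cache`, so those rules are redundant. More important: `kitchen/test/Dockerfile` is ignored here, yet this same commit adds a `test/Dockerfile` for the Kitchen harness; an ignore rule has no effect on a file that is already tracked, so either drop the rule or stop tracking the file (it carries a `YOUR_PUBLIC_KEY` placeholder that each developer edits locally, which argues for not tracking it). `*.lock` also discards the kitchen `Gemfile.lock`, so the test harness's gem set floats between runs.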

View File

@@ -0,0 +1,54 @@
---
dist: trusty
language: ruby
cache: bundler
before_install:
- bundle -v
- rm -f Gemfile.lock
- gem update --system $RUBYGEMS_VERSION
- gem --version
- bundle -v
script:
- 'bundle exec rake $CHECK'
bundler_args: --without system_tests
rvm:
- 2.5.3
stages:
- static
- spec
- acceptance
-
if: tag =~ ^v\d
name: deploy
matrix:
fast_finish: true
include:
-
env: CHECK="check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop syntax lint metadata_lint"
stage: static
-
env: PUPPET_GEM_VERSION="~> 5.0" CHECK=parallel_spec
rvm: 2.4.5
stage: spec
-
env: PUPPET_GEM_VERSION="~> 6.0" CHECK=parallel_spec
rvm: 2.5.3
stage: spec
-
env: DEPLOY_TO_FORGE=yes
stage: deploy
branches:
only:
- master
- /^v\d/
notifications:
email: false
deploy:
provider: puppetforge
user: puppet
password:
secure: ""
on:
tags: true
all_branches: true
condition: "$DEPLOY_TO_FORGE = yes"
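Review bot: `secure: ""` leaves the Forge password empty, so the `deploy` stage (`if: tag =~ ^v\d`, `provider: puppetforge`) can never publish and will fail on every `v*` tag; either supply the encrypted value or remove the `deploy` stage, the `DEPLOY_TO_FORGE=yes` matrix entry and the `deploy:` block. Since the module is being vendored into another repository here, those look like leftovers from upstream rather than something this repo should run. `dist: trusty` also pins Ubuntu 14.04, which was out of standard support by the date of this commit.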

View File

@@ -1,6 +1,96 @@
# Change Log
All notable changes to this project will be documented in this file.
## Wazuh Puppet v3.10.2_7.3.2
### Added
- Update to Wazuh version 3.10.2_7.3.2
## Wazuh Puppet v3.10.0_7.3.2
### Added
- Update to Wazuh version 3.10.0_7.3.2
- Change Wazuh Filebeat Module to production. ([@jm404](https://github.com/jm404)) [#1bc6b792af68ff26fc0dfc9125e5d33f7831b32e](https://github.com/wazuh/wazuh-puppet/commit/1bc6b792af68ff26fc0dfc9125e5d33f7831b32e)
## Fixed
- Fixes for Ossec email notifications' config ([rshad](https://github.com/rshad)) [PR#150](https://github.com/wazuh/wazuh-puppet/pull/150)
## Wazuh Puppet v3.9.5_7.2.1
### Added
- Update to Wazuh version 3.9.5_7.2.1
## Fixed
- Fixed linting problems ([@jm404](https://github.com/jm404)) [#ca923c7](https://github.com/wazuh/wazuh-puppet/commit/ca923c71a8f13c75d1f8a0a4807dda6f3ba114a6)
## Wazuh Puppet v3.9.4_7.2.0
### Added
- Update to Wazuh version 3.9.4_7.2.0
- Added Filebeat module and adapted Elasticsearch IP ([rshad](https://github.com/rshad)) [PR#144](https://github.com/wazuh/wazuh-puppet/pull/144)
- Added Kitchen testing for Wazuh deployment with Puppet. ([rshad](https://github.com/rshad)) [PR#139](https://github.com/wazuh/wazuh-puppet/pull/139)
- Added Ubuntu as a recognized operating system to Puppet manifests. ([rshad](https://github.com/rshad)) [PR#141](https://github.com/wazuh/wazuh-puppet/pull/141)
- Wazuh Agent is now able to register and report to different IPs. ([@jm404](https://github.com/jm404)) [PR#136](https://github.com/wazuh/wazuh-puppet/pull/136)
### Fixed
- Fixed integration when group is not specified. ([TheoPoc](https://github.com/TheoPoc)) [PR#142](https://github.com/wazuh/wazuh-puppet/pull/142)
### Changed
- Moved command and email_alert templates to templates/fragments. ([rshad](https://github.com/rshad)) [PR#143](https://github.com/wazuh/wazuh-puppet/pull/143)
## Wazuh Puppet v3.9.3_7.2.0
### Added
- Update to Wazuh version 3.9.3_7.2.0
## Wazuh Puppet v3.9.2_7.1.1
### Added
- Update to Wazuh version 3.9.2_7.1.1
## Wazuh Puppet v3.9.1_7.1.0
### Added
- Created required files for Filebeat installation. ([@jm404](https://github.com/jm404)) [#f36be695](https://github.com/wazuh/wazuh-puppet/commit/f36be69558f012a75717150bd6a48f9b9a45b3c8)
- Created required files for Elasticsearch installation. ([@jm404](https://github.com/jm404)) [#890fb88](https://github.com/wazuh/wazuh-puppet/commit/890fb88cdb4f18ea67caaf09943792145ac245bd)
- Created required files for Kibana installation. ([@jm404](https://github.com/jm404)) [#ac31a02](https://github.com/wazuh/wazuh-puppet/commit/ac31a02c5a6771e5e480db378934b23e2dc59b03)
- Added configuration variables to make `ossec.conf` more flexible. ([@jm404](https://github.com/jm404)) [#5631753](https://github.com/wazuh/wazuh-puppet/commit/5631753cf4c3967d7fc08fc53d2535d78d4e19b7)
- Now it's possible to install an agent without registering it. ([@jm404](https://github.com/jm404)) [#63e1a13](https://github.com/wazuh/wazuh-puppet/commit/63e1a1390edbaef4387c4397c16636514525eeaa)
- Added support for Amazon-Linux-2. ([@jm404](https://github.com/jm404)) [#823eeec](https://github.com/wazuh/wazuh-puppet/commit/823eeec502c4a100dc6946f25388b9d04833c105)
### Changed
- The `server.pp` manifest has been renamed to `manager.pp`. ([@jm404](https://github.com/jm404)) [#f859f87](https://github.com/wazuh/wazuh-puppet/commit/f859f879e5bd6e83b4adf54ebbe44adfc60c0f03)
- The `client.pp` manifest moved to `agent.pp`. ([@jm404](https://github.com/jm404)) [#69fe628](https://github.com/wazuh/wazuh-puppet/commit/69fe628bfbfec171fce3754b22f1d04b67d58d81)
## Removed
- Registration method `export` deleted due to security issues. ([@jm404](https://github.com/jm404)) [#f77fe49](https://github.com/wazuh/wazuh-puppet/commit/f77fe496b4e290b0b3a70272c66d26f8ee7d0012)
- Eliminated `inotify-tools `. ([@jm404](https://github.com/jm404)) [#628db1e](https://github.com/wazuh/wazuh-puppet/commit/628db1e4d5236b195ee1c50945fb6ff7553a5b23)
- Deleted `_common.erb` fragment in order to give flexibility to Agent and Manager. ([@jm404](https://github.com/jm404)) [#92114ea](https://github.com/wazuh/wazuh-puppet/commit/92114ea205be4fa6783115b01b1148a2a6dc7c2d)
## [v3.9.1]
### Added
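Review bot: heading levels are inconsistent in the new entries: `## Fixed` under v3.10.0_7.3.2 and under v3.9.5_7.2.1, and `## Removed` under v3.9.1_7.1.0, sit at the same level as the release headings, while their siblings use `### Added` / `### Changed`; make them `### Fixed` and `### Removed` so the rendered changelog nests them under the release they belong to.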
@@ -76,8 +166,8 @@ All notable changes to this project will be documented in this file.
- Fix username (puppet to puppetlabs). ([#74](https://github.com/wazuh/wazuh-puppet/pull/74))
## Change Log old version.
## 2017-xx-xx support@wazuh.com - 2.0.23
* Fixed issue #18 with the pull request #17. (thanks @lemrouch)

View File

@@ -1,24 +1,71 @@
source 'https://rubygems.org'
source ENV['GEM_SOURCE'] || 'https://rubygems.org'
group :test do
gem 'rake'
gem 'puppet', ENV['PUPPET_GEM_VERSION'] || '~> 3.8.0'
gem 'rspec', '< 3.2.0'
gem 'rspec-puppet', git: 'https://github.com/rodjek/rspec-puppet.git'
gem 'rspec-puppet-facts'
gem 'autorun'
def location_for(place_or_version, fake_version = nil)
git_url_regex = %r{\A(?<url>(https?|git)[:@][^#]*)(#(?<branch>.*))?}
file_url_regex = %r{\Afile:\/\/(?<path>.*)}
gem 'puppetlabs_spec_helper'
if place_or_version && (git_url = place_or_version.match(git_url_regex))
[fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact
elsif place_or_version && (file_url = place_or_version.match(file_url_regex))
['>= 0', { path: File.expand_path(file_url[:path]), require: false }]
else
[place_or_version, { require: false }]
end
end
ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
minor_version = ruby_version_segments[0..1].join('.')
group :development do
gem 'puppet-blacksmith'
gem 'guard-rake'
gem 'yard'
gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9')
gem "json", '= 2.0.4', require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby]
gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby]
gem "puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw]
end
group :system_tests do
gem 'beaker'
gem 'beaker-rspec'
gem 'beaker-puppet_install_helper'
puppet_version = ENV['PUPPET_GEM_VERSION']
facter_version = ENV['FACTER_GEM_VERSION']
hiera_version = ENV['HIERA_GEM_VERSION']
gems = {}
gems['puppet'] = location_for(puppet_version)
# If facter or hiera versions have been specified via the environment
# variables
gems['facter'] = location_for(facter_version) if facter_version
gems['hiera'] = location_for(hiera_version) if hiera_version
if Gem.win_platform? && puppet_version =~ %r{^(file:///|git://)}
# If we're using a Puppet gem on Windows which handles its own win32-xxx gem
# dependencies (>= 3.5.0), set the maximum versions (see PUP-6445).
gems['win32-dir'] = ['<= 0.4.9', require: false]
gems['win32-eventlog'] = ['<= 0.6.5', require: false]
gems['win32-process'] = ['<= 0.7.5', require: false]
gems['win32-security'] = ['<= 0.2.5', require: false]
gems['win32-service'] = ['0.8.8', require: false]
end
gems.each do |gem_name, gem_params|
gem gem_name, *gem_params
end
# Evaluate Gemfile.local and ~/.gemfile if they exist
extra_gemfiles = [
"#{__FILE__}.local",
File.join(Dir.home, '.gemfile'),
]
extra_gemfiles.each do |gemfile|
if File.file?(gemfile) && File.readable?(gemfile)
eval(File.read(gemfile), binding)
end
end
# vim: syntax=ruby
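Review bot: the loop ending in `eval(File.read(gemfile), binding)` executes `Gemfile.local` and `~/.gemfile` as Ruby on every `bundle` invocation; that is the standard PDK template, but note that `Gemfile.local` is hidden from `git status` by the new `.gitignore`, so any file dropped into the checkout under that name runs with the developer's privileges on the next `bundle install`. Add a comment saying so, or remove the hook if nobody uses it. `source ENV['GEM_SOURCE'] || 'https://rubygems.org'` likewise lets the environment redirect gem fetching; fine for a mirror, but CI jobs should not inherit an untrusted `GEM_SOURCE`.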

View File

@@ -15,71 +15,78 @@ This module installs and configure Wazuh agent and manager.
## Directory structure
├── wazuh-puppet
├── files
│ │ ├── client.keys
│ │ ├── ossec-logrotate.te
│ ├── wazuh-winagent-v2.1.1-1.exe
├── manifest
│ │ ├── activeresponse.pp
├── addlog.pp
├── agentkey.pp
├── client.pp
├── collect_agent_keys.pp
├── command.pp
├── email_alert.pp
├── export_agent_key.pp
├── init.pp
├── params.pp
├── repo.pp
├── reports.pp
├── server.pp
│ ├── spec
├── classes
│ │ ├── client_spec.rb
│ │ ├── init_spec.rb
│ │ ├── server_spec.rb
│ │
│ │ ├── spec_helper.rb
├── templates
├── api
│ │ ├── config.js.erb
│ ├── fragments
│ │ ├── _activeresponse.erb
│ │ │ ├── _common.erb
│ │ ├── _localfile.erb
│ │ ├── _reports.erb
│ │ ├── _rootcheck_linux.erb
│ │ ├── _rootcheck_windows.erb
│ │ ├── _syscheck_linux.erb
│ │ ├── _syscheck_windows.erb
│ │ ├── _wodle_openscap.erb
│ ├── command.erb
│ ├── email_alert.erb
│ ├── local_decoder.xml.erb
│ ├── local_rules.xmk.erb
│ ├── ossec_shared_agent.conf.erb
│ ├── process_list.erb
│ ├── wazuh_agent.conf.erb
│ ├── wazuh_manager.conf.erb
|
├── tests
│ ├── init.pp
|
├── README.md
├── VERSION
├── CHANGELOG.md
├── .travis.yml
├── Gemfile
│ ├── LICENSE.txt
│ ├── Rakefile
│ ├── checksums.json
│ ├── metadata.json
wazuh-puppet/
├── CHANGELOG.md
├── checksums.json
├── files
   └── ossec-logrotate.te
├── Gemfile
├── LICENSE.txt
├── manifests
   ├── activeresponse.pp
   ├── addlog.pp
   ├── agent.pp
   ├── command.pp
   ├── elasticsearch.pp
   ├── email_alert.pp
   ├── filebeat.pp
   ├── init.pp
   ├── integration.pp
   ├── kibana.pp
   ├── manager.pp
   ├── params_agent.pp
   ├── params_elastic.pp
   ├── params_manager.pp
   ├── repo_elastic.pp
   ├── repo.pp
   ├── reports.pp
   └── wazuh_api.pp
├── metadata.json
├── Rakefile
├── README.md
├── spec
   ├── classes
   │   ├── client_spec.rb
   │   ├── init_spec.rb
   │   └── server_spec.rb
   └── spec_helper.rb
├── templates
   ├── api
   │   └── config.js.erb
   ├── default_commands.erb
   ├── elasticsearch_yml.erb
   ├── filebeat_yml.erb
   ├── fragments
   │   ├── _activeresponse.erb
   │   ├── _auth.erb
   │   ├── _cluster.erb
   │   ├── _command.erb
   │   ├── _default_activeresponse.erb
│ ├── _email_alert.erb
   │   ├── _integration.erb
   │   ├── _localfile.erb
   │   ├── _localfile_generation.erb
   │   ├── _reports.erb
│   │   ├── _rootcheck.erb
   │   ├── _ruleset.erb
   │   ├── _sca.erb
│   │   ├── _syscheck.erb
   │   ├── _wodle_cis_cat.erb
   │   ├── _wodle_openscap.erb
   │   ├── _wodle_osquery.erb
   │   ├── _wodle_syscollector.erb
   │   └── _wodle_vulnerability_detector.erb
   ├── jvm_options.erb
   ├── kibana_yml.erb
   ├── local_decoder.xml.erb
   ├── local_rules.xml.erb
│   ├── ossec_shared_agent.conf.erb
│   ├── process_list.erb
│   ├── wazuh_agent.conf.erb
│   └── wazuh_manager.conf.erb
├── tests
│   └── init.pp
└── VERSION
## Branches
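Review bot: the new tree still lists `spec/classes/client_spec.rb` and `server_spec.rb`, but `manifests/` now contains `agent.pp` and `manager.pp` and no `client.pp` or `server.pp` (the CHANGELOG in this commit records `server.pp` renamed to `manager.pp` and `client.pp` moved to `agent.pp`), so either the spec files were not renamed with the classes or the tree is stale; run `rake spec` and rename the spec files to match the classes they exercise. The old tree also had `local_rules.xmk.erb`, which the new one correctly spells `local_rules.xml.erb`.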
@@ -100,7 +107,7 @@ This Puppet module has been authored by Nicolas Zin, and updated by Jonathan Gaz
## License and copyright
WAZUH
Copyright (C) 2016-2018 Wazuh Inc. (License GPLv2)
Copyright (C) 2019 Wazuh Inc. (License GPLv2)
Based on OSSEC
Copyright (C) 2015 Trend Micro Inc.
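Review bot: `Copyright (C) 2016-2018` is replaced by `2019`, which drops the earlier years instead of extending the range; the usual form is `2016-2019`, keeping the original years of authorship.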

View File

@@ -1,18 +1,76 @@
require 'rubygems'
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]
require 'puppet-syntax/tasks/puppet-syntax'
require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any?
require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any?
require 'puppet-strings/tasks' if Bundler.rubygems.find_name('puppet-strings').any?
desc "Validate manifests, templates, and ruby files"
task :validate do
Dir['manifests/**/*.pp'].each do |manifest|
sh "puppet parser validate --noop #{manifest}"
def changelog_user
return unless Rake.application.top_level_tasks.include? "changelog"
returnVal = nil || JSON.load(File.read('metadata.json'))['author']
raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil?
puts "GitHubChangelogGenerator user:#{returnVal}"
returnVal
end
def changelog_project
return unless Rake.application.top_level_tasks.include? "changelog"
returnVal = nil || JSON.load(File.read('metadata.json'))['name']
raise "unable to find the changelog_project in .sync.yml or the name in metadata.json" if returnVal.nil?
puts "GitHubChangelogGenerator project:#{returnVal}"
returnVal
end
def changelog_future_release
return unless Rake.application.top_level_tasks.include? "changelog"
returnVal = "v%s" % JSON.load(File.read('metadata.json'))['version']
raise "unable to find the future_release (version) in metadata.json" if returnVal.nil?
puts "GitHubChangelogGenerator future_release:#{returnVal}"
returnVal
end
PuppetLint.configuration.send('disable_relative')
if Bundler.rubygems.find_name('github_changelog_generator').any?
GitHubChangelogGenerator::RakeTask.new :changelog do |config|
raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil?
config.user = "#{changelog_user}"
config.project = "#{changelog_project}"
config.future_release = "#{changelog_future_release}"
config.exclude_labels = ['maintenance']
config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)."
config.add_pr_wo_labels = true
config.issues = false
config.merge_prefix = "### UNCATEGORIZED PRS; GO LABEL THEM"
config.configure_sections = {
"Changed" => {
"prefix" => "### Changed",
"labels" => ["backwards-incompatible"],
},
"Added" => {
"prefix" => "### Added",
"labels" => ["feature", "enhancement"],
},
"Fixed" => {
"prefix" => "### Fixed",
"labels" => ["bugfix"],
},
}
end
Dir['spec/**/*.rb','lib/**/*.rb'].each do |ruby_file|
sh "ruby -c #{ruby_file}" unless ruby_file =~ /spec\/fixtures/
end
Dir['templates/**/*.erb'].each do |template|
sh "erb -P -x -T '-' #{template} | ruby -c"
else
desc 'Generate a Changelog from GitHub'
task :changelog do
raise <<EOM
The changelog tasks depends on unreleased features of the github_changelog_generator gem.
Please manually add it to your .sync.yml for now, and run `pdk update`:
---
Gemfile:
optional:
':development':
- gem: 'github_changelog_generator'
git: 'https://github.com/skywinder/github-changelog-generator'
ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018'
condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')"
EOM
end
end
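Review bot: `returnVal = nil || JSON.load(File.read('metadata.json'))['author']` (and the same pattern in `changelog_project`) keeps a `nil ||` that is a leftover from the PDK template, where the left operand is the value from `.sync.yml`; drop it. `JSON.load` enables `create_additions` by default, so a `json_class` key in the parsed document can instantiate arbitrary classes; `metadata.json` is repository-controlled so the exposure is small, but `JSON.parse` is the right call for plain data. The removed `validate` task used to run `erb -P -x -T '-' ... | ruby -c` over every template; that coverage now depends on the `syntax` task from `puppetlabs_spec_helper`, which the Travis static stage does include in `CHECK`, so nothing is lost as long as that stage keeps running.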

View File

@@ -1,2 +1,2 @@
WAZUH-PUPPET_VERSION="v3.9.1"
REVISION="3901"
WAZUH-PUPPET_VERSION="v3.10.2"
REVISION="31020"

View File

@@ -25,8 +25,8 @@
"templates/90_ossec.conf.erb": "698695c984a8d6829d3a331b8a4196ec",
"templates/99_ossec_agent.conf.erb": "386ab8ad1d31566eed64a06e0a8d4d9a",
"templates/activeresponse.erb": "8a3bd90af1c0b8199af57f37bf5314d2",
"templates/command.erb": "e37530e43ad73dbfe1e17c0d9da042f9",
"templates/email_alert.erb": "3aa50ecb0e284ed3a443ee89d21260b0",
"templates/fragments/_command.erb": "e37530e43ad73dbfe1e17c0d9da042f9",
"templates/fragments/_email_alert.erb": "3aa50ecb0e284ed3a443ee89d21260b0",
"templates/ossec_shared_agent.conf.erb": "131307a6afdf7e83053cdbc9f6d44368",
"tests/init.pp": "2eac4e89d806c23f7d72d6ac924d1921"
}
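Review bot: `checksums.json` is generated by `puppet module build` / `pdk build` and should not be hand-edited. Only the two moved templates are updated here, while the file still carries entries for `templates/90_ossec.conf.erb`, `templates/99_ossec_agent.conf.erb` and `templates/activeresponse.erb`, none of which exist at those paths in the tree the README now documents (`_activeresponse.erb` lives under `templates/fragments/`). Regenerate the file from the built module, or delete it from the source tree and let the build step create it; a stale checksum list defeats its purpose.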

View File

@@ -0,0 +1,10 @@
# frozen_string_literal: true
source "https://rubygems.org"
# gem "rails"
gem "test-kitchen"
gem "kitchen-puppet"
gem "kitchen-vagrant"
gem 'kitchen-docker', '~> 2.3'
gem "puppet"
gem "librarian-puppet"
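Review bot: `# gem "rails"` is the scaffold comment left by `bundle init`; remove it. Only `kitchen-docker` is pinned; `test-kitchen`, `kitchen-puppet`, `kitchen-vagrant`, `puppet` and `librarian-puppet` float, and `Gemfile.lock` is discarded by the `*.lock` rule in the module's `.gitignore`, so two developers running `bundle install` a month apart get different harnesses. Pin at least the `puppet` major to match the `PUPPET_GEM_VERSION` ranges in `.travis.yml` (`~> 5.0` / `~> 6.0`).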

View File

@@ -0,0 +1,26 @@
#!/usr/bin/env ruby
#^syntax detection
forge "https://forgeapi.puppetlabs.com"
# use dependencies defined in metadata.json
#metadata
mod "wazuh/wazuh"
# use dependencies defined in Modulefile
# modulefile
# A module from the Puppet Forge
# mod 'puppetlabs-stdlib'
# A module from git
# mod 'puppetlabs-ntp',
# :git => 'git://github.com/puppetlabs/puppetlabs-ntp.git'
# A module from a git branch/tag
# mod 'puppetlabs-apt',
# :git => 'https://github.com/puppetlabs/puppetlabs-apt.git',
# :ref => '1.4.x'
# A module from Github pre-packaged tarball
# mod 'puppetlabs-apache', '0.6.0', :github_tarball => 'puppetlabs/puppetlabs-apache'
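Review bot: `mod "wazuh/wazuh"` with no version pulls whatever the Forge currently publishes, and `run.sh` later copies the checkout's own `files/`, `templates/` and `manifests/` over `modules/wazuh/` anyway, so the Forge copy is both unpinned and immediately overwritten. Either pin it to the version under test or drop the line and rely on the copy step; if the module declares dependencies in `metadata.json`, uncommenting `#metadata` is the way to get those installed into `modules/`.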

View File

@@ -0,0 +1,227 @@
**KITCHEN-PUPPET TESTING**
**1.Building Kitchen Directory Structure**
```
├── chefignore
├── Gemfile
├── hieradata
├── kitchen.yml
├── manifests
├── modules `should contain wazuh-puppet module`
├── Puppetfile
├── run.sh
├── test
```
Find more details in the [official documentation](https://kitchen.ci/)
**2. Required Gems**
Kitchen basically works with `Ruby` gems and so, all required packages are available as gems. In our case, we would need the following gems to be installed. Found in the file `Gemfile` :
```
vagrant@master:~/wazuh-puppet/kitchen$ cat Gemfile
# frozen_string_literal: true
source "https://rubygems.org"
# gem "rails"
gem "test-kitchen"
gem "kitchen-puppet"
gem "kitchen-vagrant"
gem 'kitchen-docker', '~> 2.3'
gem "puppet"
gem "librarian-puppet"
```
As we can see, we have gems for docker, vagrant, puppet, and kitchen itself.
Once we have our list of gems prepared, we install them running the following command:
```
bundle install
```
**3. Adding Dependencies**
A step which is already applied here is the creation of `Puppetfile` using `puppet-librerian` by running the command:
```
± librarian-puppet init
create Puppetfile
```
As you can see the, `Puppetfile` already exist with the following content:
```
#!/usr/bin/env ruby
#^syntax detection
forge "https://forgeapi.puppetlabs.com"
# use dependencies defined in metadata.json
#metadata
mod "wazuh/wazuh"
# use dependencies defined in Modulefile
# modulefile
# A module from the Puppet Forge
# mod 'puppetlabs-stdlib'
# A module from git
# mod 'puppetlabs-ntp',
# :git => 'git://github.com/puppetlabs/puppetlabs-ntp.git'
# A module from a git branch/tag
# mod 'puppetlabs-apt',
# :git => 'https://github.com/puppetlabs/puppetlabs-apt.git',
# :ref => '1.4.x'
# A module from Github pre-packaged tarball
# mod 'puppetlabs-apache', '0.6.0', :github_tarball => 'puppetlabs/puppetlabs-apache'
```
Once `Puppetfile` is prepared, then we run need to get the requested module, by running:
```
librarian-puppet install
```
**4. Kitchen Environment Configuration**
In the file `kitchen.yml` we have to configure the machines were our tests will be running. This configuration includes information, such as :
* The virtualization tool `vagrant` or `docker`,
* The operating system image,
* Testing suites `testinfra` for example, etc ...
- An initial example of `kitchen.yml` would be:
```
vagrant@master:~/wazuh-puppet/kitchen$ cat kitchen.yml
---
driver:
name: docker
provisioner:
name: puppet_apply
manifests_path: manifests
modules_path: modules
hiera_data_path: hieradata
platforms:
- name: ubuntu-manager_00
run_options: --ip 10.1.0.19
driver_config:
image: ubuntu:14.04
platform: ubuntu
hostname: manager00_ubuntu
- name: ubuntu-agent
driver_config:
image: ubuntu:14.04
platform: ubuntu
hostname: agent00_ubuntu
suites:
- name: default
manifest: site.pp
verifier:
name: shell
command: py.test -v test/base
```
**5. Put Kitchen in action**
Once we have `kitchen.yml` prepared, then we can create the environment by running:
```
kitchen create
```
This way we will only have our machines created without installing the desired components to be tested. These components are represented by Wazuh stack components such as `wazuh-manager`, `wazuh-agent`, etc ...
**5. Install the required components to be tested then**
In `Puppet` case, to specify the `manifests` to be installed, we should configure the file 'manifests/site.pp', which by now it looks like:
```
node 'manager00_ubuntu' {
class { "wazuh::manager":
configure_wodle_openscap => false
}
}
node 'agent00_ubuntu' {
class { "wazuh::agent":
ossec_ip => "manager_ip",
configure_wodle_openscap => false
}
}
```
As you can see, we only want to install `wazuh-manager` and `wazuh-agent`.
**6. Kitchen Converging: Installing the packages to be tested**
Once `site.pp` is prepared, we run:
```
kitchen converge
```
**7. Testing**
`Kitchen` offers a large variety of testing types, such as:
* Bats tests.
* Serverspec tests.
* Testinfra tests.
* <Maybe there are more ' to be discovered later' >
In our case, we think that `testinfra` is the best choice based on old experience. so and in order to implemente `testinfra` tests, we should indicate the testing suite command in `kitchen.yml` as indicated before:
```
suites:
- name: default
manifest: site.pp
verifier:
name: shell
command: py.test -v test/base
```
In the folder test/base, we put our tests. By now we implemented 2 tests, one for `wazuh-manager` and another one for `wazuh-agent`. Please check both here:
* [manager](https://github.com/wazuh/wazuh-puppet/blob/v3.9.5_7.2.1/kitchen/test/base/test_wazuh_manager.py)
* [agent](https://github.com/wazuh/wazuh-puppet/blob/v3.9.5_7.2.1/kitchen/test/base/test_wazuh_agent.py)
Once we have our suite prepared, then we run:
```
kitchen verify
```
And in a successful testing attempt we can get something like:
```
-----> Starting Kitchen (v2.2.5)
-----> Verifying <default-ubuntu-manager-00>...
[Shell] Verify on instance default-ubuntu-manager-00 ...
============================= test session starts ==============================
platform linux -- Python 3.4.3, pytest-4.6.4, py-1.8.0, pluggy-0.12.0 -- /usr/bin/python3.4
cachedir: .pytest_cache
rootdir: /home/vagrant/wazuh-puppet/kitchen
plugins: testinfra-3.0.5
collecting ... collected 8 items
test/base/test_wazuh_agent.py::test_wazuh_agent_package SKIPPED [ 12%]
test/base/test_wazuh_agent.py::test_wazuh_processes_running[ossec-agentd-ossec] SKIPPED [ 25%]
test/base/test_wazuh_agent.py::test_wazuh_processes_running[ossec-execd-root] SKIPPED [ 37%]
test/base/test_wazuh_agent.py::test_wazuh_processes_running[ossec-syscheckd-root] SKIPPED [ 50%]
test/base/test_wazuh_agent.py::test_wazuh_processes_running[wazuh-modulesd-root] SKIPPED [ 62%]
test/base/test_wazuh_manager.py::test_wazuh_agent_package PASSED [ 75%]
test/base/test_wazuh_manager.py::test_wazuh_packages_are_installed PASSED [ 87%]
test/base/test_wazuh_manager.py::test_wazuh_services_are_running PASSED [100%]
===================== 3 passed, 5 skipped in 1.18 seconds ======================
Finished verifying <default-ubuntu-manager-00> (0m2.16s).
-----> Kitchen is finished. (0m4.51s)
```
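Review bot: the text describes a different harness from the one committed next to it. The sample `kitchen.yml` here has `run_options: --ip 10.1.0.19` and no `privileged` / `use_internal_docker_network` keys, while the committed `kitchen.yml` drops `run_options` and adds `privileged: true`; the `site.pp` snippet uses `ossec_ip => "manager_ip"`, while the committed `site.pp.template` uses `wazuh_register_endpoint` / `wazuh_reporting_endpoint`; and nothing here mentions `run.sh`, which is the step that actually resolves the manager IPs and renders `site.pp`. The test links point at the `v3.9.5_7.2.1` tag while `VERSION` in this commit is v3.10.2. Two sections are numbered 5, and the placeholder `<Maybe there are more ' to be discovered later' >` should go. Typos: `puppet-librerian`, `we run need to get`, `machines were our tests`, `implemente`.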

View File

@@ -0,0 +1 @@
.kitchen

View File

@@ -0,0 +1,12 @@
#!/bin/bash
echo "Deleting Old logs, old instances files, etc ..."
rm -rf .kitchen/logs/* # removing old logs
rm -rf .kitchen/def* # removing old .yml files associated for old kitchen instances
rm -rf ./manifests/se* # removing all temporal manifests files.
echo "Kitchen is destroying old instances ..."
kitchen destroy all # destroying all existing kitchen instances
echo "Docker is stopping and deleting old containers of they do exist"
docker ps --filter name=kitchen -aq | xargs docker stop | xargs docker rm
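Review bot: `rm -rf ./manifests/se*` is meant to remove the rendered `site.pp` (the comment says "temporal manifests"), but `site.pp` begins with `si`, so the glob matches nothing and the stale rendered manifest survives; name the file explicitly (`rm -f ./manifests/site.pp`) rather than widening the glob to `si*`, which would also delete `site.pp.template`. `docker ps --filter name=kitchen -aq | xargs docker stop | xargs docker rm` runs `docker stop` with no arguments when nothing matches, which errors; use `xargs -r` (GNU) or guard on a non-empty list, and put `set -e` at the top so such failures stop the script. The same five lines are repeated in `run.sh`; have `run.sh` call this script instead.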

View File

@@ -0,0 +1,53 @@
---
driver:
name: docker
privileged: true
use_sudo: false
use_internal_docker_network: true
provisioner:
name: puppet_apply
manifests_path: manifests
modules_path: modules
hiera_data_path: hieradata
platforms:
- name: ubuntu-manager_00_kitchen
driver_config:
image: ubuntu:14.04
platform: ubuntu
hostname: manager00_ubuntu
- name: ubuntu-agent-kitchen
driver_config:
image: ubuntu:14.04
platform: ubuntu
hostname: agent00_ubuntu
- name: centos-manager_00_kitchen
driver_config:
image: centos:7
platform: centos
hostname: manager00_centos
run_command: /usr/sbin/init
dockerfile: test/Dockerfile
build_options:
rm: true
- name: centos-agent_kitchen
driver_config:
image: centos:7
platform: centos
hostname: agent00_centos
run_command: /usr/sbin/init
run_command: /usr/lib/systemd/systemd
dockerfile: test/Dockerfile
build_options:
rm: true
suites:
- name: default
manifest: site.pp
verifier:
name: shell
command: py.test -v test/base
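Review bot: `run_command` is given twice on the `centos-agent_kitchen` platform (`/usr/sbin/init` then `/usr/lib/systemd/systemd`); a YAML mapping cannot carry duplicate keys, and Psych (which Kitchen uses) silently keeps the last one, so delete one of them (the manager platform uses `/usr/sbin/init`, which on CentOS 7 is a symlink to systemd anyway). `privileged: true` is set globally so systemd can run inside the CentOS containers; that gives every container full device and capability access on the host, which is acceptable on a disposable test VM but should be called out in the README, and it is not needed for the two `ubuntu:14.04` platforms, which do not run systemd. Ubuntu 14.04 was also past standard support by this commit's date; consider a supported release for those two platforms.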

View File

@@ -0,0 +1,24 @@
node 'manager00_ubuntu' {
class { 'wazuh::manager':
configure_wodle_openscap => false
}
}
node 'agent00_ubuntu' {
class { 'wazuh::agent':
wazuh_register_endpoint => '10.1.0.9',
wazuh_reporting_endpoint => '10.1.0.9',
configure_wodle_openscap => false
}
}
node 'manager00_centos' {
class { 'wazuh::manager':
configure_wodle_openscap => true
}
}
node 'agent00_centos' {
class { 'wazuh::agent':
wazuh_register_endpoint => '10.1.0.11',
wazuh_reporting_endpoint => '10.1.0.11',
configure_wodle_openscap => true
}
}
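Review bot: this `site.pp` is the output of `run.sh` (`cp ./manifests/site.pp.template ./manifests/site.pp` followed by two `sed -i` substitutions) with the addresses `10.1.0.9` and `10.1.0.11` baked in from one particular run, so it should not be tracked: it is overwritten on every run, and `clean.sh` tries (and, because of its `se*` glob, fails) to delete it. Add `kitchen/manifests/site.pp` to the ignore list and keep only `site.pp.template` in the tree.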

View File

@@ -0,0 +1,24 @@
node 'manager00_ubuntu' {
class { "wazuh::manager":
configure_wodle_openscap => false
}
}
node 'agent00_ubuntu' {
class { "wazuh::agent":
wazuh_register_endpoint => "ubuntu_manager_ip",
wazuh_reporting_endpoint => "ubuntu_manager_ip",
configure_wodle_openscap => false
}
}
node 'manager00_centos' {
class { "wazuh::manager":
configure_wodle_openscap => true
}
}
node 'agent00_centos' {
class { "wazuh::agent":
wazuh_register_endpoint => "centos_manager_ip",
wazuh_reporting_endpoint => "centos_manager_ip",
configure_wodle_openscap => true
}
}
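Review bot: Puppet style flags double-quoted strings that contain no interpolation, and `"wazuh::manager"`, `"wazuh::agent"`, `"ubuntu_manager_ip"` and `"centos_manager_ip"` are all plain literals; use single quotes, as the rendered `site.pp` already does. The Ubuntu and CentOS pairs also differ only in `configure_wodle_openscap` (false on Ubuntu, true on CentOS) with no comment saying why; add one, or test the same configuration on both so a failure can be attributed to the platform rather than the setting.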

View File

@@ -0,0 +1,53 @@
#!/bin/bash
# Adding Wazuh module from Puppet forge.
#LIBRARIAN_OUTPUT="$(librarian-puppet show)"
#
#if [[ $LIBRARIAN_OUTPUT == *"wazuh"* ]]; then
# echo "Librarian-Puppet: Wazuh module already installed .. Continue"
#else
# echo "Installing Wazuh module"
# librarian-puppet install
#
# sed -i "s/'Debian', 'debian'/&, 'Ubuntu', 'ubuntu'/" modules/wazuh/manifests/manager.pp
# sed -i "s/'Debian', 'debian'/&, 'Ubuntu', 'ubuntu'/" modules/wazuh/manifests/agent.pp
#fi
mkdir -p modules/wazuh
cp -r ../files ./modules/wazuh/
cp -r ../templates/ ./modules/wazuh/
cp -r ../manifests/ ./modules/wazuh/
echo "Deleting Old logs, old instances files, etc ..."
rm -rf .kitchen/logs/* # removing old logs
rm -rf .kitchen/def* # removing old .yml files associated for old kitchen instances
rm -rf ./manifests/se* # removing all temporal manifests files.
echo "Kitchen is destroying old instances ..."
kitchen destroy all # destroying all existing kitchen instances
echo "Docker is stopping and deleting old containers of they do exist"
docker ps --filter name=kitchen -aq | xargs docker stop | xargs docker rm
echo "Kitchen is creating the new instances"
kitchen create # creating new kitchen instances
echo "Getting Wazuh managers IPs to the agents"
ubuntu_manager_ip="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' `docker ps | awk '{print $NF}' | grep ubuntu | grep manager`)"
centos_manager_ip="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' `docker ps | awk '{print $NF}' | grep centos | grep manager`)"
echo "getting a copy of ./manifests/site.pp.template"
cp ./manifests/site.pp.template ./manifests/site.pp
echo "Assigning Wazuh managers IPs to the corresponding agents."
sed -i 's/ubuntu_manager_ip/'${ubuntu_manager_ip}'/g' ./manifests/site.pp
sed -i 's/centos_manager_ip/'${centos_manager_ip}'/g' ./manifests/site.pp
echo "Kitchen is converging ..."
kitchen converge
echo "Kitchen is testing ..."
kitchen verify
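Review bot: the IP lookups have no failure check. `docker inspect --format '{{ .NetworkSettings.IPAddress }}' ...` returns an empty string when the container sits on a user-defined network (the address is then under `NetworkSettings.Networks.<name>.IPAddress`) or when the `docker ps | awk '{print $NF}' | grep ubuntu | grep manager` pipeline matches nothing or more than one container, and the unquoted `sed -i 's/ubuntu_manager_ip/'${ubuntu_manager_ip}'/g'` then silently writes `wazuh_register_endpoint => ''` into `site.pp`, so the agents converge against an empty endpoint and the problem only surfaces at `kitchen verify`. Test both variables with `[ -n "$ubuntu_manager_ip" ] || exit 1` (and the same for `centos_manager_ip`) before the `cp`, quote them in the `sed` calls, and start the script with `set -euo pipefail`. The commented block at the top that `sed`s `'Ubuntu', 'ubuntu'` into `manager.pp` and `agent.pp` is dead now that the CHANGELOG records Ubuntu support (PR#141); remove it. The cleanup lines duplicate `clean.sh`; call that script instead.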

View File

@@ -0,0 +1,20 @@
FROM centos:7
ENV container docker
RUN yum clean all
RUN yum install -y sudo openssh-server openssh-clients which curl
RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
RUN if ! getent passwd kitchen; then useradd -d /home/kitchen -m -s /bin/bash -p '*' kitchen; fi
RUN echo "kitchen ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
RUN echo "Defaults !requiretty" >> /etc/sudoers
RUN mkdir -p /home/kitchen/.ssh
RUN chown -R kitchen /home/kitchen/.ssh
RUN chmod 0700 /home/kitchen/.ssh
RUN touch /home/kitchen/.ssh/authorized_keys
RUN chown kitchen /home/kitchen/.ssh/authorized_keys
RUN chmod 0600 /home/kitchen/.ssh/authorized_keys
RUN mkdir -p /run/sshd
RUN echo YOUR_PUBLIC_KEY >> /home/kitchen/.ssh/authorized_keys
EXPOSE 1515/tcp
EXPOSE 1515/udp
RUN yum install -y openssl
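Review bot: `RUN echo YOUR_PUBLIC_KEY >> /home/kitchen/.ssh/authorized_keys` appends the literal string `YOUR_PUBLIC_KEY`, so the `kitchen` user on the CentOS instances has no usable key until someone edits this file by hand; kitchen-docker writes its generated key only into the Dockerfile it produces itself, and with a custom `dockerfile:` the key line is the harness's responsibility. Document the step in the kitchen README or render the key into the file from `run.sh` before `kitchen create`. `EXPOSE 1515/udp` is wrong for Wazuh: agent enrollment is 1515/tcp and agent-to-manager traffic is 1514 (tcp or udp); `EXPOSE` is documentation only, so either list 1514 and 1515/tcp or drop both lines. `ssh-keygen -t dsa` creates a host key type OpenSSH has not offered by default since 7.0; the RSA host key is enough. `NOPASSWD: ALL` and `Defaults !requiretty` are what test-kitchen needs and are fine for a throwaway container. The two `yum install` lines could be one layer with `yum clean all` at the end.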

View File

@@ -0,0 +1,28 @@
import functools
import os
import pytest
import testinfra
test_host = testinfra.get_host('paramiko://{KITCHEN_USERNAME}@{KITCHEN_HOSTNAME}:{KITCHEN_PORT}'.format(**os.environ), ssh_identity_file=os.environ.get('KITCHEN_SSH_KEY'))
@pytest.mark.filterwarnings('ignore')
@pytest.mark.skipif('manager' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
def test_wazuh_agent_package(host):
name = "wazuh-agent"
version = "3.10.2"
pkg = host.package(name)
assert pkg.is_installed
assert pkg.version.startswith(version)
@pytest.mark.filterwarnings('ignore')
@pytest.mark.skipif('manager' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
@pytest.mark.parametrize("wazuh_service, wazuh_owner", (
("ossec-agentd", "ossec"),
("ossec-execd", "root"),
("ossec-syscheckd", "root"),
("wazuh-modulesd", "root"),
))
def test_wazuh_processes_running(host, wazuh_service, wazuh_owner):
master = host.process.get(user=wazuh_owner, comm=wazuh_service)
assert master.args == "/var/ossec/bin/" + wazuh_service
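Review bot: `'manager' in os.environ.get('KITCHEN_INSTANCE')` raises `TypeError` at collection time when the variable is unset (`in None`), so outside Kitchen the module errors instead of skipping; use `os.environ.get('KITCHEN_INSTANCE', '')`. The module-level `test_host = testinfra.get_host(...)` duplicates the fixture in `conftest.py`, opens a connection at import even when every test will be skipped, and is never referenced because the tests take `host` from the fixture; drop it along with the unused `import functools`. `version = "3.10.2"` is repeated in the manager test; read it from the `VERSION` file (or an environment variable exported by `run.sh`) so a version bump does not require editing both tests. The `master` variable in `test_wazuh_processes_running` holds an agent process; `proc` would be a clearer name.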

View File

@@ -0,0 +1,59 @@
import functools
import os
import pytest
import testinfra
test_host = testinfra.get_host('paramiko://{KITCHEN_USERNAME}@{KITCHEN_HOSTNAME}:{KITCHEN_PORT}'.format(**os.environ), ssh_identity_file=os.environ.get('KITCHEN_SSH_KEY'))
@pytest.mark.filterwarnings('ignore')
@pytest.mark.skipif('agent' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
def test_wazuh_agent_package(host):
name = "wazuh-manager"
version = "3.10.2"
pkg = host.package(name)
assert pkg.is_installed
assert pkg.version.startswith(version)
@pytest.mark.filterwarnings('ignore')
@pytest.mark.skipif('agent' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
def get_wazuh_version():
"""This return the version of Wazuh."""
return "3.10.2"
@pytest.mark.filterwarnings('ignore')
@pytest.mark.skipif('agent' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
def test_wazuh_packages_are_installed(host):
"""Test if the main packages are installed."""
manager = host.package("wazuh-manager")
#api = host.package("wazuh-api")
distribution = host.system_info.distribution.lower()
if distribution == 'centos':
if host.system_info.release == "7":
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
#assert api.is_installed
#assert api.version.startswith(get_wazuh_version())
elif host.system_info.release.startswith("6"):
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
elif distribution == 'ubuntu':
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
@pytest.mark.skipif('agent' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
def test_wazuh_services_are_running(host):
"""Test if the services are enabled and running.
When assert commands are commented, this means that the service command has
a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
"""
manager = host.service("wazuh-manager")
distribution = host.system_info.distribution.lower()
if distribution == 'centos':
# assert manager.is_running
assert manager.is_enabled
elif distribution == 'ubuntu':
# assert manager.is_running
assert manager.is_enabled
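Review bot: the `reason` on every `skipif` here says 'Skip on wazuh manager instances' while the condition is `'agent' in os.environ.get('KITCHEN_INSTANCE')`, so the text should read 'agent instances', and as in the agent file `.get()` needs a `''` default or an unset variable raises `TypeError` at collection. In `test_wazuh_packages_are_installed` the CentOS branch compares `host.system_info.release == "7"` while the 6.x branch uses `startswith("6")`; on CentOS 7 `release` is the full `7.x.yyyy` string, so the equality never matches and the test silently asserts nothing on CentOS 7, and any distribution other than centos/ubuntu asserts nothing either. Since every branch asserts the same two things, drop the distribution switch and assert unconditionally. `test_wazuh_services_are_running` has `assert manager.is_running` commented out on both branches, so a manager that is enabled but crashed on boot passes; if the exit-code problem in wazuh-ansible issue #107 is still open, check `host.process.get(comm="ossec-analysisd")` instead of leaving the test with no running check. Minor: `test_wazuh_agent_package` is misnamed for a test that checks `wazuh-manager`, and `get_wazuh_version` carries pytest marks although it is not a test.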

View File

@@ -0,0 +1 @@
python3

View File

@@ -0,0 +1 @@
/usr/bin/python3

View File

@@ -0,0 +1,10 @@
import functools
import os
import pytest
import testinfra
test_host = testinfra.get_host('paramiko://{KITCHEN_USERNAME}@{KITCHEN_HOSTNAME}:{KITCHEN_PORT}'.format(**os.environ), ssh_identity_file=os.environ.get('KITCHEN_SSH_KEY'))
@pytest.fixture
def host():
return test_host
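Review bot: `testinfra.get_host('paramiko://{KITCHEN_USERNAME}@{KITCHEN_HOSTNAME}:{KITCHEN_PORT}'.format(**os.environ), ssh_identity_file=os.environ.get('KITCHEN_SSH_KEY'))` runs at import time, so a missing `KITCHEN_*` variable raises `KeyError` during collection for every test, including the ones that would be skipped; build the host inside the `host()` fixture and read the variables there with an explicit error message. With this fixture in conftest.py, the identical module-level `test_host = ...` lines in the two test files above are redundant and should be removed, and `import functools` is unused here as well. Consider `@pytest.fixture(scope="session")` so that one SSH connection is reused across the module's tests.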

View File

@@ -0,0 +1,10 @@
import functools
import os
import pytest
import testinfra
test_host = testinfra.get_host('paramiko://{KITCHEN_USERNAME}@{KITCHEN_HOSTNAME}:{KITCHEN_PORT}'.format(**os.environ), ssh_identity_file=os.environ.get('KITCHEN_SSH_KEY'))
@pytest.fixture
def host():
return test_host
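Review bot: this conftest.py is byte-for-byte the same as the one above (same import-time `testinfra.get_host(...)` call, same `host()` fixture, same unused `import functools`); keep a single copy in a shared `conftest.py` at the suite root so the two cannot drift apart and the import-time `KeyError` on missing `KITCHEN_*` variables only has to be fixed once.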

View File

@@ -0,0 +1,3 @@
@test 'wazuh is up and running' {
pgrep wazuh
}
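Review bot: `pgrep wazuh` matches any process whose name contains 'wazuh', so on an agent it can only match `wazuh-modulesd` (the other daemons are `ossec-agentd`, `ossec-execd` and `ossec-syscheckd`, as the testinfra test above lists), and it succeeds as long as any one such process exists, so a half-started install passes. Check the daemons you actually depend on explicitly, e.g. `pgrep -x ossec-agentd` on agents and `pgrep -x ossec-analysisd` on managers, or assert on `/var/ossec/bin/ossec-control status`, rather than on a substring of a process name.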

View File

@@ -0,0 +1,4 @@
def test_wazuh_manager_service_running(host):
service = host.service('wazuh-manager')
assert service.is_running
assert service.is_enabled
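Review bot: `assert service.is_running` here contradicts the manager test above, where the same assertion is commented out on both branches with a pointer to the service exit-code problem (wazuh-ansible issue #107); either that issue is fixed, in which case uncomment it there too, or this test fails for the same reason here. The test also relies on a `host` fixture that must come from a conftest.py on its path; make sure this file lives under one of the directories that define it.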

View File

@@ -0,0 +1 @@
lib

View File

@@ -0,0 +1,3 @@
home = /usr/bin
include-system-site-packages = false
version = 3.4.3
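Review bot: `home = /usr/bin` and `version = 3.4.3` are a `pyvenv.cfg` written by the authoring machine's interpreter, and together with the one-line `python3`, `/usr/bin/python3` and `lib` entries above it this means a virtualenv has been committed into the tree; it is tied to one interpreter path and version (Python 3.4 is end-of-life) and will not work on another host. Remove the venv, ignore it in `.gitignore`, and record the test dependencies in a `requirements.txt` that kitchen installs at run time instead.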

View File

@@ -1,4 +1,4 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#Define for a specific ossec active-response
define wazuh::activeresponse(
$command_name,
@@ -10,7 +10,7 @@ define wazuh::activeresponse(
$ar_repeated_offenders = '',
) {
require wazuh::params
require wazuh::params_manager
concat::fragment { $name:
target => 'ossec.conf',

View File

@@ -1,18 +1,18 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#Define a log-file to add to ossec
define wazuh::addlog(
$logfile = undef,
$logtype = 'syslog',
$logcommand = undef,
$logcommand = undef,
$commandalias = undef,
$frequency = undef,
) {
require wazuh::params
require wazuh::params_manager
concat::fragment { "ossec.conf_localfile-${logfile}":
target => 'ossec.conf',
content => template('wazuh/fragments/_localfile.erb'),
order => 20,
content => template('wazuh/fragments/_localfile_generation.erb'),
order => 21,
}
}
}
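Review bot: the fragment title `"ossec.conf_localfile-${logfile}"` is derived from `$logfile`, which defaults to `undef`, yet the define also accepts `$logcommand`; two `wazuh::addlog` declarations that set only `$logcommand` both produce the title `ossec.conf_localfile-` and the catalog fails with a duplicate declaration. Key the fragment on the define's own `$name` instead, e.g. `"ossec.conf_localfile-${name}"`. The template rename to `_localfile_generation.erb` and the order bump from `20` to `21` are fine; the duplicated `$logcommand = undef,` and closing `}` lines in the hunk look like whitespace-only churn that makes the real change harder to spot.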

View File

@@ -0,0 +1,481 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Setup for ossec client
class wazuh::agent(
# Versioning and package names
$agent_package_version = $wazuh::params_agent::agent_package_version,
$agent_package_name = $wazuh::params_agent::agent_package_name,
$agent_service_name = $wazuh::params_agent::agent_service_name,
# Manage repository
$manage_repo = $wazuh::params_agent::manage_repo,
# Authd registration options
$manage_client_keys = $wazuh::params_agent::manage_client_keys,
$agent_name = $wazuh::params_agent::agent_name,
$agent_group = $wazuh::params_agent::agent_group,
$wazuh_agent_cert = $wazuh::params_agent::wazuh_agent_cert,
$wazuh_agent_key = $wazuh::params_agent::wazuh_agent_key,
$wazuh_agent_cert_path = $wazuh::params_agent::wazuh_agent_cert_path,
$wazuh_agent_key_path = $wazuh::params_agent::wazuh_agent_key_path,
$agent_auth_password = $wazuh::params_agent::agent_auth_password,
$wazuh_manager_root_ca_pem = $wazuh::params_agent::wazuh_manager_root_ca_pem,
$wazuh_manager_root_ca_pem_path = $wazuh::params_agent::wazuh_manager_root_ca_pem_path,
## ossec.conf generation parameters
# Generation variables
$configure_rootcheck = $wazuh::params_agent::configure_rootcheck,
$configure_wodle_openscap = $wazuh::params_agent::configure_wodle_openscap,
$configure_wodle_cis_cat = $wazuh::params_agent::configure_wodle_cis_cat,
$configure_wodle_osquery = $wazuh::params_agent::configure_wodle_osquery,
$configure_wodle_syscollector = $wazuh::params_agent::configure_wodle_syscollector,
$configure_sca = $wazuh::params_agent::configure_sca,
$configure_syscheck = $wazuh::params_agent::configure_syscheck,
$configure_localfile = $wazuh::params_agent::configure_localfile,
$configure_active_response = $wazuh::params_agent::configure_active_response,
# Templates paths
$ossec_conf_template = $wazuh::params_agent::ossec_conf_template,
$ossec_rootcheck_template = $wazuh::params_agent::ossec_rootcheck_template,
$ossec_wodle_openscap_template = $wazuh::params_agent::ossec_wodle_openscap_template,
$ossec_wodle_cis_cat_template = $wazuh::params_agent::ossec_wodle_cis_cat_template,
$ossec_wodle_osquery_template = $wazuh::params_agent::ossec_wodle_osquery_template,
$ossec_wodle_syscollector_template = $wazuh::params_agent::ossec_wodle_syscollector_template,
$ossec_sca_template = $wazuh::params_agent::ossec_sca_template,
$ossec_syscheck_template = $wazuh::params_agent::ossec_syscheck_template,
$ossec_localfile_template = $wazuh::params_agent::ossec_localfile_template,
$ossec_ruleset = $wazuh::params_agent::ossec_ruleset,
$ossec_auth = $wazuh::params_agent::ossec_auth,
$ossec_cluster = $wazuh::params_agent::ossec_cluster,
$ossec_active_response_template = $wazuh::params_agent::ossec_active_response_template,
# Server configuration
$wazuh_register_endpoint = $wazuh::params_agent::wazuh_register_endpoint,
$wazuh_reporting_endpoint = $wazuh::params_agent::wazuh_reporting_endpoint,
$ossec_port = $wazuh::params_agent::ossec_port,
$ossec_protocol = $wazuh::params_agent::ossec_protocol,
$ossec_notify_time = $wazuh::params_agent::ossec_notify_time,
$ossec_time_reconnect = $wazuh::params_agent::ossec_time_reconnect,
$ossec_auto_restart = $wazuh::params_agent::ossec_auto_restart,
$ossec_crypto_method = $wazuh::params_agent::ossec_crypto_method,
$client_buffer_queue_size = $wazuh::params_agent::client_buffer_queue_size,
$client_buffer_events_per_second = $wazuh::params_agent::client_buffer_events_per_second,
# Rootcheck
$ossec_rootcheck_disabled = $wazuh::params_agent::ossec_rootcheck_disabled,
$ossec_rootcheck_check_files = $wazuh::params_agent::ossec_rootcheck_check_files,
$ossec_rootcheck_check_trojans = $wazuh::params_agent::ossec_rootcheck_check_trojans,
$ossec_rootcheck_check_dev = $wazuh::params_agent::ossec_rootcheck_check_dev,
$ossec_rootcheck_check_sys = $wazuh::params_agent::ossec_rootcheck_check_sys,
$ossec_rootcheck_check_pids = $wazuh::params_agent::ossec_rootcheck_check_pids,
$ossec_rootcheck_check_ports = $wazuh::params_agent::ossec_rootcheck_check_ports,
$ossec_rootcheck_check_if = $wazuh::params_agent::ossec_rootcheck_check_if,
$ossec_rootcheck_frequency = $wazuh::params_agent::ossec_rootcheck_frequency,
$ossec_rootcheck_rootkit_files = $wazuh::params_agent::ossec_rootcheck_rootkit_files,
$ossec_rootcheck_rootkit_trojans = $wazuh::params_agent::ossec_rootcheck_rootkit_trojans,
$ossec_rootcheck_skip_nfs = $wazuh::params_agent::ossec_rootcheck_skip_nfs,
## Wodles
# Openscap
$wodle_openscap_disabled = $wazuh::params_agent::wodle_openscap_disabled,
$wodle_openscap_timeout = $wazuh::params_agent::wodle_openscap_timeout,
$wodle_openscap_interval = $wazuh::params_agent::wodle_openscap_interval,
$wodle_openscap_scan_on_start = $wazuh::params_agent::wodle_openscap_scan_on_start,
# Ciscat
$wodle_ciscat_disabled = $wazuh::params_agent::wodle_ciscat_disabled,
$wodle_ciscat_timeout = $wazuh::params_agent::wodle_ciscat_timeout,
$wodle_ciscat_interval = $wazuh::params_agent::wodle_ciscat_interval,
$wodle_ciscat_scan_on_start = $wazuh::params_agent::wodle_ciscat_scan_on_start,
$wodle_ciscat_java_path = $wazuh::params_agent::wodle_ciscat_java_path,
$wodle_ciscat_ciscat_path = $wazuh::params_agent::wodle_ciscat_ciscat_path,
#Osquery
$wodle_osquery_disabled = $wazuh::params_agent::wodle_osquery_disabled,
$wodle_osquery_run_daemon = $wazuh::params_agent::wodle_osquery_run_daemon,
$wodle_osquery_log_path = $wazuh::params_agent::wodle_osquery_log_path,
$wodle_osquery_config_path = $wazuh::params_agent::wodle_osquery_config_path,
$wodle_osquery_add_labels = $wazuh::params_agent::wodle_osquery_add_labels,
# Syscollector
$wodle_syscollector_disabled = $wazuh::params_agent::wodle_syscollector_disabled,
$wodle_syscollector_interval = $wazuh::params_agent::wodle_syscollector_interval,
$wodle_syscollector_scan_on_start = $wazuh::params_agent::wodle_syscollector_scan_on_start,
$wodle_syscollector_hardware = $wazuh::params_agent::wodle_syscollector_hardware,
$wodle_syscollector_os = $wazuh::params_agent::wodle_syscollector_os,
$wodle_syscollector_network = $wazuh::params_agent::wodle_syscollector_network,
$wodle_syscollector_packages = $wazuh::params_agent::wodle_syscollector_packages,
$wodle_syscollector_ports = $wazuh::params_agent::wodle_syscollector_ports,
$wodle_syscollector_processes = $wazuh::params_agent::wodle_syscollector_processes,
# Localfile
$ossec_local_files = $wazuh::params_agent::default_local_files,
# Syscheck
$ossec_syscheck_disabled = $wazuh::params_agent::ossec_syscheck_disabled,
$ossec_syscheck_frequency = $wazuh::params_agent::ossec_syscheck_frequency,
$ossec_syscheck_scan_on_start = $wazuh::params_agent::ossec_syscheck_scan_on_start,
$ossec_syscheck_alert_new_files = $wazuh::params_agent::ossec_syscheck_alert_new_files,
$ossec_syscheck_auto_ignore = $wazuh::params_agent::ossec_syscheck_auto_ignore,
$ossec_syscheck_directories_1 = $wazuh::params_agent::ossec_syscheck_directories_1,
$ossec_syscheck_directories_2 = $wazuh::params_agent::ossec_syscheck_directories_2,
$ossec_syscheck_ignore_list = $wazuh::params_agent::ossec_syscheck_ignore_list,
$ossec_syscheck_ignore_type_1 = $wazuh::params_agent::ossec_syscheck_ignore_type_1,
$ossec_syscheck_ignore_type_2 = $wazuh::params_agent::ossec_syscheck_ignore_type_2,
$ossec_syscheck_nodiff = $wazuh::params_agent::ossec_syscheck_nodiff,
$ossec_syscheck_skip_nfs = $wazuh::params_agent::ossec_syscheck_skip_nfs,
## Selinux
$selinux = $wazuh::params_agent::selinux,
$manage_firewall = $wazuh::params_agent::manage_firewall,
## Windows
$download_path = $wazuh::params_agent::download_path,
) inherits wazuh::params_agent {
# validate_bool(
# $ossec_active_response, $ossec_rootcheck,
# $selinux, $manage_repo,
# )
# This allows arrays of integers, sadly
# (commented due to stdlib version requirement)
validate_string($agent_package_name)
validate_string($agent_service_name)
if (($manage_client_keys == 'yes')){
if ( ( $wazuh_register_endpoint == undef ) ) {
fail('The $wazuh_register_endpoint parameter is needed in order to register the Agent.')
}
}
case $::kernel {
'Linux' : {
if $manage_repo {
class { 'wazuh::repo':}
if $::osfamily == 'Debian' {
Class['wazuh::repo'] -> Class['apt::update'] -> Package[$agent_package_name]
} else {
Class['wazuh::repo'] -> Package[$agent_package_name]
}
}
package { $agent_package_name:
ensure => $agent_package_version, # lint:ignore:security_package_pinned_version
}
}
'windows' : {
file { 'wazuh-agent':
path => "${download_path}wazuh-agent-${agent_package_version}.msi",
owner => 'Administrator',
group => 'Administrators',
mode => '0774',
source => "http://packages.wazuh.com/3.x/windows/wazuh-agent-${agent_package_version}.msi",
source_permissions => ignore
}
if ( $manage_client_keys == 'yes' ) {
package { $agent_package_name:
ensure => $agent_package_version, # lint:ignore:security_package_pinned_version
provider => 'windows',
source => "${download_path}/wazuh-agent-${agent_package_version}.msi",
install_options => [ '/q', "ADDRESS=${wazuh_register_endpoint}", "AUTHD_SERVER=${wazuh_register_endpoint}" ],
require => File["${download_path}wazuh-agent-${agent_package_version}.msi"],
}
}
else {
package { $agent_package_name:
ensure => $agent_package_version, # lint:ignore:security_package_pinned_version
provider => 'windows',
source => "${download_path}wazuh-agent-${agent_package_version}.msi",
install_options => [ '/q' ], # silent installation
require => File["${download_path}wazuh-agent-${agent_package_version}.msi"],
}
}
}
default: { fail('OS not supported') }
}
## ossec.conf generation concats
case $::operatingsystem{
'Redhat', 'redhat':{
$apply_template_os = 'rhel'
if ( $::operatingsystemrelease =~ /^7.*/ ){
$rhel_version = '7'
}elsif ( $::operatingsystemrelease =~ /^6.*/ ){
$rhel_version = '6'
}elsif ( $::operatingsystemrelease =~ /^5.*/ ){
$rhel_version = '5'
}else{
fail('This ossec module has not been tested on your distribution')
}
}'Debian', 'debian', 'Ubuntu', 'ubuntu':{
$apply_template_os = 'debian'
if ( $::lsbdistcodename == 'wheezy') or ($::lsbdistcodename == 'jessie'){
$debian_additional_templates = 'yes'
}
}'Amazon':{
$apply_template_os = 'amazon'
}'CentOS','Centos','centos':{
$apply_template_os = 'centos'
}
default: { fail('This ossec module has not been tested on your distribution') }
}
concat { 'ossec.conf':
path => $wazuh::params_agent::config_file,
owner => $wazuh::params_agent::config_owner,
group => $wazuh::params_agent::config_group,
mode => $wazuh::params_agent::config_mode,
require => Package[$agent_package_name],
}
concat::fragment {
default:
target => 'ossec.conf';
'ossec.conf_header':
order => 00,
before => Service[$agent_service_name],
content => "<ossec_config>\n";
'ossec.conf_agent':
order => 10,
before => Service[$agent_service_name],
content => template($ossec_conf_template);
}
if ($configure_rootcheck == true){
concat::fragment {
'ossec.conf_rootcheck':
target => 'ossec.conf',
order => 15,
before => Service[$agent_service_name],
content => template($ossec_rootcheck_template);
}
}
if ($configure_wodle_openscap == true){
concat::fragment {
'ossec.conf_openscap':
target => 'ossec.conf',
order => 16,
before => Service[$agent_service_name],
content => template($ossec_wodle_openscap_template);
}
}
if ($configure_wodle_cis_cat == true){
concat::fragment {
'ossec.conf_cis_cat':
target => 'ossec.conf',
order => 17,
before => Service[$agent_service_name],
content => template($ossec_wodle_cis_cat_template);
}
}
if ($configure_wodle_osquery == true){
concat::fragment {
'ossec.conf_osquery':
target => 'ossec.conf',
order => 18,
before => Service[$agent_service_name],
content => template($ossec_wodle_osquery_template);
}
}
if ($configure_wodle_syscollector == true){
concat::fragment {
'ossec.conf_syscollector':
target => 'ossec.conf',
order => 19,
before => Service[$agent_service_name],
content => template($ossec_wodle_syscollector_template);
}
}
if ($configure_sca == true){
concat::fragment {
'ossec.conf_sca':
target => 'ossec.conf',
order => 25,
before => Service[$agent_service_name],
content => template($ossec_sca_template);
}
}
if ($configure_syscheck == true){
concat::fragment {
'ossec.conf_syscheck':
target => 'ossec.conf',
order => 30,
before => Service[$agent_service_name],
content => template($ossec_syscheck_template);
}
}
if ($configure_localfile == true){
concat::fragment {
'ossec.conf_localfile':
target => 'ossec.conf',
order => 35,
before => Service[$agent_service_name],
content => template($ossec_localfile_template);
}
}
if ($configure_active_response == true){
concat::fragment {
'ossec.conf_active_response':
target => 'ossec.conf',
order => 40,
before => Service[$agent_service_name],
content => template($ossec_active_response_template);
}
}
concat::fragment {
'ossec.conf_footer':
target => 'ossec.conf',
order => 99,
before => Service[$agent_service_name],
content => '</ossec_config>';
}
if ($manage_client_keys == 'yes'){
if ($::kernel == 'Linux') {
# Is this really Linux only?
file { $::wazuh::params_agent::keys_file:
owner => $wazuh::params_agent::keys_owner,
group => $wazuh::params_agent::keys_group,
mode => $wazuh::params_agent::keys_mode,
}
# https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-manager-via-ssl
$agent_auth_base_command = "/var/ossec/bin/agent-auth -m ${wazuh_register_endpoint}"
if $wazuh_manager_root_ca_pem != undef {
validate_string($wazuh_manager_root_ca_pem)
file { '/var/ossec/etc/rootCA.pem':
owner => $wazuh::params::keys_owner,
group => $wazuh::params::keys_group,
mode => $wazuh::params::keys_mode,
content => $wazuh_manager_root_ca_pem,
require => Package[$agent_package_name],
}
$agent_auth_option_manager = '-v /var/ossec/etc/rootCA.pem'
}elsif $wazuh_manager_root_ca_pem_path != undef {
validate_string($wazuh_manager_root_ca_pem)
$agent_auth_option_manager = "-v ${wazuh_manager_root_ca_pem_path}"
} else {
$agent_auth_option_manager = '' # Avoid errors when compounding final command
}
if $agent_name != undef {
validate_string($agent_name)
$agent_auth_option_name = "-A \"${agent_name}\""
}else{
$agent_auth_option_name = ''
}
if $agent_group != undef {
validate_string($agent_group)
$agent_auth_option_group = "-G \"${agent_group}\""
}else{
$agent_auth_option_group = ''
}
# https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-agents-via-ssl
if ($wazuh_agent_cert != undef) and ($wazuh_agent_key != undef) {
validate_string($wazuh_agent_cert)
validate_string($wazuh_agent_key)
file { '/var/ossec/etc/sslagent.cert':
owner => $wazuh::params_agent::keys_owner,
group => $wazuh::params_agent::keys_group,
mode => $wazuh::params_agent::keys_mode,
content => $wazuh_agent_cert,
require => Package[$agent_package_name],
}
file { '/var/ossec/etc/sslagent.key':
owner => $wazuh::params_agent::keys_owner,
group => $wazuh::params_agent::keys_group,
mode => $wazuh::params_agent::keys_mode,
content => $wazuh_agent_key,
require => Package[$agent_package_name],
}
$agent_auth_option_agent = '-x /var/ossec/etc/sslagent.cert -k /var/ossec/etc/sslagent.key'
}
if ($wazuh_agent_cert_path != undef) and ($wazuh_agent_key_path != undef) {
validate_string($wazuh_agent_cert_path)
validate_string($wazuh_agent_key_path)
$agent_auth_option_agent = "-x ${wazuh_agent_cert_path} -k ${wazuh_agent_key_path}"
}
$agent_auth_command = "${agent_auth_base_command} ${agent_auth_option_manager} ${agent_auth_option_name}\
${agent_auth_option_group} ${agent_auth_option_agent}"
if $agent_auth_password {
exec { 'agent-auth-with-pwd':
command => "${agent_auth_command} -P '${agent_auth_password}'",
unless => "/bin/egrep -q '.' ${::wazuh::params_agent::keys_file}",
require => Concat['ossec.conf'],
before => Service[$agent_service_name],
}
} else {
exec { 'agent-auth-without-pwd':
command => $agent_auth_command,
unless => "/bin/egrep -q '.' ${::wazuh::params_agent::keys_file}",
require => Concat['ossec.conf'],
before => Service[$agent_service_name],
}
}
if $wazuh_reporting_endpoint != undef {
service { $agent_service_name:
ensure => running,
enable => true,
hasstatus => $wazuh::params_agent::service_has_status,
pattern => $wazuh::params_agent::agent_service_name,
provider => $wazuh::params_agent::ossec_service_provider,
require => Package[$agent_package_name],
}
}
}
}
if ( ( $manage_client_keys != 'yes') or ( $wazuh_reporting_endpoint == undef ) ){
service { $agent_service_name:
ensure => stopped,
enable => false,
hasstatus => $wazuh::params_agent::service_has_status,
pattern => $agent_service_name,
provider => $wazuh::params_agent::ossec_service_provider,
require => Package[$agent_package_name],
}
}
# SELinux
# Requires selinux module specified in metadata.json
if ($::osfamily == 'RedHat' and $selinux == true) {
selinux::module { 'ossec-logrotate':
ensure => 'present',
source_te => 'puppet:///modules/wazuh/ossec-logrotate.te',
}
}
# Manage firewall
if $manage_firewall {
include firewall
firewall { '1514 wazuh-agent':
dport => $ossec_port,
proto => $ossec_protocol,
action => 'accept',
state => [
'NEW',
'RELATED',
'ESTABLISHED'],
}
}
}
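Review bot: `command => "${agent_auth_command} -P '${agent_auth_password}'"` puts the registration password on the command line, where it is visible in the process list while agent-auth runs and is recorded verbatim in Puppet's log and report when the exec fails; write it to `/var/ossec/etc/authd.pass` with a `file` resource (owner root, group ossec, mode 0640, `show_diff => false`) and run `agent-auth` without `-P`, since it reads that file by default. Further points in this hunk: the Windows branch fetches the installer over plain HTTP (`source => "http://packages.wazuh.com/3.x/windows/wazuh-agent-${agent_package_version}.msi"`) and installs it as Administrator with no integrity check, so use https and set `checksum`/`checksum_value` on the `file`; in the same branch the authd package uses `"${download_path}/wazuh-agent-...msi"` with a slash while the `file` path and the non-authd package use `"${download_path}wazuh-agent-...msi"` without one, so the two resources point at different paths unless `download_path` happens to end in `/`; `install_options` passes `ADDRESS=${wazuh_register_endpoint}` although a separate `$wazuh_reporting_endpoint` exists for the manager address; in the `elsif $wazuh_manager_root_ca_pem_path != undef` branch `validate_string($wazuh_manager_root_ca_pem)` validates the wrong variable; the `rootCA.pem` file uses `$wazuh::params::keys_owner`/`keys_group`/`keys_mode` while everything else in the class uses `wazuh::params_agent`, and this class inherits `wazuh::params_agent`, so `wazuh::params` is not guaranteed to be in the catalog; and `$agent_auth_option_agent` is set in two independent `if` blocks with no `else`, so it is undefined in the final `$agent_auth_command` when neither certificate form is given and a variable reassignment error when both are, unlike `$agent_auth_option_manager`, which has the `''` fallback. Finally, the firewall rule `'1514 wazuh-agent'` accepts inbound NEW connections to `$ossec_port` on the agent, but the agent only connects outbound to the manager, so the accept rule adds exposure without enabling anything.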

View File

@@ -1,23 +0,0 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# utility function to fill up /var/ossec/etc/client.keys
define wazuh::agentkey(
$agent_id,
$agent_name,
$agent_ip_address,
$agent_seed = 'xaeS7ahf',
) {
require wazuh::params
if ! $agent_id { fail('wazuh::agentkey: $agent_id is missing')}
if ! $agent_seed { fail('wazuh::agentkey: $agent_seed is missing')}
$agentkey1 = md5("${agent_id} ${agent_seed}")
$agentkey2 = md5("${agent_name} ${agent_ip_address} ${agent_seed}")
concat::fragment { "var_ossec_etc_client.keys_${agent_name}_part":
target => $wazuh::params::keys_file,
order => $agent_id,
content => "${agent_id} ${agent_name} ${agent_ip_address} ${agentkey1}${agentkey2}\n",
}
}
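Review bot: removing this define is the right call and the reason deserves a changelog line: with the default `$agent_seed = 'xaeS7ahf'` the client key was `md5("${agent_id} ${agent_seed}")` concatenated with `md5("${agent_name} ${agent_ip_address} ${agent_seed}")`, so anyone who knew an agent's id, name and IP could recompute its key and impersonate it to the manager. Any client.keys still in service that were generated this way should be rotated by re-registering the agents through authd rather than carried forward.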

View File

@@ -1,265 +0,0 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Setup for ossec client
class wazuh::client(
$ossec_active_response = true,
$ossec_rootcheck = true,
$ossec_rootcheck_frequency = 36000,
$ossec_rootcheck_checkports = true,
$ossec_rootcheck_checkfiles = true,
$ossec_server_ip = undef,
$ossec_server_hostname = undef,
$wazuh_manager_address = undef,
$ossec_server_port = '1514',
$ossec_server_protocol = 'udp',
$ossec_server_notify_time = undef,
$ossec_server_time_reconnect = undef,
$ossec_scanpaths = [],
$ossec_ignorepaths = [],
$ossec_ignorepaths_regex = [],
$ossec_local_files = $::wazuh::params::default_local_files,
$ossec_syscheck_frequency = 43200,
$ossec_prefilter = false,
$ossec_service_provider = $::wazuh::params::ossec_service_provider,
$ossec_config_profiles = [],
$selinux = false,
$agent_name = $::hostname,
$agent_ip_address = $::ipaddress,
$agent_group = 'default',
$manage_repo = true,
$manage_epel_repo = true,
$agent_package_name = $::wazuh::params::agent_package,
$agent_package_version = 'installed',
$agent_service_name = $::wazuh::params::agent_service,
$agent_auto_restart = 'yes',
# client_buffer configuration
$client_buffer_queue_size = 5000,
$client_buffer_events_per_second = 500,
$manage_client_keys = 'authd',
$agent_auth_password = undef,
$wazuh_manager_root_ca_pem = undef,
$wazuh_manager_root_ca_pem_path = undef,
$wazuh_agent_cert = undef,
$wazuh_agent_key = undef,
$wazuh_agent_cert_path = undef,
$wazuh_agent_key_path = undef,
$agent_seed = undef,
$max_clients = 3000,
$ar_repeated_offenders = '',
$enable_wodle_openscap = false,
$wodle_openscap_content = $::wazuh::params::wodle_openscap_content,
$service_has_status = $::wazuh::params::service_has_status,
$ossec_conf_template = 'wazuh/wazuh_agent.conf.erb',
Boolean $manage_firewall = $::wazuh::params::manage_firewall,
) inherits wazuh::params {
validate_bool(
$ossec_active_response, $ossec_rootcheck,
$selinux, $manage_repo, $manage_epel_repo
)
# This allows arrays of integers, sadly
# (commented due to stdlib version requirement)
validate_array($ossec_ignorepaths)
validate_string($agent_package_name)
validate_string($agent_service_name)
if ( ( $ossec_server_ip == undef ) and ( $ossec_server_hostname == undef ) and ( $wazuh_manager_address == undef ) ) {
fail('must pass either $ossec_server_ip or $ossec_server_hostname or $wazuh_manager_address to Class[\'wazuh::client\'].')
}
case $::kernel {
'Linux' : {
if $manage_repo {
class { 'wazuh::repo': redhat_manage_epel => $manage_epel_repo }
if $::osfamily == 'Debian' {
Class['wazuh::repo'] -> Class['apt::update'] -> Package[$agent_package_name]
} else {
Class['wazuh::repo'] -> Package[$agent_package_name]
}
}
package { $agent_package_name:
ensure => $agent_package_version, # lint:ignore:security_package_pinned_version
}
}
'windows' : {
file {
'C:/wazuh-agent-3.9.1-1.msi':
owner => 'Administrators',
group => 'Administrators',
mode => '0774',
source => 'puppet:///modules/wazuh/wazuh-agent-3.9.1-1.msi',
source_permissions => ignore
}
if ( $manage_client_keys == 'authd' ) {
package { $agent_package_name:
ensure => $agent_package_version, # lint:ignore:security_package_pinned_version
provider => 'windows',
source => 'C:/wazuh-agent-3.9.1-1.msi',
install_options => [ '/q', "ADDRESS=${ossec_server_ip}", "AUTHD_SERVER=${ossec_server_ip}" ], # silent installation
require => File['C:/wazuh-agent-3.9.1-1.msi'],
}
}
else {
package { $agent_package_name:
ensure => $agent_package_version, # lint:ignore:security_package_pinned_version
provider => 'windows',
source => 'C:/wazuh-agent-3.9.1-1.msi',
install_options => [ '/q' ], # silent installation
require => File['C:/wazuh-agent-3.9.1-1.msi'],
}
}
}
default: { fail('OS not supported') }
}
service { $agent_service_name:
ensure => running,
enable => true,
hasstatus => $service_has_status,
pattern => $agent_service_name,
provider => $ossec_service_provider,
require => Package[$agent_package_name],
}
concat { 'ossec.conf':
path => $wazuh::params::config_file,
owner => $wazuh::params::config_owner,
group => $wazuh::params::config_group,
mode => $wazuh::params::config_mode,
require => Package[$agent_package_name],
notify => Service[$agent_service_name],
}
concat::fragment {
default:
target => 'ossec.conf',
notify => Service[$agent_service_name];
'ossec.conf_header':
order => 00,
content => "<ossec_config>\n";
'ossec.conf_agent':
order => 10,
content => template($ossec_conf_template);
'ossec.conf_footer':
order => 99,
content => '</ossec_config>';
}
if ( $manage_client_keys == 'export' ) {
concat { $wazuh::params::keys_file:
owner => $wazuh::params::keys_owner,
group => $wazuh::params::keys_group,
mode => $wazuh::params::keys_mode,
notify => Service[$agent_service_name],
require => Package[$agent_package_name]
}
# A separate module to avoid storeconfigs warnings when not managing keys
class { 'wazuh::export_agent_key':
max_clients => $max_clients,
agent_name => $agent_name,
agent_ip_address => $agent_ip_address,
agent_seed => $agent_seed,
}
} elsif ($manage_client_keys == 'authd') {
if ($::kernel == 'Linux') {
# Is this really Linux only?
$ossec_server_address = pick($ossec_server_ip, $ossec_server_hostname)
file { $::wazuh::params::keys_file:
owner => $wazuh::params::keys_owner,
group => $wazuh::params::keys_group,
mode => $wazuh::params::keys_mode,
}
# https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-manager-via-ssl
$agent_auth_base_command = "/var/ossec/bin/agent-auth -m ${ossec_server_address} -A ${agent_name} -G ${agent_group} -D /var/ossec/"
if $wazuh_manager_root_ca_pem != undef {
validate_string($wazuh_manager_root_ca_pem)
file { '/var/ossec/etc/rootCA.pem':
owner => $wazuh::params::keys_owner,
group => $wazuh::params::keys_group,
mode => $wazuh::params::keys_mode,
content => $wazuh_manager_root_ca_pem,
require => Package[$agent_package_name],
}
$agent_auth_option_manager = '-v /var/ossec/etc/rootCA.pem'
}
if $wazuh_manager_root_ca_pem_path != undef {
validate_string($wazuh_manager_root_ca_pem)
$agent_auth_option_manager = "-v ${wazuh_manager_root_ca_pem_path}"
}
# https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-agents-via-ssl
if ($wazuh_agent_cert != undef) and ($wazuh_agent_key != undef) {
validate_string($wazuh_agent_cert)
validate_string($wazuh_agent_key)
file { '/var/ossec/etc/sslagent.cert':
owner => $wazuh::params::keys_owner,
group => $wazuh::params::keys_group,
mode => $wazuh::params::keys_mode,
content => $wazuh_agent_cert,
require => Package[$agent_package_name],
}
file { '/var/ossec/etc/sslagent.key':
owner => $wazuh::params::keys_owner,
group => $wazuh::params::keys_group,
mode => $wazuh::params::keys_mode,
content => $wazuh_agent_key,
require => Package[$agent_package_name],
}
$agent_auth_option_agent = '-x /var/ossec/etc/sslagent.cert -k /var/ossec/etc/sslagent.key'
}
if ($wazuh_agent_cert_path != undef) and ($wazuh_agent_key_path != undef) {
validate_string($wazuh_agent_cert_path)
validate_string($wazuh_agent_key_path)
$agent_auth_option_agent = "-x ${wazuh_agent_cert_path} -k ${wazuh_agent_key_path}"
}
$agent_auth_command = "${agent_auth_base_command} ${agent_auth_option_manager} ${agent_auth_option_agent}"
if $agent_auth_password {
exec { 'agent-auth-with-pwd':
command => "${agent_auth_command} -P '${agent_auth_password}'",
unless => "/bin/egrep -q '.' ${::wazuh::params::keys_file}",
require => Package[$agent_package_name],
notify => Service[$agent_service_name],
before => File[$wazuh::params::keys_file]
}
} else {
exec { 'agent-auth-without-pwd':
command => $agent_auth_command,
unless => "/bin/egrep -q '.' ${::wazuh::params::keys_file}",
require => Package[$agent_package_name],
notify => Service[$agent_service_name],
before => File[$wazuh::params::keys_file],
}
}
}
}
# SELinux
# Requires selinux module specified in metadata.json
if ($::osfamily == 'RedHat' and $selinux == true) {
selinux::module { 'ossec-logrotate':
ensure => 'present',
source_te => 'puppet:///modules/wazuh/ossec-logrotate.te',
}
}
# Manage firewall
if $manage_firewall {
include firewall
firewall { '1514 wazuh-agent':
dport => $ossec_server_port,
proto => $ossec_server_protocol,
action => 'accept',
state => [
'NEW',
'RELATED',
'ESTABLISHED'],
}
}
}
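Review bot: dropping `wazuh::client` removes the `manage_client_keys == 'export'` path (exported `wazuh::agentkey` resources via `wazuh::export_agent_key`) and the `'authd'` value, and replaces `$ossec_server_ip`/`$ossec_server_hostname`/`$wazuh_manager_address` with the `$wazuh_register_endpoint`/`$wazuh_reporting_endpoint` pair in `wazuh::agent`, where `manage_client_keys` is now compared against `'yes'`; that is a breaking interface change for every existing profile, so it needs a README/CHANGELOG entry and ideally a stub `wazuh::client` that `fail()`s with a message pointing at the new class and parameter names. The removed file also hard-coded `wazuh-agent-3.9.1-1.msi` from `puppet:///modules/wazuh/`; the new class downloads the MSI by version from packages.wazuh.com, so the module no longer needs the binary in its files directory and it should be deleted from the repository too.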

View File

@@ -1,21 +0,0 @@
#Define for a specific ossec cluster
define wazuh::cluster(
$cl_name,
$cl_node_name = 'node01',
$cl_node_type = 'master',
$cl_key = '',
$cl_port = '1516',
$cl_bin_addr = '0.0.0.0',
$cl_node = ['NODE_IP','NODE_IP2'],
$cl_hidden = 'no',
$cl_disabled = 'yes',
) {
require wazuh::params
concat::fragment { $name:
target => 'ossec.conf',
order => 95,
content => template('wazuh/fragments/_cluster.erb')
}
}
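Review bot: the deleted define defaulted `$cl_key` to `''` and `$cl_bin_addr` to `'0.0.0.0'`, i.e. a cluster block bound on all interfaces with an empty key whenever the caller forgot to set one, held back only by `$cl_disabled = 'yes'`; wherever the cluster configuration now lives, make the key a required parameter (or `fail()` when it is empty and the cluster is enabled) and default the bind address to the node's own address rather than the wildcard.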

View File

@@ -1,5 +0,0 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Class to collect the agent keys
class wazuh::collect_agent_keys {
Wazuh::Agentkey<<| |>>
}

View File

@@ -1,4 +1,4 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Define an ossec command
define wazuh::command(
$command_name,
@@ -6,12 +6,12 @@ define wazuh::command(
$command_expect = 'srcip',
$timeout_allowed = true,
) {
require wazuh::params
require wazuh::params_manager
if ($timeout_allowed) { $command_timeout_allowed='yes' } else { $command_timeout_allowed='no' }
concat::fragment { $name:
target => 'ossec.conf',
order => 45,
content => template('wazuh/command.erb'),
order => 46,
content => template('wazuh/fragments/_command.erb'),
}
}

View File

@@ -0,0 +1,74 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Setup for elasticsearch
class wazuh::elasticsearch (
# Elasticsearch.yml configuration
$elasticsearch_cluster_name = 'es-wazuh',
$elasticsearch_node_name = 'es-node-01',
$elasticsearch_node_master = true,
$elasticsearch_node_data = true,
$elasticsearch_node_ingest = true,
$elasticsearch_node_max_local_storage_nodes = '1',
$elasticsearch_service = 'elasticsearch',
$elasticsearch_package = 'elasticsearch',
$elasticsearch_version = '7.3.2',
$elasticsearch_path_data = '/var/lib/elasticsearch',
$elasticsearch_path_logs = '/var/log/elasticsearch',
$elasticsearch_ip = '<YOUR_ELASTICSEARCH_IP>',
$elasticsearch_port = '9200',
$elasticsearch_discovery_option = 'discovery.type: single-node',
$elasticsearch_cluster_initial_master_nodes = "#cluster.initial_master_nodes: ['es-node-01']",
# JVM options
$jvm_options_memmory = '1g',
){
# install package
package { 'Installing elasticsearch...':
ensure => $elasticsearch_version,
name => $elasticsearch_package,
}
file { 'Configure elasticsearch.yml':
owner => 'elasticsearch',
path => '/etc/elasticsearch/elasticsearch.yml',
group => 'elasticsearch',
mode => '0644',
notify => Service[$elasticsearch_service], ## Restarts the service
content => template('wazuh/elasticsearch_yml.erb')
}
file { 'Configure jvm.options':
owner => 'elasticsearch',
path => '/etc/elasticsearch/jvm.options',
group => 'elasticsearch',
mode => '0660',
notify => Service[$elasticsearch_service], ## Restarts the service
content => template('wazuh/jvm_options.erb')
}
service { 'elasticsearch':
ensure => running,
enable => true,
}
exec { 'Insert line limits':
path => '/usr/bin:/bin/',
command => "echo 'elasticsearch - nofile 65535\nelasticsearch - memlock unlimited' >> /etc/security/limits.conf",
}
exec { 'Verify Elasticsearch folders owner':
path => '/usr/bin:/bin',
command => "chown elasticsearch:elasticsearch -R /etc/elasticsearch\
&& chown elasticsearch:elasticsearch -R /usr/share/elasticsearch\
&& chown elasticsearch:elasticsearch -R /var/lib/elasticsearch",
}
}
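Review bot: `exec { 'Insert line limits': ... }` has no `unless`/`onlyif`/`creates` guard, so every Puppet run appends another copy of the `elasticsearch - nofile 65535` and `elasticsearch - memlock unlimited` lines to `/etc/security/limits.conf`; use stdlib's `file_line` (stdlib is already pinned in the Puppetfile) or at least `unless => 'grep -q "elasticsearch - memlock unlimited" /etc/security/limits.conf'`. `'Verify Elasticsearch folders owner'` is non-idempotent in the same way, and its effect is a security regression rather than a fix: `chown elasticsearch:elasticsearch -R /etc/elasticsearch` and the same on `/usr/share/elasticsearch` give the service account write access to its own configuration, keystore and JARs, so a compromised Elasticsearch process could persist by editing them. The upstream package installs those as root with group `elasticsearch`; keep that and drop the exec. For the same reason `'Configure jvm.options'` with `owner => 'elasticsearch'` and `mode => '0660'` should be root-owned with group `elasticsearch` and `0640`, and `elasticsearch.yml` should not be owned by the service user either. Finally, neither `file` resource has `require => Package[...]` (ordering relies on default manifest order only) and nothing here pulls in `wazuh::repo_elastic` the way `wazuh::filebeat` does, so a standalone `include wazuh::elasticsearch` on a clean host has no repository to install from.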

View File

@@ -1,14 +1,14 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Define an email alert
define wazuh::email_alert(
$alert_email,
$alert_group = false
) {
require wazuh::params
require wazuh::params_manager
concat::fragment { $name:
target => 'ossec.conf',
order => 65,
content => template('wazuh/email_alert.erb'),
order => 66,
content => template('wazuh/fragments/_email_alert.erb'),
}
}

View File

@@ -1,22 +0,0 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
#Export agent key
class wazuh::export_agent_key(
$max_clients,
$agent_name,
$agent_ip_address,
$agent_seed,
) {
wazuh::agentkey{ "ossec_agent_${agent_name}_client":
agent_id => fqdn_rand($max_clients),
agent_name => $agent_name,
agent_ip_address => $agent_ip_address,
agent_seed => $agent_seed,
}
@@wazuh::agentkey{ "ossec_agent_${agent_name}_server":
agent_id => fqdn_rand($max_clients),
agent_name => $agent_name,
agent_ip_address => $agent_ip_address,
agent_seed => $agent_seed,
}
}
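Review bot: removing this class also removes the `agent_id => fqdn_rand($max_clients)` scheme, which was a latent collision bug (two hosts hashing to the same id would have produced duplicate `client.keys` entries) and exported the `agent_seed` parameter of every agent to PuppetDB, where anything with PuppetDB query access could read it. Good riddance, but since no `@@wazuh::agentkey` resource is collected anywhere after this commit, the `wazuh::agentkey` define itself should either be removed in the same change or documented as a local-only helper so nobody keeps exporting keys that are never realised. Note that the `@@` on the `@@wazuh::agentkey{ ... }` line is the exported-resource sigil in the deleted code, not a hunk header.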

View File

@@ -0,0 +1,57 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Setup for Filebeat
class wazuh::filebeat (
$filebeat_elasticsearch_ip = '<YOUR_ELASTICSEARCH_IP>',
$filebeat_elasticsearch_port = '9200',
$elasticsearch_server_ip = "\"${filebeat_elasticsearch_ip}:${filebeat_elasticsearch_port}\"",
$filebeat_package = 'filebeat',
$filebeat_service = 'filebeat',
$filebeat_version = '7.3.2',
$wazuh_app_version = '3.10.2_7.3.2',
$wazuh_extensions_version = 'v3.10.2',
$wazuh_filebeat_module = 'wazuh-filebeat-0.1.tar.gz',
){
class {'wazuh::repo_elastic':}
package { 'Installing Filebeat...':
ensure => $filebeat_version,
name => $filebeat_package,
}
file { 'Configure filebeat.yml':
owner => 'root',
path => '/etc/filebeat/filebeat.yml',
group => 'root',
mode => '0644',
notify => Service[$filebeat_service], ## Restarts the service
content => template('wazuh/filebeat_yml.erb'),
}
exec { 'Installing wazuh-template.json...':
path => '/usr/bin',
command => "curl -so /etc/filebeat/wazuh-template.json 'https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json'",
notify => Service['filebeat']
}
exec { 'Installing filebeat module ... Downloading package':
path => '/usr/bin',
command => "curl -o /root/${$wazuh_filebeat_module} https://packages.wazuh.com/3.x/filebeat/${$wazuh_filebeat_module}",
}
exec { 'Unpackaging ...':
command => '/bin/tar -xzvf /root/wazuh-filebeat-0.1.tar.gz -C /usr/share/filebeat/module',
notify => Service['filebeat']
}
file { '/usr/share/filebeat/module/wazuh':
ensure => 'directory',
mode => '0755',
}
service { 'filebeat':
ensure => running,
enable => true,
}
}
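Review bot: the three `exec` resources fetch and unpack remote content on every run with no integrity check and no idempotency guard. `'Installing wazuh-template.json...'` runs `curl -so ...` without `-f`, so an HTTP error page is silently written over `/etc/filebeat/wazuh-template.json` and then `notify`s a Filebeat restart with a broken template; `'Installing filebeat module ... Downloading package'` and `'Unpackaging ...'` lack `creates`/`unless`, so each run re-downloads the tarball and re-extracts it as root into `/usr/share/filebeat/module`, restarting Filebeat every time. Pin the artefacts and verify a SHA-256 before extracting (or ship them inside the module via `file { source => 'puppet:///modules/wazuh/...' }`), add `-f` to both curl calls, and gate the tar and template steps with `creates =>` pointing at a file they are known to produce. Also `'Unpackaging ...'` hardcodes `/root/wazuh-filebeat-0.1.tar.gz` instead of using `${wazuh_filebeat_module}`, so changing the parameter silently breaks the extraction step.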

View File

@@ -1,3 +1,3 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Blank container class
class wazuh { }

View File

@@ -1,4 +1,4 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#Define for a specific ossec integration
define wazuh::integration(
$hook_url = '',
@@ -11,11 +11,11 @@ define wazuh::integration(
$in_max_log = '',
) {
require wazuh::params
require wazuh::params_manager
concat::fragment { $name:
target => 'ossec.conf',
order => 60,
content => template('wazuh/fragments/_integration.erb')
}
}
}
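Review bot: the changed `require wazuh::params_manager` is the only functional change, but the unchanged `order => 60` now collides with the `ossec.conf_command` fragment that `wazuh::manager` also emits at order 60, so the relative position of `<integration>` and the default `<command>` blocks is decided by puppetlabs-concat's tie-break on fragment name rather than by this file. ossec.conf tolerates any element order, so nothing breaks, but give integrations their own slot (for example 70, between localfile at 65 and ruleset at 75) so the generated file is deterministic.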

View File

@@ -0,0 +1,65 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Setup for Kibana
class wazuh::kibana (
$kibana_package = 'kibana',
$kibana_service = 'kibana',
$kibana_version = '7.3.2',
$kibana_app_version = '3.10.2_7.3.2',
$kibana_elasticsearch_ip = '<YOUR_ELASTICSEARCH_IP>',
$kibana_elasticsearch_port = '9200',
$kibana_server_port = '5601',
$kibana_server_host = '0.0.0.0',
$kibana_elasticsearch_server_hosts ="http://${kibana_elasticsearch_ip}:${kibana_elasticsearch_port}",
){
# install package
package { 'Installing Kibana...':
ensure => $kibana_version,
name => $kibana_package,
}
file { 'Configure kibana.yml':
owner => 'kibana',
path => '/etc/kibana/kibana.yml',
group => 'kibana',
mode => '0644',
notify => Service[$kibana_service],
content => template('wazuh/kibana_yml.erb'),
}
service { 'kibana':
ensure => running,
enable => true,
}
exec {'Waiting for elasticsearch...':
path => '/usr/bin',
command => "curl -s -XGET http://${kibana_elasticsearch_ip}:${kibana_elasticsearch_port}",
tries => 100,
try_sleep => 3,
}
exec {'Installing Wazuh App...':
path => '/usr/bin',
command => "sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${kibana_app_version}.zip",
creates => '/usr/share/kibana/plugins/wazuh/package.json',
notify => Service[$kibana_service],
}
exec {'Enabling and restarting kibana...':
path => '/usr/bin:/bin',
command => 'systemctl daemon-reload && systemctl enable kibana && systemctl restart kibana',
}
exec { 'Verify Kibana folders owner':
path => '/usr/bin:/bin',
command => "chown -R kibana:kibana /usr/share/kibana/optimize\
&& chown -R kibana:kibana /usr/share/kibana/plugins",
}
}
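Review bot: `exec {'Enabling and restarting kibana...'}` runs `systemctl daemon-reload && systemctl enable kibana && systemctl restart kibana` unconditionally, so Kibana is restarted on every Puppet run even when nothing changed, duplicating what `service { 'kibana': ensure => running, enable => true }` plus the `notify`s on the config file and plugin install already do; drop the exec, or make it `refreshonly => true` and subscribe it to the plugin exec. Two further points: `$kibana_server_host = '0.0.0.0'` exposes an unauthenticated Kibana, and through it every Wazuh index, on all interfaces over plain HTTP (`$kibana_elasticsearch_server_hosts` is `http://...`); default to `127.0.0.1` or force the operator to set it, and document fronting it with a TLS-terminating, authenticating proxy. And `'Installing Wazuh App...'` shells out via `sudo -u kibana` where Puppet's native `user => 'kibana'` works without sudo, pulls the plugin zip with no checksum, and is likely to hit the exec default timeout of 300 seconds because the Kibana plugin installer rebuilds the browser bundles; set `timeout => 0` (or a generous value) and verify the archive hash before installing.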

View File

@@ -0,0 +1,516 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Main ossec server config
class wazuh::manager (
# Installation
$server_package_version = $wazuh::params_manager::server_package_version,
$manage_repos = $::wazuh::params_manager::manage_repos,
$manage_firewall = $wazuh::params_manager::manage_firewall,
### Ossec.conf blocks
## Global
$ossec_emailnotification = $wazuh::params_manager::ossec_emailnotification,
$ossec_emailto = $wazuh::params_manager::ossec_emailto,
$ossec_smtp_server = $wazuh::params_manager::ossec_smtp_server,
$ossec_emailfrom = $wazuh::params_manager::ossec_emailfrom,
$ossec_email_maxperhour = $wazuh::params_manager::ossec_email_maxperhour,
$ossec_email_idsname = $wazuh::params_manager::ossec_email_idsname,
$ossec_white_list = $wazuh::params_manager::ossec_white_list,
$ossec_alert_level = $wazuh::params_manager::ossec_alert_level,
$ossec_email_alert_level = $wazuh::params_manager::ossec_email_alert_level,
$ossec_remote_connection = $wazuh::params_manager::ossec_remote_connection,
$ossec_remote_port = $wazuh::params_manager::ossec_remote_port,
$ossec_remote_protocol = $wazuh::params_manager::ossec_remote_protocol,
$ossec_remote_queue_size = $wazuh::params_manager::ossec_remote_queue_size,
# ossec.conf generation parameters
$configure_rootcheck = $wazuh::params_manager::configure_rootcheck,
$configure_wodle_openscap = $wazuh::params_manager::configure_wodle_openscap,
$configure_wodle_cis_cat = $wazuh::params_manager::configure_wodle_cis_cat,
$configure_wodle_osquery = $wazuh::params_manager::configure_wodle_osquery,
$configure_wodle_syscollector = $wazuh::params_manager::configure_wodle_syscollector,
$configure_vulnerability_detector = $wazuh::params_manager::configure_vulnerability_detector,
$configure_sca = $wazuh::params_manager::configure_sca,
$configure_syscheck = $wazuh::params_manager::configure_syscheck,
$configure_command = $wazuh::params_manager::configure_command,
$configure_localfile = $wazuh::params_manager::configure_localfile,
$configure_ruleset = $wazuh::params_manager::configure_ruleset,
$configure_auth = $wazuh::params_manager::configure_auth,
$configure_cluster = $wazuh::params_manager::configure_cluster,
$configure_active_response = $wazuh::params_manager::configure_active_response,
# ossec.conf templates paths
$ossec_manager_template = $wazuh::params_manager::ossec_manager_template,
$ossec_rootcheck_template = $wazuh::params_manager::ossec_rootcheck_template,
$ossec_wodle_openscap_template = $wazuh::params_manager::ossec_wodle_openscap_template,
$ossec_wodle_cis_cat_template = $wazuh::params_manager::ossec_wodle_cis_cat_template,
$ossec_wodle_osquery_template = $wazuh::params_manager::ossec_wodle_osquery_template,
$ossec_wodle_syscollector_template = $wazuh::params_manager::ossec_wodle_syscollector_template,
$ossec_wodle_vulnerability_detector_template = $wazuh::params_manager::ossec_wodle_vulnerability_detector_template,
$ossec_sca_template = $wazuh::params_manager::ossec_sca_template,
$ossec_syscheck_template = $wazuh::params_manager::ossec_syscheck_template,
$ossec_default_commands_template = $wazuh::params_manager::ossec_default_commands_template,
$ossec_localfile_template = $wazuh::params_manager::ossec_localfile_template,
$ossec_ruleset_template = $wazuh::params_manager::ossec_ruleset_template,
$ossec_auth_template = $wazuh::params_manager::ossec_auth_template,
$ossec_cluster_template = $wazuh::params_manager::ossec_cluster_template,
$ossec_active_response_template = $wazuh::params_manager::ossec_active_response_template,
## Rootcheck
$ossec_rootcheck_disabled = $wazuh::params_manager::ossec_rootcheck_disabled,
$ossec_rootcheck_check_files = $wazuh::params_manager::ossec_rootcheck_check_files,
$ossec_rootcheck_check_trojans = $wazuh::params_manager::ossec_rootcheck_check_trojans,
$ossec_rootcheck_check_dev = $wazuh::params_manager::ossec_rootcheck_check_dev,
$ossec_rootcheck_check_sys = $wazuh::params_manager::ossec_rootcheck_check_sys,
$ossec_rootcheck_check_pids = $wazuh::params_manager::ossec_rootcheck_check_pids,
$ossec_rootcheck_check_ports = $wazuh::params_manager::ossec_rootcheck_check_ports,
$ossec_rootcheck_check_if = $wazuh::params_manager::ossec_rootcheck_check_if,
$ossec_rootcheck_frequency = $wazuh::params_manager::ossec_rootcheck_frequency,
$ossec_rootcheck_rootkit_files = $wazuh::params_manager::ossec_rootcheck_rootkit_files,
$ossec_rootcheck_rootkit_trojans = $wazuh::params_manager::ossec_rootcheck_rootkit_trojans,
$ossec_rootcheck_skip_nfs = $wazuh::params_manager::ossec_rootcheck_skip_nfs,
## Wodles
#openscap
$wodle_openscap_disabled = $wazuh::params_manager::wodle_openscap_disabled,
$wodle_openscap_timeout = $wazuh::params_manager::wodle_openscap_timeout,
$wodle_openscap_interval = $wazuh::params_manager::wodle_openscap_interval,
$wodle_openscap_scan_on_start = $wazuh::params_manager::wodle_openscap_scan_on_start,
#cis-cat
$wodle_ciscat_disabled = $wazuh::params_manager::wodle_ciscat_disabled,
$wodle_ciscat_timeout = $wazuh::params_manager::wodle_ciscat_timeout,
$wodle_ciscat_interval = $wazuh::params_manager::wodle_ciscat_interval,
$wodle_ciscat_scan_on_start = $wazuh::params_manager::wodle_ciscat_scan_on_start,
$wodle_ciscat_java_path = $wazuh::params_manager::wodle_ciscat_java_path,
$wodle_ciscat_ciscat_path = $wazuh::params_manager::wodle_ciscat_ciscat_path,
#osquery
$wodle_osquery_disabled = $wazuh::params_manager::wodle_osquery_disabled,
$wodle_osquery_run_daemon = $wazuh::params_manager::wodle_osquery_run_daemon,
$wodle_osquery_log_path = $wazuh::params_manager::wodle_osquery_log_path,
$wodle_osquery_config_path = $wazuh::params_manager::wodle_osquery_config_path,
$wodle_osquery_add_labels = $wazuh::params_manager::wodle_osquery_add_labels,
#syscollector
$wodle_syscollector_disabled = $wazuh::params_manager::wodle_syscollector_disabled,
$wodle_syscollector_interval = $wazuh::params_manager::wodle_syscollector_interval,
$wodle_syscollector_scan_on_start = $wazuh::params_manager::wodle_syscollector_scan_on_start,
$wodle_syscollector_hardware = $wazuh::params_manager::wodle_syscollector_hardware,
$wodle_syscollector_os = $wazuh::params_manager::wodle_syscollector_os,
$wodle_syscollector_network = $wazuh::params_manager::wodle_syscollector_network,
$wodle_syscollector_packages = $wazuh::params_manager::wodle_syscollector_packages,
$wodle_syscollector_ports = $wazuh::params_manager::wodle_syscollector_ports,
$wodle_syscollector_processes = $wazuh::params_manager::wodle_syscollector_processes,
#vulnerability-detector
$wodle_vulnerability_detector_disabled = $wazuh::params_manager::wodle_vulnerability_detector_disabled,
$wodle_vulnerability_detector_interval = $wazuh::params_manager::wodle_vulnerability_detector_interval,
$wodle_vulnerability_detector_ignore_time = $wazuh::params_manager::wodle_vulnerability_detector_ignore_time,
$wodle_vulnerability_detector_run_on_start = $wazuh::params_manager::wodle_vulnerability_detector_run_on_start,
$wodle_vulnerability_detector_ubuntu_disabled = $wazuh::params_manager::wodle_vulnerability_detector_ubuntu_disabled,
$wodle_vulnerability_detector_ubuntu_update = $wazuh::params_manager::wodle_vulnerability_detector_ubuntu_update,
$wodle_vulnerability_detector_redhat_disable = $wazuh::params_manager::wodle_vulnerability_detector_redhat_disable,
$wodle_vulnerability_detector_redhat_update_from = $wazuh::params_manager::wodle_vulnerability_detector_redhat_update_from,
$wodle_vulnerability_detector_redhat_update = $wazuh::params_manager::wodle_vulnerability_detector_redhat_update,
$wodle_vulnerability_detector_debian_9_disable = $wazuh::params_manager::wodle_vulnerability_detector_debian_9_disable,
$wodle_vulnerability_detector_debian_9_update = $wazuh::params_manager::wodle_vulnerability_detector_debian_9_update,
# syslog
$syslog_output = $::wazuh::params_manager::syslog_output,
$syslog_output_level = $wazuh::params_manager::syslog_output_level,
$syslog_output_port = $wazuh::params_manager::syslog_output_port,
$syslog_output_server = $wazuh::params_manager::syslog_output_server,
$syslog_output_format = $wazuh::params_manager::syslog_output_format,
# Authd configuration
$ossec_auth_disabled = $wazuh::params_manager::ossec_auth_disabled,
$ossec_auth_port = $wazuh::params_manager::ossec_auth_port,
$ossec_auth_use_source_ip = $wazuh::params_manager::ossec_auth_use_source_ip,
$ossec_auth_force_insert = $wazuh::params_manager::ossec_auth_force_insert,
$ossec_auth_force_time = $wazuh::params_manager::ossec_auth_force_time,
$ossec_auth_purgue = $wazuh::params_manager::ossec_auth_purgue,
$ossec_auth_use_password = $wazuh::params_manager::ossec_auth_use_password,
$ossec_auth_limit_maxagents = $wazuh::params_manager::ossec_auth_limit_maxagents,
$ossec_auth_ciphers = $wazuh::params_manager::ossec_auth_ciphers,
$ossec_auth_ssl_verify_host = $wazuh::params_manager::ossec_auth_ssl_verify_host,
$ossec_auth_ssl_manager_cert = $wazuh::params_manager::ossec_auth_ssl_manager_cert,
$ossec_auth_ssl_manager_key = $wazuh::params_manager::ossec_auth_ssl_manager_key,
$ossec_auth_ssl_auto_negotiate = $wazuh::params_manager::ossec_auth_ssl_auto_negotiate,
# syscheck
$ossec_syscheck_disabled = $wazuh::params_manager::ossec_syscheck_disabled,
$ossec_syscheck_frequency = $wazuh::params_manager::ossec_syscheck_frequency,
$ossec_syscheck_scan_on_start = $wazuh::params_manager::ossec_syscheck_scan_on_start,
$ossec_syscheck_alert_new_files = $wazuh::params_manager::ossec_syscheck_alert_new_files,
$ossec_syscheck_auto_ignore = $wazuh::params_manager::ossec_syscheck_auto_ignore,
$ossec_syscheck_directories_1 = $wazuh::params_manager::ossec_syscheck_directories_1,
$ossec_syscheck_directories_2 = $wazuh::params_manager::ossec_syscheck_directories_2,
$ossec_syscheck_ignore_list = $wazuh::params_manager::ossec_syscheck_ignore_list,
$ossec_syscheck_ignore_type_1 = $wazuh::params_manager::ossec_syscheck_ignore_type_1,
$ossec_syscheck_ignore_type_2 = $wazuh::params_manager::ossec_syscheck_ignore_type_2,
$ossec_syscheck_nodiff = $wazuh::params_manager::ossec_syscheck_nodiff,
$ossec_syscheck_skip_nfs = $wazuh::params_manager::ossec_syscheck_skip_nfs,
# Cluster
$ossec_cluster_name = $wazuh::params_manager::ossec_cluster_name,
$ossec_cluster_node_name = $wazuh::params_manager::ossec_cluster_node_name,
$ossec_cluster_node_type = $wazuh::params_manager::ossec_cluster_node_type,
$ossec_cluster_key = $wazuh::params_manager::ossec_cluster_key,
$ossec_cluster_port = $wazuh::params_manager::ossec_cluster_port,
$ossec_cluster_bind_addr = $wazuh::params_manager::ossec_cluster_bind_addr,
$ossec_cluster_nodes = $wazuh::params_manager::ossec_cluster_nodes,
$ossec_cluster_hidden = $wazuh::params_manager::ossec_cluster_hidden,
$ossec_cluster_disabled = $wazuh::params_manager::ossec_cluster_disabled,
#----- End of ossec.conf parameters -------
$ossec_cluster_enable_firewall = $wazuh::params_manager::ossec_cluster_enable_firewall,
$ossec_prefilter = $wazuh::params_manager::ossec_prefilter,
$ossec_integratord_enabled = $wazuh::params_manager::ossec_integratord_enabled,
$manage_client_keys = $wazuh::params_manager::manage_client_keys,
$agent_auth_password = $wazuh::params_manager::agent_auth_password,
$ar_repeated_offenders = $wazuh::params_manager::ar_repeated_offenders,
$local_decoder_template = $wazuh::params_manager::local_decoder_template,
$decoder_exclude = $wazuh::params_manager::decoder_exclude,
$local_rules_template = $wazuh::params_manager::local_rules_template,
$rule_exclude = $wazuh::params_manager::rule_exclude,
$shared_agent_template = $wazuh::params_manager::shared_agent_template,
$wazuh_manager_verify_manager_ssl = $wazuh::params_manager::wazuh_manager_verify_manager_ssl,
$wazuh_manager_server_crt = $wazuh::params_manager::wazuh_manager_server_crt,
$wazuh_manager_server_key = $wazuh::params_manager::wazuh_manager_server_key,
$ossec_local_files = $::wazuh::params_manager::default_local_files,
) inherits wazuh::params_manager {
validate_bool(
$manage_repos, $syslog_output,$wazuh_manager_verify_manager_ssl
)
validate_array(
$decoder_exclude, $rule_exclude
)
## Determine which kernel and family puppet is running on. Will be used on _localfile, _rootcheck, _syscheck & _sca
if ($::kernel == 'windows') {
$kernel = 'Linux'
}else{
$kernel = 'Linux'
if ($::osfamily == 'Debian'){
$os_family = 'debian'
}else{
$os_family = 'centos'
}
}
# This allows arrays of integers, sadly
# (commented due to stdlib version requirement)
if ($ossec_emailnotification == true) {
if $ossec_smtp_server == undef {
fail('$ossec_emailnotification is enabled but $smtp_server was not set')
}
validate_string($ossec_smtp_server)
validate_string($ossec_emailfrom)
validate_array($ossec_emailto)
}
if $::osfamily == 'windows' {
fail('The ossec module does not yet support installing the OSSEC HIDS server on Windows')
}
# Install wazuh-repository
if $manage_repos {
# TODO: Allow filtering of EPEL requirement
class { 'wazuh::repo':}
if $::osfamily == 'Debian' {
Class['wazuh::repo'] -> Class['apt::update'] -> Package[$wazuh::params_manager::server_package]
} else {
Class['wazuh::repo'] -> Package[$wazuh::params_manager::server_package]
}
}
# Install and configure Wazuh-manager package
package { $wazuh::params_manager::server_package:
ensure => $server_package_version, # lint:ignore:security_package_pinned_version
}
file {
default:
owner => $wazuh::params_manager::config_owner,
group => $wazuh::params_manager::config_group,
mode => $wazuh::params_manager::config_mode,
notify => Service[$wazuh::params_manager::server_service],
require => Package[$wazuh::params_manager::server_package];
$wazuh::params_manager::shared_agent_config_file:
validate_cmd => $wazuh::params_manager::validate_cmd_conf,
content => template($shared_agent_template);
'/var/ossec/etc/rules/local_rules.xml':
content => template($local_rules_template);
'/var/ossec/etc/decoders/local_decoder.xml':
content => template($local_decoder_template);
$wazuh::params_manager::processlist_file:
content => template('wazuh/process_list.erb');
}
service { $wazuh::params_manager::server_service:
ensure => running,
enable => true,
hasstatus => $wazuh::params_manager::service_has_status,
pattern => $wazuh::params_manager::server_service,
provider => $wazuh::params_manager::ossec_service_provider,
require => Package[$wazuh::params_manager::server_package],
}
## Declaring variables for localfile and wodles generation
case $::operatingsystem{
'Redhat', 'redhat':{
$apply_template_os = 'rhel'
if ( $::operatingsystemrelease =~ /^7.*/ ){
$rhel_version = '7'
}elsif ( $::operatingsystemrelease =~ /^6.*/ ){
$rhel_version = '6'
}elsif ( $::operatingsystemrelease =~ /^5.*/ ){
$rhel_version = '5'
}else{
fail('This ossec module has not been tested on your distribution')
}
}'Debian', 'debian', 'Ubuntu', 'ubuntu':{
$apply_template_os = 'debian'
if ( $::lsbdistcodename == 'wheezy') or ($::lsbdistcodename == 'jessie'){
$debian_additional_templates = 'yes'
}
}'Amazon':{
$apply_template_os = 'amazon'
}'CentOS','Centos','centos':{
$apply_template_os = 'centos'
}
default: { fail('This ossec module has not been tested on your distribution') }
}
concat { 'ossec.conf':
path => $wazuh::params_manager::config_file,
owner => $wazuh::params_manager::config_owner,
group => $wazuh::params_manager::config_group,
mode => $wazuh::params_manager::config_mode,
require => Package[$wazuh::params_manager::server_package],
notify => Service[$wazuh::params_manager::server_service],
}
concat::fragment {
'ossec.conf_header':
target => 'ossec.conf',
order => 00,
content => "<ossec_config>\n";
'ossec.conf_main':
target => 'ossec.conf',
order => 01,
content => template($ossec_manager_template);
}
if($configure_rootcheck == true){
concat::fragment {
'ossec.conf_rootcheck':
order => 10,
target => 'ossec.conf',
content => template($ossec_rootcheck_template);
}
}
if ($configure_wodle_openscap == true){
concat::fragment {
'ossec.conf_wodle_openscap':
order => 15,
target => 'ossec.conf',
content => template($ossec_wodle_openscap_template);
}
}
if ($configure_wodle_cis_cat == true){
concat::fragment {
'ossec.conf_wodle_ciscat':
order => 20,
target => 'ossec.conf',
content => template($ossec_wodle_cis_cat_template);
}
}
if ($configure_wodle_osquery== true){
concat::fragment {
'ossec.conf_wodle_osquery':
order => 25,
target => 'ossec.conf',
content => template($ossec_wodle_osquery_template);
}
}
if ($configure_wodle_syscollector == true){
concat::fragment {
'ossec.conf_wodle_syscollector':
order => 30,
target => 'ossec.conf',
content => template($ossec_wodle_syscollector_template);
}
}
if ($configure_sca == true){
concat::fragment {
'ossec.conf_sca':
order => 40,
target => 'ossec.conf',
content => template($ossec_sca_template);
}
}
if($configure_vulnerability_detector == true){
concat::fragment {
'ossec.conf_wodle_vulnerability_detector':
order => 45,
target => 'ossec.conf',
content => template($ossec_wodle_vulnerability_detector_template);
}
}
if($configure_syscheck == true){
concat::fragment {
'ossec.conf_syscheck':
order => 55,
target => 'ossec.conf',
content => template($ossec_syscheck_template);
}
}
if ($configure_command == true){
concat::fragment {
'ossec.conf_command':
order => 60,
target => 'ossec.conf',
content => template($ossec_default_commands_template);
}
}
if ($configure_localfile == true){
concat::fragment {
'ossec.conf_localfile':
order => 65,
target => 'ossec.conf',
content => template($ossec_localfile_template);
}
}
if($configure_ruleset == true){
concat::fragment {
'ossec.conf_ruleset':
order => 75,
target => 'ossec.conf',
content => template($ossec_ruleset_template);
}
}
if ($configure_auth == true){
concat::fragment {
'ossec.conf_auth':
order => 80,
target => 'ossec.conf',
content => template($ossec_auth_template);
}
}
if ($configure_cluster == true){
concat::fragment {
'ossec.conf_cluster':
order => 85,
target => 'ossec.conf',
content => template($ossec_cluster_template);
}
}
if ($configure_active_response == true){
concat::fragment {
'ossec.conf_active_response':
order => 90,
target => 'ossec.conf',
content => template($ossec_active_response_template);
}
}
concat::fragment {
'ossec.conf_footer':
target => 'ossec.conf',
order => 99,
content => "</ossec_config>\n";
}
if ( $manage_client_keys == 'yes') {
# TODO: ensure the authd service is started if manage_client_keys == authd
# (see https://github.com/wazuh/wazuh/issues/80)
file { $wazuh::params_manager::authd_pass_file:
owner => $wazuh::params_manager::keys_owner,
group => $wazuh::params_manager::keys_group,
mode => $wazuh::params_manager::keys_mode,
content => $agent_auth_password,
require => Package[$wazuh::params_manager::server_package],
}
}
# https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-manager-via-ssl
if $wazuh_manager_verify_manager_ssl {
if ($wazuh_manager_server_crt != undef) and ($wazuh_manager_server_key != undef) {
validate_string(
$wazuh_manager_server_crt, $wazuh_manager_server_key
)
file { '/var/ossec/etc/sslmanager.key':
content => $wazuh_manager_server_key,
owner => 'root',
group => 'ossec',
mode => '0640',
require => Package[$wazuh::params_manager::server_package],
notify => Service[$wazuh::params_manager::server_service],
}
file { '/var/ossec/etc/sslmanager.cert':
content => $wazuh_manager_server_crt,
owner => 'root',
group => 'ossec',
mode => '0640',
require => Package[$wazuh::params_manager::server_package],
notify => Service[$wazuh::params_manager::server_service],
}
}
}
# Manage firewall
if $manage_firewall == true {
include firewall
firewall { '1514 wazuh-manager':
dport => $ossec_remote_port,
proto => $ossec_remote_protocol,
action => 'accept',
state => [
'NEW',
'RELATED',
'ESTABLISHED'],
}
}
if $ossec_cluster_enable_firewall == 'yes'{
include firewall
firewall { '1516 wazuh-manager':
dport => $ossec_cluster_port,
proto => $ossec_remote_protocol,
action => 'accept',
state => [
'NEW',
'RELATED',
'ESTABLISHED'],
}
}
}
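Review bot: the `file` resources for `$wazuh::params_manager::authd_pass_file`, `/var/ossec/etc/sslmanager.key` and `/var/ossec/etc/sslmanager.cert` carry secrets in `content` but do not set `show_diff => false`, so the agent-registration password and the manager's private key are written into Puppet reports and agent logs on every change; add it to all three. The `authd.pass` block is also reached whenever `$manage_client_keys == 'yes'` even if `$agent_auth_password` is `undef`, which manages an empty password file rather than failing; `fail()` when no password is set. In the firewall section, `firewall { '1516 wazuh-manager': ... proto => $ossec_remote_protocol }` reuses the agent-traffic protocol for the cluster port, but the cluster listener is TCP, so with a UDP remote protocol the rule opens the wrong thing; hardcode `proto => 'tcp'` there. Smaller issues: the `if ($::kernel == 'windows') { $kernel = 'Linux' } else { $kernel = 'Linux' ... }` block assigns the same value in both arms and leaves `$os_family` undefined on the first, so collapse it (Windows is rejected a few lines later anyway), and the `fail('$ossec_emailnotification is enabled but $smtp_server was not set')` message names a parameter that does not exist; it should read `$ossec_smtp_server`.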

View File

@@ -1,226 +0,0 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Paramas file
class wazuh::params {
case $::kernel {
'Linux': {
$config_file = '/var/ossec/etc/ossec.conf'
$shared_agent_config_file = '/var/ossec/etc/shared/agent.conf'
$config_mode = '0640'
$config_owner = 'root'
$config_group = 'ossec'
$keys_file = '/var/ossec/etc/client.keys'
$keys_mode = '0640'
$keys_owner = 'root'
$keys_group = 'ossec'
$manage_firewall = false
$authd_pass_file = '/var/ossec/etc/authd.pass'
$validate_cmd_conf = '/var/ossec/bin/verify-agent-conf -f %'
$processlist_file = '/var/ossec/bin/.process_list'
$processlist_mode = '0640'
$processlist_owner = 'root'
$processlist_group = 'ossec'
# this hash is currently only covering the basic config section of config.js
# TODO: allow customization of the entire config.js
# for reference: https://documentation.wazuh.com/current/user-manual/api/configuration.html
$api_config_params = [
{'name' => 'ossec_path', 'value' => '/var/ossec'},
{'name' => 'host', 'value' => '0.0.0.0'},
{'name' => 'port', 'value' => '55000'},
{'name' => 'https', 'value' => 'no'},
{'name' => 'basic_auth', 'value' => 'yes'},
{'name' => 'BehindProxyServer', 'value' => 'no'},
]
case $::osfamily {
'Debian': {
$agent_service = 'wazuh-agent'
$agent_package = 'wazuh-agent'
$service_has_status = false
$ossec_service_provider = undef
$api_service_provider = undef
$default_local_files = [
{ 'location' => '/var/log/syslog' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/kern.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/auth.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/mail.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/dpkg.log', 'log_format' => 'syslog'},
{ 'location' => '/var/ossec/logs/active-responses.log', 'log_format' => 'syslog'},
]
case $::lsbdistcodename {
'xenial': {
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$wodle_openscap_content = {
'ssg-ubuntu-1604-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_common'],
},
}
}
'jessie': {
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$wodle_openscap_content = {
'ssg-debian-8-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_common'],
},
'cve-debian-oval.xml' => {
'type' => 'oval',
}
}
}
/^(wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|bionic)$/: {
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$wodle_openscap_content = undef
}
default: {
fail("Module ${module_name} is not supported on ${::operatingsystem}")
}
}
}
'Linux', 'RedHat': {
$agent_service = 'wazuh-agent'
$agent_package = 'wazuh-agent'
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$service_has_status = true
$default_local_files =[
{ 'location' => '/var/log/messages' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/secure' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/maillog', 'log_format' => 'syslog'},
{ 'location' => '/var/log/yum.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/httpd/access_log' , 'log_format' => 'apache'},
{ 'location' => '/var/log/httpd/error_log' , 'log_format' => 'apache'},
]
case $::operatingsystem {
'Amazon': {
# Amazon is based on Centos-6 with some improvements
# taken from RHEL-7 but uses SysV-Init, not Systemd.
# Probably best to leave this undef until we can
# write/find a release-specific file.
$wodle_openscap_content = undef
}
'CentOS': {
if ( $::operatingsystemrelease =~ /^6.*/ ) {
$ossec_service_provider = 'redhat'
$api_service_provider = 'redhat'
$wodle_openscap_content = {
'ssg-centos-6-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',]
}
}
}
if ( $::operatingsystemrelease =~ /^7.*/ ) {
$ossec_service_provider = 'systemd'
$api_service_provider = 'systemd'
$wodle_openscap_content = {
'ssg-centos-7-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',]
}
}
}
}
/^(RedHat|OracleLinux)$/: {
if ( $::operatingsystemrelease =~ /^6.*/ ) {
$ossec_service_provider = 'redhat'
$api_service_provider = 'redhat'
$wodle_openscap_content = {
'ssg-rhel-6-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',]
},
'cve-redhat-6-ds.xml' => {
'type' => 'xccdf',
}
}
}
if ( $::operatingsystemrelease =~ /^7.*/ ) {
$ossec_service_provider = 'systemd'
$api_service_provider = 'systemd'
$wodle_openscap_content = {
'ssg-rhel-7-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',]
},
'cve-redhat-7-ds.xml' => {
'type' => 'xccdf',
}
}
}
}
'Fedora': {
if ( $::operatingsystemrelease =~ /^(23|24|25).*/ ) {
$ossec_service_provider = 'redhat'
$api_service_provider = 'redhat'
$wodle_openscap_content = {
'ssg-fedora-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_standard', 'xccdf_org.ssgproject.content_profile_common',]
},
}
}
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
'windows': {
$config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/ossec.conf'), '\\\\', '/')
$shared_agent_config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/shared/agent.conf'), '\\\\', '/')
$config_owner = 'Administrator'
$config_group = 'Administrators'
$manage_firewall = false
$keys_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/client.keys'), '\\\\', '/')
$keys_mode = '0440'
$keys_owner = 'Administrator'
$keys_group = 'Administrators'
$agent_service = 'OssecSvc'
$agent_package = 'Wazuh Agent 3.9.1'
$server_service = ''
$server_package = ''
$api_service = ''
$api_package = ''
$service_has_status = true
# TODO
$validate_cmd_conf = undef
# Pushed by shared agent config now
$default_local_files = [
{'location' => 'Security' , 'log_format' => 'eventchannel', 'query' => 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'},
{'location' => 'System' , 'log_format' => 'eventlog' },
{'location' => 'active-response\active-responses.log' , 'log_format' => 'syslog' },
]
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
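Review bot: the Windows branch of this params class still pins `$agent_package = 'Wazuh Agent 3.9.1'` while the params_agent and params_manager classes added in the same commit pin `'Wazuh Agent 3.10.2'` (and `3.10.2-1` for Linux); if this class is still included anywhere the pins will drift, so either bump it here or remove the duplicated block. Two smaller points in the same branch: `regsubst(sprintf('c:/Program Files (x86)/ossec-agent/ossec.conf'), '\\\\', '/')` is a no-op (the literal already uses forward slashes and sprintf has no format arguments), so a plain string is enough; and `$validate_cmd_conf = undef` under a bare `# TODO` means the Windows shared agent.conf is written and the service restarted without any validation, which deserves a comment stating the reason rather than a TODO.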

View File

@@ -0,0 +1,376 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh-Agent configuration parameters
class wazuh::params_agent {
case $::kernel {
'Linux': {
# Versions
$agent_package_version = '3.10.2-1'
$agent_package_name = 'wazuh-agent'
$agent_service_name = 'wazuh-agent'
# Authd Registration options
$manage_client_keys = 'yes' # Enable/Disable agent registration
$agent_name = undef
$agent_group = undef
$wazuh_agent_cert = undef
$wazuh_agent_key = undef
$wazuh_agent_cert_path = undef
$wazuh_agent_key_path = undef
$agent_auth_password = undef
$wazuh_manager_root_ca_pem = undef
$wazuh_manager_root_ca_pem_path = undef
## Wazuh config folders and modes
$config_file = '/var/ossec/etc/ossec.conf'
$shared_agent_config_file = '/var/ossec/etc/shared/agent.conf'
$config_mode = '0640'
$config_owner = 'root'
$config_group = 'ossec'
$keys_file = '/var/ossec/etc/client.keys'
$keys_mode = '0640'
$keys_owner = 'root'
$keys_group = 'ossec'
$manage_firewall = false
$authd_pass_file = '/var/ossec/etc/authd.pass'
$validate_cmd_conf = '/var/ossec/bin/verify-agent-conf -f %'
$processlist_file = '/var/ossec/bin/.process_list'
$processlist_mode = '0640'
$processlist_owner = 'root'
$processlist_group = 'ossec'
# ossec.conf generation parameters
## Ossec.conf generation variables
$configure_rootcheck = true
$configure_wodle_openscap = false # TODO WAS: true
$configure_wodle_cis_cat = false # TODO WAS: true
$configure_wodle_osquery = false # TODO WAS: true
$configure_wodle_syscollector = false # TODO WAS: true
$configure_sca = true
$configure_syscheck = true
$configure_localfile = true
$configure_active_response = true
# ossec.conf templates paths
$ossec_conf_template = 'wazuh/wazuh_agent.conf.erb'
$ossec_rootcheck_template = 'wazuh/fragments/_rootcheck.erb'
$ossec_wodle_openscap_template = 'wazuh/fragments/_wodle_openscap.erb'
$ossec_wodle_cis_cat_template = 'wazuh/fragments/_wodle_cis_cat.erb'
$ossec_wodle_osquery_template = 'wazuh/fragments/_wodle_osquery.erb'
$ossec_wodle_syscollector_template = 'wazuh/fragments/_wodle_syscollector.erb'
$ossec_sca_template = 'wazuh/fragments/_sca.erb'
$ossec_syscheck_template = 'wazuh/fragments/_syscheck.erb'
$ossec_localfile_template = 'wazuh/fragments/_localfile.erb'
$ossec_ruleset = 'wazuh/fragments/_ruleset.erb'
$ossec_auth = 'wazuh/fragments/_auth.erb'
$ossec_cluster = 'wazuh/fragments/_cluster.erb'
$ossec_active_response_template = 'wazuh/fragments/_default_activeresponse.erb'
### Ossec.conf blocks
## Server block configuration
$wazuh_register_endpoint = undef
$wazuh_reporting_endpoint = undef
$ossec_port = '1514'
$ossec_protocol = 'udp'
$ossec_notify_time = 10
$ossec_time_reconnect = 60
$ossec_auto_restart = 'yes'
$ossec_crypto_method = 'aes'
$client_buffer_queue_size = 5000
$client_buffer_events_per_second = 500
# Rootcheck
$ossec_rootcheck_disabled = 'no'
$ossec_rootcheck_check_files = 'yes'
$ossec_rootcheck_check_trojans = 'yes'
$ossec_rootcheck_check_dev = 'yes'
$ossec_rootcheck_check_sys = 'yes'
$ossec_rootcheck_check_pids = 'yes'
$ossec_rootcheck_check_ports = 'yes'
$ossec_rootcheck_check_if = 'yes'
$ossec_rootcheck_frequency = 43200
$ossec_rootcheck_rootkit_files = '/var/ossec/etc/shared/rootkit_files.txt'
$ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/shared/rootkit_trojans.txt'
$ossec_rootcheck_skip_nfs = 'yes'
## Wodles
#openscap
$wodle_openscap_disabled = 'no'
$wodle_openscap_timeout = '1800'
$wodle_openscap_interval = '1d'
$wodle_openscap_scan_on_start = 'yes'
#cis-cat
$wodle_ciscat_disabled = 'yes'
$wodle_ciscat_timeout = '1800'
$wodle_ciscat_interval = '1d'
$wodle_ciscat_scan_on_start = 'yes'
$wodle_ciscat_java_path = 'wodles/java'
$wodle_ciscat_ciscat_path = 'wodles/ciscat'
#osquery
$wodle_osquery_disabled = 'yes'
$wodle_osquery_run_daemon = 'yes'
$wodle_osquery_log_path = '/var/log/osquery/osqueryd.results.log'
$wodle_osquery_config_path = '/etc/osquery/osquery.conf'
$wodle_osquery_add_labels = 'yes'
#syscollector
$wodle_syscollector_disabled = true
$wodle_syscollector_interval = '1d'
$wodle_syscollector_scan_on_start = 'yes'
$wodle_syscollector_hardware = 'yes'
$wodle_syscollector_os = 'yes'
$wodle_syscollector_network = 'yes'
$wodle_syscollector_packages = 'yes'
$wodle_syscollector_ports = 'yes'
$wodle_syscollector_processes = 'yes'
# localfile
$ossec_local_files = $::wazuh::params_agent::default_local_files
#syscheck
$ossec_syscheck_disabled = 'no'
$ossec_syscheck_frequency = '43200'
$ossec_syscheck_scan_on_start = 'yes'
$ossec_syscheck_alert_new_files = undef
$ossec_syscheck_auto_ignore = undef
$ossec_syscheck_directories_1 = '/etc,/usr/bin,/usr/sbin'
$ossec_syscheck_directories_2 = '/bin,/sbin,/boot'
$ossec_syscheck_ignore_list = ['/etc/mtab',
'/etc/hosts.deny',
'/etc/mail/statistics',
'/etc/random-seed',
'/etc/random.seed',
'/etc/adjtime',
'/etc/httpd/logs',
'/etc/utmpx',
'/etc/wtmpx',
'/etc/cups/certs',
'/etc/dumpdates',
'/etc/svc/volatile',
'/sys/kernel/security',
'/sys/kernel/debug',
'/dev/core',
]
$ossec_syscheck_ignore_type_1 = '^/proc'
$ossec_syscheck_ignore_type_2 = ".log$|.swp$"
$ossec_syscheck_nodiff = '/etc/ssl/private.key'
$ossec_syscheck_skip_nfs = 'yes'
# others
$selinux = false
$manage_repo = true
case $::osfamily {
'Debian': {
$agent_service = 'wazuh-agent'
$agent_package = 'wazuh-agent'
$service_has_status = false
$ossec_service_provider = undef
$api_service_provider = undef
$default_local_files = [
{ 'location' => '/var/log/syslog' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/kern.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/auth.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/dpkg.log', 'log_format' => 'syslog'},
{ 'location' => '/var/ossec/logs/active-responses.log', 'log_format' => 'syslog'},
{ 'location' => '/var/log/messages' , 'log_format' => 'syslog'},
]
case $::lsbdistcodename {
'xenial': {
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$wodle_openscap_content = {
'ssg-ubuntu-1604-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_common'],
},'cve-ubuntu-xenial-oval.xml' => {
'type' => 'oval'
}
}
}
'jessie': {
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$wodle_openscap_content = {
'ssg-debian-8-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_common'],
},
'cve-debian-8-oval.xml' => {
'type' => 'oval',
}
}
}
/^(wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|bionic)$/: {
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$wodle_openscap_content = undef
}
default: {
fail("Module ${module_name} is not supported on ${::operatingsystem}")
}
}
}
'RedHat': {
$agent_service = 'wazuh-agent'
$agent_package = 'wazuh-agent'
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$service_has_status = true
$default_local_files =[
{ 'location' => '/var/log/audit/audit.log' , 'log_format' => 'audit'},
{ 'location' => '/var/ossec/logs/active-responses.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/messages', 'log_format' => 'syslog'},
{ 'location' => '/var/log/secure' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/maillog' , 'log_format' => 'syslog'},
]
case $::operatingsystem {
'Amazon': {
# Amazon is based on Centos-6 with some improvements
# taken from RHEL-7 but uses SysV-Init, not Systemd.
# Probably best to leave this undef until we can
# write/find a release-specific file.
$wodle_openscap_content = undef
}
'CentOS': {
if ( $::operatingsystemrelease =~ /^6.*/ ) {
$ossec_service_provider = 'redhat'
$api_service_provider = 'redhat'
$wodle_openscap_content = {
'ssg-centos-6-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',]
}
}
}
if ( $::operatingsystemrelease =~ /^7.*/ ) {
$ossec_service_provider = 'systemd'
$api_service_provider = 'systemd'
$wodle_openscap_content = {
'ssg-centos-7-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',]
}
}
}
}
/^(RedHat|OracleLinux)$/: {
if ( $::operatingsystemrelease =~ /^6.*/ ) {
$ossec_service_provider = 'redhat'
$api_service_provider = 'redhat'
$wodle_openscap_content = {
'ssg-rhel-6-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',]
},
'cve-redhat-6-ds.xml' => {
'type' => 'xccdf',
}
}
}
if ( $::operatingsystemrelease =~ /^7.*/ ) {
$ossec_service_provider = 'systemd'
$api_service_provider = 'systemd'
$wodle_openscap_content = {
'ssg-rhel-7-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',]
},
'cve-redhat-7-ds.xml' => {
'type' => 'xccdf',
}
}
}
}
'Fedora': {
if ( $::operatingsystemrelease =~ /^(23|24|25).*/ ) {
$ossec_service_provider = 'redhat'
$api_service_provider = 'redhat'
$wodle_openscap_content = {
'ssg-fedora-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_standard', 'xccdf_org.ssgproject.content_profile_common',]
},
}
}
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
'windows': {
$config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/ossec.conf'), '\\\\', '/')
$shared_agent_config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/shared/agent.conf'), '\\\\', '/')
$config_owner = 'Administrator'
$config_group = 'Administrators'
$download_path = 'C:/'
$manage_firewall = false
$keys_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/client.keys'), '\\\\', '/')
$keys_mode = '0440'
$keys_owner = 'Administrator'
$keys_group = 'Administrators'
$agent_service = 'OssecSvc'
$agent_package = 'Wazuh Agent 3.10.2'
$server_service = ''
$server_package = ''
$api_service = ''
$api_package = ''
$service_has_status = true
# TODO
$validate_cmd_conf = undef
# Pushed by shared agent config now
$default_local_files = [
{'location' => 'Security' , 'log_format' => 'eventchannel',
'query' => 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658\
and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID!= 4703 and EventID != 4907]'},
{'location' => 'System' , 'log_format' => 'eventlog' },
{'location' => 'active-response\active-responses.log' , 'log_format' => 'syslog' },
]
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
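Review bot: `$ossec_local_files = $::wazuh::params_agent::default_local_files` in the Linux branch reads `$default_local_files` before the nested `case $::osfamily` has assigned it, so it evaluates to undef (and errors under strict_variables); move that line after the case, or have the agent class read `$default_local_files` directly. In the Windows branch the Security `eventchannel` query is split across two lines with a trailing backslash inside a single-quoted string; Puppet single-quoted strings only recognise `\\` and `\'`, so the backslash, the newline and the indentation all become part of the XPath query pushed to the agent. Join it into one line or build it by concatenation. Also, `$wodle_syscollector_disabled = true` is a boolean while the other wodle `disabled` parameters are `'yes'`/`'no'` strings, so the template will emit `true` where ossec.conf expects yes/no; and `$ossec_syscheck_ignore_type_2 = ".log$|.swp$"` uses double quotes with nothing interpolated and leaves the dots unescaped (matching any character), where `'\.log$|\.swp$'` is what was meant.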

View File

@@ -0,0 +1,26 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Elastic configuration parameters
class wazuh::params_elastic {
$elasticsearch_service = 'elasticsearch'
$elasticsearch_package = 'elasticsearch'
$config_owner = 'elasticsearch'
$config_group = 'elasticsearch'
$config_mode = '0640'
$elasticsearch_cluster_name = 'es-wazuh'
$elasticsearch_node_name = 'es-node-01'
$elasticsearch_node_master = true
$elasticsearch_node_data = true
$elasticsearch_node_ingest = true
$elasticsearch_node_max_local_storage_nodes = '1'
$elasticsearch_path_data = '/var/lib/elasticsearch'
$elasticsearch_path_logs = '/var/log/elasticsearch'
$elasticsearch_ip = 'localhost'
$elastcisearch_port = 9200
$elasticsearch_discovery_option = 'discovery.type: single-node'
$elasticsearch_cluster_initial_master_nodes = "#cluster.initial_master_nodes: ['es-node-01']"
}
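Review bot: `$elastcisearch_port = 9200` is misspelled (elastcisearch), so any `$elasticsearch_port` reference from the elasticsearch class or its template resolves to undef; rename it. `$elasticsearch_discovery_option` and `$elasticsearch_cluster_initial_master_nodes` hold whole YAML lines (the second one pre-commented with `#`) instead of values, which makes them awkward to override from Hiera and easy to render as broken YAML; consider exposing `discovery.type` and the `cluster.initial_master_nodes` list as plain values and letting the template decide which line to emit.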

View File

@@ -0,0 +1,435 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Paramas file
class wazuh::params_manager {
case $::kernel {
'Linux': {
# Installation
$server_package_version = '3.10.2-1'
$manage_repos = true
$manage_firewall = false
### Ossec.conf blocks
## Global
$ossec_emailnotification = false
$ossec_emailto = []
$ossec_smtp_server = 'smtp.example.wazuh.com'
$ossec_emailfrom = 'ossecm@example.wazuh.com'
$ossec_email_maxperhour = 12
$ossec_email_idsname = undef
$ossec_white_list = ['127.0.0.1','^localhost.localdomain$','10.0.0.2']
$ossec_alert_level = 3
$ossec_email_alert_level = 12
$ossec_remote_connection = 'secure'
$ossec_remote_port = 1514
$ossec_remote_protocol = 'udp'
$ossec_remote_queue_size = 131072
# ossec.conf generation parameters
$configure_rootcheck = true # TODO: WAS true
$configure_wodle_openscap = false # TODO: WAS true
$configure_wodle_cis_cat = false # TODO: WAS true
$configure_wodle_osquery = false # TODO: WAS true
$configure_wodle_syscollector = false # TODO: WAS true
$configure_vulnerability_detector = true
$configure_sca = true
$configure_syscheck = true
$configure_command = true
$configure_localfile = true
$configure_ruleset = true
$configure_auth = true
$configure_cluster = true
$configure_active_response = false
# ossec.conf templates paths
$ossec_manager_template = 'wazuh/wazuh_manager.conf.erb'
$ossec_rootcheck_template = 'wazuh/fragments/_rootcheck.erb'
$ossec_wodle_openscap_template = 'wazuh/fragments/_wodle_openscap.erb'
$ossec_wodle_cis_cat_template = 'wazuh/fragments/_wodle_cis_cat.erb'
$ossec_wodle_osquery_template = 'wazuh/fragments/_wodle_osquery.erb'
$ossec_wodle_syscollector_template = 'wazuh/fragments/_wodle_syscollector.erb'
$ossec_wodle_vulnerability_detector_template = 'wazuh/fragments/_wodle_vulnerability_detector.erb'
$ossec_sca_template = 'wazuh/fragments/_sca.erb'
$ossec_syscheck_template = 'wazuh/fragments/_syscheck.erb'
$ossec_default_commands_template = 'wazuh/default_commands.erb'
$ossec_localfile_template = 'wazuh/fragments/_localfile.erb'
$ossec_ruleset_template = 'wazuh/fragments/_ruleset.erb'
$ossec_auth_template = 'wazuh/fragments/_auth.erb'
$ossec_cluster_template = 'wazuh/fragments/_cluster.erb'
$ossec_active_response_template = 'wazuh/fragments/_default_activeresponse.erb'
## Rootcheck
$ossec_rootcheck_disabled = 'no'
$ossec_rootcheck_check_files = 'yes'
$ossec_rootcheck_check_trojans = 'yes'
$ossec_rootcheck_check_dev = 'yes'
$ossec_rootcheck_check_sys = 'yes'
$ossec_rootcheck_check_pids = 'yes'
$ossec_rootcheck_check_ports = 'yes'
$ossec_rootcheck_check_if = 'yes'
$ossec_rootcheck_frequency = 43200
$ossec_rootcheck_rootkit_files = '/var/ossec/etc/rootcheck/rootkit_files.txt'
$ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/rootcheck/rootkit_trojans.txt'
$ossec_rootcheck_skip_nfs = 'yes'
## Wodles
#openscap
$wodle_openscap_disabled = true
$wodle_openscap_timeout = '1800'
$wodle_openscap_interval = '1d'
$wodle_openscap_scan_on_start = 'yes'
#cis-cat
$wodle_ciscat_disabled = true
$wodle_ciscat_timeout = '1800'
$wodle_ciscat_interval = '1d'
$wodle_ciscat_scan_on_start = 'yes'
$wodle_ciscat_java_path = 'wodles/java'
$wodle_ciscat_ciscat_path = 'wodles/ciscat'
#osquery
$wodle_osquery_disabled = true
$wodle_osquery_run_daemon = 'yes'
$wodle_osquery_log_path = '/var/log/osquery/osqueryd.results.log'
$wodle_osquery_config_path = '/etc/osquery/osquery.conf'
$wodle_osquery_add_labels = 'yes'
#syscollector
$wodle_syscollector_disabled = true
$wodle_syscollector_interval = '1h'
$wodle_syscollector_scan_on_start = 'yes'
$wodle_syscollector_hardware = 'yes'
$wodle_syscollector_os = 'yes'
$wodle_syscollector_network = 'yes'
$wodle_syscollector_packages = 'yes'
$wodle_syscollector_ports = 'yes'
$wodle_syscollector_processes = 'yes'
#vulnerability-detector
$wodle_vulnerability_detector_disabled = true
$wodle_vulnerability_detector_interval = '5m'
$wodle_vulnerability_detector_ignore_time = '6h'
$wodle_vulnerability_detector_run_on_start = 'yes'
$wodle_vulnerability_detector_ubuntu_disabled = 'yes'
$wodle_vulnerability_detector_ubuntu_update = '1h'
$wodle_vulnerability_detector_redhat_disable = 'yes'
$wodle_vulnerability_detector_redhat_update_from = '2010'
$wodle_vulnerability_detector_redhat_update = '1h'
$wodle_vulnerability_detector_debian_9_disable = 'yes'
$wodle_vulnerability_detector_debian_9_update = '1h'
# syslog
$syslog_output = false
$syslog_output_level = 2
$syslog_output_port = 514
$syslog_output_server = undef
$syslog_output_format = undef
# Authd configuration
$ossec_auth_disabled = 'no'
$ossec_auth_port = 1515
$ossec_auth_use_source_ip = 'yes'
$ossec_auth_force_insert = 'yes'
$ossec_auth_force_time = 0
$ossec_auth_purgue = 'yes'
$ossec_auth_use_password = 'no'
$ossec_auth_limit_maxagents = 'yes'
$ossec_auth_ciphers = 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
$ossec_auth_ssl_verify_host = 'no'
$ossec_auth_ssl_manager_cert = '/var/ossec/etc/sslmanager.cert'
$ossec_auth_ssl_manager_key = '/var/ossec/etc/sslmanager.key'
$ossec_auth_ssl_auto_negotiate = 'no'
# syscheck
$ossec_syscheck_disabled = 'no'
$ossec_syscheck_frequency = '43200'
$ossec_syscheck_scan_on_start = 'yes'
$ossec_syscheck_alert_new_files = 'yes'
$ossec_syscheck_auto_ignore = 'no'
$ossec_syscheck_directories_1 = '/etc,/usr/bin,/usr/sbin'
$ossec_syscheck_directories_2 = '/bin,/sbin,/boot'
$ossec_syscheck_ignore_list = ['/etc/mtab',
'/etc/hosts.deny',
'/etc/mail/statistics',
'/etc/random-seed',
'/etc/random.seed',
'/etc/adjtime',
'/etc/httpd/logs',
'/etc/utmpx',
'/etc/wtmpx',
'/etc/cups/certs',
'/etc/dumpdates',
'/etc/svc/volatile',
'/sys/kernel/security',
'/sys/kernel/debug',
'/dev/core',
]
$ossec_syscheck_ignore_type_1 = '^/proc'
$ossec_syscheck_ignore_type_2 = ".log$|.swp$"
$ossec_syscheck_nodiff = '/etc/ssl/private.key'
$ossec_syscheck_skip_nfs = 'yes'
# Cluster
$ossec_cluster_name = 'wazuh'
$ossec_cluster_node_name = 'node01'
$ossec_cluster_node_type = 'master'
$ossec_cluster_key = 'KEY'
$ossec_cluster_port = '1516'
$ossec_cluster_bind_addr = '0.0.0.0'
$ossec_cluster_nodes = ['NODE_IP']
$ossec_cluster_hidden = 'no'
$ossec_cluster_disabled = 'yes'
$ossec_cluster_enable_firewall = 'no'
#----- End of ossec.conf parameters -------
$ossec_prefilter = false
$ossec_integratord_enabled = false
$manage_client_keys = 'yes'
$agent_auth_password = undef
$ar_repeated_offenders = ''
$local_decoder_template = 'wazuh/local_decoder.xml.erb'
$decoder_exclude = []
$local_rules_template = 'wazuh/local_rules.xml.erb'
$rule_exclude = []
$shared_agent_template = 'wazuh/ossec_shared_agent.conf.erb'
$wazuh_manager_verify_manager_ssl = false
$wazuh_manager_server_crt = undef
$wazuh_manager_server_key = undef
## Wazuh config folders and modes
$config_file = '/var/ossec/etc/ossec.conf'
$shared_agent_config_file = '/var/ossec/etc/shared/agent.conf'
$config_mode = '0640'
$config_owner = 'root'
$config_group = 'ossec'
$keys_file = '/var/ossec/etc/client.keys'
$keys_mode = '0640'
$keys_owner = 'root'
$keys_group = 'ossec'
$authd_pass_file = '/var/ossec/etc/authd.pass'
$validate_cmd_conf = '/var/ossec/bin/verify-agent-conf -f %'
$processlist_file = '/var/ossec/bin/.process_list'
$processlist_mode = '0640'
$processlist_owner = 'root'
$processlist_group = 'ossec'
case $::osfamily {
'Debian': {
$agent_service = 'wazuh-agent'
$agent_package = 'wazuh-agent'
$service_has_status = false
$ossec_service_provider = undef
$api_service_provider = undef
$default_local_files = [
{ 'location' => '/var/log/syslog' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/kern.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/auth.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/dpkg.log', 'log_format' => 'syslog'},
{ 'location' => '/var/ossec/logs/active-responses.log', 'log_format' => 'syslog'},
{ 'location' => '/var/log/messages' , 'log_format' => 'syslog'},
]
case $::lsbdistcodename {
'xenial': {
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$wodle_openscap_content = {
'ssg-ubuntu-1604-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_common'],
},'cve-ubuntu-xenial-oval.xml' => {
'type' => 'oval'
}
}
}
'jessie': {
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$wodle_openscap_content = {
'ssg-debian-8-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_common'],
},
'cve-debian-8-oval.xml' => {
'type' => 'oval',
}
}
}
/^(wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|bionic)$/: {
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$wodle_openscap_content = undef
}
default: {
fail("Module ${module_name} is not supported on ${::operatingsystem}")
}
}
}
'RedHat': {
$agent_service = 'wazuh-agent'
$agent_package = 'wazuh-agent'
$server_service = 'wazuh-manager'
$server_package = 'wazuh-manager'
$api_service = 'wazuh-api'
$api_package = 'wazuh-api'
$service_has_status = true
$default_local_files =[
{ 'location' => '/var/log/audit/audit.log' , 'log_format' => 'audit'},
{ 'location' => '/var/ossec/logs/active-responses.log' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/messages', 'log_format' => 'syslog'},
{ 'location' => '/var/log/secure' , 'log_format' => 'syslog'},
{ 'location' => '/var/log/maillog' , 'log_format' => 'apache'},
]
case $::operatingsystem {
'Amazon': {
$ossec_service_provider = 'systemd'
$api_service_provider = 'systemd'
# Amazon is based on Centos-6 with some improvements
# taken from RHEL-7 but uses SysV-Init, not Systemd.
# Probably best to leave this undef until we can
# write/find a release-specific file.
$wodle_openscap_content = undef
}
'CentOS': {
if ( $::operatingsystemrelease =~ /^6.*/ ) {
$ossec_service_provider = 'redhat'
$api_service_provider = 'redhat'
$wodle_openscap_content = {
'ssg-centos-6-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',]
}
}
}
if ( $::operatingsystemrelease =~ /^7.*/ ) {
$ossec_service_provider = 'systemd'
$api_service_provider = 'systemd'
$wodle_openscap_content = {
'ssg-centos-7-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',]
}
}
}
}
/^(RedHat|OracleLinux)$/: {
if ( $::operatingsystemrelease =~ /^6.*/ ) {
$ossec_service_provider = 'redhat'
$api_service_provider = 'redhat'
$wodle_openscap_content = {
'ssg-rhel-6-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',]
},
'cve-redhat-6-ds.xml' => {
'type' => 'xccdf',
}
}
}
if ( $::operatingsystemrelease =~ /^7.*/ ) {
$ossec_service_provider = 'systemd'
$api_service_provider = 'systemd'
$wodle_openscap_content = {
'ssg-rhel-7-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',]
},
'cve-redhat-7-ds.xml' => {
'type' => 'xccdf',
}
}
}
}
'Fedora': {
if ( $::operatingsystemrelease =~ /^(23|24|25).*/ ) {
$ossec_service_provider = 'redhat'
$api_service_provider = 'redhat'
$wodle_openscap_content = {
'ssg-fedora-ds.xml' => {
'type' => 'xccdf',
profiles => ['xccdf_org.ssgproject.content_profile_standard', 'xccdf_org.ssgproject.content_profile_common',]
},
}
}
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
'windows': {
$config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/ossec.conf'), '\\\\', '/')
$shared_agent_config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/shared/agent.conf'), '\\\\', '/')
$config_owner = 'Administrator'
$config_group = 'Administrators'
$manage_firewall = false
$keys_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/client.keys'), '\\\\', '/')
$keys_mode = '0440'
$keys_owner = 'Administrator'
$keys_group = 'Administrators'
$agent_service = 'OssecSvc'
$agent_package = 'Wazuh Agent 3.10.2'
$server_service = ''
$server_package = ''
$api_service = ''
$api_package = ''
$service_has_status = true
# TODO
$validate_cmd_conf = undef
# Pushed by shared agent config now
$default_local_files = [
{'location' => 'Security' , 'log_format' => 'eventchannel',
'query' => 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658\
and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID!= 4703 and EventID != 4907]'},
{'location' => 'System' , 'log_format' => 'eventlog' },
{'location' => 'active-response\active-responses.log' , 'log_format' => 'syslog' },
]
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
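Review bot: the Authd defaults in this hunk, `$ossec_auth_use_password = 'no'`, `$ossec_auth_force_insert = 'yes'` and `$ossec_auth_ssl_verify_host = 'no'`, mean a freshly provisioned manager accepts agent enrolment on port 1515 from any host that can reach it, with no shared secret and with re-registration under an existing agent name allowed; since the class already manages `$authd_pass_file`, defaulting `use_password` to `'yes'` (or at least documenting that `configure_auth = true` opens unauthenticated enrolment) would be the safer module default. `$ossec_white_list` also ships with a hard-coded `'10.0.0.2'`, which exempts that address from active response on every deployment; the default should contain only loopback/localhost. Other points: `/var/log/maillog` is given `'log_format' => 'apache'` in the RedHat `$default_local_files` (params_agent uses `'syslog'` for the same file); `$ossec_auth_purgue` is misspelled; the Amazon branch sets `$ossec_service_provider = 'systemd'` directly above a comment saying Amazon uses SysV-Init, so one of the two is stale; and the Windows Security `eventchannel` query has the same trailing-backslash line split as in params_agent, which puts a literal backslash and newline into the XPath.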

View File

@@ -1,7 +1,6 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Repo installation
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh repository installation
class wazuh::repo (
$redhat_manage_epel = true,
) {
case $::osfamily {
@@ -55,16 +54,6 @@ class wazuh::repo (
baseurl => $baseurl
}
if $redhat_manage_epel {
# Set up EPEL repo
# NOTE: This relies on the 'epel' module referenced in metadata.json
package { 'inotify-tools':
ensure => present
}
include epel
Class['epel'] -> Package['inotify-tools']
}
}
default: { fail('This ossec module has not been tested on your distribution') }
}
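Review bot: removing the `if $redhat_manage_epel { ... include epel ... }` block leaves the `$redhat_manage_epel` class parameter (still declared in the `class wazuh::repo (` header) with no effect, so callers that set it get a silent no-op; drop the parameter in the same change or keep the block behind it. The removal also takes `package { 'inotify-tools': ensure => present }` with it; if anything else in the module still depends on that package, the declaration needs to move there.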

View File

@@ -0,0 +1,69 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Installation of Elastic repository
class wazuh::repo_elastic (
) {
case $::osfamily {
'Debian' : {
if ! defined(Package['apt-transport-https']) {
ensure_packages(['apt-transport-https'], {'ensure' => 'present'})
}
# apt-key added by issue #34
apt::key { 'elastic':
id => '46095ACC8548582C1A2699A9D27D666CD88E42B4',
source => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
}
case $::lsbdistcodename {
/(jessie|wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|yakketi|bionic)/: {
apt::source { 'wazuh_elastic':
ensure => present,
comment => 'This is the Elastic repository',
location => 'https://artifacts.elastic.co/packages/7.x/apt',
release => 'stable',
repos => 'main',
include => {
'src' => false,
'deb' => true,
},
}
}
default: { fail('This ossec module has not been tested on your distribution (or lsb package not installed)') }
}
}
'Redhat' : {
case $::os[name] {
/^(CentOS|RedHat|OracleLinux|Fedora|Amazon)$/: {
if ( $::operatingsystemrelease =~ /^5.*/ ) {
$baseurl = 'https://artifacts.elastic.co/packages/7.x/yum'
$gpgkey = 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
} else {
$baseurl = 'https://artifacts.elastic.co/packages/7.x/yum'
$gpgkey = 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
}
}
default: { fail('This ossec module has not been tested on your distribution.') }
}
## Set up Elasticsearch repo
# Import GPG key
exec { 'Install Elasticsearch GPG key':
path => '/usr/bin',
command => 'rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch',
}
# Adding repo by Puppet yumrepo resource
yumrepo { 'elasticsearch':
ensure => 'present',
enabled => 1,
gpgcheck => 1,
gpgkey => $gpgkey,
baseurl => $baseurl,
name => 'elasticsearch',
}
}
default: { fail('This ossec module has not been tested on your distribution') }
}
}
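Review bot: `exec { 'Install Elasticsearch GPG key': ... }` in the Redhat branch has no `unless` or `creates` guard, so `rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch` runs, and fetches the key over the network, on every Puppet run; it is also redundant, because the `yumrepo` below already sets `gpgcheck => 1` and `gpgkey => $gpgkey`, which makes yum import that key on first use. Drop the exec, or guard it with an `unless` that checks the installed `gpg-pubkey` packages, and use a single host for the key (`artifacts.elastic.co`, as `$gpgkey` does) rather than two. Also, both arms of `if ( $::operatingsystemrelease =~ /^5.*/ )` assign identical `$baseurl` and `$gpgkey` values, so the conditional is dead and can be collapsed; and `yakketi` in the Debian codename regex is misspelled (the Ubuntu 16.10 codename is yakkety), so that release falls through to the `fail`.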

View File

@@ -1,4 +1,4 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#Define for a Reports section
define wazuh::reports(
Optional[String] $r_group = undef,
@@ -13,7 +13,7 @@ define wazuh::reports(
Optional[Enum['yes', 'no']] $r_showlogs = undef,
) {
require wazuh::params
require wazuh::params_manager
concat::fragment { $name:
target => 'ossec.conf',
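Review bot: switching `require wazuh::params` to `require wazuh::params_manager` matches the params split, but this define still declares `concat::fragment { $name: target => 'ossec.conf', ... }`, and the `concat { 'ossec.conf': ... }` target was declared by `wazuh::server`, which this commit deletes; whichever class now owns the manager's ossec.conf concat is the one this define should require, otherwise the fragments have no target and catalog application fails.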

View File

@@ -1,293 +0,0 @@
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
# Main ossec server config
class wazuh::server (
$smtp_server = undef,
$ossec_emailto = [],
$ossec_emailfrom = "wazuh@${::domain}",
$ossec_active_response = true,
$ossec_rootcheck = true,
$ossec_rootcheck_frequency = 36000,
$ossec_rootcheck_checkports = true,
$ossec_rootcheck_checkfiles = true,
$ossec_global_host_information_level = 8,
$ossec_global_stat_level = 8,
$ossec_email_alert_level = 7,
$ossec_ignorepaths = [],
$ossec_ignorepaths_regex = [],
$ossec_scanpaths = [ {'path' => '/etc,/usr/bin,/usr/sbin', 'report_changes' => 'no', 'realtime' => 'no'}, {'path' => '/bin,/sbin', 'report_changes' => 'yes', 'realtime' => 'yes'} ],
$ossec_white_list = [],
$ossec_extra_rules_config = [],
$ossec_local_files = $::wazuh::params::default_local_files,
$ossec_emailnotification = true,
$ossec_email_maxperhour = '12',
$ossec_email_idsname = undef,
$ossec_syscheck_frequency = 79200,
$ossec_auto_ignore = 'yes',
$ossec_prefilter = false,
$ossec_service_provider = $::wazuh::params::ossec_service_provider,
$api_service_provider = $::wazuh::params::api_service_provider,
$ossec_server_port = '1514',
$ossec_server_protocol = 'udp',
$ossec_integratord_enabled = false,
$server_package_version = 'installed',
$api_package_version = 'installed',
$api_config_params = $::wazuh::params::api_config_params,
$manage_repos = true,
$manage_epel_repo = true,
$manage_client_keys = 'authd',
$install_wazuh_api = false,
$wazuh_api_enable_https = false,
$wazuh_api_server_crt = undef,
$wazuh_api_server_key = undef,
$manage_nodejs = true,
$nodejs_repo_url_suffix = '6.x',
$agent_auth_password = undef,
$ar_repeated_offenders = '',
$syslog_output = false,
$syslog_output_level = 2,
$syslog_output_port = 514,
$syslog_output_server = undef,
$syslog_output_format = undef,
$enable_wodle_openscap = false,
$wodle_openscap_content = $::wazuh::params::wodle_openscap_content,
$local_decoder_template = 'wazuh/local_decoder.xml.erb',
$decoder_exclude = [],
$local_rules_template = 'wazuh/local_rules.xml.erb',
$rule_exclude = [],
$shared_agent_template = 'wazuh/ossec_shared_agent.conf.erb',
$api_config_template = 'wazuh/api/config.js.erb',
$wazuh_manager_verify_manager_ssl = false,
$wazuh_manager_server_crt = undef,
$wazuh_manager_server_key = undef,
$ossec_auth_ssl_cert = undef,
$ossec_auth_ssl_key = undef,
$ossec_auth_ssl_ca = undef,
Boolean $manage_firewall = $::wazuh::params::manage_firewall,
Integer $ossec_auth_port = 1515,
Boolean $ossec_auth_use_srcip = false,
Boolean $ossec_auth_use_password = false,
Boolean $ossec_auth_force_insert = false,
Boolean $ossec_auth_purge = false,
) inherits wazuh::params {
validate_bool(
$ossec_active_response, $ossec_rootcheck,
$manage_repos, $manage_epel_repo, $syslog_output,
$install_wazuh_api, $wazuh_manager_verify_manager_ssl
)
validate_array(
$decoder_exclude, $rule_exclude
)
# This allows arrays of integers, sadly
# (commented due to stdlib version requirement)
validate_array($ossec_ignorepaths)
if ( $ossec_emailnotification ) {
if $smtp_server == undef {
fail('$ossec_emailnotification is enabled but $smtp_server was not set')
}
validate_string($smtp_server)
validate_string($ossec_emailfrom)
validate_array($ossec_emailto)
}
if $::osfamily == 'windows' {
fail('The ossec module does not yet support installing the OSSEC HIDS server on Windows')
}
if $manage_repos {
# TODO: Allow filtering of EPEL requirement
class { 'wazuh::repo': redhat_manage_epel => $manage_epel_repo }
if $::osfamily == 'Debian' {
Class['wazuh::repo'] -> Class['apt::update'] -> Package[$wazuh::params::server_package]
} else {
Class['wazuh::repo'] -> Package[$wazuh::params::server_package]
}
}
# install package
package { $wazuh::params::server_package:
ensure => $server_package_version, # lint:ignore:security_package_pinned_version
}
file {
default:
owner => $wazuh::params::config_owner,
group => $wazuh::params::config_group,
mode => $wazuh::params::config_mode,
notify => Service[$wazuh::params::server_service],
require => Package[$wazuh::params::server_package];
$wazuh::params::shared_agent_config_file:
validate_cmd => $wazuh::params::validate_cmd_conf,
content => template($shared_agent_template);
'/var/ossec/etc/rules/local_rules.xml':
content => template($local_rules_template);
'/var/ossec/etc/decoders/local_decoder.xml':
content => template($local_decoder_template);
$wazuh::params::processlist_file:
content => template('wazuh/process_list.erb');
}
service { $wazuh::params::server_service:
ensure => running,
enable => true,
hasstatus => $wazuh::params::service_has_status,
pattern => $wazuh::params::server_service,
provider => $ossec_service_provider,
require => Package[$wazuh::params::server_package],
}
concat { 'ossec.conf':
path => $wazuh::params::config_file,
owner => $wazuh::params::config_owner,
group => $wazuh::params::config_group,
mode => $wazuh::params::config_mode,
require => Package[$wazuh::params::server_package],
notify => Service[$wazuh::params::server_service],
#validate_cmd => $wazuh::params::validate_cmd_conf, # not yet implemented, see https://github.com/wazuh/wazuh/issues/86
}
concat::fragment {
default:
target => 'ossec.conf',
notify => Service[$wazuh::params::server_service];
'ossec.conf_header':
order => 00,
content => "<ossec_config>\n";
'ossec.conf_agent':
order => 10,
content => template('wazuh/wazuh_manager.conf.erb');
'ossec.conf_footer':
order => 99,
content => '</ossec_config>';
}
if ( $manage_client_keys == 'export' ) {
concat { $wazuh::params::keys_file:
owner => $wazuh::params::keys_owner,
group => $wazuh::params::keys_group,
mode => $wazuh::params::keys_mode,
notify => Service[$wazuh::params::server_service],
require => Package[$wazuh::params::server_package],
}
concat::fragment { 'var_ossec_etc_client.keys_end' :
target => $wazuh::params::keys_file,
order => 99,
content => "\n",
notify => Service[$wazuh::params::server_service]
}
# A separate module to avoid storeconfigs warnings when not managing keys
include wazuh::collect_agent_keys
}
if ( $manage_client_keys == 'authd') {
# TODO: ensure the authd service is started if manage_client_keys == authd
# (see https://github.com/wazuh/wazuh/issues/80)
file { $wazuh::params::authd_pass_file:
owner => $wazuh::params::keys_owner,
group => $wazuh::params::keys_group,
mode => $wazuh::params::keys_mode,
content => $agent_auth_password,
require => Package[$wazuh::params::server_package],
}
}
# https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-manager-via-ssl
if $wazuh_manager_verify_manager_ssl {
if ($wazuh_manager_server_crt != undef) and ($wazuh_manager_server_key != undef) {
validate_string(
$wazuh_manager_server_crt, $wazuh_manager_server_key
)
file { '/var/ossec/etc/sslmanager.key':
content => $wazuh_manager_server_key,
owner => 'root',
group => 'ossec',
mode => '0640',
require => Package[$wazuh::params::server_package],
notify => Service[$wazuh::params::server_service],
}
file { '/var/ossec/etc/sslmanager.cert':
content => $wazuh_manager_server_crt,
owner => 'root',
group => 'ossec',
mode => '0640',
require => Package[$wazuh::params::server_package],
notify => Service[$wazuh::params::server_service],
}
}
}
### Wazuh API
if $install_wazuh_api {
validate_bool($manage_nodejs)
if $manage_nodejs {
validate_string($nodejs_repo_url_suffix)
class { '::nodejs': repo_url_suffix => $nodejs_repo_url_suffix }
Class['nodejs'] -> Package[$wazuh::params::api_package]
}
package { $wazuh::params::api_package:
ensure => $api_package_version, # lint:ignore:security_package_pinned_version
}
if $wazuh_api_enable_https {
validate_string($wazuh_api_server_crt, $wazuh_api_server_key)
file { '/var/ossec/api/configuration/ssl/server.key':
content => $wazuh_api_server_key,
owner => 'root',
group => 'ossec',
mode => '0600',
require => Package[$wazuh::params::api_package],
notify => Service[$wazuh::params::api_service],
}
file { '/var/ossec/api/configuration/ssl/server.crt':
content => $wazuh_api_server_crt,
owner => 'root',
group => 'ossec',
mode => '0600',
require => Package[$wazuh::params::api_package],
notify => Service[$wazuh::params::api_service],
}
}
# wazuh-api config.js
# this hash is currently only covering the basic config section of config.js
# TODO: allow customization of the entire config.js
# for reference: https://documentation.wazuh.com/current/user-manual/api/configuration.html
file { '/var/ossec/api/configuration/config.js':
content => template($api_config_template),
owner => 'root',
group => 'ossec',
mode => '0750',
require => Package[$wazuh::params::api_package],
notify => Service[$wazuh::params::api_service],
}
service { $wazuh::params::api_service:
ensure => running,
enable => true,
hasstatus => $wazuh::params::service_has_status,
pattern => $wazuh::params::api_service,
provider => $api_service_provider,
require => Package[$wazuh::params::api_package],
}
}
# Manage firewall
if $manage_firewall {
include firewall
firewall { '1514 wazuh-manager':
dport => $ossec_server_port,
proto => $ossec_server_protocol,
action => 'accept',
state => [
'NEW',
'RELATED',
'ESTABLISHED'],
}
}
}
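Review bot: the `file` resources that carry secrets (`$wazuh::params::authd_pass_file` with `content => $agent_auth_password`, `/var/ossec/etc/sslmanager.key` and `/var/ossec/api/configuration/ssl/server.key`) have no `show_diff => false`, so the shared registration password and the private keys are written to agent output and Puppet reports every time their content changes; add `show_diff => false` to each of them. Two smaller points in the same hunk: `firewall { '1514 wazuh-manager': ... }` only opens `$ossec_server_port`, so with `$manage_firewall` true and `$manage_client_keys == 'authd'` the registration port `$ossec_auth_port` (1515) stays closed, and the comment above `validate_array($ossec_ignorepaths)` says the call is commented out when it no longer is. The `config.js` resource is also `mode => '0750'` where the other configuration files use `0640`; a config file does not need the execute bit.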


@@ -0,0 +1,49 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh API installation
class wazuh::wazuh_api (
$wazuh_api_package = 'wazuh-api',
$wazuh_api_service = 'wazuh-api',
$wazuh_api_version = '3.10.2-1',
$nodejs_package = 'nodejs'
){
if $::osfamily == 'Debian' {
exec { 'Updating repositories...':
path => '/usr/bin',
command => 'curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -',
}
package { $nodejs_package:
provider => 'apt',
}
package { $wazuh_api_package:
ensure => $wazuh_api_version,
provider => 'apt',
}
}else{
exec { 'Updating repositories...':
path => '/usr/bin',
command => 'curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -',
}
package { $nodejs_package:
provider => 'yum',
}
package { $wazuh_api_package:
ensure => $wazuh_api_version,
provider => 'yum',
}
}
service { 'wazuh-api':
ensure => running,
enable => true,
provider => 'systemd',
}
}
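Review bot: both `exec { 'Updating repositories...': ... }` resources pipe a remote script (`curl ... setup_8.x | bash -`) into a root shell on every agent run, because there is no `creates`, `unless` or `refreshonly` guard; that is non-idempotent and a software-supply-chain exposure, and `sudo -E` is redundant when the Puppet agent already runs as root. Prefer declaring the NodeSource repository with `apt::source` / `yumrepo` together with its GPG key, or at minimum guard the exec with `creates` pointing at the repository file the script writes. In the same hunk, `$wazuh_api_service` is declared but the service is titled with the literal `'wazuh-api'`, and neither the `package` resources nor the `service` carry `require` edges to the exec and package they depend on, so ordering relies on manifest order alone.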


@@ -1,13 +1,38 @@
{
"name": "wazuh-wazuh",
"version": "3.9.1",
"version": "3.10.2",
"author": "WAZUH",
"summary": "Install and configure Wazuh-HIDS client and server",
"license": "Apache-2.0",
"source": "https://github.com/wazuh/wazuh-puppet",
"project_page": "https://github.com/wazuh/wazuh-puppet",
"issues_url": "https://github.com/wazuh/wazuh-puppet/issues",
"tags": ["ossec", "hids", "3.9", "wazuh"],
"dependencies": [
{
"name": "puppetlabs/stdlib",
"version_requirement": ">= 1.0.0 < 7.0.0"
},
{
"name": "puppetlabs/concat",
"version_requirement": ">= 1.0.0 < 7.0.0"
},
{
"name": "puppetlabs/apt",
"version_requirement": ">= 2.0.0 < 8.0.0"
},
{
"name": "puppet/selinux",
"version_requirement": ">= 0.8.0 < 4.0.0"
},
{
"name": "puppet/nodejs",
"version_requirement": ">= 3.0.0 < 8.0.0"
},
{
"name": "puppetlabs/firewall",
"version_requirement": ">= 1.7.0 < 3.0.0"
}
],
"operatingsystem_support": [
{
"operatingsystem": "Windows",
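Review bot: `stahnma/epel` is missing from the new `dependencies` array even though it was listed in the old `requirements` block further down this file, while the manager class in this commit still passes `redhat_manage_epel => $manage_epel_repo` to `wazuh::repo`; if `wazuh::repo` still declares the `epel` class on RedHat, the module will not resolve from the Forge without that dependency. Either keep `stahnma/epel` (or its `puppet/epel` successor) here or remove the EPEL handling from `wazuh::repo`.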
@@ -21,7 +46,7 @@
"Windows 10"
]
},
{
{
"operatingsystem": "CentOS",
"operatingsystemrelease": [
"5",
@@ -43,7 +68,7 @@
"22",
"23",
"24",
"25"
"25"
]
},
{
@@ -55,7 +80,7 @@
"Wily",
"Xenial",
"Yakketi",
"Bionic"
"Bionic"
]
},
{
@@ -68,34 +93,19 @@
]
}
],
"dependencies": [
"requirements": [
{
"name": "puppetlabs/stdlib",
"version_range": ">= 1.0.0"
},
{
"name": "puppetlabs/concat",
"version_range": ">= 1.0.0"
},
{
"name": "stahnma/epel",
"version_range": ">= 1.0.0"
},
{
"name": "puppetlabs/apt",
"version_range": ">= 2.0.0"
},
{
"name": "puppet/selinux",
"version_range": ">= 0.8.0"
},
{
"name": "puppet/nodejs",
"version_range": ">= 3.0.0 < 4.0.0"
},
{
"name": "puppetlabs/firewall",
"version_range": ">= 1.7.0"
"name": "puppet",
"version_requirement": ">= 6.0.0 < 7.0.0"
}
]
],
"tags": [
"ossec",
"hids",
"3.10",
"wazuh"
],
"pdk-version": "1.10.0",
"template-url": "file:///opt/puppetlabs/pdk/share/cache/pdk-templates.git#1.10.0",
"template-ref": "1.10.0-0-gbba9ac3"
}
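Review bot: the `requirements` block now pins `puppet` to `>= 6.0.0 < 7.0.0`, yet the manager class in this same commit still relies on stdlib's `validate_bool`, `validate_array` and `validate_string` next to typed parameters such as `Boolean $manage_firewall`; those `validate_*` functions are deprecated across the stdlib range allowed by `>= 1.0.0 < 7.0.0` and only produce warnings under the spec helper's `strict = :warning`. Convert the remaining untyped parameters to Puppet data types so the `validate_*` calls can go, and tighten the stdlib lower bound to a version that actually provides the functions the module uses.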


@@ -1,38 +1,41 @@
require 'spec_helper'
describe 'wazuh::client' do
describe 'wazuh::agent' do
on_supported_os.each do |os, facts|
context "on #{os}" do
let (:facts) do
facts.merge({ :concat_basedir => '/dummy' })
let(:facts) do
facts.merge(concat_basedir: '/dummy')
end
context 'with defaults for all parameters' do
it do
expect { is_expected.to compile.with_all_deps }.to raise_error(/must pass either/)
expect { is_expected.to compile.with_all_deps }.to raise_error(%r{must pass either})
end
end
context 'with ossec_server_ip' do
let (:params) do
context 'with ossec_ip' do
let(:params) do
{
:ossec_server_ip => '127.0.0.1',
ossec_ip: '127.0.0.1',
}
end
it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('wazuh::client') }
it { is_expected.not_to contain_Concat__Fragment('ossec.conf_10').with_content(/<server-hostname>local.test<\/server-hostname>/) }
it { is_expected.to contain_Concat__Fragment('ossec.conf_10').with_content(/<server-ip>127.0.0.1<\/server-ip>/) }
it { is_expected.to contain_class('wazuh::agent') }
it { is_expected.not_to contain_Concat__Fragment('ossec.conf_10').with_content(%r{/<server-hostname>local.test<\/server-hostname>/}) }
it { is_expected.to contain_Concat__Fragment('ossec.conf_10').with_content(%r{/<server-ip>127.0.0.1<\/server-ip>/}) }
end
context 'with ossec_server_hostname' do
let (:params) do
let(:params) do
{
:ossec_server_hostname => 'local.test',
ossec_server_hostname: 'local.test',
}
end
it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('wazuh::client') }
it { is_expected.not_to contain_Concat__Fragment('ossec.conf_10').with_content(/<server-ip>127.0.0.1<\/server-ip>/) }
it { is_expected.to contain_Concat__Fragment('ossec.conf_10').with_content(/<server-hostname>local.test<\/server-hostname>/) }
it { is_expected.to contain_class('wazuh::wazuh-agent') }
it { is_expected.not_to contain_Concat__Fragment('ossec.conf_10').with_content(%r{/<server-ip>127.0.0.1<\/server-ip>/}) }
it { is_expected.to contain_Concat__Fragment('ossec.conf_10').with_content(%r{/<server-hostname>local.test<\/server-hostname>/}) }
end
end
end
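Review bot: the `%r{...}` conversion of the `with_content` expectations kept the original `/.../` delimiters inside the braces, so `%r{/<server-ip>127.0.0.1<\/server-ip>/}` now matches a literal leading and trailing `/`; the positive expectation on `ossec.conf_10` can never pass and the `not_to` ones pass vacuously. Drop the inner slashes, e.g. `%r{<server-ip>127.0.0.1</server-ip>}`. In the `ossec_server_hostname` context, `contain_class('wazuh::wazuh-agent')` does not match the `wazuh::agent` class named in the `describe` (a hyphen is not valid in a class name), and the two contexts pass `ossec_ip` and `ossec_server_hostname` respectively; check both parameter names against the agent class.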


@@ -2,7 +2,8 @@ require 'spec_helper'
describe 'ossec' do
on_supported_os.each do |os, facts|
context "on #{os}" do
let (:facts) { facts }
let(:facts) { facts }
context 'with defaults for all parameters' do
it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('ossec') }


@@ -1,24 +1,26 @@
require 'spec_helper'
describe 'wazuh::server' do
describe 'wazuh::manager' do
on_supported_os.each do |os, facts|
context "on #{os}" do
let (:facts) do
facts.merge({ :concat_basedir => '/dummy' })
let(:facts) do
facts.merge(concat_basedir: '/dummy')
end
context 'with defaults for all parameters' do
it do
expect { is_expected.to compile.with_all_deps }.to raise_error(/Must pass smtp_server/)
expect { is_expected.to compile.with_all_deps }.to raise_error(%r{Must pass smtp_server})
end
end
context 'with valid paramaters' do
let (:params) do
let(:params) do
{
:smtp_server => '127.0.0.1',
:ossec_emailto => 'root@localhost.localdomain',
smtp_server: '127.0.0.1',
ossec_emailto: 'root@localhost.localdomain',
}
end
it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('wazuh::server') }
it { is_expected.to contain_class('wazuh::manager') }
end
end
end
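Review bot: the `with defaults for all parameters` example expects `raise_error(%r{Must pass smtp_server})`, but the manager class in this commit fails with `'$ossec_emailnotification is enabled but $smtp_server was not set'`, so the regexp will not match. In the `with valid paramaters` context (typo for "parameters"), `ossec_emailto` is passed as a String while the class calls `validate_array($ossec_emailto)`, so that example fails as well unless the value is wrapped in an array.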


@@ -1,23 +1,47 @@
dir = File.expand_path(File.dirname(__FILE__))
$LOAD_PATH.unshift File.join(dir, 'lib')
require 'mocha'
require 'puppet'
require 'rspec'
require 'rspec-puppet-facts'
require 'puppetlabs_spec_helper/module_spec_helper'
require 'rspec-puppet-facts'
require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb'))
include RspecPuppetFacts
#require 'spec/autorun'
default_facts = {
puppetversion: Puppet.version,
facterversion: Facter.version,
}
#Spec::Runner.configure do |config|
RSpec.configure do |config|
config.mock_with :mocha
default_fact_files = [
File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')),
File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')),
]
default_fact_files.each do |f|
next unless File.exist?(f) && File.readable?(f) && File.size?(f)
begin
default_facts.merge!(YAML.safe_load(File.read(f), [], [], true))
rescue => e
RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}"
end
end
# We need this because the RAL uses 'should' as a method. This
# allows us the same behaviour but with a different method name.
#class Object
# alias :must :should
#end
RSpec.configure do |c|
c.default_facts = default_facts
c.before :each do
# set to strictest setting for testing
# by default Puppet runs at warning level
Puppet.settings[:strict] = :warning
end
c.filter_run_excluding(bolt: true) unless ENV['GEM_BOLT']
c.after(:suite) do
end
end
def ensure_module_defined(module_name)
module_name.split('::').reduce(Object) do |last_module, next_module|
last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false)
last_module.const_get(next_module, false)
end
end
# 'spec_overrides' from sync.yml will appear below this line
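Review bot: the comment `set to strictest setting for testing` above `Puppet.settings[:strict] = :warning` is misleading, since `:error` is the strictest value and `:warning` only warns about the deprecated `validate_*` calls the manifests still make; either set `:error` or fix the comment. The file also ends up with two `RSpec.configure` blocks (the hand-written one holding `config.mock_with :mocha` and the PDK-generated one) and requires `rspec-puppet-facts` twice; fold the mocha setting into the generated block and drop the duplicate require.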


@@ -0,0 +1,63 @@
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>


@@ -0,0 +1,89 @@
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: <%= @elasticsearch_cluster_name %>
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: <%= @elasticsearch_node_name %>
#
# Add custom attributes to the node:
#
node.master: <%= @elasticsearch_node_master %>
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: <%= @elasticsearch_path_data %>
#
# Path to log files:
#
path.logs: <%= @elasticsearch_path_logs %>
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: <%= @elasticsearch_ip %>
#
# Set a custom port for HTTP:
#
http.port: <%= @elasticsearch_port %>
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
<%= @elasticsearch_cluster_initial_master_nodes %>
<%= @elasticsearch_discovery_option %>
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
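Review bot: `network.host: <%= @elasticsearch_ip %>` binds the node to whatever address is supplied and the template carries no HTTP/transport TLS or authentication settings, so unless `@elasticsearch_ip` is a loopback address the cluster, and every Wazuh alert stored in it, is reachable unauthenticated from the network; state that assumption in the template or add the security settings and restrict `http.port` through the module's firewall handling. Also `<%= @elasticsearch_cluster_initial_master_nodes %>` and `<%= @elasticsearch_discovery_option %>` are emitted raw, so callers must pass complete `key: value` lines; a one-line comment saying so would prevent a confusing startup failure.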


@@ -0,0 +1,58 @@
# Wazuh - Filebeat configuration file
filebeat.inputs:
- type: log
paths:
- '/var/ossec/logs/alerts/alerts.json'
setup.template.json.enabled: true
setup.template.json.path: "/etc/filebeat/wazuh-template.json"
setup.template.json.name: "wazuh"
setup.template.overwrite: true
processors:
- decode_json_fields:
fields: ['message']
process_array: true
max_depth: 200
target: ''
overwrite_keys: true
- drop_fields:
fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
- rename:
fields:
- from: "data.aws.sourceIPAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.srcip"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.win.eventdata.ipAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
# Send events directly to Elasticsearch
output.elasticsearch:
hosts: [<%= @elasticsearch_server_ip %>]
#pipeline: geoip
indices:
- index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
# Optional. Send events to Logstash instead of Elasticsearch
#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
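Review bot: `output.elasticsearch` ships alerts in cleartext without credentials (no `protocol: https`, `username`/`password` or `ssl.*` settings), which matches the unsecured Elasticsearch template in this commit but should be called out, because alert data crossing the network unauthenticated can be read or altered in transit. `setup.template.json.path: "/etc/filebeat/wazuh-template.json"` also assumes that file exists; make sure a manifest in this commit manages it, since Filebeat errors out when loading the index template otherwise. Finally, `hosts: [<%= @elasticsearch_server_ip %>]` should quote the interpolated value so IPv6 addresses or `host:port` strings remain valid YAML.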


@@ -1,30 +1,18 @@
<!-- Client Authentication Settings -->
<auth>
<%- if @manage_client_keys == 'authd' -%>
<disabled>no</disabled>
<disabled><%= @ossec_auth_disabled %></disabled>
<port><%= @ossec_auth_port %></port>
<%- if @ossec_auth_ssl_ca -%>
<ssl_agent_ca><%= @ossec_auth_ssl_ca%></ssl_agent_ca>
<%- end -%>
<%- if @ossec_auth_ssl_cert -%>
<ssl_manager_cert><%= @ossec_auth_ssl_cert%></ssl_manager_cert>
<%- end -%>
<%- if @ossec_auth_ssl_key -%>
<ssl_manager_key><%= @ossec_auth_ssl_key%></ssl_manager_key>
<%- end -%>
<%- if @ossec_auth_use_srcip -%>
<use_source_ip>yes</use_source_ip>
<%- end -%>
<%- if @ossec_auth_use_password -%>
<use_password>yes</use_password>
<%- end -%>
<%- if @ossec_auth_force_insert -%>
<force_insert>yes</force_insert>
<%- end -%>
<%- if @ossec_auth_purge -%>
<purge>yes</purge>
<%- end -%>
<%- else -%>
<disabled>yes</disabled>
<%- end -%>
<use_source_ip><%= @ossec_auth_use_source_ip %></use_source_ip>
<force_insert><%= @ossec_auth_force_insert %></force_insert>
<force_time><%= @ossec_auth_force_time %></force_time>
<purge><%= @ossec_auth_purgue %></purge>
<use_password><%= @ossec_auth_use_password %></use_password>
<limit_maxagents><%= @ossec_auth_limit_maxagents %></limit_maxagents>
<ciphers><%= @ossec_auth_ciphers %></ciphers>
<ssl_verify_host><%= @ossec_auth_ssl_verify_host %></ssl_verify_host>
<ssl_manager_cert><%= @ossec_auth_ssl_manager_cert %></ssl_manager_cert>
<ssl_manager_key><%= @ossec_auth_ssl_manager_key %></ssl_manager_key>
<ssl_auto_negotiate><%= @ossec_auth_ssl_auto_negotiate %></ssl_auto_negotiate>
</auth>
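Review bot: the instance variables in the new `<auth>` block do not line up with the manager class parameters earlier in this commit: the template reads `@ossec_auth_use_source_ip`, `@ossec_auth_ssl_manager_cert`, `@ossec_auth_ssl_manager_key` and the misspelt `@ossec_auth_purgue`, while the class declares `$ossec_auth_use_srcip`, `$ossec_auth_ssl_cert`, `$ossec_auth_ssl_key` and `$ossec_auth_purge`, so each of those elements renders empty. Removing the `<%- if @manage_client_keys == 'authd' -%>` guard also means the full authd configuration is now emitted unconditionally and `<disabled>` no longer defaults to `yes` when keys are managed another way; re-add the guard or make sure `@ossec_auth_disabled` defaults to `yes` in the class.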


@@ -1,17 +1,35 @@
<cluster>
<name><%= @cl_name %></name>
<node_name><%= @cl_node_name %></node_name>
<node_type><%= @cl_node_type %></node_type>
<% if @cl_key != '' -%>
<key><%= @cl_key %></key>
<% end -%>
<port><%= @cl_port %></port>
<bind_addr><%= @cl_bin_addr %></bind_addr>
<nodes>
<% @cl_node.each do |node| %>
<node><%= node %></node>
<% end %>
</nodes>
<hidden><%= @cl_hidden %></hidden>
<disabled><%= @cl_disabled %></disabled>
<% if @ossec_cluster_name -%>
<name><%=@ossec_cluster_name%></name>
<% end -%>
<% if @ossec_cluster_node_name -%>
<node_name><%=@ossec_cluster_node_name%></node_name>
<% end -%>
<% if @ossec_cluster_node_type -%>
<node_type><%=@ossec_cluster_node_type%></node_type>
<% end -%>
<% if @ossec_cluster_key -%>
<key><%=@ossec_cluster_key%></key>
<% end -%>
<% if @ossec_cluster_port -%>
<port><%=@ossec_cluster_port%></port>
<% end -%>
<% if @ossec_cluster_bind_addr -%>
<bind_addr><%=@ossec_cluster_bind_addr%></bind_addr>
<% end -%>
<% if @ossec_cluster_nodes -%>
<nodes>
<% @ossec_cluster_nodes.each do |node| -%>
<node><%= node %></node>
<% end -%>
</nodes>
<% end -%>
<% if @ossec_cluster_hidden -%>
<hidden><%=@ossec_cluster_hidden %></hidden>
<% end -%>
<% if @ossec_cluster_disabled -%>
<disabled><%=@ossec_cluster_disabled%></disabled>
<% end -%>
</cluster>
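Review bot: replacing the old `<% if @cl_key != '' -%>` guard with plain truthiness checks such as `<% if @ossec_cluster_key -%>` changes behaviour, because an empty String is truthy in Ruby; any of these parameters that defaults to `''` now renders an empty element (`<key></key>`, `<bind_addr></bind_addr>`), which the cluster daemon will reject or misread. Use `unless @ossec_cluster_key.to_s.empty?` (or `!= ''`) for each guard, and note that `<key>` is the cluster's shared secret, so the concat resource that receives this fragment should not expose diffs.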


@@ -4,3 +4,4 @@
<expect><%= @command_expect %></expect>
<timeout_allowed><%= @command_timeout_allowed %></timeout_allowed>
</command>


@@ -1,103 +0,0 @@
<!-- Most of these rules are defined in the shared agent config -->
<syscheck>
<!-- Frequency that syscheck is executed -->
<frequency><%= @ossec_syscheck_frequency %></frequency>
<scan_on_start>yes</scan_on_start>
<alert_new_files>yes</alert_new_files>
<auto_ignore><%= @ossec_auto_ignore %></auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<%- @ossec_scanpaths.each do |scanpath| -%> <directories check_all="yes" report_changes="<%= scanpath["report_changes"] %>" realtime="<%= scanpath['realtime'] %>" whodata="<%= scanpath['whodata'] || 'no' %>"><%= scanpath['path'] %></directories>
<%- end -%>
<!-- Files/directories to ignore (parameterized) -->
<%- @ossec_ignorepaths.each do |path| -%>
<ignore><%= path %></ignore>
<%- end -%>
<% @ossec_ignorepaths_regex.each do |path| -%>
<ignore type="sregex"><%= path %></ignore>
<% end -%>
<%- if @ossec_prefilter == true then %>
<prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>
<%- end -%>
</syscheck>
<%- if @ossec_rootcheck == false then -%>
<rootcheck>
<disabled>yes</disabled>
<rootcheck>
<%- if @ossec_rootcheck_frequency then -%>
<frequency><%= @ossec_rootcheck_frequency %></frequency>
<%- end -%>
<%- if @ossec_rootcheck_checkports == false then -%>
<check_ports>no</check_ports>
<%- end -%>
<%- if @ossec_rootcheck_checkfiles == false then -%>
<check_files>no</check_files>
<%- end -%>
</rootcheck>
<%- end -%>
<%- if @ar_repeated_offenders != '' and @ossec_active_response -%>
<active-response>
<repeated_offenders><%= @ar_repeated_offenders %></repeated_offenders>
</active-response>
<%- elsif !@ossec_active_response -%>
<active-response>
<disabled>yes</disabled>
</active-response>
<%- end -%>
<!-- Files to monitor (localfiles) -->
<%- @ossec_local_files.each do |localfile| -%>
<localfile>
<log_format><%= localfile['log_format'] %></log_format>
<%- if localfile.key?('location') -%>
<location><%= localfile['location'] %></location>
<%- end -%>
<%- if localfile.key?('frequency') -%>
<frequency><%= localfile['frequency'] %></frequency>
<%- end -%>
<%- if localfile.key?('query') -%>
<query><%= localfile['query'] %></query>
<%- end -%>
<%- if localfile.key?('command') -%>
<command><%= localfile['command'] %></command>
<%- end -%>
<%- if localfile.key?('alias') -%>
<alias><%= localfile['alias'] %></alias>
<%- end -%>
<%- if localfile.key?('label') -%>
<label <%- if localfile['label'].key?('attributes') and localfile['label']['attributes'].key?('key') -%>key="<%= localfile['label']['attributes']['key'] %>"<%- end -%> ><%= localfile['label']['value']%></label>
<%- end -%>
<%- if localfile.key?('only-future-events') -%>
<only-future-events><%= localfile['only-future-events'] %></only-future-events>
<%- end -%>
<%- if localfile.key?('target') -%>
<target><%= localfile['target'] %></target>
<%- end -%>
<%- if localfile.key?('out_format') -%>
<out_format <%- if localfile['out_format'].key?('attributes') and localfile['out_format']['attributes'].key?('target') -%>target="<%= localfile['out_format']['attributes']['target'] %>"<%- end -%> ><%= localfile['out_format']['value'] %></out_format>
<%- end -%>
</localfile>
<%- end %>
<%- if @kernel == 'Linux' -%>
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<%- end %>
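Review bot: this deleted template was the only place in the shown diff that rendered `<syscheck>` (frequency, `scan_on_start`, the `<directories>` loop over `@ossec_scanpaths`, the `<ignore>` lists and `<prefilter_cmd>`) and the `@ossec_active_response` / `@ar_repeated_offenders` handling; the `<localfile>` part reappears in the rewritten localfile template, but no replacement for the syscheck and repeated-offenders sections is visible in this commit. Confirm they are generated elsewhere before merging, otherwise managed hosts lose their file integrity monitoring configuration.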


@@ -0,0 +1,7 @@
<active-response>
<disabled>no</disabled>
<ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>
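Review bot: `<disabled>no</disabled>` turns active response on unconditionally, whereas the manager class still validates an `$ossec_active_response` boolean and the deleted template emitted `<disabled>yes</disabled>` when it was false; wire this fragment to that parameter so operators can still switch automatic blocking off. `<ca_verification>yes</ca_verification>` with `<ca_store>/var/ossec/etc/wpk_root.pem</ca_store>` is the right default for signed WPK upgrades and should stay.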


@@ -12,7 +12,9 @@
<% if @in_level != '' -%>
<level><%= @in_level %></level>
<% end %>
<group><%= @in_group %></group>
<% if @in_group != '' -%>
<group><%= @in_group %></group>
<% end %>
<% if @in_location != '' -%>
<event_location><%= @in_location %></event_location>
<% end %>
@@ -20,4 +22,6 @@
<% if @in_max_log != '' -%>
<max_log><%= @in_max_log %></max_log>
<% end %>
</integration>
</integration>


@@ -1,15 +1,53 @@
<%- @ossec_local_files.each do |localfile| -%>
<localfile>
<log_format><%= @logtype %></log_format>
<%- if @logfile -%>
<location><%= @logfile %></location>
<log_format><%= localfile['log_format'] %></log_format>
<%- if localfile.key?('location') -%>
<location><%= localfile['location'] %></location>
<%- end -%>
<%- if @logcommand -%>
<command><%= @logcommand %> </command>
<%- if localfile.key?('frequency') -%>
<frequency><%= localfile['frequency'] %></frequency>
<%- end -%>
<%- if @commandalias -%>
<alias><%= @commandalias %> </alias>
<%- if localfile.key?('query') -%>
<query><%= localfile['query'] %></query>
<%- end -%>
<%- if @frequency -%>
<frequency><%= @frequency %></frequency>
<%- if localfile.key?('command') -%>
<command><%= localfile['command'] %></command>
<%- end -%>
</localfile>
<%- if localfile.key?('alias') -%>
<alias><%= localfile['alias'] %></alias>
<%- end -%>
<%- if localfile.key?('label') -%>
<label <%- if localfile['label'].key?('attributes') and localfile['label']['attributes'].key?('key') -%>key="<%= localfile['label']['attributes']['key'] %>"<%- end -%> ><%= localfile['label']['value']%></label>
<%- end -%>
<%- if localfile.key?('only-future-events') -%>
<only-future-events><%= localfile['only-future-events'] %></only-future-events>
<%- end -%>
<%- if localfile.key?('target') -%>
<target><%= localfile['target'] %></target>
<%- end -%>
<%- if localfile.key?('out_format') -%>
<out_format <%- if localfile['out_format'].key?('attributes') and localfile['out_format']['attributes'].key?('target') -%>target="<%= localfile['out_format']['attributes']['target'] %>"<%- end -%> ><%= localfile['out_format']['value'] %></out_format>
<%- end -%>
</localfile>
<%- end %>
<%- if @kernel == 'Linux' -%>
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<%- end %>
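Review bot: the Linux block appended at the end hard-codes `netstat -tulpn` (from net-tools) and `last -n 20`; on distributions that no longer ship net-tools the `full_command` fails every 360 seconds and produces noisy error events instead of the listening-ports inventory, so declare the `net-tools` package alongside the agent where this fragment is used. The `<label ... >` and `<out_format ... >` lines also leave a stray space before `>`; valid XML, but worth tidying while the template is being rewritten.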


@@ -0,0 +1,17 @@
<localfile>
<log_format><%= @logtype %></log_format>
<%- if @logfile -%>
<location><%= @logfile %></location>
<%- end -%>
<%- if @logcommand -%>
<command><%= @logcommand %> </command>
<%- end -%>
<%- if @commandalias -%>
<alias><%= @commandalias %> </alias>
<%- end -%>
<%- if @frequency -%>
<frequency><%= @frequency %></frequency>
<%- end -%>
</localfile>
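Review bot: `<command><%= @logcommand %> </command>` and `<alias><%= @commandalias %> </alias>` carry a trailing space before the closing tag, so the command string handed to the agent ends in a blank and the alias differs from what operators type when searching alerts; drop the space in both.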


@@ -26,3 +26,4 @@
<showlogs><%= @r_showlogs %></showlogs>
<%- end -%>
</reports>


@@ -0,0 +1,47 @@
<%- if @kernel == 'Linux' -%>
<rootcheck>
<% if @ossec_rootcheck_disabled -%>
<disabled><%= @ossec_rootcheck_disabled %></disabled>
<%- end -%>
<% if @ossec_rootcheck_check_files -%>
<check_files><%= @ossec_rootcheck_check_files %></check_files>
<%- end -%>
<% if @ossec_rootcheck_check_trojans-%>
<check_trojans><%= @ossec_rootcheck_check_trojans %></check_trojans>
<%- end -%>
<% if @ossec_rootcheck_check_dev -%>
<check_dev><%= @ossec_rootcheck_check_dev %></check_dev>
<%- end -%>
<% if @ossec_rootcheck_check_sys -%>
<check_sys><%= @ossec_rootcheck_check_sys %></check_sys>
<%- end -%>
<% if @ossec_rootcheck_check_pids -%>
<check_pids><%= @ossec_rootcheck_check_pids %></check_pids>
<%- end -%>
<% if @ossec_rootcheck_check_ports -%>
<check_ports><%= @ossec_rootcheck_check_ports %></check_ports>
<%- end -%>
<% if @ossec_rootcheck_check_if -%>
<check_if><%= @ossec_rootcheck_check_if %></check_if>
<%- end -%>
<% if @ossec_rootcheck_frequency-%>
<frequency><%= @ossec_rootcheck_frequency %></frequency>
<%- end -%>
<% if @ossec_rootcheck_rootkit_files-%>
<rootkit_files><%= @ossec_rootcheck_rootkit_files %></rootkit_files>
<%- end -%>
<% if @ossec_rootcheck_rootkit_trojans-%>
<rootkit_trojans><%= @ossec_rootcheck_rootkit_trojans %></rootkit_trojans>
<%- end -%>
<% if @ossec_rootcheck_skip_nfs-%>
<skip_nfs><%= @ossec_rootcheck_skip_nfs%></skip_nfs>
<%- end -%>
</rootcheck>
<%- else -%>
<!-- Rootcheck files (static) -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<%- end -%>
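Review bot: the Linux branch mixes `<% if ... -%>` with `<%- end -%>` and in three places omits the space before the trim marker (`@ossec_rootcheck_check_trojans-%>`, `@ossec_rootcheck_frequency-%>`, `@ossec_rootcheck_rootkit_files-%>`); ERB still parses these, but the un-trimmed opening tags leave indentation-only lines and the missing spaces read as a subtraction. The guards are also plain truthiness checks, so a parameter explicitly set to `''` still renders an empty element such as `<frequency></frequency>`; use `!= ''` as the integration template does if empty-string defaults are in play.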


@@ -1,25 +0,0 @@
<!-- Rootcheck files (static) -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency><%= @ossec_rootcheck_frequency %></frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>
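Review bot: this deletion drops `<check_unixaudit>yes</check_unixaudit>` and the five `<system_audit>` entries (system_audit_rcl, system_audit_ssh and the three CIS files) without an equivalent in the parameterised `_rootcheck.erb` above, which only exposes `check_*`, `frequency`, `rootkit_*` and `skip_nfs`. If the intent is that the new `_sca.erb` fragment takes over the CIS and system_audit policies, say so in the commit message; otherwise add `system_audit` handling to `_rootcheck.erb` before merging so Linux agents do not lose that coverage.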

View File

@@ -1,6 +0,0 @@
<!-- Rootcheck files (static) -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>

View File

@@ -0,0 +1,15 @@
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
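Review bot: this static fragment loses the `@rule_exclude` and `@decoder_exclude` loops that the manager template rendered inside `<ruleset>` (visible as removed lines in the manager ossec.conf hunk below), while `<rule_exclude>0215-policy_rules.xml</rule_exclude>` stays hard-coded. Keep the two loops here so operators can still exclude rules and decoders through class parameters rather than by editing the template.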

View File

@@ -0,0 +1,70 @@
<%- if @kernel == 'Linux' -%>
<%- if @apply_template_os == 'centos' -%>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy>cis_rhel7_linux_rcl.yml</policy>
<policy>system_audit_rcl.yml</policy>
<policy>system_audit_ssh.yml</policy>
<policy>system_audit_pw.yml</policy>
</policies>
</sca>
<%- elsif @apply_template_os =='amazon' -%>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy>system_audit_rcl.yml</policy>
<policy>system_audit_ssh.yml</policy>
<policy>system_audit_pw.yml</policy>
</policies>
</sca>
<%- elsif @apply_template_os =='rhel' -%>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<%- if @rhel_version == '7' -%>
<policy>cis_rhel7_linux_rcl.yml</policy>
<%- elsif @rhel_version =='6' -%>
<policy>cis_rhel6_linux_rcl.yml</policy>
<%- elsif @rhel_version =='5' -%>
<policy>cis_rhel5_linux_rcl.yml</policy>
<%- end -%>
<policy>system_audit_rcl.yml</policy>
<policy>system_audit_ssh.yml</policy>
<policy>system_audit_pw.yml</policy>
</policies>
</sca>
<%- else -%>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
<policies>
<policy>cis_debian_linux_rcl.yml</policy>
<%- if @debian_additional_templates == 'yes' -%>
<policy>cis_debianlinux7-8_L1_rcl.yml</policy>
<policy>cis_debianlinux7-8_L2_rcl.yml</policy>
<%- end -%>
<policy>system_audit_rcl.yml</policy>
<policy>system_audit_ssh.yml</policy>
<policy>system_audit_pw.yml</policy>
</policies>
</sca>
<%- end -%>
<%- end -%>
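Review bot: the `@rhel_version` branch emits no CIS policy at all when the version is anything other than '7', '6' or '5' (RHEL 8 falls through silently), so add an `else` that fails the compile or at least comments the gap, rather than shipping an SCA block with only the generic `system_audit_*` policies. The four `<sca>` blocks also repeat identical `<enabled>`, `<scan_on_start>`, `<interval>` and `<skip_nfs>` elements; emit that header once and branch only inside `<policies>`, and add the missing spaces in `=='amazon'`, `=='rhel'`, `=='6'` and `=='5'`.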

View File

@@ -1,5 +1,5 @@
<syscheck>
<!-- Default files to be monitored - system32 only. -->
<%- if @kernel == 'windows' -%>
<syscheck> <!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
@@ -82,4 +82,47 @@
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
</syscheck>
<%- else -%>
<syscheck>
<%- if @ossec_syscheck_disabled -%>
<disabled><%= @ossec_syscheck_disabled %></disabled>
<%- end -%>
<%- if @ossec_syscheck_frequency -%>
<frequency><%=@ossec_syscheck_frequency%></frequency>
<%- end -%>
<%- if @ossec_syscheck_scan_on_start -%>
<scan_on_start><%=@ossec_syscheck_scan_on_start%></scan_on_start>
<%- end -%>
<%- if @ossec_syscheck_alert_new_files -%>
<alert_new_files><%=@ossec_syscheck_alert_new_files%></alert_new_files>
<%- end -%>
<%- if @ossec_syscheck_auto_ignore -%>
<auto_ignore frequency="10" timeframe="3600"><%=@ossec_syscheck_auto_ignore%></auto_ignore>
<%- end -%>
<%- if @ossec_syscheck_directories_1 -%>
<directories check_all="yes"><%=@ossec_syscheck_directories_1%></directories>
<%- end -%>
<%- if @ossec_syscheck_directories_2 -%>
<directories check_all="yes"><%=@ossec_syscheck_directories_2%></directories>
<%- end -%>
<%- if @ossec_syscheck_ignore_list -%>
<%- @ossec_syscheck_ignore_list.each do |ignore_element| -%>
<ignore><%= ignore_element %></ignore>
<%- end -%>
<%- end -%>
<%- if @ossec_syscheck_ignore_type_1 -%>
<ignore type="sregex"><%=@ossec_syscheck_ignore_type_1%></ignore>
<%- end -%>
<%- if @ossec_syscheck_ignore_type_2 -%>
<ignore type="sregex"><%=@ossec_syscheck_ignore_type_2%></ignore>
<%- end -%>
<%- if @ossec_syscheck_nodiff -%>
<nodiff><%=@ossec_syscheck_nodiff%></nodiff>
<%- end -%>
<%- if @ossec_syscheck_skip_nfs -%>
<skip_nfs><%=@ossec_syscheck_skip_nfs%></skip_nfs>
<%- end -%>
</syscheck>
<%- end -%>
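Review bot: in the Linux branch every element, including both `<directories>` entries, sits inside an `if`, so an agent whose `@ossec_syscheck_directories_1`/`_2` are unset renders a `<syscheck>` block that monitors nothing, whereas the deleted `_syscheck_linux.erb` (next hunk) always watched /etc,/usr/bin,/usr/sbin,/bin,/sbin,/boot and ignored /etc/mtab and the other volatile files. Give those parameters defaults matching the old fragment, and check that `@ossec_syscheck_ignore_list` defaults to the old `<ignore>` set so FIM coverage does not regress. `<auto_ignore frequency="10" timeframe="3600">` also hard-codes its attributes while its value is a parameter, and tags such as `<%=@ossec_syscheck_frequency%>` need spaces inside the delimiters to match the rest of the template.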

View File

@@ -1,21 +0,0 @@
<syscheck>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/etc/puppetlabs/mcollective/facts.yaml</ignore>
<ignore>/etc/mcollective/facts.yaml</ignore>
</syscheck>

View File

@@ -0,0 +1,10 @@
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
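Review bot: every value in this wodle is a literal, including `<disabled>yes</disabled>` and the `wodles/java` and `wodles/ciscat` paths, so it cannot be turned on or pointed at an installed CIS-CAT without editing the module; expose at least `disabled` as a class parameter, the way the rootcheck and syscheck fragments do.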

View File

@@ -1,16 +1,18 @@
<wodle name="open-scap">
<disabled>no</disabled>
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<%- @wodle_openscap_content.each do |path, value| -%>
<content type="<%= value['type'] %>" path="<%= path %>">
<%- if value['profiles'] then -%>
<%- value['profiles'].each do |profile| -%>
<profile><%= profile %></profile>
<%- end -%>
<%- value['profiles'].each do |profile| -%>
<profile><%= profile %></profile>
<%- end -%>
<%- end -%>
</content>
<%- end -%>
</wodle>
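Review bot: keep the `<%- if value['profiles'] then -%>` guard around the profile loop; the unguarded `<%- value['profiles'].each do |profile| -%>` shown beneath it raises NoMethodError on nil for any `@wodle_openscap_content` entry that lists a `type` and no profiles, which aborts catalogue compilation for the whole node. Changing `<disabled>no</disabled>` to `yes` also means the content loop is rendered but never run by the agent; if the default is now off, say so in the class documentation next to `@enable_wodle_openscap`.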

View File

@@ -0,0 +1,9 @@
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
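Review bot: `<run_daemon>yes</run_daemon>` makes the agent start osqueryd itself once this wodle is enabled, so on a host where osquery is also installed as a system service two daemons would contend for `/etc/osquery/osquery.conf` and the results log; either document that the wodle owns the daemon or set `run_daemon` to `no` and let the service own it. As with the cis-cat fragment, `disabled` and both paths are literals rather than parameters.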

View File

@@ -0,0 +1,12 @@
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>

View File

@@ -0,0 +1,20 @@
<wodle name="vulnerability-detector">
<disabled>yes</disabled>
<interval>5m</interval>
<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<feed name="ubuntu-18">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
<feed name="redhat">
<disabled>yes</disabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</feed>
<feed name="debian-9">
<disabled>yes</disabled>
<update_interval>1h</update_interval>
</feed>
</wodle>
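Review bot: the detector and all three feeds are disabled, so this fragment contributes nothing until someone edits the template; since the scenario's base image is Debian 9 (`<base distro="Debian 9" type="server"/>` in scenario.xml) and a `debian-9` feed is already declared here, expose the module and that feed through parameters so the lab manager can actually report vulnerable packages. `<update_from_year>2010</update_from_year>` is set only for the `redhat` feed; if that asymmetry is deliberate, a comment would help.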

View File

@@ -0,0 +1,120 @@
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms<%= @jvm_options_memmory %>
-Xmx<%= @jvm_options_memmory %>
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
## G1GC Configuration
# NOTE: G1GC is only supported on JDK version 10 or later.
# To use G1GC uncomment the lines below.
# 10-:-XX:-UseConcMarkSweepGC
# 10-:-XX:-UseCMSInitiatingOccupancyOnly
# 10-:-XX:+UseG1GC
# 10-:-XX:InitiatingHeapOccupancyPercent=75
## DNS cache policy
# cache ttl in seconds for positive DNS lookups noting that this overrides the
# JDK security property networkaddress.cache.ttl; set to -1 to cache forever
-Des.networkaddress.cache.ttl=60
# cache ttl in seconds for negative DNS lookups noting that this overrides the
# JDK security property networkaddress.cache.negative ttl; set to -1 to cache
# forever
-Des.networkaddress.cache.negative.ttl=10
## optimizations
# pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch
## basic
# explicitly set the stack size
-Xss1m
# set to headless, just in case
-Djava.awt.headless=true
# ensure UTF-8 encoding by default (e.g. filenames)
-Dfile.encoding=UTF-8
# use our provided JNA always versus the system one
-Djna.nosys=true
# turn off a JDK optimization that throws away stack traces for common
# exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow
# flags to configure Netty
-Dio.netty.noUnsafe=true
-Dio.netty.noKeySetOptimization=true
-Dio.netty.recycler.maxCapacityPerThread=0
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
-Djava.io.tmpdir=${ES_TMPDIR}
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=/var/lib/elasticsearch
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log
## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:/var/log/elasticsearch/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m
# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
# due to internationalization enhancements in JDK 9 Elasticsearch need to set the provider to COMPAT otherwise
# time/date parsing will break in an incompatible way for some date patterns and locals
9-:-Djava.locale.providers=COMPAT
# temporary workaround for C2 bug with JDK 10 on hardware with AVX-512
10-:-XX:UseAVX=2
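Review bot: `@jvm_options_memmory` (used for both `-Xms` and `-Xmx`) misspells memory; rename the template variable and the matching class parameter to `jvm_options_memory` before it becomes a public interface. The rest of the file is the stock Elasticsearch jvm.options, so a header comment naming the Elasticsearch version it was copied from would also help, because the JDK-conditional lines (`8:`, `9-:`, `10-:`) change between releases.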

View File

@@ -0,0 +1,116 @@
# The default roles file is empty as the preferred method of defining roles is
# through the API/UI. File based roles are useful in error scenarios when the
# API based roles may not be available.
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: <%= @kibana_server_port %>
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: <%= @kibana_server_host %>
# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""
# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false
# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576
# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["<%= @kibana_elasticsearch_server_hosts %>"]
# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true
# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"
# The default application to load.
#kibana.defaultAppId: "home"
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
#elasticsearch.username: "user"
#elasticsearch.password: "pass"
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: full
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 30000
# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000
# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
#elasticsearch.logQueries: false
# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid
# Enables you specify a file where Kibana stores log output.
#logging.dest: stdout
# Set the value of this setting to true to suppress all logging output.
#logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false
# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false
# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000
# Specifies locale to be used for all localizable strings, dates and number formats.
#i18n.locale: "en"
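Review bot: the first three comment lines describe an empty roles file, not kibana.yml, and should be removed. `elasticsearch.hosts: ["<%= @kibana_elasticsearch_server_hosts %>"]` quotes the parameter as a single string, so an array value would render its Ruby inspect form inside the quotes; either document that the parameter is one URL or render it with `.to_json`. Note also that with `server.host` set from a parameter (scenario.xml passes the lab `IP_address` to the kibana module as `kibana_ip`) and `server.ssl.enabled`, `elasticsearch.username` and `elasticsearch.password` all left commented out, Kibana listens on the private network without TLS or authentication; that is acceptable for an IDS lab, but a comment in the template saying so would save the next reader a question.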

View File

@@ -13,9 +13,9 @@
</agent_config>
<agent_config os="Linux">
<%= scope.function_template(["wazuh/fragments/_rootcheck_linux.erb"]) %>
<%= scope.function_template(["wazuh/fragments/_rootcheck.erb"]) %>
<%= scope.function_template(["wazuh/fragments/_syscheck_linux.erb"]) %>
<%= scope.function_template(["wazuh/fragments/_syscheck.erb"]) %>
<!-- Log analysis -->
<localfile>
@@ -25,9 +25,9 @@
</agent_config>
<agent_config os="Windows">
<%= scope.function_template(["wazuh/fragments/_rootcheck_windows.erb"]) %>
<%= scope.function_template(["wazuh/fragments/_rootcheck.erb"]) %>
<%= scope.function_template(["wazuh/fragments/_syscheck_windows.erb"]) %>
<%= scope.function_template(["wazuh/fragments/_syscheck.erb"]) %>
<localfile>
<log_format>eventlog</log_format>
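Review bot: `_syscheck.erb` chooses between its Windows and Linux blocks with `<%- if @kernel == 'windows' -%>`, but agent.conf is rendered once on the manager, whose `kernel` fact is `Linux`; both `<agent_config os="Linux">` and `<agent_config os="Windows">` will therefore receive the Linux syscheck block, and if `_rootcheck.erb` branches on the same fact to reach its static Windows `else` block the same applies to rootcheck. The deleted `_rootcheck_windows.erb`/`_syscheck_windows.erb` includes did not have this problem. Either pass the target OS into the fragment as a template local instead of reading the fact, or keep separate Windows fragments for agent.conf.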

View File

@@ -1,30 +1,33 @@
<client>
<server>
<%- if @ossec_server_ip then -%>
<address><%= @ossec_server_ip %></address>
<%- if @wazuh_reporting_endpoint then -%>
<address><%= @wazuh_reporting_endpoint %></address>
<%- end -%>
<%- if @ossec_server_hostname then -%>
<address><%= @ossec_server_hostname %></address>
<%- if @ossec_protocol then -%>
<protocol><%= @ossec_protocol %></protocol>
<%- end -%>
<%- if @wazuh_manager_address then -%>
<address><%= @wazuh_manager_address %></address>
<%- end -%>
<%- if @ossec_server_protocol then -%>
<protocol><%= @ossec_server_protocol %></protocol>
<%- end -%>
<port><%= @ossec_server_port %></port>
<port><%= @ossec_port %></port>
</server>
<%- if @ossec_config_profiles then -%>
<config-profile><%= @ossec_config_profiles.join(',') %></config-profile>
<%- end -%>
<%- if @ossec_server_notify_time then -%>
<notify_time><%= @ossec_server_notify_time %></notify_time>
<%- if @ossec_notify_time then -%>
<notify_time><%= @ossec_notify_time %></notify_time>
<%- end -%>
<%- if @ossec_server_time_reconnect then -%>
<time-reconnect><%= @ossec_server_time_reconnect %></time-reconnect>
<%- if @ossec_time_reconnect then -%>
<time-reconnect><%= @ossec_time_reconnect %></time-reconnect>
<%- end -%>
<%- if @ossec_crypto_method then -%>
<crypto_method><%= @ossec_crypto_method %></crypto_method>
<%- end -%>
<%- if @ossec_auto_restart then -%>
<auto_restart><%= @ossec_auto_restart %></auto_restart>
<%- end -%>
<auto_restart><%= @agent_auto_restart %></auto_restart>
</client>
<logging>
<log_format>plain</log_format>
</logging>
<client_buffer>
<!-- Agent buffer options -->
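Review bot: `<auto_restart>` appears twice in this hunk, once inside `<%- if @ossec_auto_restart then -%>` and once unconditionally as `<auto_restart><%= @agent_auto_restart %></auto_restart>`; make sure only the parameter the `wazuh::agent` class actually declares survives. The `<server>` block likewise shows three address sources (`@wazuh_reporting_endpoint`, `@ossec_server_hostname`, `@wazuh_manager_address`) and two protocol parameters (`@ossec_protocol`, `@ossec_server_protocol`); if the `ossec_server_*` names are being retired, drop their guards here rather than leaving both generations side by side, since init.pp now passes only `wazuh_reporting_endpoint` and `wazuh_register_endpoint`.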
@@ -33,8 +36,3 @@
<events_per_second><%= @client_buffer_events_per_second %></events_per_second>
</client_buffer>
<%= scope.function_template(["wazuh/fragments/_common.erb"]) -%>
<%- if @enable_wodle_openscap and @wodle_openscap_content -%>
<%= scope.function_template(["wazuh/fragments/_wodle_openscap.erb"]) -%>
<%- end -%>
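Review bot: the `_common.erb` include and the `@enable_wodle_openscap` guard around `_wodle_openscap.erb` disappear from the end of the agent config here, and the manager hunk below shows the same include lines, yet `_wodle_openscap.erb` is still maintained in this commit. If `_common.erb` now pulls the wodle fragments in, fine; otherwise `@enable_wodle_openscap` and `@wodle_openscap_content` become dead parameters and the agent ships with no wodles at all. Worth a line in the commit message either way.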

View File

@@ -8,72 +8,33 @@
<%- @ossec_emailto.each do |emailto| -%>
<email_to><%= emailto %></email_to>
<%- end -%>
<smtp_server><%= @smtp_server %></smtp_server>
<smtp_server><%= @ossec_smtp_server %></smtp_server>
<email_from><%= @ossec_emailfrom %></email_from>
<email_maxperhour><%= @ossec_email_maxperhour %></email_maxperhour>
<%- unless @ossec_email_idsname.nil? -%>
<email_idsname><%= @ossec_email_idsname %></email_idsname>
<%- end -%>
<%- else -%>
<email_notification>no</email_notification>
<%- end -%>
<stats><%= @ossec_global_stat_level %></stats>
<host_information><%= @ossec_global_host_information_level %></host_information>
<%- @ossec_white_list.each do |ipaddress| -%><white_list><%= ipaddress %></white_list>
<%- else -%>
<email_notification>no</email_notification>
<%- end -%>
<%- @ossec_white_list.each do |ipaddress| -%>
<white_list><%= ipaddress %></white_list>
<%- end -%>
</global>
<%- if @syslog_output -%>
<syslog_output>
<server><%= @syslog_output_server %></server>
<port><%= @syslog_output_port %></port>
<format><%= @syslog_output_format %></format>
<level><%= @syslog_output_level %></level>
</syslog_output>
<%- end -%>
<%- if @use_mysql -%>
<database_output>
<hostname><%= @mysql_hostname %></hostname>
<username><%= @mysql_username %></username>
<password><%= @mysql_password %></password>
<database><%= @mysql_name %></database>
<type>mysql</type>
</database_output>
<%- end -%>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<%- @rule_exclude.each do |r| -%>
<rule_exclude><%= r %></rule_exclude>
<%- end -%>
<list>etc/lists/audit-keys</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
<%- @decoder_exclude.each do |r| -%>
<decoder_exclude><%= r %></decoder_exclude>
<%- end -%>
</ruleset>
<remote>
<connection>secure</connection>
<port><%= @ossec_server_port %></port>
<protocol><%= @ossec_server_protocol %></protocol>
</remote>
<%= scope.function_template(["wazuh/fragments/_common.erb"]) -%>
<%= scope.function_template(["wazuh/fragments/_auth.erb"]) -%>
<%- if @enable_wodle_openscap and @wodle_openscap_content -%>
<%= scope.function_template(["wazuh/fragments/_wodle_openscap.erb"]) -%>
<%- end -%>
<alerts>
<log_alert_level>3</log_alert_level>
<log_alert_level><%= @ossec_alert_level %></log_alert_level>
<email_alert_level><%= @ossec_email_alert_level %></email_alert_level>
</alerts>
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection><%= @ossec_remote_connection %></connection>
<port><%= @ossec_remote_port %></port>
<protocol><%= @ossec_remote_protocol %></protocol>
<queue_size><%= @ossec_remote_queue_size %></queue_size>
</remote>
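Review bot: `<connection>` in the new `<remote>` block is now `<%= @ossec_remote_connection %>` where the old block fixed it to `secure`; make `secure` the parameter default and document that `syslog` opens an unauthenticated listener on `@ossec_remote_port`. The `_auth.erb` include is gone from this template while init.pp still passes `agent_auth_password` to `wazuh::manager`, so confirm `<auth>` is still rendered somewhere or agent registration will never use that password. The hunk also shows the `<%- else -%>`/`<email_notification>no</email_notification>` pair twice and the `@ossec_white_list` loop both on one line and split over three; only the split form with a single `else` should survive. Replacing the hard-coded `<log_alert_level>3</log_alert_level>` with `@ossec_alert_level` and dropping the `<database_output>` block that rendered `@mysql_password` into ossec.conf are both improvements.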

View File

@@ -1,12 +0,0 @@
# The baseline for module testing used by Puppet Labs is that each manifest
# should have a corresponding test manifest that declares that class or defined
# type.
#
# Tests are then run by using puppet apply --noop (to check for compilation
# errors and view a log of events) or by fully applying the test in a virtual
# environment (to compare the resulting system state to the desired state).
#
# Learn more about module testing here:
# http://docs.puppetlabs.com/guides/tests_smoke.html
#
include ossec
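Review bot: deleting `tests/init.pp` leaves the module with no `puppet apply --noop` smoke manifest; since `include ossec` no longer matches the `wazuh::manager`/`wazuh::agent` classes declared in init.pp, replace it with a manifest that declares those classes rather than removing it outright.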

View File

@@ -1,14 +1,15 @@
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$component = $secgen_parameters['component'][0]
if ($component == 'server') {
class { '::wazuh::server':
smtp_server => 'localhost',
class { '::wazuh::manager':
ossec_smtp_server => 'localhost',
ossec_emailto => ['user@mycompany.com'],
agent_auth_password => '6663484170b2c69451e01ba11f319533', #todo: obviously fix this - must be 32char
}
} elsif ($component == 'client') {
class { "::wazuh::client":
ossec_server_ip => "192.168.209.166",
class { "::wazuh::agent":
wazuh_register_endpoint => "192.168.209.166",
wazuh_reporting_endpoint => "192.168.209.166",
agent_name => 'test_name',
}
}
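Review bot: `agent_auth_password => '6663484170b2c69451e01ba11f319533'` checks a shared agent-registration secret into the repository, as the `#todo` beside it admits; derive it per build (for instance from `$secgen_parameters`, which this manifest already reads) so every generated scenario gets its own 32-character value. The client branch likewise hard-codes `"192.168.209.166"` for both `wazuh_register_endpoint` and `wazuh_reporting_endpoint` although scenario.xml stores that address in the `IP_address` datastore; pass it through as a component input instead. `ossec_emailto => ['user@mycompany.com']` is a placeholder and should be parameterised the same way.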

View File

@@ -15,17 +15,95 @@
<system_name>ids_server</system_name>
<base distro="Debian 9" type="server"/>
<input into_datastore="IP_address">
<value>192.168.209.166</value>
</input>
<input into_datastore="elasticsearch_port">
<value>9200</value>
</input>
<input into_datastore="logstash_port">
<value>5044</value>
</input>
<input into_datastore="kibana_port">
<value>5601</value>
</input>
<utility module_path=".*elasticsearch.*">
<input into="elasticsearch_ip">
<datastore access="0">IP_address</datastore>
</input>
<input into="elasticsearch_port">
<datastore access="0">elasticsearch_port</datastore>
</input>
</utility>
<utility module_path=".*logstash.*">
<input into="logstash_port">
<datastore access="0">logstash_port</datastore>
</input>
<input into="elasticsearch_ip">
<datastore access="0">IP_address</datastore>
</input>
<input into="elasticsearch_port">
<datastore access="0">elasticsearch_port</datastore>
</input>
</utility>
<utility module_path=".*kibana.*">
<input into="kibana_ip">
<datastore access="0">IP_address</datastore>
</input>
<input into="kibana_port">
<datastore access="0">kibana_port</datastore>
</input>
<input into="elasticsearch_ip">
<datastore access="0">IP_address</datastore>
</input>
<input into="elasticsearch_port">
<datastore access="0">elasticsearch_port</datastore>
</input>
</utility>
<utility module_path=".*filebeat.*">
<input into="logstash_ip">
<datastore access="0">IP_address</datastore>
</input>
<input into="logstash_port">
<datastore access="0">logstash_port</datastore>
</input>
</utility>
<utility module_path=".*auditbeat.*">
<input into="logstash_ip">
<datastore access="0">IP_address</datastore>
</input>
<input into="logstash_port">
<datastore access="0">logstash_port</datastore>
</input>
</utility>
<utility module_path=".*wazuh.*">
<input into="component">
<value>server</value>
</input>
</utility>
<utility type="update"/>
<network type="private_network">
<input into="IP_address">
<value>192.168.209.166</value>
<datastore access="0">IP_address</datastore>
</input>
</network>
<build type="cleanup">
<input into="root_password">
<value>test</value>
</input>
</build>
</system>
<system>
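Review bot: the `.*wazuh.*` utility receives only `component`, while every other utility in this system is wired to the `IP_address` and port datastores; add an `IP_address` input to it so the Puppet manifest does not need the literal manager address. The hunk also shows `IP_address` inside `<network>` both as a literal `<value>192.168.209.166</value>` and as `<datastore access="0">IP_address</datastore>`; keep only the datastore reference so the address is defined once, at the `into_datastore` input.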
@@ -38,11 +116,33 @@
</input>
</utility>
<!-- Create a file to audit reads of... -->
<utility module_path=".*leak_to_file">
<input into="leaked_filename">
<value>test</value>
</input>
<input into="base64_file">
<encoder module_path=".*base64">
<input into="strings_to_encode">
<value>Read me!</value>
</input>
</encoder>
</input>
<input into="storage_directory">
<value>/root</value>
</input>
</utility>
<network type="private_network">
<input into="IP_address">
<value>192.168.209.165</value>
</input>
</network>
</system>
<build type="cleanup">
<input into="root_password">
<value>test</value>
</input>
</build>
</system>
</scenario>
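Review bot: the `<build type="cleanup">` block appears both before and after `</system>`; only the placement inside the `<system>` element is valid, so make sure the copy outside it is the removed one. The client still carries a literal `192.168.209.165` in its `<network>` input rather than an `into_datastore` entry; storing it the way the server stores `IP_address` keeps both addresses defined in one place.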