diff --git a/lib/templates/Puppetfile.erb b/lib/templates/Puppetfile.erb index 9ea234422..7e5855c1a 100644 --- a/lib/templates/Puppetfile.erb +++ b/lib/templates/Puppetfile.erb @@ -9,6 +9,7 @@ forge "https://forgeapi.puppetlabs.com" mod 'puppetlabs-stdlib', '4.25.1' # stdlib enables parsejson() in manifests and other useful functions +mod 'puppetlabs-concat', '5.2.0' mod 'SecGen-secgen_functions', :path => '<%= SECGEN_FUNCTIONS_PUPPET_DIR %>' <% @currently_processing_system.module_selections.each do |selected_module| -%> diff --git a/modules/utilities/unix/logging/wazuh/.gitattributes b/modules/utilities/unix/logging/wazuh/.gitattributes new file mode 100644 index 000000000..9032a014a --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/.gitattributes @@ -0,0 +1,5 @@ +*.rb eol=lf +*.erb eol=lf +*.pp eol=lf +*.sh eol=lf +*.epp eol=lf diff --git a/modules/utilities/unix/logging/wazuh/.gitignore b/modules/utilities/unix/logging/wazuh/.gitignore new file mode 100644 index 000000000..1c34e1e35 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/.gitignore @@ -0,0 +1,41 @@ +.git/ +.*.sw[op] +.metadata +.yardoc +.yardwarns +*.iml +/.bundle/ +/.idea/ +/.vagrant/ +/coverage/ +/bin/ +/doc/ +/Gemfile.local +/Gemfile.lock +/junit/ +/log/ +/pkg/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/ +/tmp/ +/vendor/ +/convert_report.txt +/update_report.txt +.DS_Store +.project +.envrc +/inventory.yaml +./kitchen/modules/.kitchen/logs/ +*.lock +kitchen/.tmp/ +kitchen/.kitchen/ +kitchen/venv +kitchen/*.xml +kitchen/test/Dockerfile +*.log +*.pyc +kitchen/.tmp/ +kitchen/.librarian/ +kitchen/.pytest_cache/ +kitchen/.* +kitchen/modules/ diff --git a/modules/utilities/unix/logging/wazuh/.travis.yml b/modules/utilities/unix/logging/wazuh/.travis.yml new file mode 100644 index 000000000..074a10fec --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/.travis.yml 
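Review bot: The new `mod 'puppetlabs-concat', '5.2.0'` line carries no note of which module needs it, while the `puppetlabs-stdlib` line directly above documents its purpose; presumably the wazuh module vendored in this commit pulls in concat, so a trailing comment such as `mod 'puppetlabs-concat', '5.2.0' # required by the wazuh module` would keep the generated Puppetfile self-explaining. Pinning the exact version is consistent with the stdlib line and is the right call for a template that every generated Puppetfile inherits.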
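Review bot: `kitchen/.*` near the end of the list already matches `kitchen/.tmp/`, `kitchen/.kitchen/`, `kitchen/.librarian/` and `kitchen/.pytest_cache/`, and `kitchen/.tmp/` is listed twice, so the kitchen block can shrink to `kitchen/.*`, `kitchen/venv`, `kitchen/*.xml`, `kitchen/test/Dockerfile` and `kitchen/modules/`. The generated `kitchen/manifests/site.pp`, which run.sh in this commit recreates from `site.pp.template` on every run, is not ignored even though it is committed next to its template; adding `kitchen/manifests/site.pp` here would keep the derived file out of the tree.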
@@ -0,0 +1,54 @@
+---
+dist: trusty
+language: ruby
+cache: bundler
+before_install:
+ - bundle -v
+ - rm -f Gemfile.lock
+ - gem update --system $RUBYGEMS_VERSION
+ - gem --version
+ - bundle -v
+script:
+ - 'bundle exec rake $CHECK'
+bundler_args: --without system_tests
+rvm:
+ - 2.5.3
+stages:
+ - static
+ - spec
+ - acceptance
+ -
+ if: tag =~ ^v\d
+ name: deploy
+matrix:
+ fast_finish: true
+ include:
+ -
+ env: CHECK="check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop syntax lint metadata_lint"
+ stage: static
+ -
+ env: PUPPET_GEM_VERSION="~> 5.0" CHECK=parallel_spec
+ rvm: 2.4.5
+ stage: spec
+ -
+ env: PUPPET_GEM_VERSION="~> 6.0" CHECK=parallel_spec
+ rvm: 2.5.3
+ stage: spec
+ -
+ env: DEPLOY_TO_FORGE=yes
+ stage: deploy
+branches:
+ only:
+ - master
+ - /^v\d/
+notifications:
+ email: false
+deploy:
+ provider: puppetforge
+ user: puppet
+ password:
+ secure: ""
+ on:
+ tags: true
+ all_branches: true
+ condition: "$DEPLOY_TO_FORGE = yes"
diff --git a/modules/utilities/unix/logging/wazuh/CHANGELOG.md b/modules/utilities/unix/logging/wazuh/CHANGELOG.md
index 3ad74a9a1..d77f5b910 100644
--- a/modules/utilities/unix/logging/wazuh/CHANGELOG.md
+++ b/modules/utilities/unix/logging/wazuh/CHANGELOG.md
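Review bot: The `deploy:` block ends with `password: secure: ""`, an empty encrypted credential, so the `deploy` stage selected by `DEPLOY_TO_FORGE=yes` can only fail at authentication; if this vendored copy is not expected to publish to the Forge from this repository, drop the `deploy:` block and the matching `stage: deploy` entries rather than keep a placeholder slot that invites someone to paste a secret into the file. `before_install` also runs `gem update --system $RUBYGEMS_VERSION` with `RUBYGEMS_VERSION` defined nowhere in the file, so the build floats to whatever RubyGems release is current on the day it runs; pinning the variable or removing the step makes the build reproducible.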
@@ -1,6 +1,96 @@ # Change Log All notable changes to this project will be documented in this file. +## Wazuh Puppet v3.10.2_7.3.2 + +### Added + +- Update to Wazuh version 3.10.2_7.3.2 + +## Wazuh Puppet v3.10.0_7.3.2 + +### Added + +- Update to Wazuh version 3.10.0_7.3.2 +- Change Wazuh Filebeat Module to production. ([@jm404](https://github.com/jm404)) [#1bc6b792af68ff26fc0dfc9125e5d33f7831b32e](https://github.com/wazuh/wazuh-puppet/commit/1bc6b792af68ff26fc0dfc9125e5d33f7831b32e) + +## Fixed +- Fixes for Ossec email notifications' config ([rshad](https://github.com/rshad)) [PR#150](https://github.com/wazuh/wazuh-puppet/pull/150) + +## Wazuh Puppet v3.9.5_7.2.1 + +### Added + +- Update to Wazuh version 3.9.5_7.2.1 + +## Fixed + +- Fixed linting problems ([@jm404](https://github.com/jm404)) [#ca923c7](https://github.com/wazuh/wazuh-puppet/commit/ca923c71a8f13c75d1f8a0a4807dda6f3ba114a6) + + + +## Wazuh Puppet v3.9.4_7.2.0 + +### Added + +- Update to Wazuh version 3.9.4_7.2.0 + +- Added Filebeat module and adapted Elasticsearch IP ([rshad](https://github.com/rshad)) [PR#144](https://github.com/wazuh/wazuh-puppet/pull/144) + +- Added Kitchen testing for Wazuh deployment with Puppet. ([rshad](https://github.com/rshad)) [PR#139](https://github.com/wazuh/wazuh-puppet/pull/139) + +- Added Ubuntu as a recognized operating system to Puppet manifests. ([rshad](https://github.com/rshad)) [PR#141](https://github.com/wazuh/wazuh-puppet/pull/141) + +- Wazuh Agent is now able to register and report to different IPs. ([@jm404](https://github.com/jm404)) [PR#136](https://github.com/wazuh/wazuh-puppet/pull/136) + +### Fixed + +- Fixed integration when group is not specified. ([TheoPoc](https://github.com/TheoPoc)) [PR#142](https://github.com/wazuh/wazuh-puppet/pull/142) + +### Changed + +- Moved command and email_alert templates to templates/fragments. 
([rshad](https://github.com/rshad)) [PR#143](https://github.com/wazuh/wazuh-puppet/pull/143) + + +## Wazuh Puppet v3.9.3_7.2.0 + +### Added + +- Update to Wazuh version 3.9.3_7.2.0 + +## Wazuh Puppet v3.9.2_7.1.1 + +### Added + +- Update to Wazuh version 3.9.2_7.1.1 + +## Wazuh Puppet v3.9.1_7.1.0 + +### Added + +- Created required files for Filebeat installation. ([@jm404](https://github.com/jm404)) [#f36be695](https://github.com/wazuh/wazuh-puppet/commit/f36be69558f012a75717150bd6a48f9b9a45b3c8) + +- Created required files for Elasticsearch installation. ([@jm404](https://github.com/jm404)) [#890fb88](https://github.com/wazuh/wazuh-puppet/commit/890fb88cdb4f18ea67caaf09943792145ac245bd) + +- Created required files for Kibana installation. ([@jm404](https://github.com/jm404)) [#ac31a02](https://github.com/wazuh/wazuh-puppet/commit/ac31a02c5a6771e5e480db378934b23e2dc59b03) + +- Added configuration variables to make `ossec.conf` more flexible. ([@jm404](https://github.com/jm404)) [#5631753](https://github.com/wazuh/wazuh-puppet/commit/5631753cf4c3967d7fc08fc53d2535d78d4e19b7) + +- Now it's possible to install an agent without registering it. ([@jm404](https://github.com/jm404)) [#63e1a13](https://github.com/wazuh/wazuh-puppet/commit/63e1a1390edbaef4387c4397c16636514525eeaa) +- Added support for Amazon-Linux-2. ([@jm404](https://github.com/jm404)) [#823eeec](https://github.com/wazuh/wazuh-puppet/commit/823eeec502c4a100dc6946f25388b9d04833c105) + +### Changed + +- The `server.pp` manifest has been renamed to `manager.pp`. ([@jm404](https://github.com/jm404)) [#f859f87](https://github.com/wazuh/wazuh-puppet/commit/f859f879e5bd6e83b4adf54ebbe44adfc60c0f03) +- The `client.pp` manifest moved to `agent.pp`. ([@jm404](https://github.com/jm404)) [#69fe628](https://github.com/wazuh/wazuh-puppet/commit/69fe628bfbfec171fce3754b22f1d04b67d58d81) + +## Removed + +- Registration method `export` deleted due to security issues. 
([@jm404](https://github.com/jm404)) [#f77fe49](https://github.com/wazuh/wazuh-puppet/commit/f77fe496b4e290b0b3a70272c66d26f8ee7d0012) +- Eliminated `inotify-tools `. ([@jm404](https://github.com/jm404)) [#628db1e](https://github.com/wazuh/wazuh-puppet/commit/628db1e4d5236b195ee1c50945fb6ff7553a5b23) +- Deleted `_common.erb` fragment in order to give flexibility to Agent and Manager. ([@jm404](https://github.com/jm404)) [#92114ea](https://github.com/wazuh/wazuh-puppet/commit/92114ea205be4fa6783115b01b1148a2a6dc7c2d) + + ## [v3.9.1] ### Added @@ -76,8 +166,8 @@ All notable changes to this project will be documented in this file. - Fix username (puppet to puppetlabs). ([#74](https://github.com/wazuh/wazuh-puppet/pull/74)) ## Change Log old version. - - + + ## 2017-xx-xx support@wazuh.com - 2.0.23 * Fixed issue #18 with the pull request #17. (thanks @lemrouch) diff --git a/modules/utilities/unix/logging/wazuh/Gemfile b/modules/utilities/unix/logging/wazuh/Gemfile index 2dd6e0cbd..cf2c38748 100644 --- a/modules/utilities/unix/logging/wazuh/Gemfile +++ b/modules/utilities/unix/logging/wazuh/Gemfile 
@@ -1,24 +1,71 @@ -source 'https://rubygems.org' +source ENV['GEM_SOURCE'] || 'https://rubygems.org' -group :test do - gem 'rake' - gem 'puppet', ENV['PUPPET_GEM_VERSION'] || '~> 3.8.0' - gem 'rspec', '< 3.2.0' - gem 'rspec-puppet', git: 'https://github.com/rodjek/rspec-puppet.git' - gem 'rspec-puppet-facts' - gem 'autorun' +def location_for(place_or_version, fake_version = nil) + git_url_regex = %r{\A(?(https?|git)[:@][^#]*)(#(?.*))?} + file_url_regex = %r{\Afile:\/\/(?.*)} - gem 'puppetlabs_spec_helper' + if place_or_version && (git_url = place_or_version.match(git_url_regex)) + [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact + elsif place_or_version && (file_url = place_or_version.match(file_url_regex)) + ['>= 0', { path: File.expand_path(file_url[:path]), require: false }] + else + [place_or_version, { require: false }] + end end +ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments +minor_version = ruby_version_segments[0..1].join('.') + group :development do - gem 'puppet-blacksmith' - gem 'guard-rake' - gem 'yard' + gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0') + gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0') + gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0') + gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9') + gem "json", '= 2.0.4', require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) + gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby] + gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby] + gem 
"puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] + gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw] end -group :system_tests do - gem 'beaker' - gem 'beaker-rspec' - gem 'beaker-puppet_install_helper' +puppet_version = ENV['PUPPET_GEM_VERSION'] +facter_version = ENV['FACTER_GEM_VERSION'] +hiera_version = ENV['HIERA_GEM_VERSION'] + +gems = {} + +gems['puppet'] = location_for(puppet_version) + +# If facter or hiera versions have been specified via the environment +# variables + +gems['facter'] = location_for(facter_version) if facter_version +gems['hiera'] = location_for(hiera_version) if hiera_version + +if Gem.win_platform? && puppet_version =~ %r{^(file:///|git://)} + # If we're using a Puppet gem on Windows which handles its own win32-xxx gem + # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445). + gems['win32-dir'] = ['<= 0.4.9', require: false] + gems['win32-eventlog'] = ['<= 0.6.5', require: false] + gems['win32-process'] = ['<= 0.7.5', require: false] + gems['win32-security'] = ['<= 0.2.5', require: false] + gems['win32-service'] = ['0.8.8', require: false] end + +gems.each do |gem_name, gem_params| + gem gem_name, *gem_params +end + +# Evaluate Gemfile.local and ~/.gemfile if they exist +extra_gemfiles = [ + "#{__FILE__}.local", + File.join(Dir.home, '.gemfile'), +] + +extra_gemfiles.each do |gemfile| + if File.file?(gemfile) && File.readable?(gemfile) + eval(File.read(gemfile), binding) + end +end +# vim: syntax=ruby diff --git a/modules/utilities/unix/logging/wazuh/README.md b/modules/utilities/unix/logging/wazuh/README.md index 014ca6d18..56c75209b 100644 --- a/modules/utilities/unix/logging/wazuh/README.md +++ b/modules/utilities/unix/logging/wazuh/README.md 
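Review bot: The `extra_gemfiles` loop at the end evaluates `Gemfile.local` and `~/.gemfile` with `eval(File.read(gemfile), binding)`, and `source ENV['GEM_SOURCE'] || 'https://rubygems.org'` lets the environment redirect where gems are fetched from; both look like standard PDK template behaviour, but nothing in the file says so, so a reader of this tree cannot tell deliberate from accidental. A comment above the loop such as `# PDK template: Gemfile.local and ~/.gemfile are evaluated as Ruby so developers can add local gems` would record the intent. The regexes in `location_for` appear on this page with their named groups missing (`(?(https?|git)...)` while the code later reads `git_url[:url]` and `git_url[:branch]`), which looks like extraction loss rather than the committed text; worth confirming the file itself still carries the `(?<url>...)`, `(?<branch>...)` and `(?<path>...)` groups.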
@@ -15,71 +15,78 @@ This module installs and configure Wazuh agent and manager. ## Directory structure - ├── wazuh-puppet - │ ├── files - │ │ ├── client.keys - │ │ ├── ossec-logrotate.te - │ │ ├── wazuh-winagent-v2.1.1-1.exe - │ - │ ├── manifest - │ │ ├── activeresponse.pp - │ │ ├── addlog.pp - │ │ ├── agentkey.pp - │ │ ├── client.pp - │ │ ├── collect_agent_keys.pp - │ │ ├── command.pp - │ │ ├── email_alert.pp - │ │ ├── export_agent_key.pp - │ │ ├── init.pp - │ │ ├── params.pp - │ │ ├── repo.pp - │ │ ├── reports.pp - │ │ ├── server.pp - │ │ - │ ├── spec - │ │ ├── classes - │ │ │ ├── client_spec.rb - │ │ │ ├── init_spec.rb - │ │ │ ├── server_spec.rb - │ │ - │ │ ├── spec_helper.rb - │ - │ ├── templates - │ │ ├── api - │ │ │ ├── config.js.erb - │ │ - │ │ ├── fragments - │ │ │ ├── _activeresponse.erb - │ │ │ ├── _common.erb - │ │ │ ├── _localfile.erb - │ │ │ ├── _reports.erb - │ │ │ ├── _rootcheck_linux.erb - │ │ │ ├── _rootcheck_windows.erb - │ │ │ ├── _syscheck_linux.erb - │ │ │ ├── _syscheck_windows.erb - │ │ │ ├── _wodle_openscap.erb - │ │ - │ │ ├── command.erb - │ │ ├── email_alert.erb - │ │ ├── local_decoder.xml.erb - │ │ ├── local_rules.xmk.erb - │ │ ├── ossec_shared_agent.conf.erb - │ │ ├── process_list.erb - │ │ ├── wazuh_agent.conf.erb - │ │ ├── wazuh_manager.conf.erb - | - │ ├── tests - │ │ ├── init.pp - | - │ ├── README.md - │ ├── VERSION - │ ├── CHANGELOG.md - │ ├── .travis.yml - │ ├── Gemfile - │ ├── LICENSE.txt - │ ├── Rakefile - │ ├── checksums.json - │ ├── metadata.json + wazuh-puppet/ + ├── CHANGELOG.md + ├── checksums.json + ├── files + │   └── ossec-logrotate.te + ├── Gemfile + ├── LICENSE.txt + ├── manifests + │   ├── activeresponse.pp + │   ├── addlog.pp + │   ├── agent.pp + │   ├── command.pp + │   ├── elasticsearch.pp + │   ├── email_alert.pp + │   ├── filebeat.pp + │   ├── init.pp + │   ├── integration.pp + │   ├── kibana.pp + │   ├── manager.pp + │   ├── params_agent.pp + │   ├── params_elastic.pp + │   ├── params_manager.pp + │   ├── 
repo_elastic.pp + │   ├── repo.pp + │   ├── reports.pp + │   └── wazuh_api.pp + ├── metadata.json + ├── Rakefile + ├── README.md + ├── spec + │   ├── classes + │   │   ├── client_spec.rb + │   │   ├── init_spec.rb + │   │   └── server_spec.rb + │   └── spec_helper.rb + ├── templates + │   ├── api + │   │   └── config.js.erb + │   ├── default_commands.erb + │   ├── elasticsearch_yml.erb + │   ├── filebeat_yml.erb + │   ├── fragments + │   │   ├── _activeresponse.erb + │   │   ├── _auth.erb + │   │   ├── _cluster.erb + │   │   ├── _command.erb + │   │   ├── _default_activeresponse.erb + │ │ ├── _email_alert.erb + │   │   ├── _integration.erb + │   │   ├── _localfile.erb + │   │   ├── _localfile_generation.erb + │   │   ├── _reports.erb + │   │   ├── _rootcheck.erb + │   │   ├── _ruleset.erb + │   │   ├── _sca.erb + │   │   ├── _syscheck.erb + │   │   ├── _wodle_cis_cat.erb + │   │   ├── _wodle_openscap.erb + │   │   ├── _wodle_osquery.erb + │   │   ├── _wodle_syscollector.erb + │   │   └── _wodle_vulnerability_detector.erb + │   ├── jvm_options.erb + │   ├── kibana_yml.erb + │   ├── local_decoder.xml.erb + │   ├── local_rules.xml.erb + │   ├── ossec_shared_agent.conf.erb + │   ├── process_list.erb + │   ├── wazuh_agent.conf.erb + │   └── wazuh_manager.conf.erb + ├── tests + │   └── init.pp + └── VERSION ## Branches @@ -100,7 +107,7 @@ This Puppet module has been authored by Nicolas Zin, and updated by Jonathan Gaz ## License and copyright WAZUH -Copyright (C) 2016-2018 Wazuh Inc. (License GPLv2) +Copyright (C) 2019 Wazuh Inc. (License GPLv2) Based on OSSEC Copyright (C) 2015 Trend Micro Inc. diff --git a/modules/utilities/unix/logging/wazuh/Rakefile b/modules/utilities/unix/logging/wazuh/Rakefile index d1e11f798..750ef4676 100644 --- a/modules/utilities/unix/logging/wazuh/Rakefile +++ b/modules/utilities/unix/logging/wazuh/Rakefile 
@@ -1,18 +1,76 @@ -require 'rubygems' require 'puppetlabs_spec_helper/rake_tasks' -require 'puppet-lint/tasks/puppet-lint' -PuppetLint.configuration.send('disable_80chars') -PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"] +require 'puppet-syntax/tasks/puppet-syntax' +require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any? +require 'github_changelog_generator/task' if Bundler.rubygems.find_name('github_changelog_generator').any? +require 'puppet-strings/tasks' if Bundler.rubygems.find_name('puppet-strings').any? -desc "Validate manifests, templates, and ruby files" -task :validate do - Dir['manifests/**/*.pp'].each do |manifest| - sh "puppet parser validate --noop #{manifest}" +def changelog_user + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = nil || JSON.load(File.read('metadata.json'))['author'] + raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator user:#{returnVal}" + returnVal +end + +def changelog_project + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = nil || JSON.load(File.read('metadata.json'))['name'] + raise "unable to find the changelog_project in .sync.yml or the name in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator project:#{returnVal}" + returnVal +end + +def changelog_future_release + return unless Rake.application.top_level_tasks.include? "changelog" + returnVal = "v%s" % JSON.load(File.read('metadata.json'))['version'] + raise "unable to find the future_release (version) in metadata.json" if returnVal.nil? + puts "GitHubChangelogGenerator future_release:#{returnVal}" + returnVal +end + +PuppetLint.configuration.send('disable_relative') + +if Bundler.rubygems.find_name('github_changelog_generator').any? 
+ GitHubChangelogGenerator::RakeTask.new :changelog do |config| + raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil? + config.user = "#{changelog_user}" + config.project = "#{changelog_project}" + config.future_release = "#{changelog_future_release}" + config.exclude_labels = ['maintenance'] + config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)." + config.add_pr_wo_labels = true + config.issues = false + config.merge_prefix = "### UNCATEGORIZED PRS; GO LABEL THEM" + config.configure_sections = { + "Changed" => { + "prefix" => "### Changed", + "labels" => ["backwards-incompatible"], + }, + "Added" => { + "prefix" => "### Added", + "labels" => ["feature", "enhancement"], + }, + "Fixed" => { + "prefix" => "### Fixed", + "labels" => ["bugfix"], + }, + } end - Dir['spec/**/*.rb','lib/**/*.rb'].each do |ruby_file| - sh "ruby -c #{ruby_file}" unless ruby_file =~ /spec\/fixtures/ - end - Dir['templates/**/*.erb'].each do |template| - sh "erb -P -x -T '-' #{template} | ruby -c" +else + desc 'Generate a Changelog from GitHub' + task :changelog do + raise <= Gem::Version.new('2.2.2')" +EOM end end + diff --git a/modules/utilities/unix/logging/wazuh/VERSION b/modules/utilities/unix/logging/wazuh/VERSION index 95c17503a..edbc3b87f 100644 --- a/modules/utilities/unix/logging/wazuh/VERSION +++ b/modules/utilities/unix/logging/wazuh/VERSION @@ -1,2 +1,2 @@ -WAZUH-PUPPET_VERSION="v3.9.1" -REVISION="3901" \ No newline at end of file +WAZUH-PUPPET_VERSION="v3.10.2" +REVISION="31020" \ No newline at end of file 
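Review bot: `changelog_future_release` formats before it validates: `"v%s" % nil` yields `"v"`, so the `raise ... if returnVal.nil?` that follows can never fire and a metadata.json without a `version` key produces a release named `v`. Read the raw value first, `version = JSON.load(File.read('metadata.json'))['version']`, raise when that is nil, then build `"v#{version}"`. The `nil ||` prefix in `changelog_user` and `changelog_project` is a no-op left over from template substitution, and none of the three helpers `require 'json'`, so they appear to rely on `JSON` being loaded transitively by puppetlabs_spec_helper. The heredoc in the fallback `:changelog` task appears truncated on this page (`raise <= Gem::Version...`), which looks like extraction loss rather than the committed text.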
diff --git a/modules/utilities/unix/logging/wazuh/checksums.json b/modules/utilities/unix/logging/wazuh/checksums.json
index 0e9f950ef..536eb7cad 100644
--- a/modules/utilities/unix/logging/wazuh/checksums.json
+++ b/modules/utilities/unix/logging/wazuh/checksums.json
@@ -25,8 +25,8 @@
 "templates/90_ossec.conf.erb": "698695c984a8d6829d3a331b8a4196ec",
 "templates/99_ossec_agent.conf.erb": "386ab8ad1d31566eed64a06e0a8d4d9a",
 "templates/activeresponse.erb": "8a3bd90af1c0b8199af57f37bf5314d2",
- "templates/command.erb": "e37530e43ad73dbfe1e17c0d9da042f9",
- "templates/email_alert.erb": "3aa50ecb0e284ed3a443ee89d21260b0",
+ "templates/fragments/_command.erb": "e37530e43ad73dbfe1e17c0d9da042f9",
+ "templates/fragments/_email_alert.erb": "3aa50ecb0e284ed3a443ee89d21260b0",
 "templates/ossec_shared_agent.conf.erb": "131307a6afdf7e83053cdbc9f6d44368",
 "tests/init.pp": "2eac4e89d806c23f7d72d6ac924d1921"
 }
diff --git a/modules/utilities/unix/logging/wazuh/files/wazuh-agent-3.8.2-1.msi b/modules/utilities/unix/logging/wazuh/files/wazuh-agent-3.8.2-1.msi
deleted file mode 100644
index 08b10fc60..000000000
Binary files a/modules/utilities/unix/logging/wazuh/files/wazuh-agent-3.8.2-1.msi and /dev/null differ
diff --git a/modules/utilities/unix/logging/wazuh/files/wazuh-agent-3.9.0-1.msi b/modules/utilities/unix/logging/wazuh/files/wazuh-agent-3.9.0-1.msi
deleted file mode 100644
index 6ae9c52e8..000000000
Binary files a/modules/utilities/unix/logging/wazuh/files/wazuh-agent-3.9.0-1.msi and /dev/null differ
diff --git a/modules/utilities/unix/logging/wazuh/files/wazuh-agent-3.9.1-1.msi b/modules/utilities/unix/logging/wazuh/files/wazuh-agent-3.9.1-1.msi
deleted file mode 100644
index 62da36623..000000000
Binary files a/modules/utilities/unix/logging/wazuh/files/wazuh-agent-3.9.1-1.msi and /dev/null differ
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/Gemfile b/modules/utilities/unix/logging/wazuh/kitchen/Gemfile
new file mode 100644
index 000000000..05f7a3868
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/Gemfile
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+source "https://rubygems.org"
+
+# gem "rails"
+gem "test-kitchen"
+gem "kitchen-puppet"
+gem "kitchen-vagrant"
+gem 'kitchen-docker', '~> 2.3'
+gem "puppet"
+gem "librarian-puppet"
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/Puppetfile b/modules/utilities/unix/logging/wazuh/kitchen/Puppetfile
new file mode 100644
index 000000000..b9d36bd1d
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/Puppetfile
@@ -0,0 +1,26 @@
+#!/usr/bin/env ruby
+#^syntax detection
+
+forge "https://forgeapi.puppetlabs.com"
+
+# use dependencies defined in metadata.json
+#metadata
+
+mod "wazuh/wazuh"
+# use dependencies defined in Modulefile
+# modulefile
+
+# A module from the Puppet Forge
+# mod 'puppetlabs-stdlib'
+
+# A module from git
+# mod 'puppetlabs-ntp',
+# :git => 'git://github.com/puppetlabs/puppetlabs-ntp.git'
+
+# A module from a git branch/tag
+# mod 'puppetlabs-apt',
+# :git => 'https://github.com/puppetlabs/puppetlabs-apt.git',
+# :ref => '1.4.x'
+
+# A module from Github pre-packaged tarball
+# mod 'puppetlabs-apache', '0.6.0', :github_tarball => 'puppetlabs/puppetlabs-apache'
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/README.md b/modules/utilities/unix/logging/wazuh/kitchen/README.md
new file mode 100644
index 000000000..0249dddee
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/README.md
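Review bot: `mod "wazuh/wazuh"` carries no version constraint, so `librarian-puppet install` resolves whichever release is current on the Forge on the day it runs, while run.sh in the same commit copies `../manifests`, `../templates` and `../files` straight into `modules/wazuh` and keeps its librarian step commented out. Either pin the Forge entry to the version this tree ships (that value lives in `VERSION`/`metadata.json`, not here) or replace it with a comment such as `# module under test is the local checkout copied in by run.sh` so the two mechanisms cannot silently diverge.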
@@ -0,0 +1,227 @@ +**KITCHEN-PUPPET TESTING** + + +**1.Building Kitchen Directory Structure** +``` +├── chefignore +├── Gemfile +├── hieradata +├── kitchen.yml +├── manifests +├── modules `should contain wazuh-puppet module` +├── Puppetfile +├── run.sh +├── test +``` + +Find more details in the [official documentation](https://kitchen.ci/) + +**2. Required Gems** + +Kitchen basically works with `Ruby` gems and so, all required packages are available as gems. In our case, we would need the following gems to be installed. Found in the file `Gemfile` : + +``` +vagrant@master:~/wazuh-puppet/kitchen$ cat Gemfile +# frozen_string_literal: true +source "https://rubygems.org" + +# gem "rails" +gem "test-kitchen" +gem "kitchen-puppet" +gem "kitchen-vagrant" +gem 'kitchen-docker', '~> 2.3' +gem "puppet" +gem "librarian-puppet" +``` + +As we can see, we have gems for docker, vagrant, puppet, and kitchen itself. + +Once we have our list of gems prepared, we install them running the following command: + +``` +bundle install +``` + +**3. 
Adding Dependencies** + +A step which is already applied here is the creation of `Puppetfile` using `puppet-librerian` by running the command: + +``` +± librarian-puppet init + create Puppetfile +``` + +As you can see the, `Puppetfile` already exist with the following content: + +``` +#!/usr/bin/env ruby +#^syntax detection + +forge "https://forgeapi.puppetlabs.com" + +# use dependencies defined in metadata.json +#metadata + +mod "wazuh/wazuh" +# use dependencies defined in Modulefile +# modulefile + +# A module from the Puppet Forge +# mod 'puppetlabs-stdlib' + +# A module from git +# mod 'puppetlabs-ntp', +# :git => 'git://github.com/puppetlabs/puppetlabs-ntp.git' + +# A module from a git branch/tag +# mod 'puppetlabs-apt', +# :git => 'https://github.com/puppetlabs/puppetlabs-apt.git', +# :ref => '1.4.x' + +# A module from Github pre-packaged tarball +# mod 'puppetlabs-apache', '0.6.0', :github_tarball => 'puppetlabs/puppetlabs-apache' +``` + +Once `Puppetfile` is prepared, then we run need to get the requested module, by running: + + ``` + librarian-puppet install + ``` + + +**4. Kitchen Environment Configuration** + +In the file `kitchen.yml` we have to configure the machines were our tests will be running. This configuration includes information, such as : +* The virtualization tool `vagrant` or `docker`, +* The operating system image, +* Testing suites `testinfra` for example, etc ... 
+ +- An initial example of `kitchen.yml` would be: + +``` +vagrant@master:~/wazuh-puppet/kitchen$ cat kitchen.yml +--- +driver: + name: docker + +provisioner: + name: puppet_apply + manifests_path: manifests + modules_path: modules + hiera_data_path: hieradata + +platforms: + - name: ubuntu-manager_00 + run_options: --ip 10.1.0.19 + driver_config: + image: ubuntu:14.04 + platform: ubuntu + hostname: manager00_ubuntu + + - name: ubuntu-agent + driver_config: + image: ubuntu:14.04 + platform: ubuntu + hostname: agent00_ubuntu + +suites: + - name: default + manifest: site.pp + verifier: + name: shell + command: py.test -v test/base +``` + +**5. Put Kitchen in action** + +Once we have `kitchen.yml` prepared, then we can create the environment by running: + +``` +kitchen create +``` + +This way we will only have our machines created without installing the desired components to be tested. These components are represented by Wazuh stack components such as `wazuh-manager`, `wazuh-agent`, etc ... + +**5. Install the required components to be tested then** + +In `Puppet` case, to specify the `manifests` to be installed, we should configure the file 'manifests/site.pp', which by now it looks like: + +``` +node 'manager00_ubuntu' { + class { "wazuh::manager": + configure_wodle_openscap => false + } +} +node 'agent00_ubuntu' { + class { "wazuh::agent": + ossec_ip => "manager_ip", + configure_wodle_openscap => false + } +} +``` + +As you can see, we only want to install `wazuh-manager` and `wazuh-agent`. + + +**6. Kitchen Converging: Installing the packages to be tested** + +Once `site.pp` is prepared, we run: +``` +kitchen converge +``` + +**7. Testing** + +`Kitchen` offers a large variety of testing types, such as: +* Bats tests. +* Serverspec tests. +* Testinfra tests. +* + +In our case, we think that `testinfra` is the best choice based on old experience. 
so and in order to implemente `testinfra` tests, we should indicate the testing suite command in `kitchen.yml` as indicated before: +``` +suites: + - name: default + manifest: site.pp + verifier: + name: shell + command: py.test -v test/base +``` + +In the folder test/base, we put our tests. By now we implemented 2 tests, one for `wazuh-manager` and another one for `wazuh-agent`. Please check both here: +* [manager](https://github.com/wazuh/wazuh-puppet/blob/v3.9.5_7.2.1/kitchen/test/base/test_wazuh_manager.py) +* [agent](https://github.com/wazuh/wazuh-puppet/blob/v3.9.5_7.2.1/kitchen/test/base/test_wazuh_agent.py) + +Once we have our suite prepared, then we run: + +``` +kitchen verify +``` + +And in a successful testing attempt we can get something like: + +``` +-----> Starting Kitchen (v2.2.5) +-----> Verifying ... + [Shell] Verify on instance default-ubuntu-manager-00 ... + +============================= test session starts ============================== +platform linux -- Python 3.4.3, pytest-4.6.4, py-1.8.0, pluggy-0.12.0 -- /usr/bin/python3.4 +cachedir: .pytest_cache +rootdir: /home/vagrant/wazuh-puppet/kitchen +plugins: testinfra-3.0.5 +collecting ... 
collected 8 items
+
+test/base/test_wazuh_agent.py::test_wazuh_agent_package SKIPPED [ 12%]
+test/base/test_wazuh_agent.py::test_wazuh_processes_running[ossec-agentd-ossec] SKIPPED [ 25%]
+test/base/test_wazuh_agent.py::test_wazuh_processes_running[ossec-execd-root] SKIPPED [ 37%]
+test/base/test_wazuh_agent.py::test_wazuh_processes_running[ossec-syscheckd-root] SKIPPED [ 50%]
+test/base/test_wazuh_agent.py::test_wazuh_processes_running[wazuh-modulesd-root] SKIPPED [ 62%]
+test/base/test_wazuh_manager.py::test_wazuh_agent_package PASSED [ 75%]
+test/base/test_wazuh_manager.py::test_wazuh_packages_are_installed PASSED [ 87%]
+test/base/test_wazuh_manager.py::test_wazuh_services_are_running PASSED [100%]
+
+===================== 3 passed, 5 skipped in 1.18 seconds ======================
+ Finished verifying (0m2.16s).
+-----> Kitchen is finished. (0m4.51s)
+```
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/chefignore b/modules/utilities/unix/logging/wazuh/kitchen/chefignore
new file mode 100644
index 000000000..7be3c6dfa
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/chefignore
@@ -0,0 +1 @@
+.kitchen
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/clean.sh b/modules/utilities/unix/logging/wazuh/kitchen/clean.sh
new file mode 100644
index 000000000..14bb9311f
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/clean.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+echo "Deleting Old logs, old instances files, etc ..."
+rm -rf .kitchen/logs/* # removing old logs
+rm -rf .kitchen/def* # removing old .yml files associated for old kitchen instances
+rm -rf ./manifests/se* # removing all temporal manifests files.
+
+echo "Kitchen is destroying old instances ..."
+kitchen destroy all # destroying all existing kitchen instances
+
+echo "Docker is stopping and deleting old containers of they do exist"
+docker ps --filter name=kitchen -aq | xargs docker stop | xargs docker rm
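Review bot: `rm -rf ./manifests/se*` does not match `manifests/site.pp`, the only generated manifest visible in this commit (run.sh creates it with `cp ./manifests/site.pp.template ./manifests/site.pp`), so the comment "removing all temporal manifests files" describes something the glob does not do; `rm -f ./manifests/site.pp` states the intent and cannot reach the template. The script has no `set -e`/`set -u`, so a failing `kitchen destroy all` is silently followed by the docker clean-up, and `docker ps --filter name=kitchen -aq | xargs docker stop | xargs docker rm` runs `docker stop` with no arguments when no kitchen container exists; `xargs -r` on both stages (or a guard on the id list) avoids that. The same three `rm -rf` lines and the same docker pipeline are duplicated in run.sh, whose hunk is cut off on this page, so the fix applies there too.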
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/hieradata/common.yaml b/modules/utilities/unix/logging/wazuh/kitchen/hieradata/common.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/hieradata/roles/default.yaml b/modules/utilities/unix/logging/wazuh/kitchen/hieradata/roles/default.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/kitchen.yml b/modules/utilities/unix/logging/wazuh/kitchen/kitchen.yml
new file mode 100644
index 000000000..dc5dc8e68
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/kitchen.yml
@@ -0,0 +1,53 @@
+---
+driver:
+ name: docker
+ privileged: true
+ use_sudo: false
+ use_internal_docker_network: true
+
+provisioner:
+ name: puppet_apply
+ manifests_path: manifests
+ modules_path: modules
+ hiera_data_path: hieradata
+
+platforms:
+ - name: ubuntu-manager_00_kitchen
+ driver_config:
+ image: ubuntu:14.04
+ platform: ubuntu
+ hostname: manager00_ubuntu
+
+ - name: ubuntu-agent-kitchen
+ driver_config:
+ image: ubuntu:14.04
+ platform: ubuntu
+ hostname: agent00_ubuntu
+
+ - name: centos-manager_00_kitchen
+ driver_config:
+ image: centos:7
+ platform: centos
+ hostname: manager00_centos
+ run_command: /usr/sbin/init
+ dockerfile: test/Dockerfile
+ build_options:
+ rm: true
+
+ - name: centos-agent_kitchen
+ driver_config:
+ image: centos:7
+ platform: centos
+ hostname: agent00_centos
+ run_command: /usr/sbin/init
+ run_command: /usr/lib/systemd/systemd
+ dockerfile: test/Dockerfile
+ build_options:
+ rm: true
+
+suites:
+ - name: default
+ manifest: site.pp
+ verifier:
+ name: shell
+ command: py.test -v test/base
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/manifests/site.pp b/modules/utilities/unix/logging/wazuh/kitchen/manifests/site.pp
new file mode 100644
index 000000000..99a14aaa7
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/manifests/site.pp
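Review bot: The `centos-agent_kitchen` platform sets `run_command` twice (`/usr/sbin/init` then `/usr/lib/systemd/systemd`); a YAML mapping cannot hold duplicate keys, so a lenient parser silently keeps one of them (typically the last) and a strict one rejects the file, while the `centos-manager_00_kitchen` platform above has only `/usr/sbin/init`. Keep a single `run_command: /usr/sbin/init` on both CentOS platforms, or add a comment saying why the agent container needs a different init. `privileged: true` at driver level applies to every platform, including the two Ubuntu ones; it is presumably there for systemd inside the CentOS containers, and a comment stating that would stop a later reader from dropping it or from leaving it on platforms that do not need it.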
@@ -0,0 +1,24 @@
+node 'manager00_ubuntu' {
+ class { 'wazuh::manager':
+ configure_wodle_openscap => false
+ }
+}
+node 'agent00_ubuntu' {
+ class { 'wazuh::agent':
+ wazuh_register_endpoint => '10.1.0.9',
+ wazuh_reporting_endpoint => '10.1.0.9',
+ configure_wodle_openscap => false
+ }
+}
+node 'manager00_centos' {
+ class { 'wazuh::manager':
+ configure_wodle_openscap => true
+ }
+}
+node 'agent00_centos' {
+ class { 'wazuh::agent':
+ wazuh_register_endpoint => '10.1.0.11',
+ wazuh_reporting_endpoint => '10.1.0.11',
+ configure_wodle_openscap => true
+ }
+}
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/manifests/site.pp.template b/modules/utilities/unix/logging/wazuh/kitchen/manifests/site.pp.template
new file mode 100644
index 000000000..4f844ad0e
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/manifests/site.pp.template
@@ -0,0 +1,24 @@
+node 'manager00_ubuntu' {
+ class { "wazuh::manager":
+ configure_wodle_openscap => false
+ }
+}
+node 'agent00_ubuntu' {
+ class { "wazuh::agent":
+ wazuh_register_endpoint => "ubuntu_manager_ip",
+ wazuh_reporting_endpoint => "ubuntu_manager_ip",
+ configure_wodle_openscap => false
+ }
+}
+node 'manager00_centos' {
+ class { "wazuh::manager":
+ configure_wodle_openscap => true
+ }
+}
+node 'agent00_centos' {
+ class { "wazuh::agent":
+ wazuh_register_endpoint => "centos_manager_ip",
+ wazuh_reporting_endpoint => "centos_manager_ip",
+ configure_wodle_openscap => true
+ }
+}
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/run.sh b/modules/utilities/unix/logging/wazuh/kitchen/run.sh
new file mode 100644
index 000000000..53e003f7f
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/run.sh
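Review bot: `kitchen/manifests/site.pp` is the file run.sh regenerates by copying `site.pp.template` and substituting the manager IPs, so the committed copy with `10.1.0.9` and `10.1.0.11` is a build artifact that is overwritten on every run and will go stale; either leave it out of the commit or add `kitchen/manifests/site.pp` to the module's `.gitignore`. Nothing in the generated file tells a reader that the endpoints are produced rather than hand-chosen, so a header comment in the template that survives the copy, e.g. `# Generated by run.sh from site.pp.template - edit the template, not this file`, would prevent edits being lost. The placeholders `ubuntu_manager_ip` / `centos_manager_ip` are substituted as bare substrings by sed, so they must never appear elsewhere in the template.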
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Adding Wazuh module from Puppet forge.
+
+
+#LIBRARIAN_OUTPUT="$(librarian-puppet show)"
+#
+#if [[ $LIBRARIAN_OUTPUT == *"wazuh"* ]]; then
+# echo "Librarian-Puppet: Wazuh module already installed .. Continue"
+#else
+# echo "Installing Wazuh module"
+# librarian-puppet install
+#
+# sed -i "s/'Debian', 'debian'/&, 'Ubuntu', 'ubuntu'/" modules/wazuh/manifests/manager.pp
+# sed -i "s/'Debian', 'debian'/&, 'Ubuntu', 'ubuntu'/" modules/wazuh/manifests/agent.pp
+#fi
+
+mkdir -p modules/wazuh
+
+cp -r ../files ./modules/wazuh/
+cp -r ../templates/ ./modules/wazuh/
+cp -r ../manifests/ ./modules/wazuh/
+
+echo "Deleting Old logs, old instances files, etc ..."
+rm -rf .kitchen/logs/* # removing old logs
+rm -rf .kitchen/def* # removing old .yml files associated for old kitchen instances
+rm -rf ./manifests/se* # removing all temporal manifests files.
+
+echo "Kitchen is destroying old instances ..."
+kitchen destroy all # destroying all existing kitchen instances
+
+echo "Docker is stopping and deleting old containers of they do exist"
+docker ps --filter name=kitchen -aq | xargs docker stop | xargs docker rm
+
+echo "Kitchen is creating the new instances"
+kitchen create # creating new kitchen instances
+
+echo "Getting Wazuh managers IPs to the agents"
+ubuntu_manager_ip="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' `docker ps | awk '{print $NF}' | grep ubuntu | grep manager`)"
+centos_manager_ip="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' `docker ps | awk '{print $NF}' | grep centos | grep manager`)"
+
+echo "getting a copy of ./manifests/site.pp.template"
+cp ./manifests/site.pp.template ./manifests/site.pp
+
+echo "Assigning Wazuh managers IPs to the corresponding agents."
+sed -i 's/ubuntu_manager_ip/'${ubuntu_manager_ip}'/g' ./manifests/site.pp
+sed -i 's/centos_manager_ip/'${centos_manager_ip}'/g' ./manifests/site.pp
+
+echo "Kitchen is converging ..."
+kitchen converge
+
+echo "Kitchen is testing ..."
+kitchen verify
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/Dockerfile.template b/modules/utilities/unix/logging/wazuh/kitchen/test/Dockerfile.template
new file mode 100644
index 000000000..48977c873
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/Dockerfile.template
@@ -0,0 +1,20 @@
+FROM centos:7
+ENV container docker
+RUN yum clean all
+RUN yum install -y sudo openssh-server openssh-clients which curl
+RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
+RUN if ! getent passwd kitchen; then useradd -d /home/kitchen -m -s /bin/bash -p '*' kitchen; fi
+RUN echo "kitchen ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+RUN echo "Defaults !requiretty" >> /etc/sudoers
+RUN mkdir -p /home/kitchen/.ssh
+RUN chown -R kitchen /home/kitchen/.ssh
+RUN chmod 0700 /home/kitchen/.ssh
+RUN touch /home/kitchen/.ssh/authorized_keys
+RUN chown kitchen /home/kitchen/.ssh/authorized_keys
+RUN chmod 0600 /home/kitchen/.ssh/authorized_keys
+RUN mkdir -p /run/sshd
+RUN echo YOUR_PUBLIC_KEY >> /home/kitchen/.ssh/authorized_keys
+EXPOSE 1515/tcp
+EXPOSE 1515/udp
+RUN yum install -y openssl
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/base/test_wazuh_agent.py b/modules/utilities/unix/logging/wazuh/kitchen/test/base/test_wazuh_agent.py
new file mode 100644
index 000000000..6fcecb6f7
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/base/test_wazuh_agent.py
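Review bot: The two `sed -i 's/ubuntu_manager_ip/'${ubuntu_manager_ip}'/g' ./manifests/site.pp` lines substitute whatever `docker inspect` returned without checking it, so when the `docker ps | awk | grep ubuntu | grep manager` pipeline matches no container (or more than one) the endpoint in site.pp silently becomes empty or a multi-line value and the agents converge against a bogus manager address. Guard each value before use, e.g. `[ -n "$ubuntu_manager_ip" ] || { echo "no ubuntu manager container found" >&2; exit 1; }`, quote the expansion inside the sed expression, and add `set -euo pipefail` at the top so a failed `kitchen create` stops the run. The script also never materialises `test/Dockerfile` from `test/Dockerfile.template`, which kitchen.yml references for both centos platforms, so that step presumably happens elsewhere; a comment saying where would help the next reader.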
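Review bot: `RUN echo YOUR_PUBLIC_KEY >> /home/kitchen/.ssh/authorized_keys` appends the literal placeholder when the template is built without substitution, so the image builds cleanly but key login for the `kitchen` user fails later with an unhelpful SSH error. A leading comment naming the substitution, `# YOUR_PUBLIC_KEY is replaced with the kitchen SSH public key before this file is built`, plus a build-time check such as `RUN ! grep -q YOUR_PUBLIC_KEY /home/kitchen/.ssh/authorized_keys`, would surface a missed substitution at build time. The trailing `RUN yum install -y openssl` can be folded into the earlier `yum install` line to avoid an extra layer, and the DSA host key line generates a key type that current OpenSSH no longer accepts, so it is dead weight unless the test client needs it.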
@@ -0,0 +1,28 @@
+import functools
+import os
+import pytest
+import testinfra
+
+test_host = testinfra.get_host('paramiko://{KITCHEN_USERNAME}@{KITCHEN_HOSTNAME}:{KITCHEN_PORT}'.format(**os.environ), ssh_identity_file=os.environ.get('KITCHEN_SSH_KEY'))
+
+@pytest.mark.filterwarnings('ignore')
+@pytest.mark.skipif('manager' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
+def test_wazuh_agent_package(host):
+ name = "wazuh-agent"
+ version = "3.10.2"
+ pkg = host.package(name)
+ assert pkg.is_installed
+ assert pkg.version.startswith(version)
+
+
+@pytest.mark.filterwarnings('ignore')
+@pytest.mark.skipif('manager' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
+@pytest.mark.parametrize("wazuh_service, wazuh_owner", (
+ ("ossec-agentd", "ossec"),
+ ("ossec-execd", "root"),
+ ("ossec-syscheckd", "root"),
+ ("wazuh-modulesd", "root"),
+))
+def test_wazuh_processes_running(host, wazuh_service, wazuh_owner):
+ master = host.process.get(user=wazuh_owner, comm=wazuh_service)
+ assert master.args == "/var/ossec/bin/" + wazuh_service
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/base/test_wazuh_manager.py b/modules/utilities/unix/logging/wazuh/kitchen/test/base/test_wazuh_manager.py
new file mode 100644
index 000000000..6c2ed4015
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/base/test_wazuh_manager.py
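Review bot: `'manager' in os.environ.get('KITCHEN_INSTANCE')` in both `skipif` decorators raises `TypeError` at collection time when `KITCHEN_INSTANCE` is unset, because `get` returns `None`; use `os.environ.get('KITCHEN_INSTANCE', '')` so an unset variable simply means "do not skip". The same expression is repeated in `test_wazuh_manager.py` and should be fixed there too. The module-level `test_host = testinfra.get_host(...)` is never referenced in this file (every test takes the `host` fixture from `conftest.py`) and `functools` is unused, so both can be dropped and the SSH target is defined in one place only.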
@@ -0,0 +1,59 @@
+import functools
+import os
+import pytest
+import testinfra
+
+test_host = testinfra.get_host('paramiko://{KITCHEN_USERNAME}@{KITCHEN_HOSTNAME}:{KITCHEN_PORT}'.format(**os.environ), ssh_identity_file=os.environ.get('KITCHEN_SSH_KEY'))
+
+@pytest.mark.filterwarnings('ignore')
+@pytest.mark.skipif('agent' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
+def test_wazuh_agent_package(host):
+ name = "wazuh-manager"
+ version = "3.10.2"
+ pkg = host.package(name)
+ assert pkg.is_installed
+ assert pkg.version.startswith(version)
+
+@pytest.mark.filterwarnings('ignore')
+@pytest.mark.skipif('agent' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
+def get_wazuh_version():
+ """This return the version of Wazuh."""
+ return "3.10.2"
+
+@pytest.mark.filterwarnings('ignore')
+@pytest.mark.skipif('agent' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
+def test_wazuh_packages_are_installed(host):
+ """Test if the main packages are installed."""
+ manager = host.package("wazuh-manager")
+ #api = host.package("wazuh-api")
+
+ distribution = host.system_info.distribution.lower()
+ if distribution == 'centos':
+ if host.system_info.release == "7":
+ assert manager.is_installed
+ assert manager.version.startswith(get_wazuh_version())
+ #assert api.is_installed
+ #assert api.version.startswith(get_wazuh_version())
+ elif host.system_info.release.startswith("6"):
+ assert manager.is_installed
+ assert manager.version.startswith(get_wazuh_version())
+ elif distribution == 'ubuntu':
+ assert manager.is_installed
+ assert manager.version.startswith(get_wazuh_version())
+
+
+@pytest.mark.skipif('agent' in os.environ.get('KITCHEN_INSTANCE'), reason='Skip on wazuh manager instances')
+def test_wazuh_services_are_running(host):
+ """Test if the services are enabled and running.
+ When assert commands are commented, this means that the service command has
+ a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
+ """
+ manager = host.service("wazuh-manager")
+
+ distribution = host.system_info.distribution.lower()
+ if distribution == 'centos':
+ # assert manager.is_running
+ assert manager.is_enabled
+ elif distribution == 'ubuntu':
+ # assert manager.is_running
+ assert manager.is_enabled
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/bin/python b/modules/utilities/unix/logging/wazuh/kitchen/test/bin/python
new file mode 100644
index 000000000..b8a0adbbb
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/bin/python
@@ -0,0 +1 @@
+python3
\ No newline at end of file
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/bin/python3 b/modules/utilities/unix/logging/wazuh/kitchen/test/bin/python3
new file mode 100644
index 000000000..ae65fdaa1
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/bin/python3
@@ -0,0 +1 @@
+/usr/bin/python3
\ No newline at end of file
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/conftest.py b/modules/utilities/unix/logging/wazuh/kitchen/test/conftest.py
new file mode 100644
index 000000000..036a50d51
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/conftest.py
@@ -0,0 +1,10 @@
+import functools
+import os
+import pytest
+import testinfra
+
+test_host = testinfra.get_host('paramiko://{KITCHEN_USERNAME}@{KITCHEN_HOSTNAME}:{KITCHEN_PORT}'.format(**os.environ), ssh_identity_file=os.environ.get('KITCHEN_SSH_KEY'))
+
+@pytest.fixture
+def host():
+ return test_host
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/conftest.py.old b/modules/utilities/unix/logging/wazuh/kitchen/test/conftest.py.old
new file mode 100644
index 000000000..036a50d51
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/conftest.py.old
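Review bot: Every `skipif` in this file tests for `'agent'` in `KITCHEN_INSTANCE` yet carries `reason='Skip on wazuh manager instances'`, the opposite of what the condition does, which misleads anyone reading the skip summary; it should read `reason='Skip on wazuh agent instances'`. `get_wazuh_version` is a plain helper but is decorated with `pytest.mark.skipif` and `pytest.mark.filterwarnings`; the marks do nothing on a non-test function and should be removed. The version `"3.10.2"` is hard-coded inline in `test_wazuh_agent_package` as well as in the helper, so that test should call `get_wazuh_version()` like the others to keep a single source for the expected version.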
@@ -0,0 +1,10 @@
+import functools
+import os
+import pytest
+import testinfra
+
+test_host = testinfra.get_host('paramiko://{KITCHEN_USERNAME}@{KITCHEN_HOSTNAME}:{KITCHEN_PORT}'.format(**os.environ), ssh_identity_file=os.environ.get('KITCHEN_SSH_KEY'))
+
+@pytest.fixture
+def host():
+ return test_host
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/integration/default/bats/verify_installed.bats b/modules/utilities/unix/logging/wazuh/kitchen/test/integration/default/bats/verify_installed.bats
new file mode 100644
index 000000000..3316de582
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/integration/default/bats/verify_installed.bats
@@ -0,0 +1,3 @@
+@test 'wazuh is up and running' {
+ pgrep wazuh
+}
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/integration/default/serverspec/wazuh_spec.rb b/modules/utilities/unix/logging/wazuh/kitchen/test/integration/default/serverspec/wazuh_spec.rb
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/integration/test_wazuh.py b/modules/utilities/unix/logging/wazuh/kitchen/test/integration/test_wazuh.py
new file mode 100644
index 000000000..cc512d6a3
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/integration/test_wazuh.py
@@ -0,0 +1,4 @@
+def test_wazuh_manager_service_running(host):
+ service = host.service('wazuh-manager')
+ assert service.is_running
+ assert service.is_enabled
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/lib64 b/modules/utilities/unix/logging/wazuh/kitchen/test/lib64
new file mode 100644
index 000000000..7951405f8
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/lib64
@@ -0,0 +1 @@
+lib
\ No newline at end of file
diff --git a/modules/utilities/unix/logging/wazuh/kitchen/test/pyvenv.cfg b/modules/utilities/unix/logging/wazuh/kitchen/test/pyvenv.cfg
new file mode 100644
index 000000000..842bbc1c5
--- /dev/null
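Review bot: `conftest.py.old` is a byte-for-byte copy of `conftest.py` (both hunks record the same blob `036a50d51`) and pytest ignores the `.old` suffix, so it is dead weight that will drift from the live file; it should be dropped rather than committed. The `test/bin/python`, `test/bin/python3`, `test/lib64` and `test/pyvenv.cfg` entries around it are virtualenv artifacts with a machine-specific interpreter path (`home = /usr/bin`, `version = 3.4.3`), and belong in `.gitignore` the way `kitchen/venv` already is. The `test/integration/test_wazuh.py` hunk is the only place that asserts `service.is_running`, while `test_wazuh_manager.py` comments that assertion out with a linked issue; a note on which of the two is authoritative would avoid a flaky or contradictory verify.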
+++ b/modules/utilities/unix/logging/wazuh/kitchen/test/pyvenv.cfg @@ -0,0 +1,3 @@ +home = /usr/bin +include-system-site-packages = false +version = 3.4.3 diff --git a/modules/utilities/unix/logging/wazuh/manifests/activeresponse.pp b/modules/utilities/unix/logging/wazuh/manifests/activeresponse.pp index 3e56ca0c7..212cc9da2 100644 --- a/modules/utilities/unix/logging/wazuh/manifests/activeresponse.pp +++ b/modules/utilities/unix/logging/wazuh/manifests/activeresponse.pp @@ -1,4 +1,4 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) #Define for a specific ossec active-response define wazuh::activeresponse( $command_name, @@ -10,7 +10,7 @@ define wazuh::activeresponse( $ar_repeated_offenders = '', ) { - require wazuh::params + require wazuh::params_manager concat::fragment { $name: target => 'ossec.conf', diff --git a/modules/utilities/unix/logging/wazuh/manifests/addlog.pp b/modules/utilities/unix/logging/wazuh/manifests/addlog.pp index c242c8355..b7f51e1ec 100644 --- a/modules/utilities/unix/logging/wazuh/manifests/addlog.pp +++ b/modules/utilities/unix/logging/wazuh/manifests/addlog.pp @@ -1,18 +1,18 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) #Define a log-file to add to ossec define wazuh::addlog( $logfile = undef, $logtype = 'syslog', - $logcommand = undef, + $logcommand = undef, $commandalias = undef, $frequency = undef, ) { - require wazuh::params + require wazuh::params_manager concat::fragment { "ossec.conf_localfile-${logfile}": target => 'ossec.conf', - content => template('wazuh/fragments/_localfile.erb'), - order => 20, + content => template('wazuh/fragments/_localfile_generation.erb'), + order => 21, } -} \ No newline at end of file +} 
diff --git a/modules/utilities/unix/logging/wazuh/manifests/agent.pp b/modules/utilities/unix/logging/wazuh/manifests/agent.pp
new file mode 100644
index 000000000..adfae58d6
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/manifests/agent.pp
@@ -0,0 +1,481 @@ +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Setup for ossec client +class wazuh::agent( + + # Versioning and package names + + $agent_package_version = $wazuh::params_agent::agent_package_version, + $agent_package_name = $wazuh::params_agent::agent_package_name, + $agent_service_name = $wazuh::params_agent::agent_service_name, + + # Manage repository + + $manage_repo = $wazuh::params_agent::manage_repo, + + # Authd registration options + $manage_client_keys = $wazuh::params_agent::manage_client_keys, + $agent_name = $wazuh::params_agent::agent_name, + $agent_group = $wazuh::params_agent::agent_group, + $wazuh_agent_cert = $wazuh::params_agent::wazuh_agent_cert, + $wazuh_agent_key = $wazuh::params_agent::wazuh_agent_key, + $wazuh_agent_cert_path = $wazuh::params_agent::wazuh_agent_cert_path, + $wazuh_agent_key_path = $wazuh::params_agent::wazuh_agent_key_path, + $agent_auth_password = $wazuh::params_agent::agent_auth_password, + $wazuh_manager_root_ca_pem = $wazuh::params_agent::wazuh_manager_root_ca_pem, + $wazuh_manager_root_ca_pem_path = $wazuh::params_agent::wazuh_manager_root_ca_pem_path, + + ## ossec.conf generation parameters + # Generation variables + $configure_rootcheck = $wazuh::params_agent::configure_rootcheck, + $configure_wodle_openscap = $wazuh::params_agent::configure_wodle_openscap, + $configure_wodle_cis_cat = $wazuh::params_agent::configure_wodle_cis_cat, + $configure_wodle_osquery = $wazuh::params_agent::configure_wodle_osquery, + $configure_wodle_syscollector = $wazuh::params_agent::configure_wodle_syscollector, + $configure_sca = $wazuh::params_agent::configure_sca, + $configure_syscheck = $wazuh::params_agent::configure_syscheck, + $configure_localfile = $wazuh::params_agent::configure_localfile, + $configure_active_response = $wazuh::params_agent::configure_active_response, + + # Templates paths + $ossec_conf_template = $wazuh::params_agent::ossec_conf_template, + $ossec_rootcheck_template = 
$wazuh::params_agent::ossec_rootcheck_template, + $ossec_wodle_openscap_template = $wazuh::params_agent::ossec_wodle_openscap_template, + $ossec_wodle_cis_cat_template = $wazuh::params_agent::ossec_wodle_cis_cat_template, + $ossec_wodle_osquery_template = $wazuh::params_agent::ossec_wodle_osquery_template, + $ossec_wodle_syscollector_template = $wazuh::params_agent::ossec_wodle_syscollector_template, + $ossec_sca_template = $wazuh::params_agent::ossec_sca_template, + $ossec_syscheck_template = $wazuh::params_agent::ossec_syscheck_template, + $ossec_localfile_template = $wazuh::params_agent::ossec_localfile_template, + $ossec_ruleset = $wazuh::params_agent::ossec_ruleset, + $ossec_auth = $wazuh::params_agent::ossec_auth, + $ossec_cluster = $wazuh::params_agent::ossec_cluster, + $ossec_active_response_template = $wazuh::params_agent::ossec_active_response_template, + + # Server configuration + + $wazuh_register_endpoint = $wazuh::params_agent::wazuh_register_endpoint, + $wazuh_reporting_endpoint = $wazuh::params_agent::wazuh_reporting_endpoint, + $ossec_port = $wazuh::params_agent::ossec_port, + $ossec_protocol = $wazuh::params_agent::ossec_protocol, + $ossec_notify_time = $wazuh::params_agent::ossec_notify_time, + $ossec_time_reconnect = $wazuh::params_agent::ossec_time_reconnect, + $ossec_auto_restart = $wazuh::params_agent::ossec_auto_restart, + $ossec_crypto_method = $wazuh::params_agent::ossec_crypto_method, + $client_buffer_queue_size = $wazuh::params_agent::client_buffer_queue_size, + $client_buffer_events_per_second = $wazuh::params_agent::client_buffer_events_per_second, + + # Rootcheck + $ossec_rootcheck_disabled = $wazuh::params_agent::ossec_rootcheck_disabled, + $ossec_rootcheck_check_files = $wazuh::params_agent::ossec_rootcheck_check_files, + $ossec_rootcheck_check_trojans = $wazuh::params_agent::ossec_rootcheck_check_trojans, + $ossec_rootcheck_check_dev = $wazuh::params_agent::ossec_rootcheck_check_dev, + $ossec_rootcheck_check_sys = 
$wazuh::params_agent::ossec_rootcheck_check_sys, + $ossec_rootcheck_check_pids = $wazuh::params_agent::ossec_rootcheck_check_pids, + $ossec_rootcheck_check_ports = $wazuh::params_agent::ossec_rootcheck_check_ports, + $ossec_rootcheck_check_if = $wazuh::params_agent::ossec_rootcheck_check_if, + $ossec_rootcheck_frequency = $wazuh::params_agent::ossec_rootcheck_frequency, + $ossec_rootcheck_rootkit_files = $wazuh::params_agent::ossec_rootcheck_rootkit_files, + $ossec_rootcheck_rootkit_trojans = $wazuh::params_agent::ossec_rootcheck_rootkit_trojans, + $ossec_rootcheck_skip_nfs = $wazuh::params_agent::ossec_rootcheck_skip_nfs, + + ## Wodles + + # Openscap + $wodle_openscap_disabled = $wazuh::params_agent::wodle_openscap_disabled, + $wodle_openscap_timeout = $wazuh::params_agent::wodle_openscap_timeout, + $wodle_openscap_interval = $wazuh::params_agent::wodle_openscap_interval, + $wodle_openscap_scan_on_start = $wazuh::params_agent::wodle_openscap_scan_on_start, + + # Ciscat + $wodle_ciscat_disabled = $wazuh::params_agent::wodle_ciscat_disabled, + $wodle_ciscat_timeout = $wazuh::params_agent::wodle_ciscat_timeout, + $wodle_ciscat_interval = $wazuh::params_agent::wodle_ciscat_interval, + $wodle_ciscat_scan_on_start = $wazuh::params_agent::wodle_ciscat_scan_on_start, + $wodle_ciscat_java_path = $wazuh::params_agent::wodle_ciscat_java_path, + $wodle_ciscat_ciscat_path = $wazuh::params_agent::wodle_ciscat_ciscat_path, + + #Osquery + + $wodle_osquery_disabled = $wazuh::params_agent::wodle_osquery_disabled, + $wodle_osquery_run_daemon = $wazuh::params_agent::wodle_osquery_run_daemon, + $wodle_osquery_log_path = $wazuh::params_agent::wodle_osquery_log_path, + $wodle_osquery_config_path = $wazuh::params_agent::wodle_osquery_config_path, + $wodle_osquery_add_labels = $wazuh::params_agent::wodle_osquery_add_labels, + + # Syscollector + + $wodle_syscollector_disabled = $wazuh::params_agent::wodle_syscollector_disabled, + $wodle_syscollector_interval = 
$wazuh::params_agent::wodle_syscollector_interval, + $wodle_syscollector_scan_on_start = $wazuh::params_agent::wodle_syscollector_scan_on_start, + $wodle_syscollector_hardware = $wazuh::params_agent::wodle_syscollector_hardware, + $wodle_syscollector_os = $wazuh::params_agent::wodle_syscollector_os, + $wodle_syscollector_network = $wazuh::params_agent::wodle_syscollector_network, + $wodle_syscollector_packages = $wazuh::params_agent::wodle_syscollector_packages, + $wodle_syscollector_ports = $wazuh::params_agent::wodle_syscollector_ports, + $wodle_syscollector_processes = $wazuh::params_agent::wodle_syscollector_processes, + + # Localfile + $ossec_local_files = $wazuh::params_agent::default_local_files, + + # Syscheck + $ossec_syscheck_disabled = $wazuh::params_agent::ossec_syscheck_disabled, + $ossec_syscheck_frequency = $wazuh::params_agent::ossec_syscheck_frequency, + $ossec_syscheck_scan_on_start = $wazuh::params_agent::ossec_syscheck_scan_on_start, + $ossec_syscheck_alert_new_files = $wazuh::params_agent::ossec_syscheck_alert_new_files, + $ossec_syscheck_auto_ignore = $wazuh::params_agent::ossec_syscheck_auto_ignore, + $ossec_syscheck_directories_1 = $wazuh::params_agent::ossec_syscheck_directories_1, + $ossec_syscheck_directories_2 = $wazuh::params_agent::ossec_syscheck_directories_2, + $ossec_syscheck_ignore_list = $wazuh::params_agent::ossec_syscheck_ignore_list, + $ossec_syscheck_ignore_type_1 = $wazuh::params_agent::ossec_syscheck_ignore_type_1, + $ossec_syscheck_ignore_type_2 = $wazuh::params_agent::ossec_syscheck_ignore_type_2, + $ossec_syscheck_nodiff = $wazuh::params_agent::ossec_syscheck_nodiff, + $ossec_syscheck_skip_nfs = $wazuh::params_agent::ossec_syscheck_skip_nfs, + + ## Selinux + + $selinux = $wazuh::params_agent::selinux, + $manage_firewall = $wazuh::params_agent::manage_firewall, + + ## Windows + + $download_path = $wazuh::params_agent::download_path, + + +) inherits wazuh::params_agent { + # validate_bool( + # $ossec_active_response, 
$ossec_rootcheck, + # $selinux, $manage_repo, + # ) + # This allows arrays of integers, sadly + # (commented due to stdlib version requirement) + validate_string($agent_package_name) + validate_string($agent_service_name) + + if (($manage_client_keys == 'yes')){ + if ( ( $wazuh_register_endpoint == undef ) ) { + fail('The $wazuh_register_endpoint parameter is needed in order to register the Agent.') + } + } + + case $::kernel { + 'Linux' : { + if $manage_repo { + class { 'wazuh::repo':} + if $::osfamily == 'Debian' { + Class['wazuh::repo'] -> Class['apt::update'] -> Package[$agent_package_name] + } else { + Class['wazuh::repo'] -> Package[$agent_package_name] + } + } + package { $agent_package_name: + ensure => $agent_package_version, # lint:ignore:security_package_pinned_version + } + } + 'windows' : { + + file { 'wazuh-agent': + path => "${download_path}wazuh-agent-${agent_package_version}.msi", + owner => 'Administrator', + group => 'Administrators', + mode => '0774', + source => "http://packages.wazuh.com/3.x/windows/wazuh-agent-${agent_package_version}.msi", + source_permissions => ignore + } + + if ( $manage_client_keys == 'yes' ) { + package { $agent_package_name: + ensure => $agent_package_version, # lint:ignore:security_package_pinned_version + provider => 'windows', + source => "${download_path}/wazuh-agent-${agent_package_version}.msi", + install_options => [ '/q', "ADDRESS=${wazuh_register_endpoint}", "AUTHD_SERVER=${wazuh_register_endpoint}" ], + require => File["${download_path}wazuh-agent-${agent_package_version}.msi"], + } + } + else { + package { $agent_package_name: + ensure => $agent_package_version, # lint:ignore:security_package_pinned_version + provider => 'windows', + source => "${download_path}wazuh-agent-${agent_package_version}.msi", + install_options => [ '/q' ], # silent installation + require => File["${download_path}wazuh-agent-${agent_package_version}.msi"], + } + } + } + default: { fail('OS not supported') } + } + + ## ossec.conf 
generation concats + + case $::operatingsystem{ + 'Redhat', 'redhat':{ + $apply_template_os = 'rhel' + if ( $::operatingsystemrelease =~ /^7.*/ ){ + $rhel_version = '7' + }elsif ( $::operatingsystemrelease =~ /^6.*/ ){ + $rhel_version = '6' + }elsif ( $::operatingsystemrelease =~ /^5.*/ ){ + $rhel_version = '5' + }else{ + fail('This ossec module has not been tested on your distribution') + } + }'Debian', 'debian', 'Ubuntu', 'ubuntu':{ + $apply_template_os = 'debian' + if ( $::lsbdistcodename == 'wheezy') or ($::lsbdistcodename == 'jessie'){ + $debian_additional_templates = 'yes' + } + }'Amazon':{ + $apply_template_os = 'amazon' + }'CentOS','Centos','centos':{ + $apply_template_os = 'centos' + } + default: { fail('This ossec module has not been tested on your distribution') } + } + + concat { 'ossec.conf': + path => $wazuh::params_agent::config_file, + owner => $wazuh::params_agent::config_owner, + group => $wazuh::params_agent::config_group, + mode => $wazuh::params_agent::config_mode, + require => Package[$agent_package_name], + } + + concat::fragment { + default: + target => 'ossec.conf'; + 'ossec.conf_header': + order => 00, + before => Service[$agent_service_name], + content => "\n"; + 'ossec.conf_agent': + order => 10, + before => Service[$agent_service_name], + content => template($ossec_conf_template); + } + if ($configure_rootcheck == true){ + concat::fragment { + 'ossec.conf_rootcheck': + target => 'ossec.conf', + order => 15, + before => Service[$agent_service_name], + content => template($ossec_rootcheck_template); + } + } + if ($configure_wodle_openscap == true){ + concat::fragment { + 'ossec.conf_openscap': + target => 'ossec.conf', + order => 16, + before => Service[$agent_service_name], + content => template($ossec_wodle_openscap_template); + } + } + if ($configure_wodle_cis_cat == true){ + concat::fragment { + 'ossec.conf_cis_cat': + target => 'ossec.conf', + order => 17, + before => Service[$agent_service_name], + content => 
template($ossec_wodle_cis_cat_template); + } + } + if ($configure_wodle_osquery == true){ + concat::fragment { + 'ossec.conf_osquery': + target => 'ossec.conf', + order => 18, + before => Service[$agent_service_name], + content => template($ossec_wodle_osquery_template); + } + } + if ($configure_wodle_syscollector == true){ + concat::fragment { + 'ossec.conf_syscollector': + target => 'ossec.conf', + order => 19, + before => Service[$agent_service_name], + content => template($ossec_wodle_syscollector_template); + } + } + if ($configure_sca == true){ + concat::fragment { + 'ossec.conf_sca': + target => 'ossec.conf', + order => 25, + before => Service[$agent_service_name], + content => template($ossec_sca_template); + } + } + if ($configure_syscheck == true){ + concat::fragment { + 'ossec.conf_syscheck': + target => 'ossec.conf', + order => 30, + before => Service[$agent_service_name], + content => template($ossec_syscheck_template); + } + } + if ($configure_localfile == true){ + concat::fragment { + 'ossec.conf_localfile': + target => 'ossec.conf', + order => 35, + before => Service[$agent_service_name], + content => template($ossec_localfile_template); + } + } + if ($configure_active_response == true){ + concat::fragment { + 'ossec.conf_active_response': + target => 'ossec.conf', + order => 40, + before => Service[$agent_service_name], + content => template($ossec_active_response_template); + } + } + concat::fragment { + 'ossec.conf_footer': + target => 'ossec.conf', + order => 99, + before => Service[$agent_service_name], + content => ''; + } + + if ($manage_client_keys == 'yes'){ + + if ($::kernel == 'Linux') { + # Is this really Linux only? 
+ + file { $::wazuh::params_agent::keys_file: + owner => $wazuh::params_agent::keys_owner, + group => $wazuh::params_agent::keys_group, + mode => $wazuh::params_agent::keys_mode, + } + + # https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-manager-via-ssl + + $agent_auth_base_command = "/var/ossec/bin/agent-auth -m ${wazuh_register_endpoint}" + + if $wazuh_manager_root_ca_pem != undef { + validate_string($wazuh_manager_root_ca_pem) + file { '/var/ossec/etc/rootCA.pem': + owner => $wazuh::params::keys_owner, + group => $wazuh::params::keys_group, + mode => $wazuh::params::keys_mode, + content => $wazuh_manager_root_ca_pem, + require => Package[$agent_package_name], + } + $agent_auth_option_manager = '-v /var/ossec/etc/rootCA.pem' + }elsif $wazuh_manager_root_ca_pem_path != undef { + validate_string($wazuh_manager_root_ca_pem) + $agent_auth_option_manager = "-v ${wazuh_manager_root_ca_pem_path}" + } else { + $agent_auth_option_manager = '' # Avoid errors when compounding final command + } + + if $agent_name != undef { + validate_string($agent_name) + $agent_auth_option_name = "-A \"${agent_name}\"" + }else{ + $agent_auth_option_name = '' + } + + if $agent_group != undef { + validate_string($agent_group) + $agent_auth_option_group = "-G \"${agent_group}\"" + }else{ + $agent_auth_option_group = '' + } + + # https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-agents-via-ssl + if ($wazuh_agent_cert != undef) and ($wazuh_agent_key != undef) { + validate_string($wazuh_agent_cert) + validate_string($wazuh_agent_key) + file { '/var/ossec/etc/sslagent.cert': + owner => $wazuh::params_agent::keys_owner, + group => $wazuh::params_agent::keys_group, + mode => $wazuh::params_agent::keys_mode, + content => $wazuh_agent_cert, + require => Package[$agent_package_name], + } + file { '/var/ossec/etc/sslagent.key': + owner => $wazuh::params_agent::keys_owner, + group => 
$wazuh::params_agent::keys_group, + mode => $wazuh::params_agent::keys_mode, + content => $wazuh_agent_key, + require => Package[$agent_package_name], + } + + $agent_auth_option_agent = '-x /var/ossec/etc/sslagent.cert -k /var/ossec/etc/sslagent.key' + } + + if ($wazuh_agent_cert_path != undef) and ($wazuh_agent_key_path != undef) { + validate_string($wazuh_agent_cert_path) + validate_string($wazuh_agent_key_path) + $agent_auth_option_agent = "-x ${wazuh_agent_cert_path} -k ${wazuh_agent_key_path}" + } + + $agent_auth_command = "${agent_auth_base_command} ${agent_auth_option_manager} ${agent_auth_option_name}\ + ${agent_auth_option_group} ${agent_auth_option_agent}" + + if $agent_auth_password { + exec { 'agent-auth-with-pwd': + command => "${agent_auth_command} -P '${agent_auth_password}'", + unless => "/bin/egrep -q '.' ${::wazuh::params_agent::keys_file}", + require => Concat['ossec.conf'], + before => Service[$agent_service_name], + } + } else { + exec { 'agent-auth-without-pwd': + command => $agent_auth_command, + unless => "/bin/egrep -q '.' 
${::wazuh::params_agent::keys_file}", + require => Concat['ossec.conf'], + before => Service[$agent_service_name], + } + } + if $wazuh_reporting_endpoint != undef { + service { $agent_service_name: + ensure => running, + enable => true, + hasstatus => $wazuh::params_agent::service_has_status, + pattern => $wazuh::params_agent::agent_service_name, + provider => $wazuh::params_agent::ossec_service_provider, + require => Package[$agent_package_name], + } + } + } + } + + if ( ( $manage_client_keys != 'yes') or ( $wazuh_reporting_endpoint == undef ) ){ + service { $agent_service_name: + ensure => stopped, + enable => false, + hasstatus => $wazuh::params_agent::service_has_status, + pattern => $agent_service_name, + provider => $wazuh::params_agent::ossec_service_provider, + require => Package[$agent_package_name], + } + } + + # SELinux + # Requires selinux module specified in metadata.json + if ($::osfamily == 'RedHat' and $selinux == true) { + selinux::module { 'ossec-logrotate': + ensure => 'present', + source_te => 'puppet:///modules/wazuh/ossec-logrotate.te', + } + } + # Manage firewall + if $manage_firewall { + include firewall + firewall { '1514 wazuh-agent': + dport => $ossec_port, + proto => $ossec_protocol, + action => 'accept', + state => [ + 'NEW', + 'RELATED', + 'ESTABLISHED'], + } + } +} + diff --git a/modules/utilities/unix/logging/wazuh/manifests/agentkey.pp b/modules/utilities/unix/logging/wazuh/manifests/agentkey.pp deleted file mode 100644 index 7c72ccca6..000000000 --- a/modules/utilities/unix/logging/wazuh/manifests/agentkey.pp +++ /dev/null 
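Review bot: The Windows branch fetches the installer with `source => "http://packages.wazuh.com/3.x/windows/wazuh-agent-${agent_package_version}.msi"` over plain HTTP and with no integrity check, so whatever is served on that path is installed and run as the agent; switch the URL to `https://` and pin the download with `checksum => 'sha256'` and `checksum_value => '<EXPECTED_SHA256>'` (placeholder, one value per supported version) on the `file { 'wazuh-agent': ... }` resource. In the `elsif $wazuh_manager_root_ca_pem_path != undef` branch the call is `validate_string($wazuh_manager_root_ca_pem)` instead of `validate_string($wazuh_manager_root_ca_pem_path)`, so the path parameter is never validated, and the adjacent `file { '/var/ossec/etc/rootCA.pem': ... }` still reads `$wazuh::params::keys_owner` / `keys_group` / `keys_mode` while every other resource in the class uses `wazuh::params_agent`, which will fail to compile if `wazuh::params` is being retired as the deleted `client.pp` and `agentkey.pp` suggest. `exec { 'agent-auth-with-pwd': command => "${agent_auth_command} -P '${agent_auth_password}'" }` puts the registration password on the command line, where it shows up in the process table and in Puppet's report and error output for the exec; managing it as `/var/ossec/etc/authd.pass` with a `file` resource (mode 0640, owned like the keys file) and letting `agent-auth` read it from there, which it does when that file exists, keeps it out of both. The `$agent_auth_option_agent` variable is only assigned inside the two certificate branches yet is interpolated unconditionally into `$agent_auth_command`, so under `strict_variables` the common no-certificate case errors out; initialise it to `''` the way `$agent_auth_option_manager` is.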
@@ -1,23 +0,0 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) -# utility function to fill up /var/ossec/etc/client.keys -define wazuh::agentkey( - $agent_id, - $agent_name, - $agent_ip_address, - $agent_seed = 'xaeS7ahf', -) { - require wazuh::params - - if ! $agent_id { fail('wazuh::agentkey: $agent_id is missing')} - if ! $agent_seed { fail('wazuh::agentkey: $agent_seed is missing')} - - $agentkey1 = md5("${agent_id} ${agent_seed}") - $agentkey2 = md5("${agent_name} ${agent_ip_address} ${agent_seed}") - - concat::fragment { "var_ossec_etc_client.keys_${agent_name}_part": - target => $wazuh::params::keys_file, - order => $agent_id, - content => "${agent_id} ${agent_name} ${agent_ip_address} ${agentkey1}${agentkey2}\n", - } - -} diff --git a/modules/utilities/unix/logging/wazuh/manifests/client.pp b/modules/utilities/unix/logging/wazuh/manifests/client.pp deleted file mode 100644 index d34e8260a..000000000 --- a/modules/utilities/unix/logging/wazuh/manifests/client.pp +++ /dev/null 
@@ -1,265 +0,0 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) -# Setup for ossec client -class wazuh::client( - $ossec_active_response = true, - $ossec_rootcheck = true, - $ossec_rootcheck_frequency = 36000, - $ossec_rootcheck_checkports = true, - $ossec_rootcheck_checkfiles = true, - $ossec_server_ip = undef, - $ossec_server_hostname = undef, - $wazuh_manager_address = undef, - $ossec_server_port = '1514', - $ossec_server_protocol = 'udp', - $ossec_server_notify_time = undef, - $ossec_server_time_reconnect = undef, - $ossec_scanpaths = [], - $ossec_ignorepaths = [], - $ossec_ignorepaths_regex = [], - $ossec_local_files = $::wazuh::params::default_local_files, - $ossec_syscheck_frequency = 43200, - $ossec_prefilter = false, - $ossec_service_provider = $::wazuh::params::ossec_service_provider, - $ossec_config_profiles = [], - $selinux = false, - $agent_name = $::hostname, - $agent_ip_address = $::ipaddress, - $agent_group = 'default', - $manage_repo = true, - $manage_epel_repo = true, - $agent_package_name = $::wazuh::params::agent_package, - $agent_package_version = 'installed', - $agent_service_name = $::wazuh::params::agent_service, - $agent_auto_restart = 'yes', - # client_buffer configuration - $client_buffer_queue_size = 5000, - $client_buffer_events_per_second = 500, - $manage_client_keys = 'authd', - $agent_auth_password = undef, - $wazuh_manager_root_ca_pem = undef, - $wazuh_manager_root_ca_pem_path = undef, - $wazuh_agent_cert = undef, - $wazuh_agent_key = undef, - $wazuh_agent_cert_path = undef, - $wazuh_agent_key_path = undef, - $agent_seed = undef, - $max_clients = 3000, - $ar_repeated_offenders = '', - $enable_wodle_openscap = false, - $wodle_openscap_content = $::wazuh::params::wodle_openscap_content, - $service_has_status = $::wazuh::params::service_has_status, - $ossec_conf_template = 'wazuh/wazuh_agent.conf.erb', - Boolean $manage_firewall = $::wazuh::params::manage_firewall, -) inherits wazuh::params { - validate_bool( - 
$ossec_active_response, $ossec_rootcheck, - $selinux, $manage_repo, $manage_epel_repo - ) - # This allows arrays of integers, sadly - # (commented due to stdlib version requirement) - validate_array($ossec_ignorepaths) - validate_string($agent_package_name) - validate_string($agent_service_name) - - if ( ( $ossec_server_ip == undef ) and ( $ossec_server_hostname == undef ) and ( $wazuh_manager_address == undef ) ) { - fail('must pass either $ossec_server_ip or $ossec_server_hostname or $wazuh_manager_address to Class[\'wazuh::client\'].') - } - - case $::kernel { - 'Linux' : { - if $manage_repo { - class { 'wazuh::repo': redhat_manage_epel => $manage_epel_repo } - if $::osfamily == 'Debian' { - Class['wazuh::repo'] -> Class['apt::update'] -> Package[$agent_package_name] - } else { - Class['wazuh::repo'] -> Package[$agent_package_name] - } - } - package { $agent_package_name: - ensure => $agent_package_version, # lint:ignore:security_package_pinned_version - } - } - 'windows' : { - - file { - - 'C:/wazuh-agent-3.9.1-1.msi': - owner => 'Administrators', - group => 'Administrators', - mode => '0774', - source => 'puppet:///modules/wazuh/wazuh-agent-3.9.1-1.msi', - source_permissions => ignore - } - if ( $manage_client_keys == 'authd' ) { - package { $agent_package_name: - ensure => $agent_package_version, # lint:ignore:security_package_pinned_version - provider => 'windows', - source => 'C:/wazuh-agent-3.9.1-1.msi', - install_options => [ '/q', "ADDRESS=${ossec_server_ip}", "AUTHD_SERVER=${ossec_server_ip}" ], # silent installation - require => File['C:/wazuh-agent-3.9.1-1.msi'], - } - } - else { - package { $agent_package_name: - ensure => $agent_package_version, # lint:ignore:security_package_pinned_version - provider => 'windows', - source => 'C:/wazuh-agent-3.9.1-1.msi', - install_options => [ '/q' ], # silent installation - require => File['C:/wazuh-agent-3.9.1-1.msi'], - } - } - } - default: { fail('OS not supported') } - } - - service { $agent_service_name: - 
ensure => running, - enable => true, - hasstatus => $service_has_status, - pattern => $agent_service_name, - provider => $ossec_service_provider, - require => Package[$agent_package_name], - } - - concat { 'ossec.conf': - path => $wazuh::params::config_file, - owner => $wazuh::params::config_owner, - group => $wazuh::params::config_group, - mode => $wazuh::params::config_mode, - require => Package[$agent_package_name], - notify => Service[$agent_service_name], - } - - concat::fragment { - default: - target => 'ossec.conf', - notify => Service[$agent_service_name]; - 'ossec.conf_header': - order => 00, - content => "\n"; - 'ossec.conf_agent': - order => 10, - content => template($ossec_conf_template); - 'ossec.conf_footer': - order => 99, - content => ''; - } - - if ( $manage_client_keys == 'export' ) { - concat { $wazuh::params::keys_file: - owner => $wazuh::params::keys_owner, - group => $wazuh::params::keys_group, - mode => $wazuh::params::keys_mode, - notify => Service[$agent_service_name], - require => Package[$agent_package_name] - } - # A separate module to avoid storeconfigs warnings when not managing keys - class { 'wazuh::export_agent_key': - max_clients => $max_clients, - agent_name => $agent_name, - agent_ip_address => $agent_ip_address, - agent_seed => $agent_seed, - } - } elsif ($manage_client_keys == 'authd') { - if ($::kernel == 'Linux') { - # Is this really Linux only? 
- $ossec_server_address = pick($ossec_server_ip, $ossec_server_hostname) - - file { $::wazuh::params::keys_file: - owner => $wazuh::params::keys_owner, - group => $wazuh::params::keys_group, - mode => $wazuh::params::keys_mode, - } - - # https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-manager-via-ssl - - $agent_auth_base_command = "/var/ossec/bin/agent-auth -m ${ossec_server_address} -A ${agent_name} -G ${agent_group} -D /var/ossec/" - if $wazuh_manager_root_ca_pem != undef { - validate_string($wazuh_manager_root_ca_pem) - file { '/var/ossec/etc/rootCA.pem': - owner => $wazuh::params::keys_owner, - group => $wazuh::params::keys_group, - mode => $wazuh::params::keys_mode, - content => $wazuh_manager_root_ca_pem, - require => Package[$agent_package_name], - } - $agent_auth_option_manager = '-v /var/ossec/etc/rootCA.pem' - } - if $wazuh_manager_root_ca_pem_path != undef { - validate_string($wazuh_manager_root_ca_pem) - $agent_auth_option_manager = "-v ${wazuh_manager_root_ca_pem_path}" - } - - # https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-agents-via-ssl - if ($wazuh_agent_cert != undef) and ($wazuh_agent_key != undef) { - validate_string($wazuh_agent_cert) - validate_string($wazuh_agent_key) - file { '/var/ossec/etc/sslagent.cert': - owner => $wazuh::params::keys_owner, - group => $wazuh::params::keys_group, - mode => $wazuh::params::keys_mode, - content => $wazuh_agent_cert, - require => Package[$agent_package_name], - } - file { '/var/ossec/etc/sslagent.key': - owner => $wazuh::params::keys_owner, - group => $wazuh::params::keys_group, - mode => $wazuh::params::keys_mode, - content => $wazuh_agent_key, - require => Package[$agent_package_name], - } - - $agent_auth_option_agent = '-x /var/ossec/etc/sslagent.cert -k /var/ossec/etc/sslagent.key' - } - - if ($wazuh_agent_cert_path != undef) and ($wazuh_agent_key_path != undef) { - 
validate_string($wazuh_agent_cert_path) - validate_string($wazuh_agent_key_path) - $agent_auth_option_agent = "-x ${wazuh_agent_cert_path} -k ${wazuh_agent_key_path}" - } - - $agent_auth_command = "${agent_auth_base_command} ${agent_auth_option_manager} ${agent_auth_option_agent}" - - - if $agent_auth_password { - exec { 'agent-auth-with-pwd': - command => "${agent_auth_command} -P '${agent_auth_password}'", - unless => "/bin/egrep -q '.' ${::wazuh::params::keys_file}", - require => Package[$agent_package_name], - notify => Service[$agent_service_name], - before => File[$wazuh::params::keys_file] - } - } else { - exec { 'agent-auth-without-pwd': - command => $agent_auth_command, - unless => "/bin/egrep -q '.' ${::wazuh::params::keys_file}", - require => Package[$agent_package_name], - notify => Service[$agent_service_name], - before => File[$wazuh::params::keys_file], - } - } - } - } - - # SELinux - # Requires selinux module specified in metadata.json - if ($::osfamily == 'RedHat' and $selinux == true) { - selinux::module { 'ossec-logrotate': - ensure => 'present', - source_te => 'puppet:///modules/wazuh/ossec-logrotate.te', - } - } - # Manage firewall - if $manage_firewall { - include firewall - firewall { '1514 wazuh-agent': - dport => $ossec_server_port, - proto => $ossec_server_protocol, - action => 'accept', - state => [ - 'NEW', - 'RELATED', - 'ESTABLISHED'], - } - } -} diff --git a/modules/utilities/unix/logging/wazuh/manifests/cluster.pp b/modules/utilities/unix/logging/wazuh/manifests/cluster.pp deleted file mode 100644 index 952333669..000000000 --- a/modules/utilities/unix/logging/wazuh/manifests/cluster.pp +++ /dev/null 
@@ -1,21 +0,0 @@ -#Define for a specific ossec cluster -define wazuh::cluster( - $cl_name, - $cl_node_name = 'node01', - $cl_node_type = 'master', - $cl_key = '', - $cl_port = '1516', - $cl_bin_addr = '0.0.0.0', - $cl_node = ['NODE_IP','NODE_IP2'], - $cl_hidden = 'no', - $cl_disabled = 'yes', -) { - - require wazuh::params - - concat::fragment { $name: - target => 'ossec.conf', - order => 95, - content => template('wazuh/fragments/_cluster.erb') - } -} diff --git a/modules/utilities/unix/logging/wazuh/manifests/collect_agent_keys.pp b/modules/utilities/unix/logging/wazuh/manifests/collect_agent_keys.pp deleted file mode 100644 index 6d2c50afe..000000000 --- a/modules/utilities/unix/logging/wazuh/manifests/collect_agent_keys.pp +++ /dev/null @@ -1,5 +0,0 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) -# Class to collect the agent keys -class wazuh::collect_agent_keys { - Wazuh::Agentkey<<| |>> -} diff --git a/modules/utilities/unix/logging/wazuh/manifests/command.pp b/modules/utilities/unix/logging/wazuh/manifests/command.pp index e499643cb..2057d4ce2 100644 --- a/modules/utilities/unix/logging/wazuh/manifests/command.pp +++ b/modules/utilities/unix/logging/wazuh/manifests/command.pp @@ -1,4 +1,4 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) # Define an ossec command define wazuh::command( $command_name, @@ -6,12 +6,12 @@ define wazuh::command( $command_expect = 'srcip', $timeout_allowed = true, ) { - require wazuh::params + require wazuh::params_manager if ($timeout_allowed) { $command_timeout_allowed='yes' } else { $command_timeout_allowed='no' } concat::fragment { $name: target => 'ossec.conf', - order => 45, - content => template('wazuh/command.erb'), + order => 46, + content => template('wazuh/fragments/_command.erb'), } } 
diff --git a/modules/utilities/unix/logging/wazuh/manifests/elasticsearch.pp b/modules/utilities/unix/logging/wazuh/manifests/elasticsearch.pp new file mode 100644 index 000000000..0ae20b8c1 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/manifests/elasticsearch.pp 
@@ -0,0 +1,74 @@ +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Setup for elasticsearch +class wazuh::elasticsearch ( + # Elasticsearch.yml configuration + + $elasticsearch_cluster_name = 'es-wazuh', + $elasticsearch_node_name = 'es-node-01', + $elasticsearch_node_master = true, + $elasticsearch_node_data = true, + $elasticsearch_node_ingest = true, + $elasticsearch_node_max_local_storage_nodes = '1', + $elasticsearch_service = 'elasticsearch', + $elasticsearch_package = 'elasticsearch', + $elasticsearch_version = '7.3.2', + + $elasticsearch_path_data = '/var/lib/elasticsearch', + $elasticsearch_path_logs = '/var/log/elasticsearch', + + + $elasticsearch_ip = '', + $elasticsearch_port = '9200', + $elasticsearch_discovery_option = 'discovery.type: single-node', + $elasticsearch_cluster_initial_master_nodes = "#cluster.initial_master_nodes: ['es-node-01']", + +# JVM options + $jvm_options_memmory = '1g', + +){ + + # install package + package { 'Installing elasticsearch...': + ensure => $elasticsearch_version, + name => $elasticsearch_package, + } + + file { 'Configure elasticsearch.yml': + owner => 'elasticsearch', + path => '/etc/elasticsearch/elasticsearch.yml', + group => 'elasticsearch', + mode => '0644', + notify => Service[$elasticsearch_service], ## Restarts the service + content => template('wazuh/elasticsearch_yml.erb') + } + + file { 'Configure jvm.options': + owner => 'elasticsearch', + path => '/etc/elasticsearch/jvm.options', + group => 'elasticsearch', + mode => '0660', + notify => Service[$elasticsearch_service], ## Restarts the service + content => template('wazuh/jvm_options.erb') + } + + service { 'elasticsearch': + ensure => running, + enable => true, + } + + exec { 'Insert line limits': + path => '/usr/bin:/bin/', + command => "echo 'elasticsearch - nofile 65535\nelasticsearch - memlock unlimited' >> /etc/security/limits.conf", + + } + + exec { 'Verify Elasticsearch folders owner': + path => '/usr/bin:/bin', + command => "chown 
elasticsearch:elasticsearch -R /etc/elasticsearch\ + && chown elasticsearch:elasticsearch -R /usr/share/elasticsearch\ + && chown elasticsearch:elasticsearch -R /var/lib/elasticsearch", + + } + + +} diff --git a/modules/utilities/unix/logging/wazuh/manifests/email_alert.pp b/modules/utilities/unix/logging/wazuh/manifests/email_alert.pp index bec7f25a0..dea226a11 100644 --- a/modules/utilities/unix/logging/wazuh/manifests/email_alert.pp +++ b/modules/utilities/unix/logging/wazuh/manifests/email_alert.pp @@ -1,14 +1,14 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) # Define an email alert define wazuh::email_alert( $alert_email, $alert_group = false ) { - require wazuh::params + require wazuh::params_manager concat::fragment { $name: target => 'ossec.conf', - order => 65, - content => template('wazuh/email_alert.erb'), + order => 66, + content => template('wazuh/fragments/_email_alert.erb'), } } diff --git a/modules/utilities/unix/logging/wazuh/manifests/export_agent_key.pp b/modules/utilities/unix/logging/wazuh/manifests/export_agent_key.pp deleted file mode 100644 index 765484979..000000000 --- a/modules/utilities/unix/logging/wazuh/manifests/export_agent_key.pp +++ /dev/null @@ -1,22 +0,0 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) -#Export agent key -class wazuh::export_agent_key( - $max_clients, - $agent_name, - $agent_ip_address, - $agent_seed, - ) { - wazuh::agentkey{ "ossec_agent_${agent_name}_client": - agent_id => fqdn_rand($max_clients), - agent_name => $agent_name, - agent_ip_address => $agent_ip_address, - agent_seed => $agent_seed, - } - - @@wazuh::agentkey{ "ossec_agent_${agent_name}_server": - agent_id => fqdn_rand($max_clients), - agent_name => $agent_name, - agent_ip_address => $agent_ip_address, - agent_seed => $agent_seed, - } -} 
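Review bot: The `Insert line limits` exec appends to /etc/security/limits.conf with `>>` and has no `unless`/`creates`, so every agent run adds another copy of the two limit lines; guard it with `unless => '/bin/grep -q "^elasticsearch - nofile 65535" /etc/security/limits.conf',`. The `Verify Elasticsearch folders owner` exec likewise runs its three `chown -R` on every run; make it `refreshonly => true,` with `subscribe => Package['Installing elasticsearch...'],`, or replace it with `file` resources using `recurse => true`. Neither the two config `file` resources nor `service { 'elasticsearch' }` declares `require => Package['Installing elasticsearch...']`, so on a fresh host the files can be managed before /etc/elasticsearch exists and the service before its unit is installed.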
diff --git a/modules/utilities/unix/logging/wazuh/manifests/filebeat.pp b/modules/utilities/unix/logging/wazuh/manifests/filebeat.pp new file mode 100644 index 000000000..8c603593f --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/manifests/filebeat.pp 
@@ -0,0 +1,57 @@
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Setup for Filebeat
+class wazuh::filebeat (
+ $filebeat_elasticsearch_ip = '',
+ $filebeat_elasticsearch_port = '9200',
+ $elasticsearch_server_ip = "\"${filebeat_elasticsearch_ip}:${filebeat_elasticsearch_port}\"",
+
+ $filebeat_package = 'filebeat',
+ $filebeat_service = 'filebeat',
+ $filebeat_version = '7.3.2',
+ $wazuh_app_version = '3.10.2_7.3.2',
+ $wazuh_extensions_version = 'v3.10.2',
+ $wazuh_filebeat_module = 'wazuh-filebeat-0.1.tar.gz',
+){
+
+ class {'wazuh::repo_elastic':}
+
+ package { 'Installing Filebeat...':
+ ensure => $filebeat_version,
+ name => $filebeat_package,
+ }
+
+ file { 'Configure filebeat.yml':
+ owner => 'root',
+ path => '/etc/filebeat/filebeat.yml',
+ group => 'root',
+ mode => '0644',
+ notify => Service[$filebeat_service], ## Restarts the service
+ content => template('wazuh/filebeat_yml.erb'),
+ }
+
+ exec { 'Installing wazuh-template.json...':
+ path => '/usr/bin',
+ command => "curl -so /etc/filebeat/wazuh-template.json 'https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json'",
+ notify => Service['filebeat']
+ }
+
+ exec { 'Installing filebeat module ... Downloading package':
+ path => '/usr/bin',
+ command => "curl -o /root/${$wazuh_filebeat_module} https://packages.wazuh.com/3.x/filebeat/${$wazuh_filebeat_module}",
+ }
+
+ exec { 'Unpackaging ...':
+ command => '/bin/tar -xzvf /root/wazuh-filebeat-0.1.tar.gz -C /usr/share/filebeat/module',
+ notify => Service['filebeat']
+ }
+
+ file { '/usr/share/filebeat/module/wazuh':
+ ensure => 'directory',
+ mode => '0755',
+ }
+
+ service { 'filebeat':
+ ensure => running,
+ enable => true,
+ }
+}
diff --git a/modules/utilities/unix/logging/wazuh/manifests/init.pp b/modules/utilities/unix/logging/wazuh/manifests/init.pp
index 5205d1f38..7f43143f2 100644
--- a/modules/utilities/unix/logging/wazuh/manifests/init.pp
+++ b/modules/utilities/unix/logging/wazuh/manifests/init.pp @@ -1,3 +1,3 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) # Blank container class class wazuh { } diff --git a/modules/utilities/unix/logging/wazuh/manifests/integration.pp b/modules/utilities/unix/logging/wazuh/manifests/integration.pp index fa47588a1..d00d11cd1 100644 --- a/modules/utilities/unix/logging/wazuh/manifests/integration.pp +++ b/modules/utilities/unix/logging/wazuh/manifests/integration.pp @@ -1,4 +1,4 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) #Define for a specific ossec integration define wazuh::integration( $hook_url = '', @@ -11,11 +11,11 @@ define wazuh::integration( $in_max_log = '', ) { - require wazuh::params + require wazuh::params_manager concat::fragment { $name: target => 'ossec.conf', order => 60, content => template('wazuh/fragments/_integration.erb') } -} \ No newline at end of file +} diff --git a/modules/utilities/unix/logging/wazuh/manifests/kibana.pp b/modules/utilities/unix/logging/wazuh/manifests/kibana.pp new file mode 100644 index 000000000..ae626bb67 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/manifests/kibana.pp 
@@ -0,0 +1,65 @@
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Setup for Kibana
+class wazuh::kibana (
+ $kibana_package = 'kibana',
+ $kibana_service = 'kibana',
+ $kibana_version = '7.3.2',
+ $kibana_app_version = '3.10.2_7.3.2',
+
+ $kibana_elasticsearch_ip = '',
+ $kibana_elasticsearch_port = '9200',
+
+ $kibana_server_port = '5601',
+ $kibana_server_host = '0.0.0.0',
+ $kibana_elasticsearch_server_hosts ="http://${kibana_elasticsearch_ip}:${kibana_elasticsearch_port}",
+
+){
+
+ # install package
+ package { 'Installing Kibana...':
+ ensure => $kibana_version,
+ name => $kibana_package,
+ }
+
+ file { 'Configure kibana.yml':
+ owner => 'kibana',
+ path => '/etc/kibana/kibana.yml',
+ group => 'kibana',
+ mode => '0644',
+ notify => Service[$kibana_service],
+ content => template('wazuh/kibana_yml.erb'),
+ }
+
+ service { 'kibana':
+ ensure => running,
+ enable => true,
+ }
+
+ exec {'Waiting for elasticsearch...':
+ path => '/usr/bin',
+ command => "curl -s -XGET http://${kibana_elasticsearch_ip}:${kibana_elasticsearch_port}",
+ tries => 100,
+ try_sleep => 3,
+ }
+
+ exec {'Installing Wazuh App...':
+ path => '/usr/bin',
+ command => "sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${kibana_app_version}.zip",
+ creates => '/usr/share/kibana/plugins/wazuh/package.json',
+ notify => Service[$kibana_service],
+
+ }
+ exec {'Enabling and restarting kibana...':
+ path => '/usr/bin:/bin',
+ command => 'systemctl daemon-reload && systemctl enable kibana && systemctl restart kibana',
+
+ }
+
+ exec { 'Verify Kibana folders owner':
+ path => '/usr/bin:/bin',
+ command => "chown -R kibana:kibana /usr/share/kibana/optimize\
+ && chown -R kibana:kibana /usr/share/kibana/plugins",
+
+ }
+
+}
diff --git a/modules/utilities/unix/logging/wazuh/manifests/manager.pp b/modules/utilities/unix/logging/wazuh/manifests/manager.pp
new file mode 100644
index 000000000..9c74f5169
--- /dev/null
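Review bot: `Enabling and restarting kibana...` runs `systemctl daemon-reload && systemctl enable kibana && systemctl restart kibana` with no `refreshonly`/`unless`, so Kibana is restarted on every agent run, and the exec duplicates what `service { 'kibana': enable => true }` already manages; either drop it or make it `refreshonly => true,` with `subscribe => Exec['Installing Wazuh App...'],`. The `Verify Kibana folders owner` exec has the same every-run behaviour for its two `chown -R`; the same `refreshonly`/`subscribe` pair applies, or `file` resources with `recurse => true`. `Waiting for elasticsearch...` and `Installing Wazuh App...` carry no `require`, so their order relative to `Package['Installing Kibana...']` and `Service['kibana']` is left to catalog ordering rather than stated.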
+++ b/modules/utilities/unix/logging/wazuh/manifests/manager.pp 
@@ -0,0 +1,516 @@ +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Main ossec server config +class wazuh::manager ( + + # Installation + + $server_package_version = $wazuh::params_manager::server_package_version, + $manage_repos = $::wazuh::params_manager::manage_repos, + $manage_firewall = $wazuh::params_manager::manage_firewall, + + + ### Ossec.conf blocks + + ## Global + + $ossec_emailnotification = $wazuh::params_manager::ossec_emailnotification, + $ossec_emailto = $wazuh::params_manager::ossec_emailto, + $ossec_smtp_server = $wazuh::params_manager::ossec_smtp_server, + $ossec_emailfrom = $wazuh::params_manager::ossec_emailfrom, + $ossec_email_maxperhour = $wazuh::params_manager::ossec_email_maxperhour, + $ossec_email_idsname = $wazuh::params_manager::ossec_email_idsname, + $ossec_white_list = $wazuh::params_manager::ossec_white_list, + $ossec_alert_level = $wazuh::params_manager::ossec_alert_level, + $ossec_email_alert_level = $wazuh::params_manager::ossec_email_alert_level, + $ossec_remote_connection = $wazuh::params_manager::ossec_remote_connection, + $ossec_remote_port = $wazuh::params_manager::ossec_remote_port, + $ossec_remote_protocol = $wazuh::params_manager::ossec_remote_protocol, + $ossec_remote_queue_size = $wazuh::params_manager::ossec_remote_queue_size, + + # ossec.conf generation parameters + + $configure_rootcheck = $wazuh::params_manager::configure_rootcheck, + $configure_wodle_openscap = $wazuh::params_manager::configure_wodle_openscap, + $configure_wodle_cis_cat = $wazuh::params_manager::configure_wodle_cis_cat, + $configure_wodle_osquery = $wazuh::params_manager::configure_wodle_osquery, + $configure_wodle_syscollector = $wazuh::params_manager::configure_wodle_syscollector, + $configure_vulnerability_detector = $wazuh::params_manager::configure_vulnerability_detector, + $configure_sca = $wazuh::params_manager::configure_sca, + $configure_syscheck = $wazuh::params_manager::configure_syscheck, + $configure_command = 
$wazuh::params_manager::configure_command, + $configure_localfile = $wazuh::params_manager::configure_localfile, + $configure_ruleset = $wazuh::params_manager::configure_ruleset, + $configure_auth = $wazuh::params_manager::configure_auth, + $configure_cluster = $wazuh::params_manager::configure_cluster, + $configure_active_response = $wazuh::params_manager::configure_active_response, + + # ossec.conf templates paths + $ossec_manager_template = $wazuh::params_manager::ossec_manager_template, + $ossec_rootcheck_template = $wazuh::params_manager::ossec_rootcheck_template, + $ossec_wodle_openscap_template = $wazuh::params_manager::ossec_wodle_openscap_template, + $ossec_wodle_cis_cat_template = $wazuh::params_manager::ossec_wodle_cis_cat_template, + $ossec_wodle_osquery_template = $wazuh::params_manager::ossec_wodle_osquery_template, + $ossec_wodle_syscollector_template = $wazuh::params_manager::ossec_wodle_syscollector_template, + $ossec_wodle_vulnerability_detector_template = $wazuh::params_manager::ossec_wodle_vulnerability_detector_template, + $ossec_sca_template = $wazuh::params_manager::ossec_sca_template, + $ossec_syscheck_template = $wazuh::params_manager::ossec_syscheck_template, + $ossec_default_commands_template = $wazuh::params_manager::ossec_default_commands_template, + $ossec_localfile_template = $wazuh::params_manager::ossec_localfile_template, + $ossec_ruleset_template = $wazuh::params_manager::ossec_ruleset_template, + $ossec_auth_template = $wazuh::params_manager::ossec_auth_template, + $ossec_cluster_template = $wazuh::params_manager::ossec_cluster_template, + $ossec_active_response_template = $wazuh::params_manager::ossec_active_response_template, + + ## Rootcheck + + $ossec_rootcheck_disabled = $wazuh::params_manager::ossec_rootcheck_disabled, + $ossec_rootcheck_check_files = $wazuh::params_manager::ossec_rootcheck_check_files, + $ossec_rootcheck_check_trojans = $wazuh::params_manager::ossec_rootcheck_check_trojans, + $ossec_rootcheck_check_dev = 
$wazuh::params_manager::ossec_rootcheck_check_dev, + $ossec_rootcheck_check_sys = $wazuh::params_manager::ossec_rootcheck_check_sys, + $ossec_rootcheck_check_pids = $wazuh::params_manager::ossec_rootcheck_check_pids, + $ossec_rootcheck_check_ports = $wazuh::params_manager::ossec_rootcheck_check_ports, + $ossec_rootcheck_check_if = $wazuh::params_manager::ossec_rootcheck_check_if, + $ossec_rootcheck_frequency = $wazuh::params_manager::ossec_rootcheck_frequency, + $ossec_rootcheck_rootkit_files = $wazuh::params_manager::ossec_rootcheck_rootkit_files, + $ossec_rootcheck_rootkit_trojans = $wazuh::params_manager::ossec_rootcheck_rootkit_trojans, + $ossec_rootcheck_skip_nfs = $wazuh::params_manager::ossec_rootcheck_skip_nfs, + + ## Wodles + + #openscap + $wodle_openscap_disabled = $wazuh::params_manager::wodle_openscap_disabled, + $wodle_openscap_timeout = $wazuh::params_manager::wodle_openscap_timeout, + $wodle_openscap_interval = $wazuh::params_manager::wodle_openscap_interval, + $wodle_openscap_scan_on_start = $wazuh::params_manager::wodle_openscap_scan_on_start, + + #cis-cat + $wodle_ciscat_disabled = $wazuh::params_manager::wodle_ciscat_disabled, + $wodle_ciscat_timeout = $wazuh::params_manager::wodle_ciscat_timeout, + $wodle_ciscat_interval = $wazuh::params_manager::wodle_ciscat_interval, + $wodle_ciscat_scan_on_start = $wazuh::params_manager::wodle_ciscat_scan_on_start, + $wodle_ciscat_java_path = $wazuh::params_manager::wodle_ciscat_java_path, + $wodle_ciscat_ciscat_path = $wazuh::params_manager::wodle_ciscat_ciscat_path, + + #osquery + $wodle_osquery_disabled = $wazuh::params_manager::wodle_osquery_disabled, + $wodle_osquery_run_daemon = $wazuh::params_manager::wodle_osquery_run_daemon, + $wodle_osquery_log_path = $wazuh::params_manager::wodle_osquery_log_path, + $wodle_osquery_config_path = $wazuh::params_manager::wodle_osquery_config_path, + $wodle_osquery_add_labels = $wazuh::params_manager::wodle_osquery_add_labels, + + #syscollector + 
$wodle_syscollector_disabled = $wazuh::params_manager::wodle_syscollector_disabled, + $wodle_syscollector_interval = $wazuh::params_manager::wodle_syscollector_interval, + $wodle_syscollector_scan_on_start = $wazuh::params_manager::wodle_syscollector_scan_on_start, + $wodle_syscollector_hardware = $wazuh::params_manager::wodle_syscollector_hardware, + $wodle_syscollector_os = $wazuh::params_manager::wodle_syscollector_os, + $wodle_syscollector_network = $wazuh::params_manager::wodle_syscollector_network, + $wodle_syscollector_packages = $wazuh::params_manager::wodle_syscollector_packages, + $wodle_syscollector_ports = $wazuh::params_manager::wodle_syscollector_ports, + $wodle_syscollector_processes = $wazuh::params_manager::wodle_syscollector_processes, + + #vulnerability-detector + $wodle_vulnerability_detector_disabled = $wazuh::params_manager::wodle_vulnerability_detector_disabled, + $wodle_vulnerability_detector_interval = $wazuh::params_manager::wodle_vulnerability_detector_interval, + $wodle_vulnerability_detector_ignore_time = $wazuh::params_manager::wodle_vulnerability_detector_ignore_time, + $wodle_vulnerability_detector_run_on_start = $wazuh::params_manager::wodle_vulnerability_detector_run_on_start, + $wodle_vulnerability_detector_ubuntu_disabled = $wazuh::params_manager::wodle_vulnerability_detector_ubuntu_disabled, + $wodle_vulnerability_detector_ubuntu_update = $wazuh::params_manager::wodle_vulnerability_detector_ubuntu_update, + $wodle_vulnerability_detector_redhat_disable = $wazuh::params_manager::wodle_vulnerability_detector_redhat_disable, + $wodle_vulnerability_detector_redhat_update_from = $wazuh::params_manager::wodle_vulnerability_detector_redhat_update_from, + $wodle_vulnerability_detector_redhat_update = $wazuh::params_manager::wodle_vulnerability_detector_redhat_update, + $wodle_vulnerability_detector_debian_9_disable = $wazuh::params_manager::wodle_vulnerability_detector_debian_9_disable, + $wodle_vulnerability_detector_debian_9_update = 
$wazuh::params_manager::wodle_vulnerability_detector_debian_9_update, + + # syslog + $syslog_output = $::wazuh::params_manager::syslog_output, + $syslog_output_level = $wazuh::params_manager::syslog_output_level, + $syslog_output_port = $wazuh::params_manager::syslog_output_port, + $syslog_output_server = $wazuh::params_manager::syslog_output_server, + $syslog_output_format = $wazuh::params_manager::syslog_output_format, + + # Authd configuration + + $ossec_auth_disabled = $wazuh::params_manager::ossec_auth_disabled, + $ossec_auth_port = $wazuh::params_manager::ossec_auth_port, + $ossec_auth_use_source_ip = $wazuh::params_manager::ossec_auth_use_source_ip, + $ossec_auth_force_insert = $wazuh::params_manager::ossec_auth_force_insert, + $ossec_auth_force_time = $wazuh::params_manager::ossec_auth_force_time, + $ossec_auth_purgue = $wazuh::params_manager::ossec_auth_purgue, + $ossec_auth_use_password = $wazuh::params_manager::ossec_auth_use_password, + $ossec_auth_limit_maxagents = $wazuh::params_manager::ossec_auth_limit_maxagents, + $ossec_auth_ciphers = $wazuh::params_manager::ossec_auth_ciphers, + $ossec_auth_ssl_verify_host = $wazuh::params_manager::ossec_auth_ssl_verify_host, + $ossec_auth_ssl_manager_cert = $wazuh::params_manager::ossec_auth_ssl_manager_cert, + $ossec_auth_ssl_manager_key = $wazuh::params_manager::ossec_auth_ssl_manager_key, + $ossec_auth_ssl_auto_negotiate = $wazuh::params_manager::ossec_auth_ssl_auto_negotiate, + + + # syscheck + + $ossec_syscheck_disabled = $wazuh::params_manager::ossec_syscheck_disabled, + $ossec_syscheck_frequency = $wazuh::params_manager::ossec_syscheck_frequency, + $ossec_syscheck_scan_on_start = $wazuh::params_manager::ossec_syscheck_scan_on_start, + $ossec_syscheck_alert_new_files = $wazuh::params_manager::ossec_syscheck_alert_new_files, + $ossec_syscheck_auto_ignore = $wazuh::params_manager::ossec_syscheck_auto_ignore, + $ossec_syscheck_directories_1 = $wazuh::params_manager::ossec_syscheck_directories_1, + 
$ossec_syscheck_directories_2 = $wazuh::params_manager::ossec_syscheck_directories_2, + $ossec_syscheck_ignore_list = $wazuh::params_manager::ossec_syscheck_ignore_list, + + $ossec_syscheck_ignore_type_1 = $wazuh::params_manager::ossec_syscheck_ignore_type_1, + $ossec_syscheck_ignore_type_2 = $wazuh::params_manager::ossec_syscheck_ignore_type_2, + + $ossec_syscheck_nodiff = $wazuh::params_manager::ossec_syscheck_nodiff, + $ossec_syscheck_skip_nfs = $wazuh::params_manager::ossec_syscheck_skip_nfs, + + # Cluster + + $ossec_cluster_name = $wazuh::params_manager::ossec_cluster_name, + $ossec_cluster_node_name = $wazuh::params_manager::ossec_cluster_node_name, + $ossec_cluster_node_type = $wazuh::params_manager::ossec_cluster_node_type, + $ossec_cluster_key = $wazuh::params_manager::ossec_cluster_key, + $ossec_cluster_port = $wazuh::params_manager::ossec_cluster_port, + $ossec_cluster_bind_addr = $wazuh::params_manager::ossec_cluster_bind_addr, + $ossec_cluster_nodes = $wazuh::params_manager::ossec_cluster_nodes, + $ossec_cluster_hidden = $wazuh::params_manager::ossec_cluster_hidden, + $ossec_cluster_disabled = $wazuh::params_manager::ossec_cluster_disabled, + + #----- End of ossec.conf parameters ------- + + $ossec_cluster_enable_firewall = $wazuh::params_manager::ossec_cluster_enable_firewall, + + $ossec_prefilter = $wazuh::params_manager::ossec_prefilter, + $ossec_integratord_enabled = $wazuh::params_manager::ossec_integratord_enabled, + + $manage_client_keys = $wazuh::params_manager::manage_client_keys, + $agent_auth_password = $wazuh::params_manager::agent_auth_password, + $ar_repeated_offenders = $wazuh::params_manager::ar_repeated_offenders, + + $local_decoder_template = $wazuh::params_manager::local_decoder_template, + $decoder_exclude = $wazuh::params_manager::decoder_exclude, + $local_rules_template = $wazuh::params_manager::local_rules_template, + $rule_exclude = $wazuh::params_manager::rule_exclude, + $shared_agent_template = 
$wazuh::params_manager::shared_agent_template, + + $wazuh_manager_verify_manager_ssl = $wazuh::params_manager::wazuh_manager_verify_manager_ssl, + $wazuh_manager_server_crt = $wazuh::params_manager::wazuh_manager_server_crt, + $wazuh_manager_server_key = $wazuh::params_manager::wazuh_manager_server_key, + + $ossec_local_files = $::wazuh::params_manager::default_local_files, +) inherits wazuh::params_manager { + validate_bool( + $manage_repos, $syslog_output,$wazuh_manager_verify_manager_ssl + ) + validate_array( + $decoder_exclude, $rule_exclude + ) + + ## Determine which kernel and family puppet is running on. Will be used on _localfile, _rootcheck, _syscheck & _sca + + if ($::kernel == 'windows') { + $kernel = 'Linux' + + }else{ + $kernel = 'Linux' + if ($::osfamily == 'Debian'){ + $os_family = 'debian' + }else{ + $os_family = 'centos' + } + } + + # This allows arrays of integers, sadly + # (commented due to stdlib version requirement) + if ($ossec_emailnotification == true) { + if $ossec_smtp_server == undef { + fail('$ossec_emailnotification is enabled but $smtp_server was not set') + } + validate_string($ossec_smtp_server) + validate_string($ossec_emailfrom) + validate_array($ossec_emailto) + } + + if $::osfamily == 'windows' { + fail('The ossec module does not yet support installing the OSSEC HIDS server on Windows') + } + + # Install wazuh-repository + + if $manage_repos { + # TODO: Allow filtering of EPEL requirement + class { 'wazuh::repo':} + if $::osfamily == 'Debian' { + Class['wazuh::repo'] -> Class['apt::update'] -> Package[$wazuh::params_manager::server_package] + } else { + Class['wazuh::repo'] -> Package[$wazuh::params_manager::server_package] + } + } + + # Install and configure Wazuh-manager package + + package { $wazuh::params_manager::server_package: + ensure => $server_package_version, # lint:ignore:security_package_pinned_version + } + + file { + default: + owner => $wazuh::params_manager::config_owner, + group => 
$wazuh::params_manager::config_group, + mode => $wazuh::params_manager::config_mode, + notify => Service[$wazuh::params_manager::server_service], + require => Package[$wazuh::params_manager::server_package]; + $wazuh::params_manager::shared_agent_config_file: + validate_cmd => $wazuh::params_manager::validate_cmd_conf, + content => template($shared_agent_template); + '/var/ossec/etc/rules/local_rules.xml': + content => template($local_rules_template); + '/var/ossec/etc/decoders/local_decoder.xml': + content => template($local_decoder_template); + $wazuh::params_manager::processlist_file: + content => template('wazuh/process_list.erb'); + } + + service { $wazuh::params_manager::server_service: + ensure => running, + enable => true, + hasstatus => $wazuh::params_manager::service_has_status, + pattern => $wazuh::params_manager::server_service, + provider => $wazuh::params_manager::ossec_service_provider, + require => Package[$wazuh::params_manager::server_package], + } + + ## Declaring variables for localfile and wodles generation + + case $::operatingsystem{ + 'Redhat', 'redhat':{ + $apply_template_os = 'rhel' + if ( $::operatingsystemrelease =~ /^7.*/ ){ + $rhel_version = '7' + }elsif ( $::operatingsystemrelease =~ /^6.*/ ){ + $rhel_version = '6' + }elsif ( $::operatingsystemrelease =~ /^5.*/ ){ + $rhel_version = '5' + }else{ + fail('This ossec module has not been tested on your distribution') + } + }'Debian', 'debian', 'Ubuntu', 'ubuntu':{ + $apply_template_os = 'debian' + if ( $::lsbdistcodename == 'wheezy') or ($::lsbdistcodename == 'jessie'){ + $debian_additional_templates = 'yes' + } + }'Amazon':{ + $apply_template_os = 'amazon' + }'CentOS','Centos','centos':{ + $apply_template_os = 'centos' + } + default: { fail('This ossec module has not been tested on your distribution') } + } + + + + concat { 'ossec.conf': + path => $wazuh::params_manager::config_file, + owner => $wazuh::params_manager::config_owner, + group => $wazuh::params_manager::config_group, + mode 
=> $wazuh::params_manager::config_mode, + require => Package[$wazuh::params_manager::server_package], + notify => Service[$wazuh::params_manager::server_service], + } + concat::fragment { + 'ossec.conf_header': + target => 'ossec.conf', + order => 00, + content => "\n"; + 'ossec.conf_main': + target => 'ossec.conf', + order => 01, + content => template($ossec_manager_template); + } + if($configure_rootcheck == true){ + concat::fragment { + 'ossec.conf_rootcheck': + order => 10, + target => 'ossec.conf', + content => template($ossec_rootcheck_template); + } + } + + if ($configure_wodle_openscap == true){ + concat::fragment { + 'ossec.conf_wodle_openscap': + order => 15, + target => 'ossec.conf', + content => template($ossec_wodle_openscap_template); + } + } + if ($configure_wodle_cis_cat == true){ + concat::fragment { + 'ossec.conf_wodle_ciscat': + order => 20, + target => 'ossec.conf', + content => template($ossec_wodle_cis_cat_template); + } + } + if ($configure_wodle_osquery== true){ + concat::fragment { + 'ossec.conf_wodle_osquery': + order => 25, + target => 'ossec.conf', + content => template($ossec_wodle_osquery_template); + } + } + if ($configure_wodle_syscollector == true){ + concat::fragment { + 'ossec.conf_wodle_syscollector': + order => 30, + target => 'ossec.conf', + content => template($ossec_wodle_syscollector_template); + } + } + if ($configure_sca == true){ + concat::fragment { + 'ossec.conf_sca': + order => 40, + target => 'ossec.conf', + content => template($ossec_sca_template); + } + } + if($configure_vulnerability_detector == true){ + concat::fragment { + 'ossec.conf_wodle_vulnerability_detector': + order => 45, + target => 'ossec.conf', + content => template($ossec_wodle_vulnerability_detector_template); + } + } + if($configure_syscheck == true){ + concat::fragment { + 'ossec.conf_syscheck': + order => 55, + target => 'ossec.conf', + content => template($ossec_syscheck_template); + } + } + if ($configure_command == true){ + concat::fragment { + 
'ossec.conf_command': + order => 60, + target => 'ossec.conf', + content => template($ossec_default_commands_template); + } + } + if ($configure_localfile == true){ + concat::fragment { + 'ossec.conf_localfile': + order => 65, + target => 'ossec.conf', + content => template($ossec_localfile_template); + } + } + if($configure_ruleset == true){ + concat::fragment { + 'ossec.conf_ruleset': + order => 75, + target => 'ossec.conf', + content => template($ossec_ruleset_template); + } + } + if ($configure_auth == true){ + concat::fragment { + 'ossec.conf_auth': + order => 80, + target => 'ossec.conf', + content => template($ossec_auth_template); + } + } + if ($configure_cluster == true){ + concat::fragment { + 'ossec.conf_cluster': + order => 85, + target => 'ossec.conf', + content => template($ossec_cluster_template); + } + } + if ($configure_active_response == true){ + concat::fragment { + 'ossec.conf_active_response': + order => 90, + target => 'ossec.conf', + content => template($ossec_active_response_template); + } + } + concat::fragment { + 'ossec.conf_footer': + target => 'ossec.conf', + order => 99, + content => "\n"; + } + + if ( $manage_client_keys == 'yes') { + # TODO: ensure the authd service is started if manage_client_keys == authd + # (see https://github.com/wazuh/wazuh/issues/80) + + file { $wazuh::params_manager::authd_pass_file: + owner => $wazuh::params_manager::keys_owner, + group => $wazuh::params_manager::keys_group, + mode => $wazuh::params_manager::keys_mode, + content => $agent_auth_password, + require => Package[$wazuh::params_manager::server_package], + } + } + + # https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-manager-via-ssl + if $wazuh_manager_verify_manager_ssl { + + if ($wazuh_manager_server_crt != undef) and ($wazuh_manager_server_key != undef) { + validate_string( + $wazuh_manager_server_crt, $wazuh_manager_server_key + ) + + file { '/var/ossec/etc/sslmanager.key': + content => 
$wazuh_manager_server_key, + owner => 'root', + group => 'ossec', + mode => '0640', + require => Package[$wazuh::params_manager::server_package], + notify => Service[$wazuh::params_manager::server_service], + } + + file { '/var/ossec/etc/sslmanager.cert': + content => $wazuh_manager_server_crt, + owner => 'root', + group => 'ossec', + mode => '0640', + require => Package[$wazuh::params_manager::server_package], + notify => Service[$wazuh::params_manager::server_service], + } + } + } + + # Manage firewall + if $manage_firewall == true { + include firewall + firewall { '1514 wazuh-manager': + dport => $ossec_remote_port, + proto => $ossec_remote_protocol, + action => 'accept', + state => [ + 'NEW', + 'RELATED', + 'ESTABLISHED'], + } + } + if $ossec_cluster_enable_firewall == 'yes'{ + include firewall + firewall { '1516 wazuh-manager': + dport => $ossec_cluster_port, + proto => $ossec_remote_protocol, + action => 'accept', + state => [ + 'NEW', + 'RELATED', + 'ESTABLISHED'], + } + } +} diff --git a/modules/utilities/unix/logging/wazuh/manifests/params.pp b/modules/utilities/unix/logging/wazuh/manifests/params.pp deleted file mode 100644 index 703e7082c..000000000 --- a/modules/utilities/unix/logging/wazuh/manifests/params.pp +++ /dev/null 
@@ -1,226 +0,0 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) -# Paramas file -class wazuh::params { - case $::kernel { - 'Linux': { - - $config_file = '/var/ossec/etc/ossec.conf' - $shared_agent_config_file = '/var/ossec/etc/shared/agent.conf' - - $config_mode = '0640' - $config_owner = 'root' - $config_group = 'ossec' - - $keys_file = '/var/ossec/etc/client.keys' - $keys_mode = '0640' - $keys_owner = 'root' - $keys_group = 'ossec' - - $manage_firewall = false - - $authd_pass_file = '/var/ossec/etc/authd.pass' - - $validate_cmd_conf = '/var/ossec/bin/verify-agent-conf -f %' - - $processlist_file = '/var/ossec/bin/.process_list' - $processlist_mode = '0640' - $processlist_owner = 'root' - $processlist_group = 'ossec' - - # this hash is currently only covering the basic config section of config.js - # TODO: allow customization of the entire config.js - # for reference: https://documentation.wazuh.com/current/user-manual/api/configuration.html - $api_config_params = [ - {'name' => 'ossec_path', 'value' => '/var/ossec'}, - {'name' => 'host', 'value' => '0.0.0.0'}, - {'name' => 'port', 'value' => '55000'}, - {'name' => 'https', 'value' => 'no'}, - {'name' => 'basic_auth', 'value' => 'yes'}, - {'name' => 'BehindProxyServer', 'value' => 'no'}, - ] - - case $::osfamily { - 'Debian': { - - $agent_service = 'wazuh-agent' - $agent_package = 'wazuh-agent' - $service_has_status = false - $ossec_service_provider = undef - $api_service_provider = undef - $default_local_files = [ - { 'location' => '/var/log/syslog' , 'log_format' => 'syslog'}, - { 'location' => '/var/log/kern.log' , 'log_format' => 'syslog'}, - { 'location' => '/var/log/auth.log' , 'log_format' => 'syslog'}, - { 'location' => '/var/log/mail.log' , 'log_format' => 'syslog'}, - { 'location' => '/var/log/dpkg.log', 'log_format' => 'syslog'}, - { 'location' => '/var/ossec/logs/active-responses.log', 'log_format' => 'syslog'}, - ] - case $::lsbdistcodename { - 'xenial': { - $server_service = 
'wazuh-manager' - $server_package = 'wazuh-manager' - $api_service = 'wazuh-api' - $api_package = 'wazuh-api' - $wodle_openscap_content = { - 'ssg-ubuntu-1604-ds.xml' => { - 'type' => 'xccdf', - profiles => ['xccdf_org.ssgproject.content_profile_common'], - }, - } - } - 'jessie': { - $server_service = 'wazuh-manager' - $server_package = 'wazuh-manager' - $api_service = 'wazuh-api' - $api_package = 'wazuh-api' - $wodle_openscap_content = { - 'ssg-debian-8-ds.xml' => { - 'type' => 'xccdf', - profiles => ['xccdf_org.ssgproject.content_profile_common'], - }, - 'cve-debian-oval.xml' => { - 'type' => 'oval', - } - } - } - /^(wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|bionic)$/: { - $server_service = 'wazuh-manager' - $server_package = 'wazuh-manager' - $api_service = 'wazuh-api' - $api_package = 'wazuh-api' - $wodle_openscap_content = undef - } - default: { - fail("Module ${module_name} is not supported on ${::operatingsystem}") - } - } - - } - 'Linux', 'RedHat': { - - $agent_service = 'wazuh-agent' - $agent_package = 'wazuh-agent' - $server_service = 'wazuh-manager' - $server_package = 'wazuh-manager' - $api_service = 'wazuh-api' - $api_package = 'wazuh-api' - $service_has_status = true - - $default_local_files =[ - { 'location' => '/var/log/messages' , 'log_format' => 'syslog'}, - { 'location' => '/var/log/secure' , 'log_format' => 'syslog'}, - { 'location' => '/var/log/maillog', 'log_format' => 'syslog'}, - { 'location' => '/var/log/yum.log' , 'log_format' => 'syslog'}, - { 'location' => '/var/log/httpd/access_log' , 'log_format' => 'apache'}, - { 'location' => '/var/log/httpd/error_log' , 'log_format' => 'apache'}, - ] - case $::operatingsystem { - 'Amazon': { - # Amazon is based on Centos-6 with some improvements - # taken from RHEL-7 but uses SysV-Init, not Systemd. - # Probably best to leave this undef until we can - # write/find a release-specific file. 
- $wodle_openscap_content = undef - } - 'CentOS': { - if ( $::operatingsystemrelease =~ /^6.*/ ) { - $ossec_service_provider = 'redhat' - $api_service_provider = 'redhat' - $wodle_openscap_content = { - 'ssg-centos-6-ds.xml' => { - 'type' => 'xccdf', - profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',] - } - } - } - if ( $::operatingsystemrelease =~ /^7.*/ ) { - $ossec_service_provider = 'systemd' - $api_service_provider = 'systemd' - $wodle_openscap_content = { - 'ssg-centos-7-ds.xml' => { - 'type' => 'xccdf', - profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',] - } - } - } - } - /^(RedHat|OracleLinux)$/: { - if ( $::operatingsystemrelease =~ /^6.*/ ) { - $ossec_service_provider = 'redhat' - $api_service_provider = 'redhat' - $wodle_openscap_content = { - 'ssg-rhel-6-ds.xml' => { - 'type' => 'xccdf', - profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',] - }, - 'cve-redhat-6-ds.xml' => { - 'type' => 'xccdf', - } - } - } - if ( $::operatingsystemrelease =~ /^7.*/ ) { - $ossec_service_provider = 'systemd' - $api_service_provider = 'systemd' - $wodle_openscap_content = { - 'ssg-rhel-7-ds.xml' => { - 'type' => 'xccdf', - profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',] - }, - 'cve-redhat-7-ds.xml' => { - 'type' => 'xccdf', - } - } - } - } - 'Fedora': { - if ( $::operatingsystemrelease =~ /^(23|24|25).*/ ) { - $ossec_service_provider = 'redhat' - $api_service_provider = 'redhat' - $wodle_openscap_content = { - 'ssg-fedora-ds.xml' => { - 'type' => 'xccdf', - profiles => ['xccdf_org.ssgproject.content_profile_standard', 'xccdf_org.ssgproject.content_profile_common',] - }, - } - } - } - default: { fail('This ossec module has not been tested on your distribution') } - } - } - default: { fail('This ossec module has not been tested on your 
distribution') } - } - } - 'windows': { - $config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/ossec.conf'), '\\\\', '/') - $shared_agent_config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/shared/agent.conf'), '\\\\', '/') - $config_owner = 'Administrator' - $config_group = 'Administrators' - - $manage_firewall = false - - $keys_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/client.keys'), '\\\\', '/') - $keys_mode = '0440' - $keys_owner = 'Administrator' - $keys_group = 'Administrators' - - $agent_service = 'OssecSvc' - $agent_package = 'Wazuh Agent 3.9.1' - $server_service = '' - $server_package = '' - $api_service = '' - $api_package = '' - $service_has_status = true - - # TODO - $validate_cmd_conf = undef - # Pushed by shared agent config now - $default_local_files = [ - {'location' => 'Security' , 'log_format' => 'eventchannel', 'query' => 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'}, - {'location' => 'System' , 'log_format' => 'eventlog' }, - {'location' => 'active-response\active-responses.log' , 'log_format' => 'syslog' }, - ] - - } - default: { fail('This ossec module has not been tested on your distribution') } - } -} diff --git a/modules/utilities/unix/logging/wazuh/manifests/params_agent.pp b/modules/utilities/unix/logging/wazuh/manifests/params_agent.pp new file mode 100644 index 000000000..c7eec1ea6 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/manifests/params_agent.pp 
@@ -0,0 +1,376 @@ +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh-Agent configuration parameters +class wazuh::params_agent { + case $::kernel { + 'Linux': { + +# Versions + + $agent_package_version = '3.10.2-1' + $agent_package_name = 'wazuh-agent' + $agent_service_name = 'wazuh-agent' + + # Authd Registration options + + $manage_client_keys = 'yes' # Enable/Disable agent registration + $agent_name = undef + $agent_group = undef + $wazuh_agent_cert = undef + $wazuh_agent_key = undef + $wazuh_agent_cert_path = undef + $wazuh_agent_key_path = undef + $agent_auth_password = undef + $wazuh_manager_root_ca_pem = undef + + $wazuh_manager_root_ca_pem_path = undef + + ## Wazuh config folders and modes + + $config_file = '/var/ossec/etc/ossec.conf' + $shared_agent_config_file = '/var/ossec/etc/shared/agent.conf' + + $config_mode = '0640' + $config_owner = 'root' + $config_group = 'ossec' + + $keys_file = '/var/ossec/etc/client.keys' + $keys_mode = '0640' + $keys_owner = 'root' + $keys_group = 'ossec' + + $manage_firewall = false + $authd_pass_file = '/var/ossec/etc/authd.pass' + + $validate_cmd_conf = '/var/ossec/bin/verify-agent-conf -f %' + + $processlist_file = '/var/ossec/bin/.process_list' + $processlist_mode = '0640' + $processlist_owner = 'root' + $processlist_group = 'ossec' + + # ossec.conf generation parameters + + ## Ossec.conf generation variables + + $configure_rootcheck = true + $configure_wodle_openscap = false # TODO WAS: true + $configure_wodle_cis_cat = false # TODO WAS: true + $configure_wodle_osquery = false # TODO WAS: true + $configure_wodle_syscollector = false # TODO WAS: true + $configure_sca = true + $configure_syscheck = true + $configure_localfile = true + $configure_active_response = true + + + # ossec.conf templates paths + $ossec_conf_template = 'wazuh/wazuh_agent.conf.erb' + $ossec_rootcheck_template = 'wazuh/fragments/_rootcheck.erb' + $ossec_wodle_openscap_template = 'wazuh/fragments/_wodle_openscap.erb' + 
$ossec_wodle_cis_cat_template = 'wazuh/fragments/_wodle_cis_cat.erb' + $ossec_wodle_osquery_template = 'wazuh/fragments/_wodle_osquery.erb' + $ossec_wodle_syscollector_template = 'wazuh/fragments/_wodle_syscollector.erb' + $ossec_sca_template = 'wazuh/fragments/_sca.erb' + $ossec_syscheck_template = 'wazuh/fragments/_syscheck.erb' + $ossec_localfile_template = 'wazuh/fragments/_localfile.erb' + $ossec_ruleset = 'wazuh/fragments/_ruleset.erb' + $ossec_auth = 'wazuh/fragments/_auth.erb' + $ossec_cluster = 'wazuh/fragments/_cluster.erb' + $ossec_active_response_template = 'wazuh/fragments/_default_activeresponse.erb' + + ### Ossec.conf blocks + + ## Server block configuration + + $wazuh_register_endpoint = undef + $wazuh_reporting_endpoint = undef + $ossec_port = '1514' + $ossec_protocol = 'udp' + $ossec_notify_time = 10 + $ossec_time_reconnect = 60 + $ossec_auto_restart = 'yes' + $ossec_crypto_method = 'aes' + + $client_buffer_queue_size = 5000 + $client_buffer_events_per_second = 500 + + # Rootcheck + + $ossec_rootcheck_disabled = 'no' + $ossec_rootcheck_check_files = 'yes' + $ossec_rootcheck_check_trojans = 'yes' + $ossec_rootcheck_check_dev = 'yes' + $ossec_rootcheck_check_sys = 'yes' + $ossec_rootcheck_check_pids = 'yes' + $ossec_rootcheck_check_ports = 'yes' + $ossec_rootcheck_check_if = 'yes' + $ossec_rootcheck_frequency = 43200 + $ossec_rootcheck_rootkit_files = '/var/ossec/etc/shared/rootkit_files.txt' + $ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/shared/rootkit_trojans.txt' + $ossec_rootcheck_skip_nfs = 'yes' + + ## Wodles + + #openscap + $wodle_openscap_disabled = 'no' + $wodle_openscap_timeout = '1800' + $wodle_openscap_interval = '1d' + $wodle_openscap_scan_on_start = 'yes' + + #cis-cat + $wodle_ciscat_disabled = 'yes' + $wodle_ciscat_timeout = '1800' + $wodle_ciscat_interval = '1d' + $wodle_ciscat_scan_on_start = 'yes' + $wodle_ciscat_java_path = 'wodles/java' + $wodle_ciscat_ciscat_path = 'wodles/ciscat' + + #osquery + + $wodle_osquery_disabled = 
'yes' + $wodle_osquery_run_daemon = 'yes' + $wodle_osquery_log_path = '/var/log/osquery/osqueryd.results.log' + $wodle_osquery_config_path = '/etc/osquery/osquery.conf' + $wodle_osquery_add_labels = 'yes' + + #syscollector + $wodle_syscollector_disabled = true + $wodle_syscollector_interval = '1d' + $wodle_syscollector_scan_on_start = 'yes' + $wodle_syscollector_hardware = 'yes' + $wodle_syscollector_os = 'yes' + $wodle_syscollector_network = 'yes' + $wodle_syscollector_packages = 'yes' + $wodle_syscollector_ports = 'yes' + $wodle_syscollector_processes = 'yes' + + # localfile + $ossec_local_files = $::wazuh::params_agent::default_local_files + + #syscheck + $ossec_syscheck_disabled = 'no' + $ossec_syscheck_frequency = '43200' + $ossec_syscheck_scan_on_start = 'yes' + $ossec_syscheck_alert_new_files = undef + $ossec_syscheck_auto_ignore = undef + $ossec_syscheck_directories_1 = '/etc,/usr/bin,/usr/sbin' + $ossec_syscheck_directories_2 = '/bin,/sbin,/boot' + $ossec_syscheck_ignore_list = ['/etc/mtab', + '/etc/hosts.deny', + '/etc/mail/statistics', + '/etc/random-seed', + '/etc/random.seed', + '/etc/adjtime', + '/etc/httpd/logs', + '/etc/utmpx', + '/etc/wtmpx', + '/etc/cups/certs', + '/etc/dumpdates', + '/etc/svc/volatile', + '/sys/kernel/security', + '/sys/kernel/debug', + '/dev/core', + ] + $ossec_syscheck_ignore_type_1 = '^/proc' + $ossec_syscheck_ignore_type_2 = ".log$|.swp$" + + + $ossec_syscheck_nodiff = '/etc/ssl/private.key' + $ossec_syscheck_skip_nfs = 'yes' + + + # others + + $selinux = false + + $manage_repo = true + + case $::osfamily { + 'Debian': { + + $agent_service = 'wazuh-agent' + $agent_package = 'wazuh-agent' + $service_has_status = false + $ossec_service_provider = undef + $api_service_provider = undef + $default_local_files = [ + { 'location' => '/var/log/syslog' , 'log_format' => 'syslog'}, + { 'location' => '/var/log/kern.log' , 'log_format' => 'syslog'}, + { 'location' => '/var/log/auth.log' , 'log_format' => 'syslog'}, + { 'location' => 
'/var/log/dpkg.log', 'log_format' => 'syslog'}, + { 'location' => '/var/ossec/logs/active-responses.log', 'log_format' => 'syslog'}, + { 'location' => '/var/log/messages' , 'log_format' => 'syslog'}, + ] + case $::lsbdistcodename { + 'xenial': { + $server_service = 'wazuh-manager' + $server_package = 'wazuh-manager' + $api_service = 'wazuh-api' + $api_package = 'wazuh-api' + $wodle_openscap_content = { + 'ssg-ubuntu-1604-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_common'], + },'cve-ubuntu-xenial-oval.xml' => { + 'type' => 'oval' + } + } + } + 'jessie': { + $server_service = 'wazuh-manager' + $server_package = 'wazuh-manager' + $api_service = 'wazuh-api' + $api_package = 'wazuh-api' + $wodle_openscap_content = { + 'ssg-debian-8-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_common'], + }, + 'cve-debian-8-oval.xml' => { + 'type' => 'oval', + } + } + } + /^(wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|bionic)$/: { + $server_service = 'wazuh-manager' + $server_package = 'wazuh-manager' + $api_service = 'wazuh-api' + $api_package = 'wazuh-api' + $wodle_openscap_content = undef + } + default: { + fail("Module ${module_name} is not supported on ${::operatingsystem}") + } + } + + } + 'RedHat': { + + $agent_service = 'wazuh-agent' + $agent_package = 'wazuh-agent' + $server_service = 'wazuh-manager' + $server_package = 'wazuh-manager' + $api_service = 'wazuh-api' + $api_package = 'wazuh-api' + $service_has_status = true + + $default_local_files =[ + { 'location' => '/var/log/audit/audit.log' , 'log_format' => 'audit'}, + { 'location' => '/var/ossec/logs/active-responses.log' , 'log_format' => 'syslog'}, + { 'location' => '/var/log/messages', 'log_format' => 'syslog'}, + { 'location' => '/var/log/secure' , 'log_format' => 'syslog'}, + { 'location' => '/var/log/maillog' , 'log_format' => 'syslog'}, + ] + case $::operatingsystem { + 'Amazon': { + # Amazon is based on Centos-6 with some 
improvements + # taken from RHEL-7 but uses SysV-Init, not Systemd. + # Probably best to leave this undef until we can + # write/find a release-specific file. + $wodle_openscap_content = undef + } + 'CentOS': { + + if ( $::operatingsystemrelease =~ /^6.*/ ) { + $ossec_service_provider = 'redhat' + $api_service_provider = 'redhat' + $wodle_openscap_content = { + 'ssg-centos-6-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',] + } + } + } + if ( $::operatingsystemrelease =~ /^7.*/ ) { + $ossec_service_provider = 'systemd' + $api_service_provider = 'systemd' + $wodle_openscap_content = { + 'ssg-centos-7-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',] + } + } + } + } + /^(RedHat|OracleLinux)$/: { + if ( $::operatingsystemrelease =~ /^6.*/ ) { + $ossec_service_provider = 'redhat' + $api_service_provider = 'redhat' + $wodle_openscap_content = { + 'ssg-rhel-6-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',] + }, + 'cve-redhat-6-ds.xml' => { + 'type' => 'xccdf', + } + } + } + if ( $::operatingsystemrelease =~ /^7.*/ ) { + $ossec_service_provider = 'systemd' + $api_service_provider = 'systemd' + $wodle_openscap_content = { + 'ssg-rhel-7-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',] + }, + 'cve-redhat-7-ds.xml' => { + 'type' => 'xccdf', + } + } + } + } + 'Fedora': { + if ( $::operatingsystemrelease =~ /^(23|24|25).*/ ) { + $ossec_service_provider = 'redhat' + $api_service_provider = 'redhat' + $wodle_openscap_content = { + 'ssg-fedora-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_standard', 'xccdf_org.ssgproject.content_profile_common',] + }, + } + } + } + 
default: { fail('This ossec module has not been tested on your distribution') } + } + } + default: { fail('This ossec module has not been tested on your distribution') } + } + } + 'windows': { + $config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/ossec.conf'), '\\\\', '/') + $shared_agent_config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/shared/agent.conf'), '\\\\', '/') + $config_owner = 'Administrator' + $config_group = 'Administrators' + $download_path = 'C:/' + $manage_firewall = false + + $keys_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/client.keys'), '\\\\', '/') + $keys_mode = '0440' + $keys_owner = 'Administrator' + $keys_group = 'Administrators' + + $agent_service = 'OssecSvc' + $agent_package = 'Wazuh Agent 3.10.2' + $server_service = '' + $server_package = '' + $api_service = '' + $api_package = '' + $service_has_status = true + + # TODO + $validate_cmd_conf = undef + # Pushed by shared agent config now + $default_local_files = [ + {'location' => 'Security' , 'log_format' => 'eventchannel', + 'query' => 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658\ + and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID!= 4703 and EventID != 4907]'}, + {'location' => 'System' , 'log_format' => 'eventlog' }, + {'location' => 'active-response\active-responses.log' , 'log_format' => 'syslog' }, + ] + + } + default: { fail('This ossec module has not been tested on your distribution') } + } +} diff --git a/modules/utilities/unix/logging/wazuh/manifests/params_elastic.pp b/modules/utilities/unix/logging/wazuh/manifests/params_elastic.pp new file mode 100644 index 000000000..2bcf11f22 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/manifests/params_elastic.pp 
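Review bot: `$ossec_local_files = $::wazuh::params_agent::default_local_files` (in the localfile section of the Linux branch) reads `$default_local_files` before the `case $::osfamily` block further down assigns it, so with Puppet's top-to-bottom evaluation the value is undef (and a hard failure under `strict_variables`); move that assignment after the `case $::osfamily { ... }` block, or have the consuming class reference `$wazuh::params_agent::default_local_files` directly. `$wodle_syscollector_disabled = true` is the only `$wodle_*_disabled` value that is a boolean rather than `'yes'`/`'no'`; if the fragment template interpolates it verbatim the generated `<disabled>` element will contain `true`, so `$wodle_syscollector_disabled = 'yes'` keeps the intended default while making the type consistent with its neighbours. `$ossec_syscheck_ignore_type_2 = ".log$|.swp$"` is double-quoted with bare `$` characters, which puppet-lint flags and which is easy to misread as interpolation; the single-quoted `'.log$|.swp$'` is equivalent here. The `'windows'` branch defines neither `$agent_package_version` nor the authd registration parameters (`$manage_client_keys`, `$agent_auth_password`, the cert/key paths) that the `'Linux'` branch sets, so a manifest inheriting this class would presumably see them as undef on Windows unless the caller overrides them.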
@@ -0,0 +1,26 @@
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Elastic configuration parameters
+class wazuh::params_elastic {
+ $elasticsearch_service = 'elasticsearch'
+ $elasticsearch_package = 'elasticsearch'
+ $config_owner = 'elasticsearch'
+ $config_group = 'elasticsearch'
+ $config_mode = '0640'
+
+ $elasticsearch_cluster_name = 'es-wazuh'
+ $elasticsearch_node_name = 'es-node-01'
+ $elasticsearch_node_master = true
+ $elasticsearch_node_data = true
+ $elasticsearch_node_ingest = true
+ $elasticsearch_node_max_local_storage_nodes = '1'
+
+ $elasticsearch_path_data = '/var/lib/elasticsearch'
+ $elasticsearch_path_logs = '/var/log/elasticsearch'
+
+
+ $elasticsearch_ip = 'localhost'
+ $elastcisearch_port = 9200
+ $elasticsearch_discovery_option = 'discovery.type: single-node'
+ $elasticsearch_cluster_initial_master_nodes = "#cluster.initial_master_nodes: ['es-node-01']"
+
+}
diff --git a/modules/utilities/unix/logging/wazuh/manifests/params_manager.pp b/modules/utilities/unix/logging/wazuh/manifests/params_manager.pp
new file mode 100644
index 000000000..e766cdcac
--- /dev/null
+++ b/modules/utilities/unix/logging/wazuh/manifests/params_manager.pp
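Review bot: `$elastcisearch_port = 9200` misspells the variable name (`elastcisearch`), so any consumer referencing `$wazuh::params_elastic::elasticsearch_port` gets undef instead of 9200 and the rendered configuration would silently omit the port; rename it `$elasticsearch_port = 9200` and check the elastic manifest and its template for the same spelling. `$elasticsearch_discovery_option` and `$elasticsearch_cluster_initial_master_nodes` hold complete YAML lines (the latter already commented out with a leading `#`) rather than values, so the template that emits them cannot quote or validate them, and the node name `'es-node-01'` is duplicated between `$elasticsearch_node_name` and that string; if the template can decide whether to emit the key, `$elasticsearch_cluster_initial_master_nodes = [$elasticsearch_node_name]` removes the duplication. `$elasticsearch_node_max_local_storage_nodes = '1'` is a string while the neighbouring node settings are booleans; a numeric `1` would be more consistent with how the rest of the class types its values.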
@@ -0,0 +1,435 @@ +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Paramas file +class wazuh::params_manager { + case $::kernel { + 'Linux': { + + # Installation + $server_package_version = '3.10.2-1' + $manage_repos = true + $manage_firewall = false + + ### Ossec.conf blocks + + ## Global + $ossec_emailnotification = false + $ossec_emailto = [] + $ossec_smtp_server = 'smtp.example.wazuh.com' + $ossec_emailfrom = 'ossecm@example.wazuh.com' + $ossec_email_maxperhour = 12 + $ossec_email_idsname = undef + $ossec_white_list = ['127.0.0.1','^localhost.localdomain$','10.0.0.2'] + $ossec_alert_level = 3 + $ossec_email_alert_level = 12 + $ossec_remote_connection = 'secure' + $ossec_remote_port = 1514 + $ossec_remote_protocol = 'udp' + $ossec_remote_queue_size = 131072 + + # ossec.conf generation parameters + + $configure_rootcheck = true # TODO: WAS true + $configure_wodle_openscap = false # TODO: WAS true + $configure_wodle_cis_cat = false # TODO: WAS true + $configure_wodle_osquery = false # TODO: WAS true + $configure_wodle_syscollector = false # TODO: WAS true + $configure_vulnerability_detector = true + $configure_sca = true + $configure_syscheck = true + $configure_command = true + $configure_localfile = true + $configure_ruleset = true + $configure_auth = true + $configure_cluster = true + $configure_active_response = false + + + # ossec.conf templates paths + $ossec_manager_template = 'wazuh/wazuh_manager.conf.erb' + $ossec_rootcheck_template = 'wazuh/fragments/_rootcheck.erb' + $ossec_wodle_openscap_template = 'wazuh/fragments/_wodle_openscap.erb' + $ossec_wodle_cis_cat_template = 'wazuh/fragments/_wodle_cis_cat.erb' + $ossec_wodle_osquery_template = 'wazuh/fragments/_wodle_osquery.erb' + $ossec_wodle_syscollector_template = 'wazuh/fragments/_wodle_syscollector.erb' + $ossec_wodle_vulnerability_detector_template = 'wazuh/fragments/_wodle_vulnerability_detector.erb' + $ossec_sca_template = 'wazuh/fragments/_sca.erb' + $ossec_syscheck_template = 
'wazuh/fragments/_syscheck.erb' + $ossec_default_commands_template = 'wazuh/default_commands.erb' + $ossec_localfile_template = 'wazuh/fragments/_localfile.erb' + $ossec_ruleset_template = 'wazuh/fragments/_ruleset.erb' + $ossec_auth_template = 'wazuh/fragments/_auth.erb' + $ossec_cluster_template = 'wazuh/fragments/_cluster.erb' + $ossec_active_response_template = 'wazuh/fragments/_default_activeresponse.erb' + + ## Rootcheck + + $ossec_rootcheck_disabled = 'no' + $ossec_rootcheck_check_files = 'yes' + $ossec_rootcheck_check_trojans = 'yes' + $ossec_rootcheck_check_dev = 'yes' + $ossec_rootcheck_check_sys = 'yes' + $ossec_rootcheck_check_pids = 'yes' + $ossec_rootcheck_check_ports = 'yes' + $ossec_rootcheck_check_if = 'yes' + $ossec_rootcheck_frequency = 43200 + $ossec_rootcheck_rootkit_files = '/var/ossec/etc/rootcheck/rootkit_files.txt' + $ossec_rootcheck_rootkit_trojans = '/var/ossec/etc/rootcheck/rootkit_trojans.txt' + $ossec_rootcheck_skip_nfs = 'yes' + + ## Wodles + + #openscap + $wodle_openscap_disabled = true + $wodle_openscap_timeout = '1800' + $wodle_openscap_interval = '1d' + $wodle_openscap_scan_on_start = 'yes' + + #cis-cat + $wodle_ciscat_disabled = true + $wodle_ciscat_timeout = '1800' + $wodle_ciscat_interval = '1d' + $wodle_ciscat_scan_on_start = 'yes' + $wodle_ciscat_java_path = 'wodles/java' + $wodle_ciscat_ciscat_path = 'wodles/ciscat' + + #osquery + + $wodle_osquery_disabled = true + $wodle_osquery_run_daemon = 'yes' + $wodle_osquery_log_path = '/var/log/osquery/osqueryd.results.log' + $wodle_osquery_config_path = '/etc/osquery/osquery.conf' + $wodle_osquery_add_labels = 'yes' + + #syscollector + $wodle_syscollector_disabled = true + $wodle_syscollector_interval = '1h' + $wodle_syscollector_scan_on_start = 'yes' + $wodle_syscollector_hardware = 'yes' + $wodle_syscollector_os = 'yes' + $wodle_syscollector_network = 'yes' + $wodle_syscollector_packages = 'yes' + $wodle_syscollector_ports = 'yes' + $wodle_syscollector_processes = 'yes' + + 
#vulnerability-detector + + $wodle_vulnerability_detector_disabled = true + $wodle_vulnerability_detector_interval = '5m' + $wodle_vulnerability_detector_ignore_time = '6h' + $wodle_vulnerability_detector_run_on_start = 'yes' + $wodle_vulnerability_detector_ubuntu_disabled = 'yes' + $wodle_vulnerability_detector_ubuntu_update = '1h' + $wodle_vulnerability_detector_redhat_disable = 'yes' + $wodle_vulnerability_detector_redhat_update_from = '2010' + $wodle_vulnerability_detector_redhat_update = '1h' + $wodle_vulnerability_detector_debian_9_disable = 'yes' + $wodle_vulnerability_detector_debian_9_update = '1h' + + # syslog + + $syslog_output = false + $syslog_output_level = 2 + $syslog_output_port = 514 + $syslog_output_server = undef + $syslog_output_format = undef + + # Authd configuration + + $ossec_auth_disabled = 'no' + $ossec_auth_port = 1515 + $ossec_auth_use_source_ip = 'yes' + $ossec_auth_force_insert = 'yes' + $ossec_auth_force_time = 0 + $ossec_auth_purgue = 'yes' + $ossec_auth_use_password = 'no' + $ossec_auth_limit_maxagents = 'yes' + $ossec_auth_ciphers = 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' + $ossec_auth_ssl_verify_host = 'no' + $ossec_auth_ssl_manager_cert = '/var/ossec/etc/sslmanager.cert' + $ossec_auth_ssl_manager_key = '/var/ossec/etc/sslmanager.key' + $ossec_auth_ssl_auto_negotiate = 'no' + + + # syscheck + + $ossec_syscheck_disabled = 'no' + $ossec_syscheck_frequency = '43200' + $ossec_syscheck_scan_on_start = 'yes' + $ossec_syscheck_alert_new_files = 'yes' + $ossec_syscheck_auto_ignore = 'no' + $ossec_syscheck_directories_1 = '/etc,/usr/bin,/usr/sbin' + $ossec_syscheck_directories_2 = '/bin,/sbin,/boot' + $ossec_syscheck_ignore_list = ['/etc/mtab', + '/etc/hosts.deny', + '/etc/mail/statistics', + '/etc/random-seed', + '/etc/random.seed', + '/etc/adjtime', + '/etc/httpd/logs', + '/etc/utmpx', + '/etc/wtmpx', + '/etc/cups/certs', + '/etc/dumpdates', + '/etc/svc/volatile', + '/sys/kernel/security', + '/sys/kernel/debug', + 
'/dev/core', + ] + $ossec_syscheck_ignore_type_1 = '^/proc' + $ossec_syscheck_ignore_type_2 = ".log$|.swp$" + + + $ossec_syscheck_nodiff = '/etc/ssl/private.key' + $ossec_syscheck_skip_nfs = 'yes' + + # Cluster + + $ossec_cluster_name = 'wazuh' + $ossec_cluster_node_name = 'node01' + $ossec_cluster_node_type = 'master' + $ossec_cluster_key = 'KEY' + $ossec_cluster_port = '1516' + $ossec_cluster_bind_addr = '0.0.0.0' + $ossec_cluster_nodes = ['NODE_IP'] + $ossec_cluster_hidden = 'no' + $ossec_cluster_disabled = 'yes' + + $ossec_cluster_enable_firewall = 'no' + + + #----- End of ossec.conf parameters ------- + + $ossec_prefilter = false + $ossec_integratord_enabled = false + + + $manage_client_keys = 'yes' + $agent_auth_password = undef + $ar_repeated_offenders = '' + + $local_decoder_template = 'wazuh/local_decoder.xml.erb' + $decoder_exclude = [] + $local_rules_template = 'wazuh/local_rules.xml.erb' + $rule_exclude = [] + $shared_agent_template = 'wazuh/ossec_shared_agent.conf.erb' + + $wazuh_manager_verify_manager_ssl = false + $wazuh_manager_server_crt = undef + $wazuh_manager_server_key = undef + + + ## Wazuh config folders and modes + + $config_file = '/var/ossec/etc/ossec.conf' + $shared_agent_config_file = '/var/ossec/etc/shared/agent.conf' + + $config_mode = '0640' + $config_owner = 'root' + $config_group = 'ossec' + + $keys_file = '/var/ossec/etc/client.keys' + $keys_mode = '0640' + $keys_owner = 'root' + $keys_group = 'ossec' + + + $authd_pass_file = '/var/ossec/etc/authd.pass' + + $validate_cmd_conf = '/var/ossec/bin/verify-agent-conf -f %' + + $processlist_file = '/var/ossec/bin/.process_list' + $processlist_mode = '0640' + $processlist_owner = 'root' + $processlist_group = 'ossec' + + + case $::osfamily { + 'Debian': { + + $agent_service = 'wazuh-agent' + $agent_package = 'wazuh-agent' + $service_has_status = false + $ossec_service_provider = undef + $api_service_provider = undef + $default_local_files = [ + { 'location' => '/var/log/syslog' , 
'log_format' => 'syslog'}, + { 'location' => '/var/log/kern.log' , 'log_format' => 'syslog'}, + { 'location' => '/var/log/auth.log' , 'log_format' => 'syslog'}, + { 'location' => '/var/log/dpkg.log', 'log_format' => 'syslog'}, + { 'location' => '/var/ossec/logs/active-responses.log', 'log_format' => 'syslog'}, + { 'location' => '/var/log/messages' , 'log_format' => 'syslog'}, + ] + case $::lsbdistcodename { + 'xenial': { + $server_service = 'wazuh-manager' + $server_package = 'wazuh-manager' + $api_service = 'wazuh-api' + $api_package = 'wazuh-api' + $wodle_openscap_content = { + 'ssg-ubuntu-1604-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_common'], + },'cve-ubuntu-xenial-oval.xml' => { + 'type' => 'oval' + } + } + } + 'jessie': { + $server_service = 'wazuh-manager' + $server_package = 'wazuh-manager' + $api_service = 'wazuh-api' + $api_package = 'wazuh-api' + $wodle_openscap_content = { + 'ssg-debian-8-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_common'], + }, + 'cve-debian-8-oval.xml' => { + 'type' => 'oval', + } + } + } + /^(wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|bionic)$/: { + $server_service = 'wazuh-manager' + $server_package = 'wazuh-manager' + $api_service = 'wazuh-api' + $api_package = 'wazuh-api' + $wodle_openscap_content = undef + } + default: { + fail("Module ${module_name} is not supported on ${::operatingsystem}") + } + } + + } + 'RedHat': { + + $agent_service = 'wazuh-agent' + $agent_package = 'wazuh-agent' + $server_service = 'wazuh-manager' + $server_package = 'wazuh-manager' + $api_service = 'wazuh-api' + $api_package = 'wazuh-api' + $service_has_status = true + + $default_local_files =[ + { 'location' => '/var/log/audit/audit.log' , 'log_format' => 'audit'}, + { 'location' => '/var/ossec/logs/active-responses.log' , 'log_format' => 'syslog'}, + { 'location' => '/var/log/messages', 'log_format' => 'syslog'}, + { 'location' => '/var/log/secure' , 
'log_format' => 'syslog'}, + { 'location' => '/var/log/maillog' , 'log_format' => 'apache'}, + ] + case $::operatingsystem { + 'Amazon': { + $ossec_service_provider = 'systemd' + $api_service_provider = 'systemd' + # Amazon is based on Centos-6 with some improvements + # taken from RHEL-7 but uses SysV-Init, not Systemd. + # Probably best to leave this undef until we can + # write/find a release-specific file. + $wodle_openscap_content = undef + } + 'CentOS': { + if ( $::operatingsystemrelease =~ /^6.*/ ) { + $ossec_service_provider = 'redhat' + $api_service_provider = 'redhat' + $wodle_openscap_content = { + 'ssg-centos-6-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',] + } + } + } + if ( $::operatingsystemrelease =~ /^7.*/ ) { + $ossec_service_provider = 'systemd' + $api_service_provider = 'systemd' + $wodle_openscap_content = { + 'ssg-centos-7-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',] + } + } + } + } + /^(RedHat|OracleLinux)$/: { + if ( $::operatingsystemrelease =~ /^6.*/ ) { + $ossec_service_provider = 'redhat' + $api_service_provider = 'redhat' + $wodle_openscap_content = { + 'ssg-rhel-6-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_server',] + }, + 'cve-redhat-6-ds.xml' => { + 'type' => 'xccdf', + } + } + } + if ( $::operatingsystemrelease =~ /^7.*/ ) { + $ossec_service_provider = 'systemd' + $api_service_provider = 'systemd' + $wodle_openscap_content = { + 'ssg-rhel-7-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_pci-dss', 'xccdf_org.ssgproject.content_profile_common',] + }, + 'cve-redhat-7-ds.xml' => { + 'type' => 'xccdf', + } + } + } + } + 'Fedora': { + if ( $::operatingsystemrelease =~ /^(23|24|25).*/ ) { + $ossec_service_provider = 
'redhat' + $api_service_provider = 'redhat' + $wodle_openscap_content = { + 'ssg-fedora-ds.xml' => { + 'type' => 'xccdf', + profiles => ['xccdf_org.ssgproject.content_profile_standard', 'xccdf_org.ssgproject.content_profile_common',] + }, + } + } + } + default: { fail('This ossec module has not been tested on your distribution') } + } + } + default: { fail('This ossec module has not been tested on your distribution') } + } + } + 'windows': { + $config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/ossec.conf'), '\\\\', '/') + $shared_agent_config_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/shared/agent.conf'), '\\\\', '/') + $config_owner = 'Administrator' + $config_group = 'Administrators' + + $manage_firewall = false + + $keys_file = regsubst(sprintf('c:/Program Files (x86)/ossec-agent/client.keys'), '\\\\', '/') + $keys_mode = '0440' + $keys_owner = 'Administrator' + $keys_group = 'Administrators' + + $agent_service = 'OssecSvc' + $agent_package = 'Wazuh Agent 3.10.2' + $server_service = '' + $server_package = '' + $api_service = '' + $api_package = '' + $service_has_status = true + + # TODO + $validate_cmd_conf = undef + # Pushed by shared agent config now + $default_local_files = [ + {'location' => 'Security' , 'log_format' => 'eventchannel', + 'query' => 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658\ + and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID!= 4703 and EventID != 4907]'}, + {'location' => 'System' , 'log_format' => 'eventlog' }, + {'location' => 'active-response\active-responses.log' , 'log_format' => 'syslog' }, + ] + + } + default: { fail('This ossec module has not been tested on your distribution') } + } +} diff --git a/modules/utilities/unix/logging/wazuh/manifests/repo.pp b/modules/utilities/unix/logging/wazuh/manifests/repo.pp index dde283548..130098a75 100644 
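Review bot: The registration defaults in this hunk leave agent enrollment on port 1515 open to anyone who can reach it: `$configure_auth = true` and `$ossec_auth_disabled = 'no'` turn authd on, while `$ossec_auth_use_password = 'no'`, `$ossec_auth_ssl_verify_host = 'no'` and `$ossec_auth_force_insert = 'yes'` mean an unauthenticated client can register a new agent and, presumably, re-register an existing agent name and replace its key. If this is deliberate for an isolated lab build, say so at the block, e.g. `# NOTE: enrollment is intentionally open (no authd password, force_insert) — lab use only`; otherwise default `$ossec_auth_use_password` to `'yes'`, `$ossec_auth_force_insert` to `'no'`, and fail when the password is enabled but `$agent_auth_password` is still `undef`. The cluster block ships a literal `$ossec_cluster_key = 'KEY'` bound to `0.0.0.0`; it is harmless only while `$ossec_cluster_disabled = 'yes'`, so the key should default to `undef` so that enabling the cluster with the placeholder fails loudly instead of running with a guessable shared secret.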
--- a/modules/utilities/unix/logging/wazuh/manifests/repo.pp +++ b/modules/utilities/unix/logging/wazuh/manifests/repo.pp @@ -1,7 +1,6 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) -# Repo installation +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh repository installation class wazuh::repo ( - $redhat_manage_epel = true, ) { case $::osfamily { @@ -55,16 +54,6 @@ class wazuh::repo ( baseurl => $baseurl } - if $redhat_manage_epel { - # Set up EPEL repo - # NOTE: This relies on the 'epel' module referenced in metadata.json - package { 'inotify-tools': - ensure => present - } - include epel - - Class['epel'] -> Package['inotify-tools'] - } } default: { fail('This ossec module has not been tested on your distribution') } } diff --git a/modules/utilities/unix/logging/wazuh/manifests/repo_elastic.pp b/modules/utilities/unix/logging/wazuh/manifests/repo_elastic.pp new file mode 100644 index 000000000..2ce515ba6 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/manifests/repo_elastic.pp 
@@ -0,0 +1,69 @@
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Installation of Elastic repository
+class wazuh::repo_elastic (
+
+) {
+ case $::osfamily {
+ 'Debian' : {
+ if ! defined(Package['apt-transport-https']) {
+ ensure_packages(['apt-transport-https'], {'ensure' => 'present'})
+ }
+ # apt-key added by issue #34
+ apt::key { 'elastic':
+ id => '46095ACC8548582C1A2699A9D27D666CD88E42B4',
+ source => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
+ }
+ case $::lsbdistcodename {
+ /(jessie|wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|yakketi|bionic)/: {
+
+ apt::source { 'wazuh_elastic':
+ ensure => present,
+ comment => 'This is the Elastic repository',
+ location => 'https://artifacts.elastic.co/packages/7.x/apt',
+ release => 'stable',
+ repos => 'main',
+ include => {
+ 'src' => false,
+ 'deb' => true,
+ },
+ }
+ }
+ default: { fail('This ossec module has not been tested on your distribution (or lsb package not installed)') }
+ }
+ }
+ 'Redhat' : {
+ case $::os[name] {
+ /^(CentOS|RedHat|OracleLinux|Fedora|Amazon)$/: {
+ if ( $::operatingsystemrelease =~ /^5.*/ ) {
+ $baseurl = 'https://artifacts.elastic.co/packages/7.x/yum'
+ $gpgkey = 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+ } else {
+ $baseurl = 'https://artifacts.elastic.co/packages/7.x/yum'
+ $gpgkey = 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+ }
+ }
+ default: { fail('This ossec module has not been tested on your distribution.') }
+ }
+ ## Set up Elasticsearch repo
+
+ # Import GPG key
+
+ exec { 'Install Elasticsearch GPG key':
+ path => '/usr/bin',
+ command => 'rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch',
+ }
+
+ # Adding repo by Puppet yumrepo resource
+
+ yumrepo { 'elasticsearch':
+ ensure => 'present',
+ enabled => 1,
+ gpgcheck => 1,
+ gpgkey => $gpgkey,
+ baseurl => $baseurl,
+ name => 'elasticsearch',
+ }
+ }
+ default: { fail('This ossec module has not been tested on your distribution') }
+ }
+ }
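Review bot: The `exec { 'Install Elasticsearch GPG key': ... }` in the RedHat branch has no `unless`/`creates`, so `rpm --import` re-downloads and re-runs on every Puppet run, and it fetches the key from `packages.elastic.co` while `$gpgkey` and the Debian `apt::key` use `artifacts.elastic.co`. Because the `yumrepo` already sets `gpgcheck => 1` and `gpgkey => $gpgkey`, yum will import that key itself, so the exec can be dropped; if it is kept it should use the same URL and be guarded, e.g. `unless => 'rpm -q gpg-pubkey-d88e42b4'` (the suffix is the low 32 bits of the fingerprint pinned by the Debian `apt::key` — confirm it is the same key). Unlike the Debian side nothing here pins a fingerprint, so a compromised mirror or TLS interception at first run is trusted for every later package install; shipping the key file with the module would close that gap. The `if ( $::operatingsystemrelease =~ /^5.*/ )` branch assigns exactly the same `$baseurl`/`$gpgkey` as its `else`, so the conditional is dead and should be collapsed to two plain assignments.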
diff --git a/modules/utilities/unix/logging/wazuh/manifests/reports.pp b/modules/utilities/unix/logging/wazuh/manifests/reports.pp index abc0090bf..bca48d333 100644 --- a/modules/utilities/unix/logging/wazuh/manifests/reports.pp +++ b/modules/utilities/unix/logging/wazuh/manifests/reports.pp @@ -1,4 +1,4 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) #Define for a Reports section define wazuh::reports( Optional[String] $r_group = undef, @@ -13,7 +13,7 @@ define wazuh::reports( Optional[Enum['yes', 'no']] $r_showlogs = undef, ) { - require wazuh::params + require wazuh::params_manager concat::fragment { $name: target => 'ossec.conf', diff --git a/modules/utilities/unix/logging/wazuh/manifests/server.pp b/modules/utilities/unix/logging/wazuh/manifests/server.pp deleted file mode 100644 index c815e5d36..000000000 --- a/modules/utilities/unix/logging/wazuh/manifests/server.pp +++ /dev/null 
@@ -1,293 +0,0 @@ -# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) -# Main ossec server config -class wazuh::server ( - $smtp_server = undef, - $ossec_emailto = [], - $ossec_emailfrom = "wazuh@${::domain}", - $ossec_active_response = true, - $ossec_rootcheck = true, - $ossec_rootcheck_frequency = 36000, - $ossec_rootcheck_checkports = true, - $ossec_rootcheck_checkfiles = true, - $ossec_global_host_information_level = 8, - $ossec_global_stat_level = 8, - $ossec_email_alert_level = 7, - $ossec_ignorepaths = [], - $ossec_ignorepaths_regex = [], - $ossec_scanpaths = [ {'path' => '/etc,/usr/bin,/usr/sbin', 'report_changes' => 'no', 'realtime' => 'no'}, {'path' => '/bin,/sbin', 'report_changes' => 'yes', 'realtime' => 'yes'} ], - $ossec_white_list = [], - $ossec_extra_rules_config = [], - $ossec_local_files = $::wazuh::params::default_local_files, - $ossec_emailnotification = true, - $ossec_email_maxperhour = '12', - $ossec_email_idsname = undef, - $ossec_syscheck_frequency = 79200, - $ossec_auto_ignore = 'yes', - $ossec_prefilter = false, - $ossec_service_provider = $::wazuh::params::ossec_service_provider, - $api_service_provider = $::wazuh::params::api_service_provider, - $ossec_server_port = '1514', - $ossec_server_protocol = 'udp', - $ossec_integratord_enabled = false, - $server_package_version = 'installed', - $api_package_version = 'installed', - $api_config_params = $::wazuh::params::api_config_params, - $manage_repos = true, - $manage_epel_repo = true, - $manage_client_keys = 'authd', - $install_wazuh_api = false, - $wazuh_api_enable_https = false, - $wazuh_api_server_crt = undef, - $wazuh_api_server_key = undef, - $manage_nodejs = true, - $nodejs_repo_url_suffix = '6.x', - $agent_auth_password = undef, - $ar_repeated_offenders = '', - $syslog_output = false, - $syslog_output_level = 2, - $syslog_output_port = 514, - $syslog_output_server = undef, - $syslog_output_format = undef, - $enable_wodle_openscap = false, - $wodle_openscap_content = 
$::wazuh::params::wodle_openscap_content, - $local_decoder_template = 'wazuh/local_decoder.xml.erb', - $decoder_exclude = [], - $local_rules_template = 'wazuh/local_rules.xml.erb', - $rule_exclude = [], - $shared_agent_template = 'wazuh/ossec_shared_agent.conf.erb', - $api_config_template = 'wazuh/api/config.js.erb', - $wazuh_manager_verify_manager_ssl = false, - $wazuh_manager_server_crt = undef, - $wazuh_manager_server_key = undef, - $ossec_auth_ssl_cert = undef, - $ossec_auth_ssl_key = undef, - $ossec_auth_ssl_ca = undef, - Boolean $manage_firewall = $::wazuh::params::manage_firewall, - Integer $ossec_auth_port = 1515, - Boolean $ossec_auth_use_srcip = false, - Boolean $ossec_auth_use_password = false, - Boolean $ossec_auth_force_insert = false, - Boolean $ossec_auth_purge = false, -) inherits wazuh::params { - validate_bool( - $ossec_active_response, $ossec_rootcheck, - $manage_repos, $manage_epel_repo, $syslog_output, - $install_wazuh_api, $wazuh_manager_verify_manager_ssl - ) - validate_array( - $decoder_exclude, $rule_exclude - ) - - # This allows arrays of integers, sadly - # (commented due to stdlib version requirement) - validate_array($ossec_ignorepaths) - if ( $ossec_emailnotification ) { - if $smtp_server == undef { - fail('$ossec_emailnotification is enabled but $smtp_server was not set') - } - validate_string($smtp_server) - validate_string($ossec_emailfrom) - validate_array($ossec_emailto) - } - - if $::osfamily == 'windows' { - fail('The ossec module does not yet support installing the OSSEC HIDS server on Windows') - } - - if $manage_repos { - # TODO: Allow filtering of EPEL requirement - class { 'wazuh::repo': redhat_manage_epel => $manage_epel_repo } - if $::osfamily == 'Debian' { - Class['wazuh::repo'] -> Class['apt::update'] -> Package[$wazuh::params::server_package] - } else { - Class['wazuh::repo'] -> Package[$wazuh::params::server_package] - } - } - # install package - package { $wazuh::params::server_package: - ensure => 
$server_package_version, # lint:ignore:security_package_pinned_version - } - - file { - default: - owner => $wazuh::params::config_owner, - group => $wazuh::params::config_group, - mode => $wazuh::params::config_mode, - notify => Service[$wazuh::params::server_service], - require => Package[$wazuh::params::server_package]; - $wazuh::params::shared_agent_config_file: - validate_cmd => $wazuh::params::validate_cmd_conf, - content => template($shared_agent_template); - '/var/ossec/etc/rules/local_rules.xml': - content => template($local_rules_template); - '/var/ossec/etc/decoders/local_decoder.xml': - content => template($local_decoder_template); - $wazuh::params::processlist_file: - content => template('wazuh/process_list.erb'); - } - - service { $wazuh::params::server_service: - ensure => running, - enable => true, - hasstatus => $wazuh::params::service_has_status, - pattern => $wazuh::params::server_service, - provider => $ossec_service_provider, - require => Package[$wazuh::params::server_package], - } - - concat { 'ossec.conf': - path => $wazuh::params::config_file, - owner => $wazuh::params::config_owner, - group => $wazuh::params::config_group, - mode => $wazuh::params::config_mode, - require => Package[$wazuh::params::server_package], - notify => Service[$wazuh::params::server_service], - #validate_cmd => $wazuh::params::validate_cmd_conf, # not yet implemented, see https://github.com/wazuh/wazuh/issues/86 - } - - concat::fragment { - default: - target => 'ossec.conf', - notify => Service[$wazuh::params::server_service]; - 'ossec.conf_header': - order => 00, - content => "\n"; - 'ossec.conf_agent': - order => 10, - content => template('wazuh/wazuh_manager.conf.erb'); - 'ossec.conf_footer': - order => 99, - content => ''; - } - - if ( $manage_client_keys == 'export' ) { - concat { $wazuh::params::keys_file: - owner => $wazuh::params::keys_owner, - group => $wazuh::params::keys_group, - mode => $wazuh::params::keys_mode, - notify => 
Service[$wazuh::params::server_service], - require => Package[$wazuh::params::server_package], - } - concat::fragment { 'var_ossec_etc_client.keys_end' : - target => $wazuh::params::keys_file, - order => 99, - content => "\n", - notify => Service[$wazuh::params::server_service] - } - # A separate module to avoid storeconfigs warnings when not managing keys - include wazuh::collect_agent_keys - } - - - - if ( $manage_client_keys == 'authd') { - # TODO: ensure the authd service is started if manage_client_keys == authd - # (see https://github.com/wazuh/wazuh/issues/80) - - file { $wazuh::params::authd_pass_file: - owner => $wazuh::params::keys_owner, - group => $wazuh::params::keys_group, - mode => $wazuh::params::keys_mode, - content => $agent_auth_password, - require => Package[$wazuh::params::server_package], - } - } - - # https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-manager-via-ssl - if $wazuh_manager_verify_manager_ssl { - - if ($wazuh_manager_server_crt != undef) and ($wazuh_manager_server_key != undef) { - validate_string( - $wazuh_manager_server_crt, $wazuh_manager_server_key - ) - - file { '/var/ossec/etc/sslmanager.key': - content => $wazuh_manager_server_key, - owner => 'root', - group => 'ossec', - mode => '0640', - require => Package[$wazuh::params::server_package], - notify => Service[$wazuh::params::server_service], - } - - file { '/var/ossec/etc/sslmanager.cert': - content => $wazuh_manager_server_crt, - owner => 'root', - group => 'ossec', - mode => '0640', - require => Package[$wazuh::params::server_package], - notify => Service[$wazuh::params::server_service], - } - } - } - - ### Wazuh API - if $install_wazuh_api { - validate_bool($manage_nodejs) - if $manage_nodejs { - validate_string($nodejs_repo_url_suffix) - class { '::nodejs': repo_url_suffix => $nodejs_repo_url_suffix } - Class['nodejs'] -> Package[$wazuh::params::api_package] - } - - package { $wazuh::params::api_package: - ensure => 
$api_package_version, # lint:ignore:security_package_pinned_version - } - - if $wazuh_api_enable_https { - validate_string($wazuh_api_server_crt, $wazuh_api_server_key) - file { '/var/ossec/api/configuration/ssl/server.key': - content => $wazuh_api_server_key, - owner => 'root', - group => 'ossec', - mode => '0600', - require => Package[$wazuh::params::api_package], - notify => Service[$wazuh::params::api_service], - } - - file { '/var/ossec/api/configuration/ssl/server.crt': - content => $wazuh_api_server_crt, - owner => 'root', - group => 'ossec', - mode => '0600', - require => Package[$wazuh::params::api_package], - notify => Service[$wazuh::params::api_service], - } - } - - # wazuh-api config.js - # this hash is currently only covering the basic config section of config.js - # TODO: allow customization of the entire config.js - # for reference: https://documentation.wazuh.com/current/user-manual/api/configuration.html - file { '/var/ossec/api/configuration/config.js': - content => template($api_config_template), - owner => 'root', - group => 'ossec', - mode => '0750', - require => Package[$wazuh::params::api_package], - notify => Service[$wazuh::params::api_service], - } - - service { $wazuh::params::api_service: - ensure => running, - enable => true, - hasstatus => $wazuh::params::service_has_status, - pattern => $wazuh::params::api_service, - provider => $api_service_provider, - require => Package[$wazuh::params::api_package], - } - } - # Manage firewall - if $manage_firewall { - include firewall - firewall { '1514 wazuh-manager': - dport => $ossec_server_port, - proto => $ossec_server_protocol, - action => 'accept', - state => [ - 'NEW', - 'RELATED', - 'ESTABLISHED'], - } - } -} diff --git a/modules/utilities/unix/logging/wazuh/manifests/wazuh_api.pp b/modules/utilities/unix/logging/wazuh/manifests/wazuh_api.pp new file mode 100644 index 000000000..acd3e35d7 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/manifests/wazuh_api.pp 
@@ -0,0 +1,49 @@
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh API installation
+class wazuh::wazuh_api (
+
+ $wazuh_api_package = 'wazuh-api',
+ $wazuh_api_service = 'wazuh-api',
+ $wazuh_api_version = '3.10.2-1',
+
+ $nodejs_package = 'nodejs'
+
+){
+
+ if $::osfamily == 'Debian' {
+ exec { 'Updating repositories...':
+ path => '/usr/bin',
+ command => 'curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -',
+
+ }
+ package { $nodejs_package:
+ provider => 'apt',
+ }
+ package { $wazuh_api_package:
+ ensure => $wazuh_api_version,
+ provider => 'apt',
+ }
+
+ }else{
+ exec { 'Updating repositories...':
+ path => '/usr/bin',
+ command => 'curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -',
+
+ }
+ package { $nodejs_package:
+ provider => 'yum',
+ }
+ package { $wazuh_api_package:
+ ensure => $wazuh_api_version,
+ provider => 'yum',
+ }
+ }
+
+ service { 'wazuh-api':
+ ensure => running,
+ enable => true,
+ provider => 'systemd',
+ }
+
+
+}
diff --git a/modules/utilities/unix/logging/wazuh/metadata.json b/modules/utilities/unix/logging/wazuh/metadata.json
index 0b73d0afe..5cad9f167 100644
--- a/modules/utilities/unix/logging/wazuh/metadata.json
+++ b/modules/utilities/unix/logging/wazuh/metadata.json
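Review bot: Both `exec { 'Updating repositories...': ... }` resources pipe a remote script straight into a root shell (`curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -` and the `rpm.nodesource.com` equivalent) with no checksum or signature check and no `unless`/`creates`, so whatever that host, or anything between the agent and it, serves is executed as root on every Puppet run. The module already lists `puppet/nodejs` in `metadata.json` and manages the Elastic repository with `apt::key`/`apt::source` and a `gpgcheck`-enabled `yumrepo` in `repo_elastic.pp`; the NodeSource repo and key should be declared the same way, and at a minimum the exec needs a `creates` pointing at the repo file the script drops (e.g. `/etc/apt/sources.list.d/nodesource.list` on Debian — verify) so it runs once. Ordering is also missing: neither `package { $nodejs_package }` nor `package { $wazuh_api_package }` has `require => Exec['Updating repositories...']`, and `service { 'wazuh-api' }` has no `require => Package[$wazuh_api_package]`, so a first run can try to install or start them before the repository exists. The `$wazuh_api_service` parameter is declared but the service resource hard-codes `'wazuh-api'`; either use the parameter or drop it.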
@@ -1,13 +1,38 @@ { "name": "wazuh-wazuh", - "version": "3.9.1", + "version": "3.10.2", "author": "WAZUH", "summary": "Install and configure Wazuh-HIDS client and server", "license": "Apache-2.0", "source": "https://github.com/wazuh/wazuh-puppet", "project_page": "https://github.com/wazuh/wazuh-puppet", "issues_url": "https://github.com/wazuh/wazuh-puppet/issues", - "tags": ["ossec", "hids", "3.9", "wazuh"], + "dependencies": [ + { + "name": "puppetlabs/stdlib", + "version_requirement": ">= 1.0.0 < 7.0.0" + }, + { + "name": "puppetlabs/concat", + "version_requirement": ">= 1.0.0 < 7.0.0" + }, + { + "name": "puppetlabs/apt", + "version_requirement": ">= 2.0.0 < 8.0.0" + }, + { + "name": "puppet/selinux", + "version_requirement": ">= 0.8.0 < 4.0.0" + }, + { + "name": "puppet/nodejs", + "version_requirement": ">= 3.0.0 < 8.0.0" + }, + { + "name": "puppetlabs/firewall", + "version_requirement": ">= 1.7.0 < 3.0.0" + } + ], "operatingsystem_support": [ { "operatingsystem": "Windows", @@ -21,7 +46,7 @@ "Windows 10" ] }, - { + { "operatingsystem": "CentOS", "operatingsystemrelease": [ "5", @@ -43,7 +68,7 @@ "22", "23", "24", - "25" + "25" ] }, { @@ -55,7 +80,7 @@ "Wily", "Xenial", "Yakketi", - "Bionic" + "Bionic" ] }, { 
@@ -68,34 +93,19 @@ ] } ], - "dependencies": [ + "requirements": [ { - "name": "puppetlabs/stdlib", - "version_range": ">= 1.0.0" - }, - { - "name": "puppetlabs/concat", - "version_range": ">= 1.0.0" - }, - { - "name": "stahnma/epel", - "version_range": ">= 1.0.0" - }, - { - "name": "puppetlabs/apt", - "version_range": ">= 2.0.0" - }, - { - "name": "puppet/selinux", - "version_range": ">= 0.8.0" - }, - { - "name": "puppet/nodejs", - "version_range": ">= 3.0.0 < 4.0.0" - }, - { - "name": "puppetlabs/firewall", - "version_range": ">= 1.7.0" + "name": "puppet", + "version_requirement": ">= 6.0.0 < 7.0.0" } - ] + ], + "tags": [ + "ossec", + "hids", + "3.10", + "wazuh" + ], + "pdk-version": "1.10.0", + "template-url": "file:///opt/puppetlabs/pdk/share/cache/pdk-templates.git#1.10.0", + "template-ref": "1.10.0-0-gbba9ac3" } diff --git a/modules/utilities/unix/logging/wazuh/spec/classes/client_spec.rb b/modules/utilities/unix/logging/wazuh/spec/classes/client_spec.rb index e0f7a3efb..3328f0351 100644 --- a/modules/utilities/unix/logging/wazuh/spec/classes/client_spec.rb +++ b/modules/utilities/unix/logging/wazuh/spec/classes/client_spec.rb 
@@ -1,38 +1,41 @@ require 'spec_helper' -describe 'wazuh::client' do +describe 'wazuh::agent' do on_supported_os.each do |os, facts| context "on #{os}" do - let (:facts) do - facts.merge({ :concat_basedir => '/dummy' }) + let(:facts) do + facts.merge(concat_basedir: '/dummy') end + context 'with defaults for all parameters' do it do - expect { is_expected.to compile.with_all_deps }.to raise_error(/must pass either/) + expect { is_expected.to compile.with_all_deps }.to raise_error(%r{must pass either}) end end - context 'with ossec_server_ip' do - let (:params) do + context 'with ossec_ip' do + let(:params) do { - :ossec_server_ip => '127.0.0.1', + ossec_ip: '127.0.0.1', } end + it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('wazuh::client') } - it { is_expected.not_to contain_Concat__Fragment('ossec.conf_10').with_content(/local.test<\/server-hostname>/) } - it { is_expected.to contain_Concat__Fragment('ossec.conf_10').with_content(/127.0.0.1<\/server-ip>/) } + it { is_expected.to contain_class('wazuh::agent') } + it { is_expected.not_to contain_Concat__Fragment('ossec.conf_10').with_content(%r{/local.test<\/server-hostname>/}) } + it { is_expected.to contain_Concat__Fragment('ossec.conf_10').with_content(%r{/127.0.0.1<\/server-ip>/}) } end context 'with ossec_server_hostname' do - let (:params) do + let(:params) do { - :ossec_server_hostname => 'local.test', + ossec_server_hostname: 'local.test', } end + it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('wazuh::client') } - it { is_expected.not_to contain_Concat__Fragment('ossec.conf_10').with_content(/127.0.0.1<\/server-ip>/) } - it { is_expected.to contain_Concat__Fragment('ossec.conf_10').with_content(/local.test<\/server-hostname>/) } + it { is_expected.to contain_class('wazuh::wazuh-agent') } + it { is_expected.not_to contain_Concat__Fragment('ossec.conf_10').with_content(%r{/127.0.0.1<\/server-ip>/}) } + it { is_expected.to 
contain_Concat__Fragment('ossec.conf_10').with_content(%r{/local.test<\/server-hostname>/}) } end end end diff --git a/modules/utilities/unix/logging/wazuh/spec/classes/init_spec.rb b/modules/utilities/unix/logging/wazuh/spec/classes/init_spec.rb index 06d761d59..629770e5e 100644 --- a/modules/utilities/unix/logging/wazuh/spec/classes/init_spec.rb +++ b/modules/utilities/unix/logging/wazuh/spec/classes/init_spec.rb @@ -2,7 +2,8 @@ require 'spec_helper' describe 'ossec' do on_supported_os.each do |os, facts| context "on #{os}" do - let (:facts) { facts } + let(:facts) { facts } + context 'with defaults for all parameters' do it { is_expected.to compile.with_all_deps } it { is_expected.to contain_class('ossec') } diff --git a/modules/utilities/unix/logging/wazuh/spec/classes/server_spec.rb b/modules/utilities/unix/logging/wazuh/spec/classes/server_spec.rb index 8b47121c6..c0682ff47 100644 --- a/modules/utilities/unix/logging/wazuh/spec/classes/server_spec.rb +++ b/modules/utilities/unix/logging/wazuh/spec/classes/server_spec.rb @@ -1,24 +1,26 @@ require 'spec_helper' -describe 'wazuh::server' do +describe 'wazuh::manager' do on_supported_os.each do |os, facts| context "on #{os}" do - let (:facts) do - facts.merge({ :concat_basedir => '/dummy' }) + let(:facts) do + facts.merge(concat_basedir: '/dummy') end + context 'with defaults for all parameters' do it do - expect { is_expected.to compile.with_all_deps }.to raise_error(/Must pass smtp_server/) + expect { is_expected.to compile.with_all_deps }.to raise_error(%r{Must pass smtp_server}) end end context 'with valid paramaters' do - let (:params) do + let(:params) do { - :smtp_server => '127.0.0.1', - :ossec_emailto => 'root@localhost.localdomain', + smtp_server: '127.0.0.1', + ossec_emailto: 'root@localhost.localdomain', } end + it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('wazuh::server') } + it { is_expected.to contain_class('wazuh::manager') } end end end 
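Review bot: The converted matchers keep the old `/` delimiters inside `%r{...}`, e.g. `with_content(%r{/127.0.0.1<\/server-ip>/})`, so the pattern now demands a literal slash before `127.0.0.1` and after `</server-ip>` and can never match the rendered fragment, which makes the positive assertions fail and the `not_to` assertions pass vacuously; they should read `%r{127\.0\.0\.1</server-ip>}` and `%r{local\.test</server-hostname>}`. The `ossec_server_hostname` context asserts `contain_class('wazuh::wazuh-agent')`, which is not a valid Puppet class name and disagrees with the `wazuh::agent` used in the `ossec_ip` context; it should be `it { is_expected.to contain_class('wazuh::agent') }`. The parameter rename from `ossec_server_ip` to `ossec_ip` is only exercised here, so if `wazuh::agent` (not in this diff) still accepts the old name the `must pass either` expectation will hide it — worth checking against the manifest.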
diff --git a/modules/utilities/unix/logging/wazuh/spec/spec_helper.rb b/modules/utilities/unix/logging/wazuh/spec/spec_helper.rb index 4b7111482..93b25ecbd 100644 --- a/modules/utilities/unix/logging/wazuh/spec/spec_helper.rb +++ b/modules/utilities/unix/logging/wazuh/spec/spec_helper.rb 
@@ -1,23 +1,47 @@ -dir = File.expand_path(File.dirname(__FILE__)) -$LOAD_PATH.unshift File.join(dir, 'lib') - -require 'mocha' -require 'puppet' -require 'rspec' -require 'rspec-puppet-facts' require 'puppetlabs_spec_helper/module_spec_helper' +require 'rspec-puppet-facts' + +require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb')) include RspecPuppetFacts -#require 'spec/autorun' +default_facts = { + puppetversion: Puppet.version, + facterversion: Facter.version, +} -#Spec::Runner.configure do |config| -RSpec.configure do |config| - config.mock_with :mocha +default_fact_files = [ + File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')), + File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')), +] + +default_fact_files.each do |f| + next unless File.exist?(f) && File.readable?(f) && File.size?(f) + + begin + default_facts.merge!(YAML.safe_load(File.read(f), [], [], true)) + rescue => e + RSpec.configuration.reporter.message "WARNING: Unable to load #{f}: #{e}" + end end -# We need this because the RAL uses 'should' as a method. This -# allows us the same behaviour but with a different method name. -#class Object -# alias :must :should -#end +RSpec.configure do |c| + c.default_facts = default_facts + c.before :each do + # set to strictest setting for testing + # by default Puppet runs at warning level + Puppet.settings[:strict] = :warning + end + c.filter_run_excluding(bolt: true) unless ENV['GEM_BOLT'] + c.after(:suite) do + end +end + +def ensure_module_defined(module_name) + module_name.split('::').reduce(Object) do |last_module, next_module| + last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module, false) + last_module.const_get(next_module, false) + end +end + +# 'spec_overrides' from sync.yml will appear below this line 
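Review bot: The comment above `Puppet.settings[:strict] = :warning` claims the tests run at the strictest setting, but the very next comment line says `:warning` is Puppet's default; the strictest value is `:error`. Either set `Puppet.settings[:strict] = :error` or reword the comment to `# keep Puppet's default :warning level; raise to :error to fail the run on strict violations`. `YAML.safe_load(File.read(f), [], [], true)` uses positional permitted-class arguments, which I believe newer Psych releases reject; the keyword form `YAML.safe_load(File.read(f), permitted_classes: [], permitted_symbols: [], aliases: true)` works on both. The trailing `# 'spec_overrides' from sync.yml` marker suggests this file is synced from a PDK template, so the fix may belong in the template rather than here.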
diff --git a/modules/utilities/unix/logging/wazuh/templates/default_commands.erb b/modules/utilities/unix/logging/wazuh/templates/default_commands.erb new file mode 100644 index 000000000..6be428693 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/default_commands.erb @@ -0,0 +1,63 @@ + + disable-account + disable-account.sh + user + yes + + + + restart-ossec + restart-ossec.sh + + + + + firewall-drop + firewall-drop.sh + srcip + yes + + + + host-deny + host-deny.sh + srcip + yes + + + + route-null + route-null.sh + srcip + yes + + + + win_route-null + route-null.cmd + srcip + yes + + + + win_route-null-2012 + route-null-2012.cmd + srcip + yes + + + + netsh + netsh.cmd + srcip + yes + + + + netsh-win-2016 + netsh-win-2016.cmd + srcip + yes + + + \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/elasticsearch_yml.erb b/modules/utilities/unix/logging/wazuh/templates/elasticsearch_yml.erb new file mode 100644 index 000000000..a211b64de --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/elasticsearch_yml.erb 
@@ -0,0 +1,89 @@ +# ======================== Elasticsearch Configuration ========================= +# +# NOTE: Elasticsearch comes with reasonable defaults for most settings. +# Before you set out to tweak and tune the configuration, make sure you +# understand what are you trying to accomplish and the consequences. +# +# The primary way of configuring a node is via this file. This template lists +# the most important settings you may want to configure for a production cluster. +# +# Please consult the documentation for further information on configuration options: +# https://www.elastic.co/guide/en/elasticsearch/reference/index.html +# +# ---------------------------------- Cluster ----------------------------------- +# +# Use a descriptive name for your cluster: +# +cluster.name: <%= @elasticsearch_cluster_name %> +# +# ------------------------------------ Node ------------------------------------ +# +# Use a descriptive name for the node: +# +node.name: <%= @elasticsearch_node_name %> +# +# Add custom attributes to the node: +# +node.master: <%= @elasticsearch_node_master %> +# +# ----------------------------------- Paths ------------------------------------ +# +# Path to directory where to store the data (separate multiple locations by comma): +# +path.data: <%= @elasticsearch_path_data %> +# +# Path to log files: +# +path.logs: <%= @elasticsearch_path_logs %> +# +# ----------------------------------- Memory ----------------------------------- +# +# Lock the memory on startup: +# +#bootstrap.memory_lock: true +# +# Make sure that the heap size is set to about half the memory available +# on the system and that the owner of the process is allowed to use this +# limit. +# +# Elasticsearch performs poorly when the system is swapping the memory. 
+# +# ---------------------------------- Network ----------------------------------- +# +# Set the bind address to a specific IP (IPv4 or IPv6): +# +network.host: <%= @elasticsearch_ip %> +# +# Set a custom port for HTTP: +# +http.port: <%= @elasticsearch_port %> +# +# For more information, consult the network module documentation. +# +# --------------------------------- Discovery ---------------------------------- +# +# Pass an initial list of hosts to perform discovery when this node is started: +# The default list of hosts is ["127.0.0.1", "[::1]"] +# +#discovery.seed_hosts: ["host1", "host2"] +# +# Bootstrap the cluster using an initial set of master-eligible nodes: +# +<%= @elasticsearch_cluster_initial_master_nodes %> +<%= @elasticsearch_discovery_option %> +# +# For more information, consult the discovery and cluster formation module documentation. +# +# ---------------------------------- Gateway ----------------------------------- +# +# Block initial recovery after a full cluster restart until N nodes are started: +# +#gateway.recover_after_nodes: 3 +# +# For more information, consult the gateway module documentation. +# +# ---------------------------------- Various ----------------------------------- +# +# Require explicit names when deleting indices: +# +#action.destructive_requires_name: true \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/filebeat_yml.erb b/modules/utilities/unix/logging/wazuh/templates/filebeat_yml.erb new file mode 100644 index 000000000..1dd0e75f9 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/filebeat_yml.erb 
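Review bot: `network.host: <%= @elasticsearch_ip %>` together with `http.port: <%= @elasticsearch_port %>` binds the HTTP API to whatever address the manifest supplies, and the template sets no `xpack.security.*` option, so any non-loopback value publishes the Wazuh alert indices with neither authentication nor TLS. If a single node reached only from localhost is the intended deployment, state it next to the setting, e.g. `# no security settings are rendered here: keep network.host on a loopback or firewalled address`; otherwise expose `xpack.security.enabled` and the transport/http TLS settings as template parameters alongside the existing ones. `<%= @elasticsearch_cluster_initial_master_nodes %>` and `<%= @elasticsearch_discovery_option %>` interpolate entire YAML lines, so a nil renders as a harmless blank line but a malformed value breaks the file with nothing in the template to catch it.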
@@ -0,0 +1,58 @@ +# Wazuh - Filebeat configuration file + +filebeat.inputs: + - type: log + paths: + - '/var/ossec/logs/alerts/alerts.json' + +setup.template.json.enabled: true +setup.template.json.path: "/etc/filebeat/wazuh-template.json" +setup.template.json.name: "wazuh" +setup.template.overwrite: true + +processors: + - decode_json_fields: + fields: ['message'] + process_array: true + max_depth: 200 + target: '' + overwrite_keys: true + - drop_fields: + fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host'] + - rename: + fields: + - from: "data.aws.sourceIPAddress" + to: "@src_ip" + ignore_missing: true + fail_on_error: false + when: + regexp: + data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b + - rename: + fields: + - from: "data.srcip" + to: "@src_ip" + ignore_missing: true + fail_on_error: false + when: + regexp: + data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b + - rename: + fields: + - from: "data.win.eventdata.ipAddress" + to: "@src_ip" + ignore_missing: true + fail_on_error: false + when: + regexp: + data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b + +# Send events directly to Elasticsearch +output.elasticsearch: + hosts: [<%= @elasticsearch_server_ip %>] + #pipeline: geoip + indices: + - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}' + +# Optional. Send events to Logstash instead of Elasticsearch +#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"] diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_auth.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_auth.erb index 1f36abcb5..49f7bb99c 100644 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_auth.erb +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_auth.erb 
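Review bot: `hosts: [<%= @elasticsearch_server_ip %>]` interpolates the host unquoted inside a YAML flow sequence, while kibana_yml.erb in the same commit writes `elasticsearch.hosts: ["<%= @kibana_elasticsearch_server_hosts %>"]`; quoting it the same way, `hosts: ["<%= @elasticsearch_server_ip %>"]`, keeps the two templates consistent and stops a value containing `,` or `]` from being split by the YAML parser. The `output.elasticsearch` block also carries no `protocol`, `username`/`password` or `ssl.*` keys, so alerts are shipped in cleartext to an unauthenticated endpoint; that matches the Elasticsearch template in this commit, but a one-line comment stating that assumption would save the next reader from guessing whether it was deliberate.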
@@ -1,30 +1,18 @@ - <%- if @manage_client_keys == 'authd' -%> - no + <%= @ossec_auth_disabled %> <%= @ossec_auth_port %> - <%- if @ossec_auth_ssl_ca -%> - <%= @ossec_auth_ssl_ca%> - <%- end -%> - <%- if @ossec_auth_ssl_cert -%> - <%= @ossec_auth_ssl_cert%> - <%- end -%> - <%- if @ossec_auth_ssl_key -%> - <%= @ossec_auth_ssl_key%> - <%- end -%> - <%- if @ossec_auth_use_srcip -%> - yes - <%- end -%> - <%- if @ossec_auth_use_password -%> - yes - <%- end -%> - <%- if @ossec_auth_force_insert -%> - yes - <%- end -%> - <%- if @ossec_auth_purge -%> - yes - <%- end -%> - <%- else -%> - yes - <%- end -%> + <%= @ossec_auth_use_source_ip %> + <%= @ossec_auth_force_insert %> + <%= @ossec_auth_force_time %> + <%= @ossec_auth_purgue %> + <%= @ossec_auth_use_password %> + <%= @ossec_auth_limit_maxagents %> + <%= @ossec_auth_ciphers %> + <%= @ossec_auth_ssl_verify_host %> + <%= @ossec_auth_ssl_manager_cert %> + <%= @ossec_auth_ssl_manager_key %> + <%= @ossec_auth_ssl_auto_negotiate %> + + \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_cluster.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_cluster.erb index bb81930e4..90869be25 100644 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_cluster.erb +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_cluster.erb 
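Review bot: Every authd setting is now emitted unconditionally (`<%= @ossec_auth_use_source_ip %>` through `<%= @ossec_auth_ssl_auto_negotiate %>`), so a parameter the manifest leaves undef renders as an empty element, whereas _cluster.erb in the same commit wraps each value in an `<% if @… -%>` guard; the old template additionally skipped the whole block unless `@manage_client_keys == 'authd'`, and that gate is gone. Consider the same per-element guards here so optional settings are omitted rather than emitted empty. `@ossec_auth_purgue` reads like a typo for `purge`; it must match the class parameter name, so rename on both sides or on neither, never in the template alone.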
@@ -1,17 +1,35 @@ - <%= @cl_name %> - <%= @cl_node_name %> - <%= @cl_node_type %> - <% if @cl_key != '' -%> - <%= @cl_key %> - <% end -%> - <%= @cl_port %> - <%= @cl_bin_addr %> - - <% @cl_node.each do |node| %> - <%= node %> - <% end %> - - <%= @cl_hidden %> - <%= @cl_disabled %> + <% if @ossec_cluster_name -%> + <%=@ossec_cluster_name%> + <% end -%> + <% if @ossec_cluster_node_name -%> + <%=@ossec_cluster_node_name%> + <% end -%> + <% if @ossec_cluster_node_type -%> + <%=@ossec_cluster_node_type%> + <% end -%> + <% if @ossec_cluster_key -%> + <%=@ossec_cluster_key%> + <% end -%> + <% if @ossec_cluster_port -%> + <%=@ossec_cluster_port%> + <% end -%> + <% if @ossec_cluster_bind_addr -%> + <%=@ossec_cluster_bind_addr%> + <% end -%> + <% if @ossec_cluster_nodes -%> + + <% @ossec_cluster_nodes.each do |node| -%> + <%= node %> + <% end -%> + + <% end -%> + <% if @ossec_cluster_hidden -%> + <%=@ossec_cluster_hidden %> + <% end -%> + <% if @ossec_cluster_disabled -%> + <%=@ossec_cluster_disabled%> + <% end -%> + + diff --git a/modules/utilities/unix/logging/wazuh/templates/command.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_command.erb similarity index 99% rename from modules/utilities/unix/logging/wazuh/templates/command.erb rename to modules/utilities/unix/logging/wazuh/templates/fragments/_command.erb index 39b3c9c00..e1f7353b1 100644 --- a/modules/utilities/unix/logging/wazuh/templates/command.erb +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_command.erb @@ -4,3 +4,4 @@ <%= @command_expect %> <%= @command_timeout_allowed %> + diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_common.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_common.erb deleted file mode 100644 index b28d18e73..000000000 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_common.erb +++ /dev/null 
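Review bot: `<% if @ossec_cluster_key -%>` replaces the previous `<% if @cl_key != '' -%>`, and in Ruby an empty string is truthy, so if the manifest still defaults the key to `''` the template now emits an empty key element instead of omitting it; the same applies to every other guard in this hunk. Where empty-string defaults are possible use `<% unless @ossec_cluster_key.to_s.empty? -%>` — _integration.erb in this same commit keeps the `!= ''` form, so the two fragments currently disagree. The cluster key is a shared secret written into ossec.conf, so the concat target's file mode matters; that is set outside this template and is worth confirming. Spacing is also inconsistent within the hunk: `<%=@ossec_cluster_name%>` versus `<%= node %>`.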
@@ -1,103 +0,0 @@ - - - - <%= @ossec_syscheck_frequency %> - yes - yes - <%= @ossec_auto_ignore %> - - - <%- @ossec_scanpaths.each do |scanpath| -%> " realtime="<%= scanpath['realtime'] %>" whodata="<%= scanpath['whodata'] || 'no' %>"><%= scanpath['path'] %> -<%- end -%> - - - <%- @ossec_ignorepaths.each do |path| -%> - <%= path %> - <%- end -%> - <% @ossec_ignorepaths_regex.each do |path| -%> - <%= path %> - <% end -%> - <%- if @ossec_prefilter == true then %> - /usr/sbin/prelink -y - <%- end -%> - - <%- if @ossec_rootcheck == false then -%> - - yes - - <%- if @ossec_rootcheck_frequency then -%> - <%= @ossec_rootcheck_frequency %> - <%- end -%> - <%- if @ossec_rootcheck_checkports == false then -%> - no - <%- end -%> - <%- if @ossec_rootcheck_checkfiles == false then -%> - no - <%- end -%> - - <%- end -%> -<%- if @ar_repeated_offenders != '' and @ossec_active_response -%> - - <%= @ar_repeated_offenders %> - -<%- elsif !@ossec_active_response -%> - - yes - -<%- end -%> - - - -<%- @ossec_local_files.each do |localfile| -%> - - <%= localfile['log_format'] %> - <%- if localfile.key?('location') -%> - <%= localfile['location'] %> - <%- end -%> - <%- if localfile.key?('frequency') -%> - <%= localfile['frequency'] %> - <%- end -%> - <%- if localfile.key?('query') -%> - <%= localfile['query'] %> - <%- end -%> - <%- if localfile.key?('command') -%> - <%= localfile['command'] %> - <%- end -%> - <%- if localfile.key?('alias') -%> - <%= localfile['alias'] %> - <%- end -%> - <%- if localfile.key?('label') -%> - - <%- end -%> - <%- if localfile.key?('only-future-events') -%> - <%= localfile['only-future-events'] %> - <%- end -%> - <%- if localfile.key?('target') -%> - <%= localfile['target'] %> - <%- end -%> - <%- if localfile.key?('out_format') -%> - target="<%= localfile['out_format']['attributes']['target'] %>"<%- end -%> ><%= localfile['out_format']['value'] %> - <%- end -%> - -<%- end %> - -<%- if @kernel == 'Linux' -%> - - command - df -P - 360 - - - - full_command - 
netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - netstat listening ports - 360 - - - - full_command - last -n 20 - 360 - -<%- end %> diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_default_activeresponse.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_default_activeresponse.erb new file mode 100644 index 000000000..ef329cc5e --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_default_activeresponse.erb @@ -0,0 +1,7 @@ + + no + /var/ossec/etc/wpk_root.pem + yes + + + \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/email_alert.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_email_alert.erb similarity index 100% rename from modules/utilities/unix/logging/wazuh/templates/email_alert.erb rename to modules/utilities/unix/logging/wazuh/templates/fragments/_email_alert.erb diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_integration.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_integration.erb index d6111f67b..fe202875f 100644 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_integration.erb +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_integration.erb @@ -12,7 +12,9 @@ <% if @in_level != '' -%> <%= @in_level %> <% end %> - <%= @in_group %> + <% if @in_group != '' -%> + <%= @in_group %> + <% end %> <% if @in_location != '' -%> <%= @in_location %> <% end %> @@ -20,4 +22,6 @@ <% if @in_max_log != '' -%> <%= @in_max_log %> <% end %> - \ No newline at end of file + + + diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_localfile.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_localfile.erb index a6d218fd7..ebb5d2520 100644 
--- a/modules/utilities/unix/logging/wazuh/templates/fragments/_localfile.erb +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_localfile.erb @@ -1,15 +1,53 @@ +<%- @ossec_local_files.each do |localfile| -%> - <%= @logtype %> - <%- if @logfile -%> - <%= @logfile %> + <%= localfile['log_format'] %> + <%- if localfile.key?('location') -%> + <%= localfile['location'] %> <%- end -%> - <%- if @logcommand -%> - <%= @logcommand %> + <%- if localfile.key?('frequency') -%> + <%= localfile['frequency'] %> <%- end -%> - <%- if @commandalias -%> - <%= @commandalias %> + <%- if localfile.key?('query') -%> + <%= localfile['query'] %> <%- end -%> - <%- if @frequency -%> - <%= @frequency %> + <%- if localfile.key?('command') -%> + <%= localfile['command'] %> <%- end -%> - \ No newline at end of file + <%- if localfile.key?('alias') -%> + <%= localfile['alias'] %> + <%- end -%> + <%- if localfile.key?('label') -%> + + <%- end -%> + <%- if localfile.key?('only-future-events') -%> + <%= localfile['only-future-events'] %> + <%- end -%> + <%- if localfile.key?('target') -%> + <%= localfile['target'] %> + <%- end -%> + <%- if localfile.key?('out_format') -%> + target="<%= localfile['out_format']['attributes']['target'] %>"<%- end -%> ><%= localfile['out_format']['value'] %> + <%- end -%> + +<%- end %> +<%- if @kernel == 'Linux' -%> + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + +<%- end %> + diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_localfile_generation.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_localfile_generation.erb new file mode 100644 index 000000000..81db6051d --- /dev/null 
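Review bot: `<%= localfile['command'] %>`, `<%= localfile['alias'] %>` and `<%= localfile['query'] %>` are interpolated into what appears to be the XML ossec.conf fragment with no escaping, so a command containing `&` or `<` (easy to hit in shell pipelines like the static netstat/sed line in this hunk, which happens not to use them) yields a malformed config the agent rejects at start. If `CGI` is available in the template scope, as it normally is under Puppet, `<%= CGI.escapeHTML(localfile['command']) %>` closes that gap; otherwise document that callers must pre-escape. The same applies to `<%= @logcommand %>` in _localfile_generation.erb and the other fragments in this commit. The `@kernel == 'Linux'` block is moved here from the deleted _common.erb, so its content is not new.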
+++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_localfile_generation.erb @@ -0,0 +1,17 @@ + + <%= @logtype %> + <%- if @logfile -%> + <%= @logfile %> + <%- end -%> + <%- if @logcommand -%> + <%= @logcommand %> + <%- end -%> + <%- if @commandalias -%> + <%= @commandalias %> + <%- end -%> + <%- if @frequency -%> + <%= @frequency %> + <%- end -%> + + + \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_reports.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_reports.erb index 29b6845ae..758465985 100644 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_reports.erb +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_reports.erb @@ -26,3 +26,4 @@ <%= @r_showlogs %> <%- end -%> + diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_rootcheck.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_rootcheck.erb new file mode 100644 index 000000000..8578cc7f6 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_rootcheck.erb 
@@ -0,0 +1,47 @@ +<%- if @kernel == 'Linux' -%> + + <% if @ossec_rootcheck_disabled -%> + <%= @ossec_rootcheck_disabled %> + <%- end -%> + <% if @ossec_rootcheck_check_files -%> + <%= @ossec_rootcheck_check_files %> + <%- end -%> + <% if @ossec_rootcheck_check_trojans-%> + <%= @ossec_rootcheck_check_trojans %> + <%- end -%> + <% if @ossec_rootcheck_check_dev -%> + <%= @ossec_rootcheck_check_dev %> + <%- end -%> + <% if @ossec_rootcheck_check_sys -%> + <%= @ossec_rootcheck_check_sys %> + <%- end -%> + <% if @ossec_rootcheck_check_pids -%> + <%= @ossec_rootcheck_check_pids %> + <%- end -%> + <% if @ossec_rootcheck_check_ports -%> + <%= @ossec_rootcheck_check_ports %> + <%- end -%> + <% if @ossec_rootcheck_check_if -%> + <%= @ossec_rootcheck_check_if %> + <%- end -%> + <% if @ossec_rootcheck_frequency-%> + <%= @ossec_rootcheck_frequency %> + <%- end -%> + <% if @ossec_rootcheck_rootkit_files-%> + <%= @ossec_rootcheck_rootkit_files %> + <%- end -%> + <% if @ossec_rootcheck_rootkit_trojans-%> + <%= @ossec_rootcheck_rootkit_trojans %> + <%- end -%> + <% if @ossec_rootcheck_skip_nfs-%> + <%= @ossec_rootcheck_skip_nfs%> + <%- end -%> + +<%- else -%> + + + ./shared/win_audit_rcl.txt + ./shared/win_applications_rcl.txt + ./shared/win_malware_rcl.txt + +<%- end -%> diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_rootcheck_linux.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_rootcheck_linux.erb deleted file mode 100644 index 99f06dd01..000000000 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_rootcheck_linux.erb +++ /dev/null 
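Review bot: The guards mix `<% if … -%>` openers with `<%- end -%>` closers, and several lack the space before the trim marker (`<% if @ossec_rootcheck_check_trojans-%>`, `…_frequency-%>`, `…_rootkit_files-%>`, `…_rootkit_trojans-%>`, `…_skip_nfs-%>`, plus `<%= @ossec_rootcheck_skip_nfs%>`). ERB appears to tolerate `foo-%>`, but it reads as a subtraction and is one keystroke away from becoming one; normalize to `<%- if @ossec_rootcheck_check_trojans -%>`. The `<%` opener without `-` also leaves each guard line's indentation whitespace in the rendered ossec.conf, unlike the `<%-` form used for the `end`s.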
@@ -1,25 +0,0 @@ - - - no - yes - yes - yes - yes - yes - yes - yes - yes - - <%= @ossec_rootcheck_frequency %> - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/system_audit_ssh.txt - /var/ossec/etc/shared/cis_debian_linux_rcl.txt - /var/ossec/etc/shared/cis_rhel_linux_rcl.txt - /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt - - yes - diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_rootcheck_windows.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_rootcheck_windows.erb deleted file mode 100644 index 89cfe64e7..000000000 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_rootcheck_windows.erb +++ /dev/null @@ -1,6 +0,0 @@ - - - ./shared/win_audit_rcl.txt - ./shared/win_applications_rcl.txt - ./shared/win_malware_rcl.txt - \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_ruleset.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_ruleset.erb new file mode 100644 index 000000000..d7bb57629 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_ruleset.erb @@ -0,0 +1,15 @@ + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/amazon/aws-eventnames + etc/lists/security-eventchannel + + + etc/decoders + etc/rules + + + \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_sca.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_sca.erb new file mode 100644 index 000000000..15213872c --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_sca.erb 
@@ -0,0 +1,70 @@ +<%- if @kernel == 'Linux' -%> + <%- if @apply_template_os == 'centos' -%> + + yes + yes + 12h + yes + + + cis_rhel7_linux_rcl.yml + system_audit_rcl.yml + system_audit_ssh.yml + system_audit_pw.yml + + + <%- elsif @apply_template_os =='amazon' -%> + + yes + yes + 12h + yes + + + system_audit_rcl.yml + system_audit_ssh.yml + system_audit_pw.yml + + + <%- elsif @apply_template_os =='rhel' -%> + + yes + yes + 12h + yes + + + <%- if @rhel_version == '7' -%> + cis_rhel7_linux_rcl.yml + <%- elsif @rhel_version =='6' -%> + cis_rhel6_linux_rcl.yml + <%- elsif @rhel_version =='5' -%> + cis_rhel5_linux_rcl.yml + <%- end -%> + system_audit_rcl.yml + system_audit_ssh.yml + system_audit_pw.yml + + + <%- else -%> + + yes + yes + 12h + yes + + + cis_debian_linux_rcl.yml + <%- if @debian_additional_templates == 'yes' -%> + cis_debianlinux7-8_L1_rcl.yml + cis_debianlinux7-8_L2_rcl.yml + <%- end -%> + system_audit_rcl.yml + system_audit_ssh.yml + system_audit_pw.yml + + + <%- end -%> +<%- end -%> + + \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_syscheck_windows.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_syscheck.erb similarity index 77% rename from modules/utilities/unix/logging/wazuh/templates/fragments/_syscheck_windows.erb rename to modules/utilities/unix/logging/wazuh/templates/fragments/_syscheck.erb index 0d0710e84..403522057 100644 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_syscheck_windows.erb +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_syscheck.erb @@ -1,5 +1,5 @@ - - + <%- if @kernel == 'windows' -%> + %WINDIR%/win.ini %WINDIR%/system.ini C:\autoexec.bat 
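Review bot: The four `<%- if @apply_template_os == … -%>` branches repeat the same header values (`yes`, `yes`, `12h`, `yes`) and the same trailing `system_audit_rcl.yml`/`system_audit_ssh.yml`/`system_audit_pw.yml` policies, differing only in the distribution-specific CIS policy, so three of the four copies are duplication that will drift. Computing the policy list once in Ruby and emitting a single block removes them; the element names are not visible to me here, so the fence below keeps the emission as comments and only shows the list construction. The comparison spacing is also inconsistent (`=='amazon'`, `=='rhel'`, `=='6'` versus `== 'centos'`).
```erb
<%- if @kernel == 'Linux' -%>
  <%- cis_policies =
        case @apply_template_os
        when 'centos' then ['cis_rhel7_linux_rcl.yml']
        when 'amazon' then []
        when 'rhel'
          { '7' => ['cis_rhel7_linux_rcl.yml'],
            '6' => ['cis_rhel6_linux_rcl.yml'],
            '5' => ['cis_rhel5_linux_rcl.yml'] }.fetch(@rhel_version, [])
        else
          ['cis_debian_linux_rcl.yml'] +
            (@debian_additional_templates == 'yes' ? ['cis_debianlinux7-8_L1_rcl.yml', 'cis_debianlinux7-8_L2_rcl.yml'] : [])
        end
      policies = cis_policies + ['system_audit_rcl.yml', 'system_audit_ssh.yml', 'system_audit_pw.yml'] -%>
  <%# … unchanged: the sca header (yes / yes / 12h / yes) emitted once … %>
  <%- policies.each do |policy| -%>
  <%# … unchanged: one policy element wrapping … %><%= policy %>
  <%- end -%>
<%- end -%>
```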
@@ -82,4 +82,47 @@ HKEY_LOCAL_MACHINE\Security\Policy\Secrets HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users \Enum$ - \ No newline at end of file + + + <%- else -%> + + <%- if @ossec_syscheck_disabled -%> + <%= @ossec_syscheck_disabled %> + <%- end -%> + <%- if @ossec_syscheck_frequency -%> + <%=@ossec_syscheck_frequency%> + <%- end -%> + <%- if @ossec_syscheck_scan_on_start -%> + <%=@ossec_syscheck_scan_on_start%> + <%- end -%> + <%- if @ossec_syscheck_alert_new_files -%> + <%=@ossec_syscheck_alert_new_files%> + <%- end -%> + <%- if @ossec_syscheck_auto_ignore -%> + <%=@ossec_syscheck_auto_ignore%> + <%- end -%> + <%- if @ossec_syscheck_directories_1 -%> + <%=@ossec_syscheck_directories_1%> + <%- end -%> + <%- if @ossec_syscheck_directories_2 -%> + <%=@ossec_syscheck_directories_2%> + <%- end -%> + <%- if @ossec_syscheck_ignore_list -%> + <%- @ossec_syscheck_ignore_list.each do |ignore_element| -%> + <%= ignore_element %> + <%- end -%> + <%- end -%> + <%- if @ossec_syscheck_ignore_type_1 -%> + <%=@ossec_syscheck_ignore_type_1%> + <%- end -%> + <%- if @ossec_syscheck_ignore_type_2 -%> + <%=@ossec_syscheck_ignore_type_2%> + <%- end -%> + <%- if @ossec_syscheck_nodiff -%> + <%=@ossec_syscheck_nodiff%> + <%- end -%> + <%- if @ossec_syscheck_skip_nfs -%> + <%=@ossec_syscheck_skip_nfs%> + <%- end -%> + + <%- end -%> diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_syscheck_linux.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_syscheck_linux.erb deleted file mode 100644 index a2b67619d..000000000 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_syscheck_linux.erb +++ /dev/null 
@@ -1,21 +0,0 @@ - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/mnttab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - /etc/puppetlabs/mcollective/facts.yaml - /etc/mcollective/facts.yaml - diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_cis_cat.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_cis_cat.erb new file mode 100644 index 000000000..f945ef0a0 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_cis_cat.erb @@ -0,0 +1,10 @@ + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_openscap.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_openscap.erb index f2a3733b4..8028bb0df 100644 --- a/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_openscap.erb +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_openscap.erb @@ -1,16 +1,18 @@ - no + yes 1800 1d yes - + <%- @wodle_openscap_content.each do |path, value| -%> <%- if value['profiles'] then -%> - <%- value['profiles'].each do |profile| -%> - <%= profile %> - <%- end -%> + <%- value['profiles'].each do |profile| -%> + <%= profile %> + <%- end -%> <%- end -%> <%- end -%> + + \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_osquery.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_osquery.erb new file mode 100644 index 000000000..acdb8e07d --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_osquery.erb @@ -0,0 +1,9 @@ + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + \ No newline at end of file 
diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_syscollector.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_syscollector.erb new file mode 100644 index 000000000..b56f4e28d --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_syscollector.erb @@ -0,0 +1,12 @@ + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + diff --git a/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_vulnerability_detector.erb b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_vulnerability_detector.erb new file mode 100644 index 000000000..2162282c5 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/fragments/_wodle_vulnerability_detector.erb @@ -0,0 +1,20 @@ + + yes + 5m + 6h + yes + + yes + 1h + + + yes + 2010 + 1h + + + yes + 1h + + + diff --git a/modules/utilities/unix/logging/wazuh/templates/jvm_options.erb b/modules/utilities/unix/logging/wazuh/templates/jvm_options.erb new file mode 100644 index 000000000..60d48d777 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/jvm_options.erb 
@@ -0,0 +1,120 @@ +################################################################ +## IMPORTANT: JVM heap size +################################################################ +## +## You should always set the min and max JVM heap +## size to the same value. For example, to set +## the heap to 4 GB, set: +## +## -Xms4g +## -Xmx4g +## +## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html +## for more information +## +################################################################ + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space + +-Xms<%= @jvm_options_memmory %> +-Xmx<%= @jvm_options_memmory %> + +################################################################ +## Expert settings +################################################################ +## +## All settings below this section are considered +## expert settings. Don't tamper with them unless +## you understand what you are doing +## +################################################################ + +## GC configuration +-XX:+UseConcMarkSweepGC +-XX:CMSInitiatingOccupancyFraction=75 +-XX:+UseCMSInitiatingOccupancyOnly + +## G1GC Configuration +# NOTE: G1GC is only supported on JDK version 10 or later. +# To use G1GC uncomment the lines below. 
+# 10-:-XX:-UseConcMarkSweepGC +# 10-:-XX:-UseCMSInitiatingOccupancyOnly +# 10-:-XX:+UseG1GC +# 10-:-XX:InitiatingHeapOccupancyPercent=75 + +## DNS cache policy +# cache ttl in seconds for positive DNS lookups noting that this overrides the +# JDK security property networkaddress.cache.ttl; set to -1 to cache forever +-Des.networkaddress.cache.ttl=60 +# cache ttl in seconds for negative DNS lookups noting that this overrides the +# JDK security property networkaddress.cache.negative ttl; set to -1 to cache +# forever +-Des.networkaddress.cache.negative.ttl=10 + +## optimizations + +# pre-touch memory pages used by the JVM during initialization +-XX:+AlwaysPreTouch + +## basic + +# explicitly set the stack size +-Xss1m + +# set to headless, just in case +-Djava.awt.headless=true + +# ensure UTF-8 encoding by default (e.g. filenames) +-Dfile.encoding=UTF-8 + +# use our provided JNA always versus the system one +-Djna.nosys=true + +# turn off a JDK optimization that throws away stack traces for common +# exceptions because stack traces are important for debugging +-XX:-OmitStackTraceInFastThrow + +# flags to configure Netty +-Dio.netty.noUnsafe=true +-Dio.netty.noKeySetOptimization=true +-Dio.netty.recycler.maxCapacityPerThread=0 + +# log4j 2 +-Dlog4j.shutdownHookEnabled=false +-Dlog4j2.disable.jmx=true + +-Djava.io.tmpdir=${ES_TMPDIR} + +## heap dumps + +# generate a heap dump when an allocation from the Java heap fails +# heap dumps are created in the working directory of the JVM +-XX:+HeapDumpOnOutOfMemoryError + +# specify an alternative path for heap dumps; ensure the directory exists and +# has sufficient space +-XX:HeapDumpPath=/var/lib/elasticsearch + +# specify an alternative path for JVM fatal error logs +-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log + +## JDK 8 GC logging + +8:-XX:+PrintGCDetails +8:-XX:+PrintGCDateStamps +8:-XX:+PrintTenuringDistribution +8:-XX:+PrintGCApplicationStoppedTime +8:-Xloggc:/var/log/elasticsearch/gc.log 
+8:-XX:+UseGCLogFileRotation +8:-XX:NumberOfGCLogFiles=32 +8:-XX:GCLogFileSize=64m + +# JDK 9+ GC logging +9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m +# due to internationalization enhancements in JDK 9 Elasticsearch need to set the provider to COMPAT otherwise +# time/date parsing will break in an incompatible way for some date patterns and locals +9-:-Djava.locale.providers=COMPAT + +# temporary workaround for C2 bug with JDK 10 on hardware with AVX-512 +10-:-XX:UseAVX=2 \ No newline at end of file diff --git a/modules/utilities/unix/logging/wazuh/templates/kibana_yml.erb b/modules/utilities/unix/logging/wazuh/templates/kibana_yml.erb new file mode 100644 index 000000000..07c1e4017 --- /dev/null +++ b/modules/utilities/unix/logging/wazuh/templates/kibana_yml.erb 
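Review bot: `-Xms<%= @jvm_options_memmory %>` / `-Xmx<%= @jvm_options_memmory %>` spell the parameter with a doubled m; it has to match the class parameter exactly, so this works, but renaming to `jvm_options_memory` on both sides now is cheaper than after users depend on it. `-XX:HeapDumpPath=/var/lib/elasticsearch` and the `/var/log/elasticsearch/gc.log` paths are hard-coded while `path.data` and `path.logs` in elasticsearch_yml.erb are parameters; if those are ever pointed elsewhere the dumps land in a directory that may not exist, which the comment above HeapDumpPath itself warns about. Heap dumps contain indexed alert data, so that directory's permissions deserve the same treatment as path.data.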
@@ -0,0 +1,116 @@
+# The default roles file is empty as the preferred method of defining roles is
+# through the API/UI. File based roles are useful in error scenarios when the
+# API based roles may not be available.
+# Kibana is served by a back end server. This setting specifies the port to use.
+server.port: <%= @kibana_server_port %>
+
+# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
+# The default is 'localhost', which usually means remote machines will not be able to connect.
+# To allow connections from remote users, set this parameter to a non-loopback address.
+server.host: <%= @kibana_server_host %>
+
+# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
+# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
+# from requests it receives, and to prevent a deprecation warning at startup.
+# This setting cannot end in a slash.
+#server.basePath: ""
+
+# Specifies whether Kibana should rewrite requests that are prefixed with
+# `server.basePath` or require that they are rewritten by your reverse proxy.
+# This setting was effectively always `false` before Kibana 6.3 and will
+# default to `true` starting in Kibana 7.0.
+#server.rewriteBasePath: false
+
+# The maximum payload size in bytes for incoming server requests.
+#server.maxPayloadBytes: 1048576
+
+# The Kibana server's name. This is used for display purposes.
+#server.name: "your-hostname"
+
+# The URLs of the Elasticsearch instances to use for all your queries.
+elasticsearch.hosts: ["<%= @kibana_elasticsearch_server_hosts %>"]
+
+# When this setting's value is true Kibana uses the hostname specified in the server.host
+# setting. When the value of this setting is false, Kibana uses the hostname of the host
+# that connects to this Kibana instance.
+#elasticsearch.preserveHost: true
+
+# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
+# dashboards. Kibana creates a new index if the index doesn't already exist.
+#kibana.index: ".kibana"
+
+# The default application to load.
+#kibana.defaultAppId: "home"
+
+# If your Elasticsearch is protected with basic authentication, these settings provide
+# the username and password that the Kibana server uses to perform maintenance on the Kibana
+# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
+# is proxied through the Kibana server.
+#elasticsearch.username: "user"
+#elasticsearch.password: "pass"
+
+# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
+# These settings enable SSL for outgoing requests from the Kibana server to the browser.
+#server.ssl.enabled: false
+#server.ssl.certificate: /path/to/your/server.crt
+#server.ssl.key: /path/to/your/server.key
+
+# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
+# These files validate that your Elasticsearch backend uses the same key files.
+#elasticsearch.ssl.certificate: /path/to/your/client.crt
+#elasticsearch.ssl.key: /path/to/your/client.key
+
+# Optional setting that enables you to specify a path to the PEM file for the certificate
+# authority for your Elasticsearch instance.
+#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
+
+# To disregard the validity of SSL certificates, change this setting's value to 'none'.
+#elasticsearch.ssl.verificationMode: full
+
+# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
+# the elasticsearch.requestTimeout setting.
+#elasticsearch.pingTimeout: 1500
+
+# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
+# must be a positive integer.
+#elasticsearch.requestTimeout: 30000
+
+# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
+# headers, set this value to [] (an empty list).
+#elasticsearch.requestHeadersWhitelist: [ authorization ]
+
+# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
+# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
+#elasticsearch.customHeaders: {}
+
+# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
+#elasticsearch.shardTimeout: 30000
+
+# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
+#elasticsearch.startupTimeout: 5000
+
+# Logs queries sent to Elasticsearch. Requires logging.verbose set to true.
+#elasticsearch.logQueries: false
+
+# Specifies the path where Kibana creates the process ID file.
+#pid.file: /var/run/kibana.pid
+
+# Enables you specify a file where Kibana stores log output.
+#logging.dest: stdout
+
+# Set the value of this setting to true to suppress all logging output.
+#logging.silent: false
+
+# Set the value of this setting to true to suppress all logging output other than error messages.
+#logging.quiet: false
+
+# Set the value of this setting to true to log all events, including system usage information
+# and all requests.
+#logging.verbose: false
+
+# Set the interval in milliseconds to sample system and process performance
+# metrics. Minimum is 100ms. Defaults to 5000.
+#ops.interval: 5000
+
+# Specifies locale to be used for all localizable strings, dates and number formats.
+#i18n.locale: "en"
\ No newline at end of file
diff --git a/modules/utilities/unix/logging/wazuh/templates/ossec_shared_agent.conf.erb b/modules/utilities/unix/logging/wazuh/templates/ossec_shared_agent.conf.erb
index 319d19095..69f5eed1b 100644
--- a/modules/utilities/unix/logging/wazuh/templates/ossec_shared_agent.conf.erb
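Review bot: `elasticsearch.hosts: ["<%= @kibana_elasticsearch_server_hosts %>"]` quotes a single interpolation, so despite the plural name only one host can be passed; if a caller hands over an array, ERB renders Ruby's array inspection inside the quotes and the YAML list is malformed. If a list is intended, render it as `elasticsearch.hosts: [<%= Array(@kibana_elasticsearch_server_hosts).map { |h| "\"#{h}\"" }.join(', ') %>]`; if not, document the single-value contract on the parameter. The first three comment lines (`# The default roles file is empty ...`) describe a roles file rather than kibana.yml and should be dropped. `server.host` is rendered from a parameter while every authentication and TLS setting (`elasticsearch.username`/`password`, `server.ssl.*`, `elasticsearch.ssl.*`) stays commented out; a template comment such as `# server.host is parameterised: if it is set to a non-loopback address, enable server.ssl.* or put Kibana behind an authenticating proxy` would make that trade-off visible to whoever sets the host.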
+++ b/modules/utilities/unix/logging/wazuh/templates/ossec_shared_agent.conf.erb @@ -13,9 +13,9 @@ - <%= scope.function_template(["wazuh/fragments/_rootcheck_linux.erb"]) %> + <%= scope.function_template(["wazuh/fragments/_rootcheck.erb"]) %> - <%= scope.function_template(["wazuh/fragments/_syscheck_linux.erb"]) %> + <%= scope.function_template(["wazuh/fragments/_syscheck.erb"]) %> @@ -25,9 +25,9 @@ - <%= scope.function_template(["wazuh/fragments/_rootcheck_windows.erb"]) %> + <%= scope.function_template(["wazuh/fragments/_rootcheck.erb"]) %> - <%= scope.function_template(["wazuh/fragments/_syscheck_windows.erb"]) %> + <%= scope.function_template(["wazuh/fragments/_syscheck.erb"]) %> eventlog diff --git a/modules/utilities/unix/logging/wazuh/templates/wazuh_agent.conf.erb b/modules/utilities/unix/logging/wazuh/templates/wazuh_agent.conf.erb index ee60a3fb5..4b7fdedc2 100644 --- a/modules/utilities/unix/logging/wazuh/templates/wazuh_agent.conf.erb +++ b/modules/utilities/unix/logging/wazuh/templates/wazuh_agent.conf.erb @@ -1,30 +1,33 @@ - <%- if @ossec_server_ip then -%> -
<%= @ossec_server_ip %>
+ <%- if @wazuh_reporting_endpoint then -%> +
<%= @wazuh_reporting_endpoint %>
<%- end -%> - <%- if @ossec_server_hostname then -%> -
<%= @ossec_server_hostname %>
+ <%- if @ossec_protocol then -%> + <%= @ossec_protocol %> <%- end -%> - <%- if @wazuh_manager_address then -%> -
<%= @wazuh_manager_address %>
- <%- end -%> - <%- if @ossec_server_protocol then -%> - <%= @ossec_server_protocol %> - <%- end -%> - <%= @ossec_server_port %> + <%= @ossec_port %>
<%- if @ossec_config_profiles then -%> <%= @ossec_config_profiles.join(',') %> <%- end -%> - <%- if @ossec_server_notify_time then -%> - <%= @ossec_server_notify_time %> + <%- if @ossec_notify_time then -%> + <%= @ossec_notify_time %> <%- end -%> - <%- if @ossec_server_time_reconnect then -%> - <%= @ossec_server_time_reconnect %> + <%- if @ossec_time_reconnect then -%> + <%= @ossec_time_reconnect %> + <%- end -%> + <%- if @ossec_crypto_method then -%> + <%= @ossec_crypto_method %> + <%- end -%> + <%- if @ossec_auto_restart then -%> + <%= @ossec_auto_restart %> <%- end -%> - <%= @agent_auto_restart %>
+ + + plain + @@ -33,8 +36,3 @@ <%= @client_buffer_events_per_second %> - <%= scope.function_template(["wazuh/fragments/_common.erb"]) -%> - - <%- if @enable_wodle_openscap and @wodle_openscap_content -%> - <%= scope.function_template(["wazuh/fragments/_wodle_openscap.erb"]) -%> - <%- end -%> diff --git a/modules/utilities/unix/logging/wazuh/templates/wazuh_manager.conf.erb b/modules/utilities/unix/logging/wazuh/templates/wazuh_manager.conf.erb index f782dbe8a..daa9cf466 100644 --- a/modules/utilities/unix/logging/wazuh/templates/wazuh_manager.conf.erb +++ b/modules/utilities/unix/logging/wazuh/templates/wazuh_manager.conf.erb 
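Review bot: The new `<%- if @ossec_crypto_method then -%>` block emits the agent's transport cipher only when the parameter is set, so an unset value silently leaves the agent on its built-in default; a template comment such as `<%# crypto_method is emitted only when set; otherwise the agent's compiled-in default cipher applies %>` would make that explicit for whoever tunes the class. The second hunk (`@@ -33,8 +36,3 @@`) drops the `_common.erb` fragment and the openscap wodle from the agent template with no replacement visible in this diff; if those blocks now come from the shared agent configuration, a short comment at the end of the template pointing there would save the next reader a search. The XML element names are stripped from this rendering, so which elements wrap the new interpolations cannot be checked here.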
@@ -8,72 +8,33 @@ <%- @ossec_emailto.each do |emailto| -%> <%= emailto %> <%- end -%> - <%= @smtp_server %> + <%= @ossec_smtp_server %> <%= @ossec_emailfrom %> <%= @ossec_email_maxperhour %> <%- unless @ossec_email_idsname.nil? -%> <%= @ossec_email_idsname %> <%- end -%> - <%- else -%> - no - <%- end -%> - <%= @ossec_global_stat_level %> - <%= @ossec_global_host_information_level %> - <%- @ossec_white_list.each do |ipaddress| -%><%= ipaddress %> + <%- else -%> + no <%- end -%> + <%- @ossec_white_list.each do |ipaddress| -%> + <%= ipaddress %> + <%- end -%> -<%- if @syslog_output -%> - - <%= @syslog_output_server %> - <%= @syslog_output_port %> - <%= @syslog_output_format %> - <%= @syslog_output_level %> - -<%- end -%> -<%- if @use_mysql -%> - - <%= @mysql_hostname %> - <%= @mysql_username %> - <%= @mysql_password %> - <%= @mysql_name %> - mysql - -<%- end -%> - - - ruleset/decoders - ruleset/rules - 0215-policy_rules.xml - <%- @rule_exclude.each do |r| -%> - <%= r %> - <%- end -%> - etc/lists/audit-keys - - - etc/decoders - etc/rules - <%- @decoder_exclude.each do |r| -%> - <%= r %> - <%- end -%> - - - - secure - <%= @ossec_server_port %> - <%= @ossec_server_protocol %> - - -<%= scope.function_template(["wazuh/fragments/_common.erb"]) -%> - -<%= scope.function_template(["wazuh/fragments/_auth.erb"]) -%> - -<%- if @enable_wodle_openscap and @wodle_openscap_content -%> -<%= scope.function_template(["wazuh/fragments/_wodle_openscap.erb"]) -%> -<%- end -%> - - - 3 + <%= @ossec_alert_level %> <%= @ossec_email_alert_level %> + + + plain + + + + <%= @ossec_remote_connection %> + <%= @ossec_remote_port %> + <%= @ossec_remote_protocol %> + <%= @ossec_remote_queue_size %> + + diff --git a/modules/utilities/unix/logging/wazuh/tests/init.pp b/modules/utilities/unix/logging/wazuh/tests/init.pp deleted file mode 100644 index 40580a7e6..000000000 --- a/modules/utilities/unix/logging/wazuh/tests/init.pp +++ /dev/null 
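Review bot: The new remote block renders `<%= @ossec_remote_connection %>`, `<%= @ossec_remote_port %>`, `<%= @ossec_remote_protocol %>` and `<%= @ossec_remote_queue_size %>` unconditionally, unlike `@ossec_email_idsname` which is guarded by `<%- unless @ossec_email_idsname.nil? -%>`, so an unset parameter yields an empty element whose effect depends on how the manager parses it; either guard each the same way or document on the class that all four are mandatory. The hunk also removes the `_auth.erb` fragment include (together with `_common.erb` and the syslog and database output blocks) while `wazuh.pp` in this same commit still passes `agent_auth_password` to the manager class; if agent enrollment is now configured in another template, a comment at the end of this file pointing to it would help, otherwise the enrollment settings appear to be lost. The XML element names are stripped from this rendering, so the elements wrapping these values cannot be verified here.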
@@ -1,12 +0,0 @@ -# The baseline for module testing used by Puppet Labs is that each manifest -# should have a corresponding test manifest that declares that class or defined -# type. -# -# Tests are then run by using puppet apply --noop (to check for compilation -# errors and view a log of events) or by fully applying the test in a virtual -# environment (to compare the resulting system state to the desired state). -# -# Learn more about module testing here: -# http://docs.puppetlabs.com/guides/tests_smoke.html -# -include ossec diff --git a/modules/utilities/unix/logging/wazuh/wazuh.pp b/modules/utilities/unix/logging/wazuh/wazuh.pp index 30b1831db..46096bab7 100644 --- a/modules/utilities/unix/logging/wazuh/wazuh.pp +++ b/modules/utilities/unix/logging/wazuh/wazuh.pp @@ -1,14 +1,15 @@ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file) $component = $secgen_parameters['component'][0] if ($component == 'server') { - class { '::wazuh::server': - smtp_server => 'localhost', + class { '::wazuh::manager': + ossec_smtp_server => 'localhost', ossec_emailto => ['user@mycompany.com'], agent_auth_password => '6663484170b2c69451e01ba11f319533', #todo: obviously fix this - must be 32char } } elsif ($component == 'client') { - class { "::wazuh::client": - ossec_server_ip => "192.168.209.166", + class { "::wazuh::agent": + wazuh_register_endpoint => "192.168.209.166", + wazuh_reporting_endpoint => "192.168.209.166", agent_name => 'test_name', } } \ No newline at end of file diff --git a/scenarios/auto_grading_tracer.xml b/scenarios/auto_grading_tracer.xml index 0442d8dd0..511933bd4 100644 --- a/scenarios/auto_grading_tracer.xml +++ b/scenarios/auto_grading_tracer.xml 
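Review bot: `wazuh_register_endpoint` and `wazuh_reporting_endpoint` are both set to the literal `"192.168.209.166"`, duplicating an address that also appears in the scenario file changed by this commit; hoist it to one local, `$manager_address = '192.168.209.166'`, and pass `$manager_address` to both, or, if the scenario's `IP_address` input is wired to this module, read it from `$secgen_parameters` the way `component` already is. The `agent_auth_password` literal that the existing `#todo` comment flags is unchanged here and remains a shared enrollment secret committed to the repository; that comment should at least say where the real value is expected to come from. Minor: the file still ends without a trailing newline.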
@@ -15,17 +15,95 @@ ids_server + + 192.168.209.166 + + + + 9200 + + + + 5044 + + + + 5601 + + + + + IP_address + + + elasticsearch_port + + + + + + logstash_port + + + IP_address + + + elasticsearch_port + + + + + + IP_address + + + kibana_port + + + IP_address + + + elasticsearch_port + + + + + + IP_address + + + logstash_port + + + + + + IP_address + + + logstash_port + + + server + + - 192.168.209.166 + IP_address + + + + test + + @@ -38,11 +116,33 @@ + + + + test + + + + + Read me! + + + + + /root + + + 192.168.209.165 - + + + test + + +