auditbeat version update

thomashaw
2020-12-09 14:11:32 +00:00
parent ba90ed8445
commit 8359752a47
14 changed files with 275 additions and 335 deletions


@@ -0,0 +1 @@
--relative


@@ -1,28 +1,105 @@
# Changelog
# Change log
All notable changes to this project will be documented in this file.
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
## Release 0.1.2
## [v0.2.5](https://github.com/noris-network/norisnetwork-auditbeat/tree/v0.2.5) (2020-06-07)
**Bugfixes**
[Full Changelog](https://github.com/noris-network/norisnetwork-auditbeat/compare/v0.2.1...v0.2.5)
# Added
- added **update README.md**
## [v0.2.4](https://github.com/noris-network/norisnetwork-auditbeat/tree/v0.2.4) (2020-06-07)
[Full Changelog](https://github.com/noris-network/norisnetwork-auditbeat/compare/v0.2.1...v0.2.5)
# Added
- added **support for additional configuration keys**
- Puppet version 4 testing removed
## [v0.2.3](https://github.com/noris-network/norisnetwork-auditbeat/tree/v0.2.3) (2020-04-07)
[Full Changelog](https://github.com/noris-network/norisnetwork-auditbeat/compare/v0.2.1...v0.2.3
## [v0.2.2](https://github.com/noris-network/norisnetwork-auditbeat/tree/v0.2.2) (2020-01-24)
[Full Changelog](https://github.com/noris-network/norisnetwork-auditbeat/compare/v0.2.1...v0.2.2)
# Added
- added **monitoring** Hash for new elastic major version 7 and 8
- added **$gpg_key_id** to repo.pp variables in case of elastic wants to change the gpg key some time
- added **Puppet version 4 testing** since PDK does not test puppet 4
# Fixed
- fixed typo in **metadata.json**
- improved **dependencies versions** in metadata.json for stdlib and apt
## [v0.2.1](https://github.com/noris-network/norisnetwork-auditbeat/tree/v0.2.1) (2020-01-10)
[Full Changelog](https://github.com/noris-network/norisnetwork-auditbeat/compare/v0.2.0...v0.2.1)
### Added
- added possibility to install major version **5** additional to already configured versions **6** and **7**
- changed default major version from **6** to **7**
- added **$apt_repo_url**, **$yum_repo_url** and **$gpg_key_url** variables to enhance repo management
- enhanced repo management itself by better variable management
- updated spec tests to elastic major version **7** instead of major version **6** tests
### Fixed
- **.fixtures** updated and yaml structure fixed
- **.vscode** folder readded to repo and removed from **.gitignore** since it is a part of the current pdk
- removed **.project** file since it is a part of **.gitignore** now
- switched from github pdk template to default pdk template
## [v0.2.0](https://github.com/noris-network/norisnetwork-auditbeat/tree/v0.2.0) (2019-12-27)
[Full Changelog](https://github.com/noris-network/norisnetwork-auditbeat/compare/v0.1.2...v0.2.0)
### Added
- switched to latest Puppet Development Kit **PDK 1.15.0.0**
- added service_provider directive
- Puppet 6 compatibility
- allowed major version 7 to be installed
- execute a *apt update* before installing the package for Debian
- added *setup* in configuration for template setup
- improved the repo management
### Fixed
- the repo was replaced with a static URL in a pull request and was replaced with variables afterwards
## [v0.1.2](https://github.com/noris-network/norisnetwork-auditbeat/tree/v0.1.2) (2019-12-27)
[Full Changelog](https://github.com/noris-network/norisnetwork-auditbeat/compare/v0.1.1...v0.1.2)
### Fixed
- Modified the allowed values for the parameter *service_provider*
- The repo file is created only when *manage_repo* is set to *true* and *ensure* is set to *present*.
## Release 0.1.1
**Features**
## [v0.1.1](https://github.com/noris-network/norisnetwork-auditbeat/tree/v0.1.1) (2018-06-20)
[Full Changelog](https://github.com/noris-network/norisnetwork-auditbeat/compare/v0.1.0...v0.1.1)
### Added
- Added support for the configuration of the x-pack monitoring section.
## Release 0.1.0
## [v0.1.0](https://github.com/noris-network/norisnetwork-auditbeat/tree/v0.1.0) (2018-06-11)
**Features**
### Added
- First implementation.
**Bugfixes**
**Known Issues**
### Known issues
- Only Linux (Debian, CentOS, SuSE Ubuntu) supported
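Review bot: the "Full Changelog" link under v0.2.3 is missing its closing parenthesis (`.../compare/v0.2.1...v0.2.3`), so it will not render as a link. In the same block, the v0.2.4 entry reuses the v0.2.5 comparison range (`compare/v0.2.1...v0.2.5`), and v0.2.2 through v0.2.5 all compare from v0.2.1 instead of from the preceding tag. The v0.2.2 to v0.2.5 sections also use level-1 `# Added` / `# Fixed` headings where v0.2.1 and older use `### Added` / `### Fixed`; one heading level throughout would keep the rendered outline consistent.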


@@ -1,21 +1,23 @@
# auditbeat
# norisnetwork-auditbeat
![Travis (.org)](https://img.shields.io/travis/noris-network/norisnetwork-auditbeat) [![GitHub license](https://img.shields.io/github/license/noris-network/norisnetwork-auditbeat)](https://github.com/noris-network/norisnetwork-auditbeat/blob/master/LICENSE) ![GitHub repo size](https://img.shields.io/github/repo-size/noris-network/norisnetwork-auditbeat) ![Puppet Forge version](https://img.shields.io/puppetforge/v/norisnetwork/auditbeat) ![Puppet Forge PDK version](https://img.shields.io/puppetforge/pdk-version/norisnetwork/auditbeat)
#### Table of Contents
## Table of Contents
1. [Description](#description)
2. [Setup - The basics of getting started with auditbeat](#setup)
1. [Setup - The basics of getting started with auditbeat](#setup)
* [What auditbeat affects](#what-auditbeat-affects)
* [Setup requirements](#setup-requirements)
* [Beginning with auditbeat](#beginning-with-auditbeat)
3. [Usage - Configuration options and additional functionality](#usage)
4. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
5. [Limitations - OS compatibility, etc.](#limitations)
6. [Development - Guide for contributing to the module](#development)
1. [Usage - Configuration options and additional functionality](#usage)
1. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
1. [Limitations - OS compatibility, etc.](#limitations)
1. [Development - Guide for contributing to the module](#development)
## Description
This module installs and configures the [Auditbeat shipper](https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html) by Elastic. It has been tested on Puppet 5.x and on the following OSes: Debian 9.1, CentOS 7.3, Ubuntu 16.04
This is a Puppet module for installing, managing and configuring the [Auditbeat lightweight shipper](https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html) for audit data by elastic.
It has been tested on Puppet 5.x and on the following OSes: Debian 9.1, CentOS 7.3, Ubuntu 16.04
## Setup
@@ -25,17 +27,17 @@ This module installs and configures the [Auditbeat shipper](https://www.elastic.
### Setup Requirements
`auditbeat` needs `puppetlabs/stdlib`, `puppetlabs/apt` (for Debian and derivatives), `puppet/yum` (for RedHat or RedHat-like systems), `darin-zypprepo` (on SuSE based system)
`auditbeat` needs `puppetlabs/stdlib`, `puppetlabs/apt` (for Debian and derivatives), `puppetlabs-yumrepo_core` (for RedHat or RedHat-like systems), `puppet-zypprepo` (on SuSE based systems)
### Beginning with auditbeat
The module can be installed manually, typing `puppet module install noris-auditbeat`, or by means of an environment manager (r10k, librarian-puppet, ...).
The module can be installed manually, typing `puppet module install norisnetwork-auditbeat`, or by means of an environment manager (r10k, librarian-puppet, ...).
`auditbeat` requires at least the `outputs` and `modules` sections in order to start. Please refer to the software documentation to find out the [available modules] (https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-modules.html) and the [supported outputs] (https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-output.html). On the other hand, the sections [logging] (https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-logging.html) and [queue] (https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-internal-queue.html) already contains meaningful default values.
`auditbeat` requires at least the `outputs` and `modules` sections in order to start. Please refer to the software documentation to find out the [available modules](https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-modules.html) and the [supported outputs](https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-output.html). On the other hand, the sections [logging](https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-logging.html) and [queue](https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-internal-queue.html) already contains meaningful default values.
A basic setup configuring the `file_integrity` module to check some paths and writing the results directly in Elasticsearch.
```puppet
``` puppet
class{'auditbeat':
modules => [
{
@@ -54,7 +56,7 @@ class{'auditbeat':
The same example using Hiera:
```
``` yaml
classes:
include:
- 'auditbeat'
@@ -82,7 +84,7 @@ The configuration is written to the configuration file `/etc/auditbeat/auditbeat
Send data to two Redis servers, loadbalancing between the instances.
```puppet
``` puppet
class{'auditbeat':
modules => [
{
@@ -98,9 +100,10 @@ class{'auditbeat':
},
},
```
or, using Hiera
```
``` yaml
classes:
include:
- 'auditbeat'
@@ -122,9 +125,10 @@ auditbeat::outputs:
- 'itger:redis:6379'
index: 'auditbeat'
```
Add the `auditd` module to the configuration, specifying a rule to detect 32 bit system calls. Output to Elasticsearch.
```puppet
``` puppet
class{'auditbeat':
modules => [
{
@@ -145,9 +149,10 @@ class{'auditbeat':
},
},
```
In Hiera format it would look like:
```
``` yaml
classes:
include:
- 'auditbeat'
@@ -173,17 +178,23 @@ auditbeat::outputs:
index: "auditbeat-%%{}{+YYYY.MM.dd}"
```
## pass additional options to config like "http endpoint metrics"
``` yaml
auditbeat::additional_config:
http.enabled: true
http.host: 10.0.0.1
```
## Reference
* [Public Classes](#public-classes)
* [Class: auditbeat](#class-auditbeat)
* [Class: auditbeat](#class-auditbeat)
* [Private Classes](#private-classes)
* [Class: auditbeat::repo](#class-auditbeat-repo)
* [Class: auditbeat::install](#class-auditbeat-install)
* [Class: auditbeat::config](#class-auditbeat-config)
* [Class: auditbeat::service](#class-auditbeat-service)
* [Class: auditbeat::repo](#class-auditbeat-repo)
* [Class: auditbeat::install](#class-auditbeat-install)
* [Class: auditbeat::config](#class-auditbeat-config)
* [Class: auditbeat::service](#class-auditbeat-service)
### Public Classes
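Review bot: the new `## pass additional options to config like "http endpoint metrics"` line is a level-2 heading in the middle of the usage examples, so it renders as a sibling of `## Reference` and is missing from the table of contents; the other examples in this section are introduced by a plain sentence, and the same form would fit here. The example also sets `http.host: 10.0.0.1`, a non-loopback address, without saying which hosts are expected to reach that endpoint; a sentence on that would help readers who copy the snippet as is.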
@@ -197,59 +208,52 @@ Installation and configuration.
* `fields_under_root`: [Boolean] whether to add the custom fields to the root of the document (default is *false*).
* `queue`: [Hash] auditbeat's internal queue, before the events publication (default is *4096* events in *memory* with immediate flush).
* `logging`: [Hash] the auditbeat's logfile configuration (default: writes to `/var/log/auditbeat/auditbeat`, maximum 7 files, rotated when bigger than 10 MB).
* `outputs`: [Hash] the options of the mandatory [outputs] (https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-output.html) section of the configuration file (default: undef).
* `outputs`: [Hash] the options of the mandatory [outputs](https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-output.html) section of the configuration file (default: undef).
* `major_version`: [Enum] the major version of the package to install (default: '6', the only accepted value. Implemented for future reference).
* `ensure`: [Enum 'present', 'absent']: whether Puppet should manage `auditbeat` or not (default: 'present').
* `service_provider`: [Enum 'systemd', 'init', 'debian', 'redhat', 'upstart', undef] which boot framework to use to install and manage the service (default: undef).
* `service_ensure`: [Enum 'enabled', 'running', 'disabled', 'unmanaged'] the status of the audit service (default 'enabled'). In more details:
* *enabled*: service is running and started at every boot;
* *running*: service is running but not started at boot time;
* *disabled*: service is not running and not started at boot time;
* *unamanged*: Puppet does not manage the service.
* *enabled*: service is running and started at every boot;
* *running*: service is running but not started at boot time;
* *disabled*: service is not running and not started at boot time;
* *unamanged*: Puppet does not manage the service.
* `package_ensure`: [String] the package version to install. It could be 'latest' (for the newest release) or a specific version number, in the format *x.y.z*, i.e., *6.2.0* (default: latest).
* `manage_repo`: [Boolean] whether to add the elastic upstream repo to the package manager (default: true).
* `config_file_mode`: [String] the octal file mode of the configuration file `/etc/auditbeat/auditbeat.yml` (default: 0644).
* `disable_configtest`: [Boolean] whether to check if the configuration file is valid before attempting to run the service (default: true).
* `tags`: [Array[Strings]]: the tags to add to each document (default: undef).
* `fields`: [Hash] the fields to add to each document (default: undef).
* `xpack`: [Hash] the configuration to export internal metrics to an Elasticsearch monitoring instance (default: undef).
* `modules`: [Array[Hash]] the required [modules] (https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-modules.html) to load (default: undef).
* `processors`: [Array[Hash]] the optional [processors] (https://www.elastic.co/guide/en/beats/auditbeat/current/defining-processors.html) for event enhancement (default: undef).
* `xpack`: [Hash] the configuration to export internal metrics to an Elasticsearch monitoring instance (default: undef).
* `monitoring`: [Hash] the configuration to export internal metrics to an Elasticsearch monitoring instance since Version 7.x (default: undef).
* `modules`: [Array[Hash]] the required [modules](https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-modules.html) to load (default: undef).
* `processors`: [Array[Hash]] the optional [processors](https://www.elastic.co/guide/en/beats/auditbeat/current/defining-processors.html) for event enhancement (default: undef).
* `setup`: [Hash] setup the configuration of the setup namespace (kibana, dashboards, template, etc.)(default: undef).
* `additional_config` : [Hash] pass additional options to config like "http endpoint metrics"
### Private Classes
#### Class: `auditbeat::repo`
Configuration of the package repository to fetch auditbeat.
#### Class: `auditbeat::install`
Installation of the auditbeat package.
#### Class: `auditbeat::config`
Configuration of the auditbeat daemon.
#### Class: `auditbeat::service`
Management of the auditbeat service.
Management of the auditbeat service.
## Limitations
This module does not load the index template in Elasticsearch nor the auditbeat example dashboards in Kibana. These two tasks should be carried out manually. Please follow the documentation to [manually load the index template in Elasticsearch] (https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-template.html#load-template-manually-alternate) and to [import the auditbeat dashboards in Kibana] (https://www.elastic.co/guide/en/beats/devguide/6.2/import-dashboards.html).
This module does not load the index template in Elasticsearch nor the auditbeat example dashboards in Kibana. These two tasks should be carried out manually. Please follow the documentation to [manually load the index template in Elasticsearch](https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-template.html#load-template-manually-alternate) and to [import the auditbeat dashboards in Kibana](https://www.elastic.co/guide/en/beats/devguide/7.8/import-dashboards.html).
The option `manage_repo` does not remove the repo file, even if set to *false*. Please delete it manually.
The module allows to set up the
[x-pack section] (https://www.elastic.co/guide/en/beats/auditbeat/current/monitoring.html)
of the configuration file, in order to set the internal statistics of packetbeat to an Elasticsearch cluster.
In order to do that the parameter `package_ensure` should be set to:
* `latest`
* `6.1.0` or a higher version
Unfortunately when `package_ensure` is equal to `installed` or `present`, the `x-pack` section is removed,
beacuse there is no way to know which version of the package is going to be handled (unless a specific fact is
added).
## Development
Please feel free to report bugs and to open pull requests for new features or to fix a problem.
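Review bot: the `major_version` entry in this parameter list still reads "default: '6', the only accepted value", while the class signature in this commit declares `Enum['5', '6', '7'] $major_version = '7'`; the entry should be brought in line with it. Three smaller points in the same list: `additional_config` is the only parameter without a stated default, `disable_configtest` is documented as "default: true" although the class default is `false`, and `*unamanged*` should read *unmanaged*.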


@@ -0,0 +1 @@
---


@@ -0,0 +1,21 @@
---
version: 5
defaults: # Used for any hierarchy level that omits these keys.
datadir: data # This path is relative to hiera.yaml's directory.
data_hash: yaml_data # Use the built-in YAML backend.
hierarchy:
- name: "osfamily/major release"
paths:
- "os/%{facts.os.family}/%{facts.os.release.major}.yaml"
# Used for Solaris
- "os/%{facts.os.family}/%{facts.kernelrelease}.yaml"
# Used to distinguish between Debian and Ubuntu
- "os/%{facts.os.name}/%{facts.os.release.major}.yaml"
- name: "osfamily"
paths:
- "os/%{facts.os.family}.yaml"
- "os/%{facts.os.name}.yaml"
- name: 'common'
path: 'common.yaml'


@@ -15,32 +15,26 @@ class auditbeat::config {
'fields_under_root' => $auditbeat::fields_under_root,
'fields' => $auditbeat::fields,
'xpack' => $auditbeat::xpack,
'monitoring' => $auditbeat::monitoring,
'tags' => $auditbeat::tags,
'queue' => $auditbeat::queue,
'logging' => $auditbeat::logging,
'output' => $auditbeat::outputs,
'processors' => $auditbeat::processors,
'setup' => $auditbeat::setup,
'auditbeat' => {
'modules' => $auditbeat::modules,
},
})
$merged_config = deep_merge($auditbeat_config, $auditbeat::additional_config)
file { '/etc/auditbeat/auditbeat.yml':
ensure => $auditbeat::ensure,
owner => 'root',
group => 'root',
mode => $auditbeat::config_file_mode,
content => inline_template('<%= @auditbeat_config.to_yaml() %>'),
content => inline_template('<%= @merged_config.to_yaml() %>'),
validate_cmd => $validate_cmd,
require => Package['auditbeat'],
}
file { '/etc/auditbeat/audit.rules.d/custom-rules.conf': # rules must have .conf extension
ensure => file,
owner => 'root',
group => 'root',
mode => $auditbeat::config_file_mode,
source => 'puppet:///modules/auditbeat/rules/auditbeat_rules_file.conf',
require => Package['auditbeat'],
}
}
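Review bot: `deep_merge($auditbeat_config, $auditbeat::additional_config)` lets `additional_config` win on every conflicting key, so a value placed there under `output`, `logging` or `auditbeat` silently overrides what the typed class parameters produced, and nothing in the hunk or the README says so. Either document that precedence next to the parameter, or fail the catalog when `additional_config` carries a top-level key that the module already manages, so that extras such as the HTTP endpoint settings stay additive.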


@@ -42,52 +42,60 @@
# @param xpack the configuration of x-pack monitoring.
# @param modules the required modules to load.
# @param processors the optional processors for events enhancement.
# @param setup the configuration of the setup namespace (kibana, dashboards, template, etc.)
#
class auditbeat (
String $beat_name = $::hostname,
Boolean $fields_under_root = false,
Hash $queue = {
String $beat_name = $::hostname,
Boolean $fields_under_root = false,
Hash $queue = {
'mem' => {
'events' => 4096,
'flush' => {
'flush' => {
'min_events' => 0,
'timeout' => '0s',
'timeout' => '0s',
},
},
},
Hash $logging = {
'level' => 'info',
'selectors' => undef,
'to_syslog' => false,
Hash $logging = {
'level' => 'info',
'selectors' => undef,
'to_syslog' => false,
'to_eventlog' => false,
'json' => true,
'to_files' => true,
'files' => {
'path' => '/var/log/auditbeat',
'name' => 'auditbeat',
'keepfiles' => 7,
'json' => false,
'to_files' => true,
'files' => {
'path' => '/var/log/auditbeat',
'name' => 'auditbeat',
'keepfiles' => 7,
'rotateeverybytes' => 10485760,
'permissions' => '0600',
'permissions' => '0600',
},
'metrics' => {
'metrics' => {
'enabled' => true,
'period' => '30s',
'period' => '30s',
},
},
Hash $outputs = {},
Enum['6'] $major_version = '6',
Enum['present', 'absent'] $ensure = 'present',
Optional[Enum['systemd', 'init', 'debian', 'redhat', 'upstart']] $service_provider = undef,
Boolean $manage_repo = true,
Enum['enabled', 'running', 'disabled', 'unmanaged'] $service_ensure = 'enabled',
String $package_ensure = 'latest',
String $config_file_mode = '0644',
Boolean $disable_configtest = false,
Optional[Array[String]] $tags = undef,
Optional[Hash] $fields = undef,
Optional[Array[Hash]] $modules = undef,
Optional[Array[Hash]] $processors = undef,
Optional[Hash] $xpack = undef,
Hash $outputs = {},
Enum['5', '6', '7'] $major_version = '7',
Enum['present', 'absent'] $ensure = 'present',
Optional[Enum['systemd', 'init', 'debian', 'redhat', 'upstart']] $service_provider = undef,
Boolean $manage_repo = true,
Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]] $apt_repo_url = undef,
Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]] $yum_repo_url = undef,
Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]] $gpg_key_url = undef,
String $gpg_key_id = '',
Enum['enabled', 'running', 'disabled', 'unmanaged'] $service_ensure = 'enabled',
String $package_ensure = 'latest',
String $config_file_mode = '0644',
Boolean $disable_configtest = false,
Optional[Array[String]] $tags = undef,
Optional[Hash] $fields = undef,
Optional[Array[Hash]] $modules = undef,
Optional[Array[Hash]] $processors = undef,
Optional[Hash] $xpack = undef,
Optional[Hash] $monitoring = undef,
Optional[Hash] $setup = undef,
Optional[Hash] $additional_config = {},
) {
contain auditbeat::repo
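Review bot: `$apt_repo_url`, `$yum_repo_url` and `$gpg_key_url` are typed `Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]`, which accepts plain `http://` values for the package repository and for the signing key that `gpgcheck` and the apt key setup depend on; restricting at least `$gpg_key_url` to `Stdlib::HTTPSUrl` would keep the key fetch on TLS. `String $gpg_key_id = ''` uses an empty-string sentinel where the URL parameters use `undef`, and the value is later interpolated into a shell command in repo.pp, so a hex-only `Pattern` type would be a better fit. `Optional[Hash] $additional_config = {}` does not need `Optional` given the `{}` default. The visible `@param` lines stop at `setup`; `monitoring`, `additional_config` and the four repo parameters should get entries as well.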
@@ -96,21 +104,20 @@ class auditbeat (
contain auditbeat::service
if $manage_repo {
notice('Managing repo...')
Class['auditbeat::repo']
-> Class['auditbeat::install']
} else {
case $ensure {
'present': {
Class['auditbeat::install']
-> Class['auditbeat::config']
~> Class['auditbeat::service']
}
default: {
Class['auditbeat::service']
-> Class['auditbeat::config']
-> Class['auditbeat::install']
}
->Class['auditbeat::install']
}
case $ensure {
'present': {
Class['auditbeat::install']
->Class['auditbeat::config']
~>Class['auditbeat::service']
}
default: {
Class['auditbeat::service']
->Class['auditbeat::config']
->Class['auditbeat::install']
}
}
}


@@ -13,6 +13,5 @@ class auditbeat::install {
}
package{'auditbeat':
ensure => $package_ensure,
require => Class['auditbeat::repo']
}
}


@@ -1,71 +1,69 @@
# auditbeat::repo
# @api private
#
# @summary It manages the package repositories to isntall auditbeat
class auditbeat::repo {
# @summary Manages the package repositories on the target nodes to install auditbeat
class auditbeat::repo inherits auditbeat {
$apt_repo_url = $auditbeat::apt_repo_url ? {
undef => "https://artifacts.elastic.co/packages/${auditbeat::major_version}.x/apt",
default => $auditbeat::apt_repo_url,
}
$yum_repo_url = $auditbeat::yum_repo_url ? {
undef => "https://artifacts.elastic.co/packages/${auditbeat::major_version}.x/yum",
default => $auditbeat::yum_repo_url,
}
$gpg_key_url = $auditbeat::gpg_key_url ? {
undef => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
default => $auditbeat::gpg_key_url,
}
$gpg_key_id = $auditbeat::gpg_key_id ? {
'' => '46095ACC8548582C1A2699A9D27D666CD88E42B4',
default => $auditbeat::gpg_key_id,
}
if ($auditbeat::manage_repo == true) and ($auditbeat::ensure == 'present') {
notice('auditbeat::repo - Managing and present')
$family = $facts['osfamily']
notice("auditbeat::repo - facts[\'osfamily\']::: $family")
case $facts['osfamily'] {
'Debian': {
notice("auditbeat::repo - facts[\'osfamily\']::: $family")
include ::apt
$download_url = 'https://artifacts.elastic.co/packages/6.x/apt'
if !defined(Apt::Source['beats']) {
notice('auditbeat::repo - installing beats...')
apt::source{'beats':
ensure => $auditbeat::ensure,
location => $download_url,
location => $apt_repo_url,
release => 'stable',
repos => 'main',
key => {
id => '46095ACC8548582C1A2699A9D27D666CD88E42B4',
source => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
id => $gpg_key_id,
source => $gpg_key_url,
},
}->
exec { 'post-source-apt-update':
command => "/usr/bin/apt-get update --fix-missing",
tries => 5,
try_sleep => 30,
}
Class['apt::update'] -> Package['auditbeat']
}
}
'RedHat': {
$download_url = 'https://artifacts.elastic.co/packages/6.x/yum'
if !defined(Yumrepo['beats']) {
yumrepo{'beats':
ensure => $auditbeat::ensure,
descr => 'Elastic repository for 6.x packages',
baseurl => $download_url,
descr => "Elastic repository for ${auditbeat::major_version}.x packages",
baseurl => $yum_repo_url,
gpgcheck => 1,
gpgkey => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
gpgkey => $gpg_key_url,
enabled => 1,
}
}
}
'SuSe': {
$download_url = 'https://artifacts.elastic.co/packages/6.x/yum'
exec { 'topbeat_suse_import_gpg':
command => '/usr/bin/rpmkeys --import https://artifacts.elastic.co/GPG-KEY-elasticsearch',
unless => '/usr/bin/test $(rpm -qa gpg-pubkey | grep -i "D88E42B4" | wc -l) -eq 1 ',
exec { 'suse_import_gpg':
command => "/usr/bin/rpmkeys --import ${gpg_key_url}",
unless => "/usr/bin/test $(rpm -qa gpg-pubkey | grep -i \"${gpg_key_id}\" | wc -l) -eq 1",
notify => [ Zypprepo['beats'] ],
}
if !defined (Zypprepo['beats']) {
zypprepo{'beats':
baseurl => $download_url,
baseurl => $yum_repo_url,
enabled => 1,
autorefresh => 1,
name => 'beats',
gpgcheck => 1,
gpgkey => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
gpgkey => $gpg_key_url,
type => 'yum',
}
}
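Review bot: in the SuSE branch the `unless` guard now greps the output of `rpm -qa gpg-pubkey` for `${gpg_key_id}`, whose default is the full fingerprint `46095ACC8548582C1A2699A9D27D666CD88E42B4`, whereas the line it replaces matched the short id `D88E42B4`. rpm lists imported keys as gpg-pubkey-<short id>-<timestamp>, so the 40-character value will not match and `suse_import_gpg` will run, and notify `Zypprepo['beats']`, on every agent run. Suggest deriving the last eight hex characters of `$gpg_key_id` for the grep. Both `${gpg_key_url}` and `${gpg_key_id}` are also interpolated into shell command strings here, which is a further reason to constrain `$gpg_key_id` to hexadecimal characters in the class signature.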


@@ -33,6 +33,5 @@ class auditbeat::service {
ensure => $service_status,
enable => $service_enabled,
provider => $auditbeat::service_provider,
require => Package['auditbeat'],
}
}


@@ -1,27 +1,30 @@
{
"name": "norisnetwork-auditbeat",
"version": "0.1.2",
"version": "0.2.5",
"author": "norisnetwork",
"summary": "This module installs and configures the Auditbeat shipper by Elastic.",
"summary": "Module for installing, managing and configuring the Auditbeat lightweight shipper for audit data by elastic.",
"license": "Apache-2.0",
"source": "https://github.com/noris-network/puppet-auditbeat",
"source": "https://github.com/noris-network/norisnetwork-auditbeat",
"project_page": "https://github.com/noris-network/norisnetwork-auditbeat",
"issues_url": "https://github.com/noris-network/norisnetwork-auditbeat/issues",
"dependencies": [
{
"name": "puppetlabs-stdlib",
"version_requirement": ">= 4.13.0 < 5.0.0"
"version_requirement": ">= 4.13.0 < 7.0.0"
},
{
"name": "puppetlabs-apt",
"version_requirement": ">= 4.0.0 < 5.0.0"
"version_requirement": ">= 2.0.0 < 8.0.0"
},
{
"name": "darin-zypprepo",
"name": "puppet-zypprepo",
"version_requirement": ">= 2.0.0 < 3.0.0"
},
{
"name": "puppetlabs-yumrepo_core",
"version_requirement": ">= 1.0.0 < 2.0.0"
}
],
"data_provider": null,
"operatingsystem_support": [
{
"operatingsystem": "CentOS",
@@ -44,23 +47,32 @@
{
"operatingsystem": "Ubuntu",
"operatingsystemrelease": [
"16.04"
"18.04"
]
},
{
"operatingsystem": "SLES",
"operatingsystemrelease": [
"12"
"15"
]
}
],
"requirements": [
{
"name": "puppet",
"version_requirement": ">= 4.7.0 < 6.0.0"
"version_requirement": ">= 5.0.0 < 7.0.0"
}
],
"pdk-version": "1.5.0",
"template-url": "file:///opt/puppetlabs/pdk/share/cache/pdk-templates.git",
"template-ref": "1.5.0-0-gd1b3eca"
"tags": [
"auditbeat",
"elasticsearch",
"elastic_stack",
"elastic",
"norisnetwork",
"logstash",
"kibana"
],
"pdk-version": "1.18.0",
"template-url": "pdk-default#1.18.0",
"template-ref": "tags/1.18.0-0-g095317c"
}


@@ -1,129 +0,0 @@
require 'spec_helper'
describe 'auditbeat', 'type' => 'class' do
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) { facts }
it { is_expected.to compile }
it { is_expected.to create_class('auditbeat') }
it { is_expected.to create_class('auditbeat::install') }
it { is_expected.to create_class('auditbeat::config') }
it { is_expected.to create_class('auditbeat::service') }
describe 'with ensure present' do
let(:params) { { 'ensure' => 'present' } }
it do
is_expected.to contain_package('auditbeat').with(
'ensure' => 'latest',
)
end
end
describe 'with ensure absent' do
let(:params) { { 'ensure' => 'absent' } }
it do
is_expected.to contain_package('auditbeat').with(
'ensure' => 'absent',
)
is_expected.to contain_service('auditbeat').with(
'ensure' => 'stopped',
'enable' => false,
)
end
end
describe 'with version 6.2.0' do
let(:params) { { 'package_ensure' => '6.2.0' } }
it do
is_expected.to contain_package('auditbeat').with(
'ensure' => '6.2.0',
)
end
end
describe 'with disable_configtest false and file permission 0600' do
let(:params) { { 'disable_configtest' => false, 'config_file_mode' => '0600' } }
it do
is_expected.to contain_file('/etc/auditbeat/auditbeat.yml').with(
'ensure' => 'present',
'owner' => 'root',
'group' => 'root',
'mode' => '0600',
'validate_cmd' => '/usr/share/auditbeat/bin/auditbeat test config -c %',
)
end
end
describe 'with disable_configtest true' do
let(:params) { { 'disable_configtest' => true } }
it do
is_expected.to contain_file('/etc/auditbeat/auditbeat.yml').with(
'ensure' => 'present',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
'validate_cmd' => nil,
)
end
end
describe 'with service enabled' do
let(:params) { { 'ensure' => 'present', 'service_ensure' => 'enabled' } }
it do
is_expected.to contain_service('auditbeat').with(
'ensure' => 'running',
'enable' => true,
)
end
end
case os
when %r{centos-7-|redhat-7-}
describe 'with manage_repo true on RedHat family' do
let(:params) { { 'ensure' => 'present', 'manage_repo' => true } }
it do
is_expected.to contain_yumrepo('beats').with(
'ensure' => 'present',
'baseurl' => 'https://artifacts.elastic.co/packages/6.x/yum',
'gpgkey' => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
)
end
end
when %r{sles-12-}
describe 'with manage_repo true on SLES family' do
let(:params) { { 'ensure' => 'present', 'manage_repo' => true } }
it do
is_expected.to contain_zypprepo('beats').with(
'enabled' => 1,
'autorefresh' => 1,
'gpgcheck' => 1,
'name' => 'beats',
'type' => 'yum',
'baseurl' => 'https://artifacts.elastic.co/packages/6.x/yum',
'gpgkey' => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
)
end
end
when %r{debian-9-|ubuntu-16.04-}
describe 'with manage_repo true on Debian family' do
let(:params) { { 'ensure' => 'present', 'manage_repo' => true } }
it do
is_expected.to contain_apt__source('beats').with(
'ensure' => 'present',
'location' => 'https://artifacts.elastic.co/packages/6.x/apt',
'release' => 'stable',
'repos' => 'main',
'key' => {
'id' => '46095ACC8548582C1A2699A9D27D666CD88E42B4',
'source' => 'https://artifacts.elastic.co/GPG-KEY-elasticsearch',
},
)
end
end
end
end
end
end
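Review bot: this deletes the entire class spec (compile check, package, service and config-file expectations, and the per-OS repository assertions) and no replacement spec is visible in the commit, while the same commit changes the default `major_version` to '7' and makes the repository URLs and key id configurable. Rather than removing the file, update the expected `baseurl` / `location` values to the 7.x paths and add cases for an overridden `gpg_key_url` and for `additional_config`, so the new parameters and the merged configuration have coverage.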


@@ -1,8 +0,0 @@
# Use default_module_facts.yml for module specific facts.
#
# Facts specified here will override the values provided by rspec-puppet-facts.
---
concat_basedir: "/tmp"
ipaddress: "172.16.254.254"
is_pe: false
macaddress: "AA:AA:AA:AA:AA:AA"


@@ -1,36 +0,0 @@
require 'puppetlabs_spec_helper/module_spec_helper'
require 'rspec-puppet-facts'
begin
require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb'))
rescue LoadError => loaderror
warn "Could not require spec_helper_local: #{loaderror.message}"
end
include RspecPuppetFacts
default_facts = {
puppetversion: Puppet.version,
facterversion: Facter.version,
}
default_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml'))
default_module_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml'))
if File.exist?(default_facts_path) && File.readable?(default_facts_path)
default_facts.merge!(YAML.safe_load(File.read(default_facts_path)))
end
if File.exist?(default_module_facts_path) && File.readable?(default_module_facts_path)
default_facts.merge!(YAML.safe_load(File.read(default_module_facts_path)))
end
RSpec.configure do |c|
c.default_facts = default_facts
c.before :each do
# set to strictest setting for testing
# by default Puppet runs at warning level
Puppet.settings[:strict] = :warning
end
end