OSSEC Puppet module

This module installs and configure OSSEC HIDS agent and manager.

Documentation

• Full documentation
• OSSEC Puppet module documentation
• Puppet Forge

Credits and thank you

This Puppet module has been authored by Nicolas Zin, and updated by Jonathan Gazeley and Michael Porter. Wazuh has forked it with the purpose of maintaing it. Thank you to the authors for the contribution.

Beaker Test

• set chocolatey installation support - $ export OSSEC_CHOCOLATEY_ENABLED=true.

• add puppet environment variables for spec_helper_acceptance.rb

  $ export PUPPET_INSTALL_TYPE=agent
  $ export PUPPET_INSTALL_VERSION=1.9.3
  

• run default acceptance test $ bundle exec rake beaker. This will only execute the windows test with ossec agent 2.9.2

• run ubuntu agent test BEAKER_setfile=spec/acceptance/nodesets/ubuntu-1404.yaml bundle exec rspec spec/acceptance/.

• run centos agent test BEAKER_setfile=spec/acceptance/nodesets/centos-72.yaml bundle exec rspec spec/acceptance

• run windows 2012r2 with agent 2.8 BEAKER_setfile=spec/acceptance/nodesets/windows-2012r2-ossec28.yaml bundle exec rspec spec/acceptance

References

• Wazuh website
• OSSEC project website

2014-11-28 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.3.0

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Add support for Debian "Jessie" (thanks to @ivan7farre)

2015-01-16 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.3.3

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Fix compatibility issue with PuppetServer (thanks to @d9705996)

2015-03-02 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.4.0

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Fix dependency problem by providing EPEL on RHEL (thanks to @otteydw for reporting)

2015-05-28 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.4.1

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Email notification is no longer hard-coded in ossec.conf (thanks to @earsdown)

2015-06-10 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.4.2

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Fix regression that breaks behaviour on CentOS 6 and lower

2015-06-11 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.5.1

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Stop using andyshinn/atomic and configure Atomicorp's OSSEC repo locally

2015-06-30 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.5.3

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Fix permissions on log files so logwatch on EL7 doesn't complain
• Key concat::fragment for agentkeys on $agent_name to avoid duplicated resources

2015-07-06 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.5.4

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Fix regression in log file permissions (thanks to @paulseward)

2015-07-20 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.6.0

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Enable SELinux support

2015-08-03 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.6.2

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Fix log directory permissions

2015-08-07 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.7.0

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• Use puppetlabs/mysql to manage MySQL client

2015-08-21 Jonathan Gazeley jonathan.gazeley@bristol.ac.uk - 1.7.2

Jonathan Gazeley jonathan.gazeley@bristol.ac.uk:

• SELinux permissions fix

2015-09-16 Michael Porter michael.porter@lightningsource.com - 2.0.0

Michael Porter michael.porter@lightningsource.com:

• Allow skipping MySQL dependency, disabling active response, and executing rootcheck
• Windows agent support
• Use Puppet md5 support, instead of adding parser function
• Utilize centralized agent configuration
• Various clean-up and reorganization of Puppet module structure
• Utilize 'hostname' instead of 'uniqueid' for agent ID, due to uniqueid not existing on Windows, and not necessarily being unique across the org on Linux

2015-09-16 Jose Luis Ruiz jose@wazuh.com - 2.0.0

Jose Luis Ruiz jose@wazuh.com:

• Update for all kind of Windows
• Change repos to Wazuh, Inc.

2015-10-13 Jose Luis Ruiz jose@wazuh.com - 2.0.1

Jose Luis Ruiz jose@wazuh.com:

• Update Windows Agent to version 2.8.1
• Fix a bug with the Windows Agent ID, now use for all systems fqdn_rand to generate the client.keys ID

2015-10-13 Jose Luis Ruiz jose@wazuh.com - 2.0.2

Jose Luis Ruiz jose@wazuh.com:

• Update Windows Agent to version 2.8.3
• Update packaget to Ubuntu Vivid and Wily
• Update packages to Debian Stretch and Sid

2015-12-02 Jose Luis Ruiz jose@wazuh.com - 2.0.3

Jose Luis Ruiz jose@wazuh.com:

• Fix server package name for Ubuntu (thanks to @HielkeJ for Pull request)
• Add full fingerprint for Ubuntu and Debian (thanks to @HielkeJ for Pull request)

2015-12-21 Jose Luis Ruiz jose@wazuh.com - 2.0.4

Jose Luis Ruiz jose@wazuh.com:

• Add manage_repo option on client.pp (issue #2 reported by @cudgel)
• Add new repo for RHEL5 and CentOS5 have different rpm signature.

2016-01-19 Jose Luis Ruiz jose@wazuh.com - 2.0.5

Jose Luis Ruiz jose@wazuh.com:

• Add multiple email_to addresses
• Adding support for server-hostname in agent config (pull request #3 thanks @alustenberg)
• Adding ossec_scanpaths configuration thanks to @djjudas21 repository

2016-02-03 Jose Luis Ruiz jose@wazuh.com - 2.0.6

Jose Luis Ruiz jose@wazuh.com:

• Add ability to manage epel repo to master/client configs (pull request #4 thanks @justicel)
• The @path uses the puppet level path variable (pull request #5 thanks @justicel)
• Allow whitelisting of IP addreses (thanks @chaordix)
• Provides an option to tell the puppet module to not manage the client.keys file at all. (pull request #7 thanks @TravellingGuy)

2016-02-05 Jose Luis Ruiz jose@wazuh.com - 2.0.7

Jose Luis Ruiz jose@wazuh.com:

• Run agent-auth if client.keys doesn't exist an agent. (pull request #9 thanks @TravellingGuy)

2016-02-05 Jose Luis Ruiz - 2.0.8

Jose Luis Ruiz jose@wazuh.com:

• Fix some typos with puppet-lint.

2016-02-23 Jose Luis Ruiz - 2.0.9

Jose Luis Ruiz jose@wazuh.com:

• Allow the agent identity to be modified. (pull request #10 thanks @damoxc)
• prevent the agent-auth command being used. (pull request #11 thanks @damoxc)
• Change log directory to only be readable by user and group. (pull request #12 thanks @damoxc)
• Add the ability to configure a MySQL database with OSSEC server. (pull request #14 thanks @coreone)

2016-04-26 Jose Luis Ruiz - 2.0.10

Jose Luis Ruiz jose@wazuh.com:

• Extra rules config to integrate Wazuh ruleset. (pull request #17 thanks @TravellingGUy)
• Allow configuration of the email_maxperhour and email_idsname configuration items. (pull request #18 thanks @TravellingGUy)
• Fix bug in client exported resources (pull request #19 thanks @scottcunningham)

2016-05-04 Jose Luis Ruiz - 2.0.11

Jose Luis Ruiz jose@wazuh.com:

• Fix windows installation error in params. (pull request #20 thanks @cmblong)
• Added support for repeated_offenders in activeresponse (pull request #21 thanks @ialokin)

2016-05-04 Jose Luis Ruiz - 2.0.12

Jose Luis Ruiz jose@wazuh.com:

• Add MariaDB support ( (pull reques #3 thanks @ialokin)
• Permit admin to disable auto_ignore for files which change more than three times. (pull request #24 thanks @cmblong)
• Change fqdn_rand(3000) to a variable to allow us to increase the number of available clients. (pull request #25 thanks @cmblong)
• Can now set a minimal activeresponse entry containing just repeated_offenders by defining $ar_repeated_offenders in the ossec::client. (pull request #26 thanks @ialokin)
• Add variable to enable prefilter command. (pull request #27 thanks @cmblong)
• Set service provider to redhat on Redhat systems. (pull request #28 thanks @cmblong))

2016-06-14 Jose Luis Ruiz - 2.0.13

• Adding xenial to the supported distributions.(pull request #31 thanks @stephen-kainos)

2016-06-14 Jose Luis Ruiz - 2.0.14

• Add prefilter to agent config. (pull request #32 thanks @cmblong )
• Add function addlog to the agent. (issue #30 thanks @paul-cs)
• Add the apt::key can set a proxy and the key add process could be done. (issue #34 thanks @drequena)

2016-10-15 Jose Luis Ruiz - 2.0.15

• Add option to enable syslog output. (pull request #35 thanks @TravellingGUy )
• Add Add Amazon Linux support. (pull request #37 thanks @seefood)
• Hard-coded GPG key for RHEL-like systems. (pull request #37 thanks @tobowers)
• Override package & service name for client installation. (pull request #43 thanks MrSecure)

2016-10-18 Jose Luis Ruiz - 2.0.16

• Add local_decoder.xml and local_rules.xml templates

2016-10-18 Jose Luis Ruiz - 2.0.17

• Fixed gpgkey path under CentOS and RHEL

2016-10-20 Jose Luis Ruiz - 2.0.18

• Fixed 10_ossec.conf.erb template, "local_decoder" added to rules configuration

2016-12-08 Jose Luis Ruiz - 2.0.19

• Compat with Older versions facter. (pull request #47 thanks @seefood)
• Template paths as parameters. (pull request #48 thanks @seefood )
• Client: allow configurable service_has_status, default to params. (pull request #51 thanks @josephholsten )
• Added Yakketi to the supported distributions.
• Modified activeresponse.erb to include <rules_id></rules_id> tags (pull request #56 thanks @MatthewRBruce)
• Modified client.pp and server.pp to accept package versions as parameter. (pull request #57 thanks @MatthewRBruce)

2016-12-08 Jose Luis Ruiz - 2.0.20

• Fixed typo in the windows package, this type made the deploy fails under windows.

2017-04-24 Jose Luis Ruiz - 2.0.21

• Fix apt deprecation warnings. (pull request #58 thanks @kdole)
• Avoid warnings when storeconfigs are not available. (pull request #59 thanks @kdole)
• Use default local_files setting. (pull request #60 thanks @kdole)
• Making ossec server port configurable. (pull request #62 thanks @edge-records)
• Allow custom agent configurations (pull request #64 thanks @ffleming)
• Fixed issec #66 (thanks @thedawidbalut)
• Adds options to control rootcheck feature. (pull request #67 thanks @netman2k)
• Use puppet-selinux instead of jfryman-selinux (pull request #68 thanks @netman2k)
• Allow custom ossec.conf in agent and server template (pull request #69 thanks @sam-wouters)
• Fixed issue #71. (Thanks for reporting it @sc-chad)
• Fixed issue #72. (Thanks for reporting it @sc-chad)

2017-xx-xx Jose Luis Ruiz - 2.0.22

• Add FreeBSD support for client (pull request #73 thanks @zados)
• Adding ability to pass syslog output port (pull request #78 thanks @anujp)
• Ability to configure rootkit options and toggle alert_new_files (pull request #65 thanks @adamschleter)
• Add ignore path regex in Server and Agent manifest (pull request #79 thanks @vietcgi)
• Add support for beaker on windows (pull request #80 thanks @lmayorga1980)
• Add support for chocolatey package deployments (pull request #80 thanks @lmayorga1980)
• Add support for non-chocolatey installations. (pull request #81 thanks @lmayorga1980)