
Fixes #215: Fix audit package name for Debian #216

Merged
merged 1 commit into from
Mar 12, 2020

Conversation

djmgit
Contributor

@djmgit djmgit commented Feb 19, 2020

This PR intends to fix the audit package name in Debian systems,
so that package installation works for Debian as well.

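The per-distribution package-name selection this PR describes, written out as an added illustrative Puppet manifest (not the wazuh-puppet project's own code); the class name, the `manage_audit` parameter and the resource titles are assumptions:

```puppet
# Illustrative example, not the project's manifest: pick the audit
# package name from the OS family fact, because the package is called
# "audit" on RedHat-family systems and "auditd" on Debian-family ones.
class audit_example (
  Boolean $manage_audit = true,   # assumed parameter name
) {
  $audit_package = $facts['os']['family'] ? {
    'RedHat' => 'audit',
    'Debian' => 'auditd',
    default  => undef,
  }

  if $manage_audit and $audit_package {
    # Stable resource title, distribution-specific package name.
    package { 'audit':
      ensure => present,
      name   => $audit_package,
    }

    # The service is named auditd on both families; start it only
    # after the package exists so the Service resource cannot fail
    # the way the Xenial run in the testing log below did.
    service { 'auditd':
      ensure  => running,
      enable  => true,
      require => Package['audit'],
    }
  } elsif $manage_audit {
    fail("No audit package mapping for OS family ${facts['os']['family']}")
  }
}
```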
@jm404
Contributor

jm404 commented Mar 2, 2020

Hi @djmgit,

Thanks for your contribution, it's really appreciated.

We will test it and let you know the result as soon as possible.

Best regards,

Jose

@jm404 jm404 requested a review from rshad March 2, 2020 10:56
@jm404 jm404 assigned jm404 and unassigned jm404 Mar 2, 2020
@jm404 jm404 linked an issue Mar 2, 2020 that may be closed by this pull request
@rshad rshad self-assigned this Mar 3, 2020
@rshad
Contributor

rshad commented Mar 3, 2020

Hi @djmgit!

Thank you for contributing to Wazuh. Wazuh gets improved by our community efforts.

I'll review your changes, test them, and I'll be back soon.

Kr,

Rshad

@rshad rshad added this to the Sprint-108 milestone Mar 10, 2020
@rshad
Contributor

rshad commented Mar 12, 2020

Testing Log

  • Syscheck Config
<directories check_all="yes" whodata="yes">/etc/,/usr/bin,/usr/sbin</directories>

Testing on Centos 7

  • Successful agent installation on CentOS 7 ✔️
[root@agent-client-1 vagrant]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for agent-client-1
Info: Applying configuration version '1584025887'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf   2020-03-12 14:29:09.640071376 +0000
+++ /tmp/puppet-file20200312-27539-1to29ir      2020-03-12 15:11:33.630409813 +0000
@@ -1,7 +1,7 @@
 <ossec_config>
   <client>
   <server>
-    <address>172.17.0.100</address>
+    <address>172.17.0.101</address>
     <protocol>udp</protocol>
     <port>1514</port>
   </server>
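Review bot: this hunk only changes the manager address in ossec.conf (172.17.0.100 to 172.17.0.101), which is a property of the test environment rather than anything this PR touches, and no Package[Installing Audit...] resource appears anywhere in this CentOS run. The run therefore demonstrates the agent configuration being applied and the service restarting; the evidence that audit is actually in place on CentOS is the `auditctl -l | grep wazuh_fim` output further down, not this catalog apply.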

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum fe90ce4ae77fbe9aac3ebcc616595c8a
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}fe90ce4ae77fbe9aac3ebcc616595c8a' to '{md5}bc2cb4c2b208e27b344e197cfd5e3ae7'
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]/returns: executed successfully (corrective)
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Unscheduling refresh on Service[wazuh-agent]
Notice: Applied catalog in 4.32 seconds
  • Defined Audit rules with Whodata ✔️
[root@agent-client-1 ossec]# auditctl -l | grep wazuh_fim
-w /etc -p wa -k wazuh_fim
-w /usr/bin -p wa -k wazuh_fim
-w /usr/sbin -p wa -k wazuh_fim
  • Successful Alert with Audit ✔️
** Alert 1584026562.326716: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI$
2020 Mar 12 15:22:42 (agent-client-1) 172.17.0.111->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/etc/nanorc' was added.
(Audit) User: 'root (0)'
(Audit) Login user: 'vagrant (1000)'
(Audit) Effective user: 'root (0)'
(Audit) Group: 'root (0)'
(Audit) Process id: '28969'
(Audit) Process name: '/usr/bin/python2.7'

Attributes:
 - Size: 8892
 - Date: Tue Jun 10 04:47:53 2014
 - Inode: 26675
 - User: root (0)
 - Group: root (0)
 - MD5: 96b0f722f3c8caf3cd69f0cce6096f25
 - SHA1: 9a568933aca873e00b7d581d1f2d409ad6122179
 - SHA256: 033bdfe66b40f8e9a356a6e3feefa8c33551648cd785ccc9931dab17b23fa91f
 - Permissions: 100644


Testing on Ubuntu Xenial

  • Failed installation when using audit instead of auditd on Ubuntu Xenial (expected to fail)
Info: Loading facts
Info: Caching catalog for agent-client-1
Info: Applying configuration version '1584031801'
Error: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install audit' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package audit
Error: /Stage[main]/Wazuh::Agent/Package[Installing Audit...]/ensure: change from purged to present failed: Execution of '/usr/bin/apt-get -q -y -o DPkg::Options::=--force-confold install audit' returned 100: Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package audit
Error: Systemd start for auditd failed!
journalctl log for auditd:
-- No entries --

Error: /Stage[main]/Wazuh::Agent/Service[auditd]/ensure: change from stopped to running failed: Systemd start for auditd failed!
journalctl log for auditd:
-- No entries --

Notice: /Stage[main]/Wazuh::Repo/Apt::Key[wazuh]/Apt_key[wazuh]/ensure: created

  • Successful auditd installation on Ubuntu Xenial ✔️
root@agent-client-1:~# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for agent-client-1
Info: Applying configuration version '1584032016'
Notice: /Stage[main]/Wazuh::Agent/Package[Installing Audit...]/ensure: created
Notice: Applied catalog in 27.36 seconds
root@agent-client-1:~#

  • Successful alert with Audit ✔️
** Alert 1584032536.710896: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,
2020 Mar 12 17:02:16 (agent-client-1) 172.17.0.111->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File '/etc/test3.txt' was added.
(Audit) User: 'root (0)'
(Audit) Login user: 'vagrant (1000)'
(Audit) Effective user: 'root (0)'
(Audit) Group: 'root (0)'
(Audit) Process id: '16507'
(Audit) Process name: '/bin/bash'

Attributes:
 - Size: 12
 - Date: Thu Mar 12 17:02:15 2020
 - Inode: 57954
 - User: root (0)
 - Group: root (0)
 - MD5: 6f5902ac237024bdd0c176cb93063dc4
 - SHA1: 22596363b3de40b06f981fb85d82312e8c0ed511
 - SHA256: a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
 - Permissions: 100644

Kr,

Rshad

@manuasir manuasir changed the base branch from master to devel March 12, 2020 17:53
@manuasir manuasir merged commit 13d4655 into wazuh:devel Mar 12, 2020
@rshad rshad added the fix label Mar 12, 2020
Successfully merging this pull request may close these issues.

Audit package's name is auditd in debian