Fixes #225 : Option to configure audit rules from this module itself #226
Conversation
The PR implements the option to configure audit rules from the Wazuh module itself. This also moves audit configuration and installation to a separate pp file for better management.
@rshad Please review.
Hi @djmgit ! Thank you for contributing to Wazuh, we really appreciate it. I see you've done great work here, it looks really interesting. I'll review it during this week for sure. I'll be back soon. Kr, Rshad
Hi all! Having set:
The following template should be rendered (wazuh-puppet/templates/audit_rules.erb, lines 1 to 18 in 855de23).
As we checked, the template was rendered correctly:
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 0
## Set failure mode to syslog
-f 1
Related Puppet Log
Adapted
Hi @djmgit, I think having the template without already defined rules would be better, and the rules you consider should come by default when enabling the rules, I moved them to $audit_rules = [] as follows:
$audit_rules = [
  "-b ${audit_buffer_bytes}",
  "--backlog_wait_time ${audit_backlog_wait_time}",
  "-f 1"
]
Also, I adapted the template to be as follows:
<% if !@audit_rules.empty? -%>
<% @audit_rules.each do |audit_rule| -%>
<%= audit_rule %>
<%- end -%>
<%- end -%>
In this case, I re-installed the agent, and Puppet output is:
root@agent-client-1:~# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for agent-client-1
Info: Applying configuration version '1584544019'
Notice: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]/content:
--- /etc/audit/rules.d/audit.rules 2020-03-18 15:05:49.611350290 +0000
+++ /tmp/puppet-file20200318-17015-ggysa4 2020-03-18 15:07:10.183616289 +0000
@@ -0,0 +1,5 @@
+-b 8192
+--backlog_wait_time 0
+-f 1
+
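Review bot: the rendered rule set in this hunk no longer begins with `-D`, the "First rule - delete all" line that the original template carried, so on load these three lines are applied on top of whatever rules auditd already has rather than replacing them; if `$audit_rules` is meant to define the whole rule set, keep '-D' as its first element (the params_agent.pp snippet further down in this review does start the array with '-D').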
Info: Computing checksum on file /etc/audit/rules.d/audit.rules
Info: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]: Filebucketed /etc/audit/rules.d/audit.rules to puppet with sum d41d8cd98f00b204e9800998ecf8427e
Notice: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]/content:
Notice: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}a11120ea77870ba2c05b40db0b7fc0e1'
Info: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]: Scheduling refresh of Service[auditd]
Notice: /Stage[main]/Wazuh::Audit/Service[auditd]: Triggered 'refresh' from 1 events
Notice: Applied catalog in 1.41 seconds
I finally decided to remove
Kr, Rshad
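To see what the adapted template above produces, here is an added example (not code from the wazuh-puppet module) that renders that ERB body with Ruby's standard ERB in Puppet's trim mode, using a constructed stand-in for the Puppet scope whose class parameters mirror params_agent.pp; it also checks whether a rendered file still opens with the `-D` rule the original template had. The `AuditRulesScope` class and `flushes_existing_rules?` helper are assumptions made for this example.

```ruby
require "erb"

# Template body as adapted in this PR discussion (iterates @audit_rules); the
# scope class and sample values below are constructed for this example.
AUDIT_RULES_TEMPLATE = <<~'ERB'
  <% if !@audit_rules.empty? -%>
  <% @audit_rules.each do |audit_rule| -%>
  <%= audit_rule %>
  <%- end -%>
  <%- end -%>
ERB

# Stand-in for the Puppet template scope: the class parameters from
# params_agent.pp become @variables visible to the ERB template.
class AuditRulesScope
  def initialize(audit_buffer_bytes: "8192", audit_backlog_wait_time: "0", audit_rules: nil)
    @audit_buffer_bytes = audit_buffer_bytes
    @audit_backlog_wait_time = audit_backlog_wait_time
    # Default array proposed in the review; Puppet interpolates
    # "${audit_buffer_bytes}" itself, here Ruby interpolation does the same job.
    @audit_rules = audit_rules || [
      "-b #{@audit_buffer_bytes}",
      "--backlog_wait_time #{@audit_backlog_wait_time}",
      "-f 1",
    ]
  end

  # Puppet renders templates with trim_mode "-": "-%>" swallows the following
  # newline and "<%-" drops leading indentation, so the control-flow lines leave
  # no blank lines behind in /etc/audit/rules.d/audit.rules.
  def render
    ERB.new(AUDIT_RULES_TEMPLATE, trim_mode: "-").result(binding)
  end
end

# The original template opened with "-D" (delete all loaded rules). Report
# whether a rendered file still does, since without it the listed rules are
# loaded in addition to whatever rules auditd already has.
def flushes_existing_rules?(rendered)
  first_rule = rendered.each_line.map(&:strip).find { |l| !l.empty? && !l.start_with?("#") }
  first_rule == "-D"
end

if __FILE__ == $PROGRAM_NAME
  out = AuditRulesScope.new.render
  puts out
  puts "starts with -D: #{flushes_existing_rules?(out)}"
end
```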
manifests/params_agent.pp (outdated)
$audit_manage_rules = false
$audit_buffer_bytes = "8192"
$audit_backlog_wait_time = "0"
$audit_rules = []
I would prefer to define the default rules you put in the template into this array, audit_rules.
I already changed it in 5972eee
Thanks,
templates/audit_rules.erb (outdated)
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b <%= @audit_buffer_bytes %>

## This determine how long to wait in burst of events
--backlog_wait_time <%= @audit_backlog_wait_time %>

## Set failure mode to syslog
-f 1
As I commented in the previous comment, these rules should be defined in params_agent.pp.
I changed it in 5972eee
Thanks.
manifests/params_agent.pp (outdated)
$audit_buffer_bytes = "8192"
$audit_backlog_wait_time = "0"
$audit_rules = [
  '-D',
@rshad Hi, the changes you made are very much reasonable.
Hi @djmgit ! You're right. I would think about adding control variables to enable or disable each one of the 3 rules we consider as default.
In this case, the user would have more control over what to add or not. Also, I will work to make the configuration add rules to the already existing ones without overwriting the original rules file. I will try to get it today. Kr, Rshad
Hi @djmgit ! We decided to remove the template for wazuh-puppet/manifests/audit.pp (lines 33 to 39 in 697bad3)
Testing Log
Kr, Rshad