
Fixes #225 : Option to configure audit rules from this module itself #226

Merged
merged 7 commits into from
Mar 20, 2020

Conversation

djmgit (Contributor) commented Mar 9, 2020

The PR implements the option to configure audit rules from the Wazuh module
itself. This also moves audit configuration and installation to a separate
pp file for better management.

djmgit (Contributor, Author) commented Mar 9, 2020

@rshad Please review.

rshad (Contributor) commented Mar 10, 2020

Hi @djmgit !

Thank you for contributing to Wazuh, we really appreciate it.

I see you've done great work here, it looks really interesting.

I'll review it during this week for sure.

I'll be back soon.

Kr,

Rshad

@rshad rshad added this to the Sprint-108 milestone Mar 11, 2020
@rshad rshad self-requested a review March 18, 2020 12:00
rshad (Contributor) commented Mar 18, 2020

Hi all!

Having set:

$audit_manage_rules                = true

The following template should be rendered.

## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b <%= @audit_buffer_bytes %>
## This determine how long to wait in burst of events
--backlog_wait_time <%= @audit_backlog_wait_time %>
## Set failure mode to syslog
-f 1
<% if !@audit_rules.empty? -%>
<% @audit_rules.each do |audit_rule| -%>
<%= audit_rule %>
<%- end -%>
<%- end -%>

As we checked, the template was rendered correctly.

  • /etc/audit/rules.d/audit.rules
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 0

## Set failure mode to syslog
-f 1

Related Puppet Log

Info: Loading facts
Info: Caching catalog for agent-client-1
Info: Applying configuration version '1584538768'
Notice: /Stage[main]/Wazuh::Audit/Package[Installing Audit...]/ensure: created
Notice: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]/content:
--- /etc/audit/rules.d/audit.rules      2017-10-19 22:46:39.000000000 +0000
+++ /tmp/puppet-file20200318-2962-xpvkih        2020-03-18 13:39:55.954986245 +0000
@@ -1,14 +1,13 @@
-# This file contains the auditctl rules that are loaded
-# whenever the audit daemon is started via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# First rule - delete all
+## First rule - delete all
 -D

-# Increase the buffers to survive stress events.
-# Make this bigger for busy systems
--b 320
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## This determine how long to wait in burst of events
+--backlog_wait_time 0

-# Feel free to add below this line. See auditctl man page
+## Set failure mode to syslog
+-f 1

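Review bot: the new content still begins with `-D` (the `+## First rule - delete all` line followed by the unchanged ` -D` context line), so every run that changes this file and refreshes auditd flushes all rules loaded at that moment, including any the host had from sources this module does not manage; if the intent is to add rules rather than replace the whole set, drop `-D` from the template, which is where the thread ends up. The log lines directly after the hunk also show the managed file's mode changing from '0640' to '0644'; the rule set tells a reader exactly what is and is not monitored on the host, so keeping the distribution's 0640 on the File resource is the safer default.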

Info: Computing checksum on file /etc/audit/rules.d/audit.rules
Info: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]: Filebucketed /etc/audit/rules.d/audit.rules to puppet with sum f9869e1191838c461f5b9051c78a638d
Notice: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]/content: content changed '{md5}f9869e1191838c461f5b9051c78a638d' to '{md5}9967a3542c449b61d688a4f4b465cdfa'
Notice: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]/mode: mode changed '0640' to '0644'
Info: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]: Scheduling refresh of Service[auditd]
Info: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]: Scheduling refresh of Service[auditd]
Notice: /Stage[main]/Wazuh::Audit/Service[auditd]: Triggered 'refresh' from 2 events

Adapted audit_rules.pp and the rules array

Hi @djmgit,

I think having the template without already defined rules would be better, and the rules you consider should come by default when enabling the rules, I moved to the file param_agent.pp to be defined in the array:

$audit_rules                       = []

As follows,

$audit_rules                       = [
        "-b ${audit_buffer_bytes}",
        "--backlog_wait_time ${audit_backlog_wait_time}",
        "-f 1"
]

Also, I adapted the template to be as follows,

<% if !@audit_rules.empty? -%>
<% @audit_rules.each do |audit_rule| -%>
<%= audit_rule %>
<%- end -%>
<%- end -%>

In this case, I re-installed the agent, and Puppet output is:

root@agent-client-1:~# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for agent-client-1
Info: Applying configuration version '1584544019'
Notice: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]/content:
--- /etc/audit/rules.d/audit.rules      2020-03-18 15:05:49.611350290 +0000
+++ /tmp/puppet-file20200318-17015-ggysa4       2020-03-18 15:07:10.183616289 +0000
@@ -0,0 +1,5 @@
+-b 8192
+--backlog_wait_time 0
+-f 1
+
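Review bot: `@@ -0,0 +1,5 @@` against the prior checksum d41d8cd98f00b204e9800998ecf8427e (the MD5 of an empty file) shows the template writing into an audit.rules that was already empty, but because the File resource manages `content`, any line an operator later adds to the file by hand is removed again on the next run; appending each rule with file_line, the direction the thread takes afterwards, keeps operator-added lines intact.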

Info: Computing checksum on file /etc/audit/rules.d/audit.rules
Info: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]: Filebucketed /etc/audit/rules.d/audit.rules to puppet with sum d41d8cd98f00b204e9800998ecf8427e
Notice: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]/content:

Notice: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]/content: content changed '{md5}d41d8cd98f00b204e9800998ecf8427e' to '{md5}a11120ea77870ba2c05b40db0b7fc0e1'
Info: /Stage[main]/Wazuh::Audit/File[Configure audit.rules]: Scheduling refresh of Service[auditd]
Notice: /Stage[main]/Wazuh::Audit/Service[auditd]: Triggered 'refresh' from 1 events
Notice: Applied catalog in 1.41 seconds
  • /etc/audit/rules.d/audit.rules
-b 8192
--backlog_wait_time 0
-f 1

I finally decided to remove -D to not delete the already loaded rules in audit.

Kr,

Rshad

rshad (Contributor) left a comment

I added some changes.
c0cfbd1
5972eee
16619a4

$audit_manage_rules = false
$audit_buffer_bytes = "8192"
$audit_backlog_wait_time = "0"
$audit_rules = []

I would prefer to define the default rules you put in the template into this array, audit_rules.

I already changed it in 5972eee

Thanks,

Comment on lines 1 to 13
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b <%= @audit_buffer_bytes %>

## This determine how long to wait in burst of events
--backlog_wait_time <%= @audit_backlog_wait_time %>

## Set failure mode to syslog
-f 1


As I commented in the previous comment, these rules should be defined in params_agent.pp.

I changed it in 5972eee

Thanks.

$audit_buffer_bytes = "8192"
$audit_backlog_wait_time = "0"
$audit_rules = [
'-D',
rshad commented Mar 18, 2020

I also removed -D to not delete the already loaded audit rules.

Done in 16619a4

Thank you

@rshad rshad changed the base branch from master to devel March 18, 2020 15:42
djmgit (Contributor, Author) commented Mar 18, 2020

@rshad Hi, the changes you made are very much reasonable.
The only thing that might be pointed out here is, now when a user of this module would want to add audit rules from this puppet config, he/she would always have to precede his rules in the list by:
"-b audit_buffer_bytes",
"--backlog_wait_time audit_backlog_wait_time",
"-f 1",
since the user's list will override the default rule list and also since there will be no default value for these options in the rules file.

rshad (Contributor) commented Mar 19, 2020

@rshad Hi, the changes you made are very much reasonable.
The only thing that might be pointed out here is, now when a user of this module would want to add audit rules from this puppet config, he/she would always have to precede his rules in the list by:
"-b audit_buffer_bytes",
"--backlog_wait_time audit_backlog_wait_time",
"-f 1",
since the user's list will override the default rule list and also since there will be no default value for these options in the rules file.

Hi @djmgit !

You're right. I would think about adding control variables to enable or not each one of the 3 rules we consider as default:

"-b audit_buffer_bytes",
"--backlog_wait_time audit_backlog_wait_time",
"-f 1",

In this case, the user would have more control about what to add or not. Also, I will work to make the configuration add rules to the already existing ones without overwriting the original rules file.

I will try to get it today.

Kr,

Rshad

rshad (Contributor) commented Mar 20, 2020

Hi @djmgit !

We decided to remove the template for audit rules and changed from overwriting to appending to the rules file.

$audit_rules.each |String $rule| {
  file_line { "Append rule ${rule} to /etc/audit/rules.d/audit.rules":
    path    => '/etc/audit/rules.d/audit.rules',
    line    => $rule,
    require => File['/etc/audit/rules.d/audit.rules'],
  }
}

Testing Log

Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for agent-client-1
Info: Applying configuration version '1584576544'
Notice: /Stage[main]/Wazuh::Audit/File_line[Append rule -b 8192 to /etc/audit/rules.d/audit.rules]/ensure: created
Notice: /Stage[main]/Wazuh::Audit/File_line[Append rule --backlog_wait_time 0 to /etc/audit/rules.d/audit.rules]/ensure: created
Notice: /Stage[main]/Wazuh::Audit/File_line[Append rule -f 1 to /etc/audit/rules.d/audit.rules]/ensure: created
Notice: Applied catalog in 1.08 seconds

Kr,

Rshad
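A worked illustration of the two behaviours compared in this thread, written for this page and not taken from the wazuh-puppet module: it renders the ERB template rshad posted on Mar 18 (the overwriting `content => template(...)` approach) and sets it next to a model of the append-only behaviour of the `file_line` loop above, then runs the two checks a reviewer would want over the result, one for a `-D` flush and one for a global option that now appears twice. `AuditRulesTemplate`, `append_rules`, `flushes_loaded_rules?`, `conflicting_options`, `GLOBAL_OPTIONS` and the `DISTRO_AUDIT_RULES` sample are assumptions of this example; Ruby is used because the template language is ERB, and the file_line semantics are modelled here rather than executed by Puppet.

```ruby
require 'erb'

# The ERB template posted above, copied verbatim. trim_mode '-' is what makes
# `-%>` swallow the following newline and `<%-` the preceding indentation.
AUDIT_RULES_TEMPLATE = <<~'TEMPLATE'
  <% if !@audit_rules.empty? -%>
  <% @audit_rules.each do |audit_rule| -%>
  <%= audit_rule %>
  <%- end -%>
  <%- end -%>
TEMPLATE

# Default rule list from params_agent.pp as it stood on Mar 18 (after -D was removed).
DEFAULT_RULES = ['-b 8192', '--backlog_wait_time 0', '-f 1'].freeze

# Constructed sample of a distribution-shipped audit.rules, modelled on the
# `-b 320` line visible in the first Puppet diff in this thread (not a real file).
DISTRO_AUDIT_RULES = <<~RULES
  # First rule - delete all
  -D
  # Increase the buffers to survive stress events.
  -b 320
RULES

# auditctl global settings this thread discusses; two values for one of these
# in the same file is the conflict that plain appending cannot reconcile.
GLOBAL_OPTIONS = %w[-b -f --backlog_wait_time].freeze

# The overwriting approach: the rendered text *is* the whole file, so whatever
# audit.rules held before is gone. Hypothetical class; Puppet's template()
# exposes variables to ERB the same way, as @-prefixed instance variables.
class AuditRulesTemplate
  def initialize(audit_rules)
    @audit_rules = audit_rules
  end

  def render
    ERB.new(AUDIT_RULES_TEMPLATE, trim_mode: '-').result(binding)
  end
end

# The appending approach: models puppetlabs-stdlib file_line without `match`.
# Each rule is added once, only if an identical line is absent; every existing
# line is kept, which is why conflicting values can end up side by side.
def append_rules(existing_content, audit_rules)
  lines = existing_content.lines.map(&:chomp)
  audit_rules.each { |rule| lines << rule unless lines.include?(rule) }
  lines.empty? ? '' : lines.join("\n") + "\n"
end

# True if the list contains a bare `-D`, which flushes every rule already
# loaded in the kernel; that is why the thread dropped it from the defaults.
def flushes_loaded_rules?(audit_rules)
  audit_rules.any? { |rule| rule.strip == '-D' }
end

# Global options that appear more than once in the file content, e.g. `-b 320`
# from the distro file next to the module's `-b 8192`. Comment lines are ignored.
def conflicting_options(content)
  keys = content.lines.map(&:strip)
                .reject { |l| l.empty? || l.start_with?('#') }
                .map { |l| l.split(/\s+/).first }
                .select { |k| GLOBAL_OPTIONS.include?(k) }
  keys.group_by(&:itself).select { |_, seen| seen.size > 1 }.keys
end

if $PROGRAM_NAME == __FILE__
  puts '--- overwrite (template) ---'
  puts AuditRulesTemplate.new(DEFAULT_RULES).render
  puts '--- append (file_line) onto the distro file ---'
  merged = append_rules(DISTRO_AUDIT_RULES, DEFAULT_RULES)
  puts merged
  puts "conflicting global options: #{conflicting_options(merged).inspect}"
  puts "contains -D flush: #{flushes_loaded_rules?(merged.lines)}"
end
```

Running it shows the point djmgit raised from the other side: appending keeps the distribution's `-D` and `-b 320` in place, so the merged file both flushes loaded rules and carries two `-b` values. In the real module that is where file_line's `match` parameter (replace the line matching `^-b ` instead of adding a second one) or an explicit decision about the distribution file comes in, rather than relying on the order in which auditctl reads the lines.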

@manuasir manuasir merged commit 6cc7e40 into wazuh:devel Mar 20, 2020
@manuasir manuasir removed this from the Sprint-108 milestone Mar 20, 2020
Successfully merging this pull request may close these issues.

Separate file for audit and option to configure audit rules from this module itself
3 participants