diff --git a/manifests/agent.pp b/manifests/agent.pp
index d7c556c3..d0dcec6b 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -167,6 +167,7 @@
 $ossec_syscheck_auto_ignore = $wazuh::params_agent::ossec_syscheck_auto_ignore,
 $ossec_syscheck_directories_1 = $wazuh::params_agent::ossec_syscheck_directories_1,
 $ossec_syscheck_directories_2 = $wazuh::params_agent::ossec_syscheck_directories_2,
+ $ossec_syscheck_whodata_directories_1 = $wazuh::params_agent::ossec_syscheck_whodata_directories_1,
 $ossec_syscheck_realtime_directories_1 = $wazuh::params_agent::ossec_syscheck_realtime_directories_1,
 $ossec_syscheck_whodata_directories_2 = $wazuh::params_agent::ossec_syscheck_whodata_directories_2,
@@ -178,6 +179,12 @@
 $ossec_syscheck_skip_nfs = $wazuh::params_agent::ossec_syscheck_skip_nfs,
 $ossec_syscheck_windows_audit_interval = $wazuh::params_agent::windows_audit_interval,
+ # Audit
+ $audit_manage_rules = $wazuh::params_agent::audit_manage_rules,
+ $audit_buffer_bytes = $wazuh::params_agent::audit_buffer_bytes,
+ $audit_backlog_wait_time = $wazuh::params_agent::audit_backlog_wait_time,
+ $audit_rules = $wazuh::params_agent::audit_rules,
+
 # active-response
 $ossec_active_response_disabled = $wazuh::params_agent::active_response_disabled,
 $ossec_active_response_linux_ca_store = $wazuh::params_agent::active_response_linux_ca_store,
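Review bot: The new default for `$ossec_syscheck_whodata_directories_1` reads `$wazuh::params_agent::ossec_syscheck_whodata_directories_1`, but the params_agent.pp hunk in this diff does not add that variable, so unless it already exists there the parameter resolves to undef (or fails under `strict_variables`) and the `== 'yes'` check that gates `wazuh::audit` can never fire for the first directory set. Confirm it is defined in params_agent.pp, or add `$ossec_syscheck_whodata_directories_1 = 'no'` next to its `_2` sibling. The parameter list this line belongs to starts and ends outside the hunk.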
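Review bot: The four new audit parameters are untyped, and `wazuh::audit` compares `$audit_manage_rules == true` strictly, so a Hiera value written as the string `'true'` silently leaves rule management off, while any non-string entry in `$audit_rules` only fails later at the `|String $rule|` lambda. Since audit.pp already relies on Puppet 4 iteration, declare the types here: `Boolean $audit_manage_rules = $wazuh::params_agent::audit_manage_rules,` and `Array[String] $audit_rules = $wazuh::params_agent::audit_rules,` (and `String` for the two numeric settings unless callers are changed to pass Integers). A one-line comment that `audit_rules` entries are appended verbatim to `/etc/audit/rules.d/audit.rules` and must be complete auditctl lines would also help users. The parameter list continues outside the hunk.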
@@ -209,25 +216,11 @@
 validate_string($agent_service_name)
 if (( $ossec_syscheck_whodata_directories_1 == 'yes' ) or ( $ossec_syscheck_whodata_directories_2 == 'yes' )) {
- case $::kernel {
- 'Linux': {
- case $::operatingsystem {
- 'Debian', 'debian', 'Ubuntu', 'ubuntu': {
- package { 'Installing Audit...':
- name => 'auditd',
- }
- }
- default: {
- package { 'Installing Audit...':
- name => 'audit',
- }
- }
- }
- service { 'auditd':
- ensure => running,
- enable => true,
- }
- }
+ class { "wazuh::audit":
+ audit_manage_rules => $audit_manage_rules,
+ audit_backlog_wait_time => $audit_backlog_wait_time,
+ audit_buffer_bytes => $audit_buffer_bytes,
+ audit_rules => $audit_rules,
 }
 }
diff --git a/manifests/audit.pp b/manifests/audit.pp
new file mode 100644
index 00000000..612b8650
--- /dev/null
+++ b/manifests/audit.pp
@@ -0,0 +1,43 @@
+class wazuh::audit (
+ $audit_manage_rules = false,
+ $audit_buffer_bytes = "8192",
+ $audit_backlog_wait_time = "0",
+ $audit_rules = [],
+) {
+
+ case $::kernel {
+ 'Linux': {
+ case $::operatingsystem {
+ 'Debian', 'debian', 'Ubuntu', 'ubuntu': {
+ package { 'Installing Audit...':
+ name => 'auditd',
+ }
+ }
+ default: {
+ package { 'Installing Audit...':
+ name => 'audit'
+ }
+ }
+ }
+
+ service { 'auditd':
+ ensure => running,
+ enable => true,
+ }
+
+ if $audit_manage_rules == true {
+ file { '/etc/audit/rules.d/audit.rules':
+ ensure => present
+ }
+
+ $audit_rules.each |String $rule| {
+ file_line { "Append rule ${rule} to /etc/audit/rules.d/audit.rules":
+ path => '/etc/audit/rules.d/audit.rules',
+ line => $rule,
+ require => File['/etc/audit/rules.d/audit.rules']
+ }
+ }
+ }
+ }
+}
diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp
index 0807a3d6..39be5be8 100644
--- a/manifests/params_agent.pp
+++ b/manifests/params_agent.pp
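Review bot: `wazuh::audit` is declared with no relationship to the agent's own service, so nothing guarantees auditd is installed, running and loaded with rules before the Wazuh agent starts in whodata mode; if the agent needs auditd at start time, which I cannot confirm from this hunk, add `Class['wazuh::audit'] -> Service[$agent_service_name]` after the declaration (the agent's service resource is outside this hunk, so check its actual title). Minor style: `"wazuh::audit"` is a double-quoted string with no interpolation, `class { 'wazuh::audit':` is the lint-clean form. The block containing this `if` starts before the hunk.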
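Review bot: The rules file created under `if $audit_manage_rules == true` has no `owner`, `group` or `mode`, and after `file_line` appends a rule nothing reloads the audit rule set, so changes sit on disk until the next boot or a manual `augenrules --load`; the auditctl rules loader also rejects a rules file that is not root-owned or is writable by others, so ownership and mode should be pinned. Neither `service { 'auditd' }` nor the file resource declares `require => Package['Installing Audit...']`, so they depend on manifest ordering alone. Separately, `$audit_buffer_bytes` and `$audit_backlog_wait_time` are accepted by this class but never used in its body (they only matter through the `$audit_rules` list assembled in params_agent.pp), so either consume them here or drop them from the interface. The sketch below adds ownership, explicit ordering and a refresh-only reload via augenrules (a systemctl restart of auditd is refused on several distributions); note that a rule set ending in `-e 2` makes that reload fail until reboot, which is expected.

```puppet
      # … unchanged: package selection by $::operatingsystem …

      service { 'auditd':
        ensure  => running,
        enable  => true,
        require => Package['Installing Audit...'],
      }

      if $audit_manage_rules == true {
        file { '/etc/audit/rules.d/audit.rules':
          ensure  => present,
          owner   => 'root',
          group   => 'root',
          mode    => '0640',
          require => Package['Installing Audit...'],
        }

        # Appended rules only take effect once augenrules rebuilds and loads them.
        exec { 'wazuh-audit-load-rules':
          command     => 'augenrules --load',
          path        => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
          refreshonly => true,
          require     => Service['auditd'],
        }

        $audit_rules.each |String $rule| {
          file_line { "Append rule ${rule} to /etc/audit/rules.d/audit.rules":
            path    => '/etc/audit/rules.d/audit.rules',
            line    => $rule,
            require => File['/etc/audit/rules.d/audit.rules'],
            notify  => Exec['wazuh-audit-load-rules'],
          }
        }
      }
      # … unchanged: closing braces of the 'Linux' branch, the kernel case and the class …
```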
@@ -225,6 +225,16 @@
 $ossec_syscheck_nodiff = '/etc/ssl/private.key'
 $ossec_syscheck_skip_nfs = 'yes'
+ # Audit
+ $audit_manage_rules = false
+ $audit_buffer_bytes = "8192"
+ $audit_backlog_wait_time = "0"
+ $audit_rules = [
+ "-b ${audit_buffer_bytes}",
+ "--backlog_wait_time ${audit_backlog_wait_time}",
+ "-f 1"
+ ]
+
 # active-response
 $active_response_linux_ca_store = '/var/ossec/etc/wpk_root.pem'
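Review bot: `$audit_rules` is built here from the params-level `$audit_buffer_bytes` and `$audit_backlog_wait_time`, so overriding only `audit_buffer_bytes` (or the wait time) on `wazuh::agent` has no effect, the list still carries the params defaults unless `audit_rules` is overridden as well; either build the default list inside `wazuh::audit` from its own parameters or document the coupling. These three entries are auditctl control settings rather than watch rules and are appended as-is to the distribution's `rules.d/audit.rules`, so a pre-existing line such as `--backlog_wait_time 60000` (check whether the target packages ship one) is not replaced and the last occurrence wins. A short comment would help readers: `# Control lines appended verbatim to /etc/audit/rules.d/audit.rules; -f 1 logs audit failures (2 = panic)`. The params class continues outside the hunk.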