
Fixes #227 : Add system_audit subsection in rootcheck #228

Merged
merged 5 commits into from
Mar 18, 2020

Conversation

djmgit
Contributor

@djmgit djmgit commented Mar 9, 2020

The PR adds system_audit subsection configuration in rootcheck

@djmgit
Contributor Author

djmgit commented Mar 9, 2020

@rshad Please review.

@rshad rshad self-assigned this Mar 10, 2020
@rshad
Contributor

rshad commented Mar 10, 2020

Hi @djmgit !

Thank you again for contributing to Wazuh. Many interesting changes.

I'll be reviewing this PR as soon as possible.

Kr,

Rshad

@rshad rshad self-requested a review March 18, 2020 16:15
@rshad rshad changed the base branch from master to devel March 18, 2020 16:16
@rshad
Contributor

rshad commented Mar 18, 2020

Hi all!

Having set,

$ossec_rootcheck_system_audit = [
        "/var/ossec/etc/shared/system_audit_rcl.txt",
        "/var/ossec/etc/shared/system_audit_ssh.txt",
]

Puppet Output

root@agent-client-1:/var/ossec# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for agent-client-1
Info: Applying configuration version '1584552989'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf   2020-03-18 17:10:30.699103339 +0000
+++ /tmp/puppet-file20200318-19690-u64wlq       2020-03-18 17:36:36.223103339 +0000
@@ -37,6 +37,8 @@
     <frequency>43200</frequency>
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+      <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
+      <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
     <skip_nfs>yes</skip_nfs>

 </rootcheck>
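Review bot: the two added `<system_audit>` lines in this hunk are indented two spaces deeper than the sibling `<frequency>`, `<rootkit_files>`, `<rootkit_trojans>` and `<skip_nfs>` elements, so the template emits the new elements with different indentation from the rest of the `<rootcheck>` block. Wazuh's XML parser does not care, but the generated ossec.conf is what operators read when debugging, so the template line that produces `<system_audit>` should use the same indentation as the lines around it before this is merged.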

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: FileBucket got a duplicate file {md5}c3c737c431b9a624f96675fa760d3bf1
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum c3c737c431b9a624f96675fa760d3bf1
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}c3c737c431b9a624f96675fa760d3bf1' to '{md5}aea8237268bd066a67c6cdca2f3208b2'
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 events
Notice: Applied catalog in 3.78 seconds

And when setting,

$ossec_rootcheck_system_audit = []
root@agent-client-1:/var/ossec# puppet agent -t
.
.
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf   2020-03-18 17:48:45.503103339 +0000
+++ /tmp/puppet-file20200318-21987-16vvtjc      2020-03-18 17:51:06.439103339 +0000
@@ -37,8 +37,6 @@
     <frequency>43200</frequency>
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
-      <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
-      <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
     <skip_nfs>yes</skip_nfs>

 </rootcheck>
.
.
Notice: Applied catalog in 3.78 seconds


Added Changes

  • The defined paths are wrong. Getting the error:
2020/03/18 17:37:01 rootcheck: ERROR: No unixaudit file: './shared/system_audit_rcl.txt'
2020/03/18 17:37:01 rootcheck: ERROR: No unixaudit file: './shared/system_audit_ssh.txt'

So, when I tested the PR I replaced,

        "./shared/system_audit_rcl.txt",
        "./shared/system_audit_ssh.txt",

by

        "/var/ossec/etc/shared/system_audit_rcl.txt",
        "/var/ossec/etc/shared/system_audit_ssh.txt",
  • Removed the auxiliary variable default_rootcheck_system_audit.

  • Defined the variable for both Linux and Windows. Empty by default.

  • Added a condition to check if the files list is empty or not.

Kr,

Rshad

@rshad rshad left a comment

Added some changes in

96e2e89
624daa7
057f54e
f8614d0

@@ -81,6 +81,7 @@
$ossec_rootcheck_frequency = $wazuh::params_agent::ossec_rootcheck_frequency,
$ossec_rootcheck_rootkit_files = $wazuh::params_agent::ossec_rootcheck_rootkit_files,
$ossec_rootcheck_rootkit_trojans = $wazuh::params_agent::ossec_rootcheck_rootkit_trojans,
$ossec_rootcheck_system_audit = $wazuh::params_agent::default_rootcheck_system_audit,
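Review bot: the last line of this hunk breaks the naming pattern of its neighbours: `$ossec_rootcheck_rootkit_files` and `$ossec_rootcheck_rootkit_trojans` default to same-named entries in `wazuh::params_agent`, while `$ossec_rootcheck_system_audit` defaults to a differently named `default_rootcheck_system_audit`. Suggest `$ossec_rootcheck_system_audit = $wazuh::params_agent::ossec_rootcheck_system_audit,` so the parameter and its default share one name and the extra variable in params_agent can go.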
Contributor


No need to use an auxiliary variable default_rootcheck_system_audit.

Changed in 624daa7 & 057f54e.

Thanks,

Comment on lines 239 to 243
$default_rootcheck_system_audit = [
"./shared/system_audit_rcl.txt",
"./shared/system_audit_ssh.txt",
]

Contributor


No need to use an auxiliary variable default_rootcheck_system_audit.

Changed in 624daa7 & 057f54e.

Thanks,

@@ -35,6 +35,11 @@
<% if @ossec_rootcheck_rootkit_trojans-%>
<rootkit_trojans><%= @ossec_rootcheck_rootkit_trojans %></rootkit_trojans>
<%- end -%>
<%- if @ossec_rootcheck_system_audit -%>
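Review bot: `<%- if @ossec_rootcheck_system_audit -%>` on the last line of this hunk passes for an empty array, because `[]` is truthy in Ruby; the guard only excludes `nil`/undef, so setting the parameter to `[]` still enters the block. If the intent is to emit nothing when no audit files are configured, test emptiness instead, e.g. `<%- unless @ossec_rootcheck_system_audit.empty? -%>` (or `<%- if @ossec_rootcheck_system_audit && !@ossec_rootcheck_system_audit.empty? -%>` when the value may be undef). Separately, the context line `<% if @ossec_rootcheck_rootkit_trojans-%>` uses `<%` with no space before `-%>`, unlike the `<%- ... -%>` form on the surrounding lines; not part of this change, but worth aligning while the template is being touched.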
Contributor


I would check if the list is empty or not, rather than checking if it's defined.

Changed in 96e2e89

Thanks,

Contributor Author


@rshad ah! my bad, thanks for pointing it out and fixing it :)
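The two points raised in this review, the `if` guard versus an emptiness check and the relative `./shared/...` paths rootcheck could not open, in runnable form. This is an added example, not wazuh-puppet's template or code: the template text, `render_rootcheck`, `defined_guard`, `non_empty_guard` and `relative_audit_paths` are constructed for illustration, modelled on the `<rootcheck>` section shown in the puppet output earlier in the thread; the element names are Wazuh's and the sample paths are the ones from the thread.

```ruby
require 'erb'

# Constructed template modelled on the <rootcheck> section in the puppet
# output above (not wazuh-puppet's own). It emits one <system_audit>
# element per entry and nothing at all for an empty list.
ROOTCHECK_TEMPLATE = <<~'TEMPLATE'
  <rootcheck>
    <frequency><%= frequency %></frequency>
  <%- unless system_audit.empty? -%>
  <%- system_audit.each do |path| -%>
    <system_audit><%= path %></system_audit>
  <%- end -%>
  <%- end -%>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>
TEMPLATE

# Render the section. trim_mode '-' enables the <%- ... -%> whitespace
# control that Puppet ERB templates rely on, so guard/loop lines leave no
# blank lines in the generated ossec.conf.
def render_rootcheck(system_audit, frequency: 43200)
  ERB.new(ROOTCHECK_TEMPLATE, trim_mode: '-')
     .result_with_hash(system_audit: system_audit, frequency: frequency)
end

# What `<%- if @list -%>` tests: only nil/undef is excluded, because an
# empty array is truthy in Ruby.
def defined_guard(list)
  list ? true : false
end

# What the review asked for: skip the block when the list is absent or empty.
def non_empty_guard(list)
  !list.nil? && !list.empty?
end

# Entries rootcheck could not open in the reviewer's test were relative
# ("No unixaudit file: './shared/...'"). A catalogue-time check that returns
# the relative entries lets the module fail early instead of at agent start.
def relative_audit_paths(list)
  list.reject { |p| p.start_with?('/') }
end

if __FILE__ == $PROGRAM_NAME
  good = ['/var/ossec/etc/shared/system_audit_rcl.txt',
          '/var/ossec/etc/shared/system_audit_ssh.txt']
  puts render_rootcheck(good)
  puts render_rootcheck([])
  p defined_guard([])        # true: the definedness guard does not skip []
  p non_empty_guard([])      # false
  p relative_audit_paths(['./shared/system_audit_rcl.txt'])
end
```

The rendered output for the two absolute paths matches the `+` lines in the puppet diff above (apart from indentation), and an empty list yields the same `<rootcheck>` block the package default produces, which is why the `unless ... empty?` form is the one that makes `[]` behave as "not configured".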

@rshad rshad added this to the Sprint-108 milestone Mar 18, 2020
@djmgit
Copy link
Contributor Author

djmgit commented Mar 18, 2020

@rshad Hi, great work :) Thanks for fixing and improving this PR.
I was wondering why you emptied out the audit list for Linux too? It worked with absolute path right?

@rshad
Copy link
Contributor

rshad commented Mar 18, 2020

> @rshad Hi, great work :) Thanks for fixing and improving this PR.
> I was wondering why you emptied out the audit list for Linux too? It worked with absolute path right?

Hi @djmgit !

With relative paths I got the following error:

2020/03/18 17:37:01 rootcheck: ERROR: No unixaudit file: './shared/system_audit_rcl.txt'
2020/03/18 17:37:01 rootcheck: ERROR: No unixaudit file: './shared/system_audit_ssh.txt'

With absolute paths it worked, but I removed them and set the list as empty because we set our wazuh-puppet configuration to generate an exact or most-similar configuration to the one given by default when installing wazuh from a package.

Kr,

Rshad

@rshad rshad merged commit 589aa38 into wazuh:devel Mar 18, 2020