
Add new variable for revision in agent.pp to 4.3 #575

Merged
merged 1 commit into from
Sep 14, 2022

Conversation

c-bordon

closes #561

Added a new variable for revision; this prevents new `puppet agent -t` runs from failing on Windows.

Before:

(screenshot: Screenshot_20220914_081829)

After:

(screenshot: Screenshot_20220914_093644)

Ubuntu 20.04:

root@ubuntu-focal-2:~# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for ubuntu-focal-2
Info: Applying configuration version '1663159600'
Notice: /Stage[main]/Wazuh::Agent/Package[wazuh-agent]/ensure: created
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: 
--- /var/ossec/etc/ossec.conf   2022-09-14 12:46:43.623182167 +0000
+++ /tmp/puppet-file20220914-5651-dtimv5        2022-09-14 12:46:46.924832045 +0000
@@ -1,23 +1,23 @@
-<!--
-  Wazuh - Agent - Default configuration for ubuntu 20.04
-  More info at: https://documentation.wazuh.com
-  Mailing list: https://groups.google.com/forum/#!forum/wazuh
--->
-
 <ossec_config>
   <client>
-    <server>
-      <address>MANAGER_IP</address>
-      <port>1514</port>
-      <protocol>tcp</protocol>
-    </server>
-    <config-profile>ubuntu, ubuntu20, ubuntu20.04</config-profile>
+  <server>
+    <address>192.168.56.253</address>
+    <protocol>tcp</protocol>
+    <port>1514</port>
+    <max_retries>5</max_retries>
+    <retry_interval>5</retry_interval>
+  </server>
+    <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
     <notify_time>10</notify_time>
     <time-reconnect>60</time-reconnect>
-    <auto_restart>yes</auto_restart>
     <crypto_method>aes</crypto_method>
+    <auto_restart>yes</auto_restart>
   </client>
 
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
   <client_buffer>
     <!-- Agent buffer options -->
     <disabled>no</disabled>
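Review bot: the rendered `<config-profile>` is wrong for this host. The package default on the Ubuntu 20.04 box (line `-    <config-profile>ubuntu, ubuntu20, ubuntu20.04</config-profile>`) is replaced by `+    <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>`, so any manager-side shared configuration keyed on the `ubuntu20` / `ubuntu20.04` profiles will not be applied to this agent. The template should derive the profile from the OS release facts rather than carrying a fixed value. Minor style point in the same region: the new `<server>` block is indented two spaces shallower than its siblings inside `<client>`.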
@@ -25,8 +25,9 @@
     <events_per_second>500</events_per_second>
   </client_buffer>
 
-  <!-- Policy monitoring -->
-  <rootcheck>
+
+
+<rootcheck>
     <disabled>no</disabled>
     <check_files>yes</check_files>
     <check_trojans>yes</check_trojans>
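Review bot: whitespace and indentation only. Two empty `+` lines are emitted before `+<rootcheck>`, and the element itself drops to column 0 while its children keep the original four-space indent; the `<!-- Policy monitoring -->` comment is also lost. Worth tidying the template so the generated file keeps a consistent indent and no stray blank lines.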
@@ -35,171 +36,141 @@
     <check_pids>yes</check_pids>
     <check_ports>yes</check_ports>
     <check_if>yes</check_if>
-
-    <!-- Frequency that rootcheck is executed - every 12 hours -->
-    <frequency>43200</frequency>
-
-    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
-
+    <frequency>36000</frequency>
+    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
     <skip_nfs>yes</skip_nfs>
-  </rootcheck>
+</rootcheck>
 
-  <wodle name="cis-cat">
+<wodle name="open-scap">
     <disabled>yes</disabled>
     <timeout>1800</timeout>
     <interval>1d</interval>
     <scan-on-start>yes</scan-on-start>
 
+</wodle>
+<wodle name="cis-cat">    
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
     <java_path>wodles/java</java_path>
     <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
+</wodle>
+
 
-  <!-- Osquery integration -->
-  <wodle name="osquery">
+<wodle name="osquery">
     <disabled>yes</disabled>
     <run_daemon>yes</run_daemon>
+    <bin_path>/usr/bin/osqueryd</bin_path>
     <log_path>/var/log/osquery/osqueryd.results.log</log_path>
     <config_path>/etc/osquery/osquery.conf</config_path>
     <add_labels>yes</add_labels>
-  </wodle>
+</wodle>
 
-  <!-- System inventory -->
-  <wodle name="syscollector">
-    <disabled>no</disabled>
-    <interval>1h</interval>
-    <scan_on_start>yes</scan_on_start>
-    <hardware>yes</hardware>
-    <os>yes</os>
-    <network>yes</network>
-    <packages>yes</packages>
-    <ports all="no">yes</ports>
-    <processes>yes</processes>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </wodle>
+  
+<wodle name="syscollector">
+  <disabled>no</disabled>
+  <interval>1h</interval>
+  <scan_on_start>yes</scan_on_start>
+  <hardware>yes</hardware>
+  <os>yes</os>
+  <network>yes</network>
+  <packages>yes</packages>
+  <ports all="no">yes</ports>
+  <processes>yes</processes>
+</wodle>
 
-  <sca>
+<sca>
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
     <skip_nfs>yes</skip_nfs>
+  
   </sca>
+    
+  
+<syscheck>
+  <disabled>no</disabled>
+  <frequency>43200</frequency>
+  <scan_on_start>yes</scan_on_start>
+  <process_priority>10</process_priority>
+  <synchronization>
+    <enabled>yes</enabled>
+    <interval>5m</interval>
+    <max_interval>1h</max_interval>
+    <max_eps>10</max_eps>
+  </synchronization>
+
+  <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+  <directories check_all="yes" >/bin,/sbin,/boot</directories>
+  <ignore>/etc/mtab</ignore>
+  <ignore>/etc/hosts.deny</ignore>
+  <ignore>/etc/mail/statistics</ignore>
+  <ignore>/etc/random-seed</ignore>
+  <ignore>/etc/random.seed</ignore>
+  <ignore>/etc/adjtime</ignore>
+  <ignore>/etc/httpd/logs</ignore>
+  <ignore>/etc/utmpx</ignore>
+  <ignore>/etc/wtmpx</ignore>
+  <ignore>/etc/cups/certs</ignore>
+  <ignore>/etc/dumpdates</ignore>
+  <ignore>/etc/svc/volatile</ignore>
+  <ignore>/sys/kernel/security</ignore>
+  <ignore>/sys/kernel/debug</ignore>
+  <ignore>/dev/core</ignore>
+  <ignore type="sregex">^/proc</ignore>
+  <ignore type="sregex">.log$|.swp$</ignore>
+  <nodiff>/etc/ssl/private.key</nodiff>
+  <skip_nfs>yes</skip_nfs>
+</syscheck>
 
-  <!-- File integrity monitoring -->
-  <syscheck>
-    <disabled>no</disabled>
-
-    <!-- Frequency that syscheck is executed default every 12 hours -->
-    <frequency>43200</frequency>
 
-    <scan_on_start>yes</scan_on_start>
 
-    <!-- Directories to check  (perform all possible verifications) -->
-    <directories>/etc,/usr/bin,/usr/sbin</directories>
-    <directories>/bin,/sbin,/boot</directories>
-
-    <!-- Files/directories to ignore -->
-    <ignore>/etc/mtab</ignore>
-    <ignore>/etc/hosts.deny</ignore>
-    <ignore>/etc/mail/statistics</ignore>
-    <ignore>/etc/random-seed</ignore>
-    <ignore>/etc/random.seed</ignore>
-    <ignore>/etc/adjtime</ignore>
-    <ignore>/etc/httpd/logs</ignore>
-    <ignore>/etc/utmpx</ignore>
-    <ignore>/etc/wtmpx</ignore>
-    <ignore>/etc/cups/certs</ignore>
-    <ignore>/etc/dumpdates</ignore>
-    <ignore>/etc/svc/volatile</ignore>
 
-    <!-- File types to ignore -->
-    <ignore type="sregex">.log$|.swp$</ignore>
 
-    <!-- Check the file, but never compute the diff -->
-    <nodiff>/etc/ssl/private.key</nodiff>
-
-    <skip_nfs>yes</skip_nfs>
-    <skip_dev>yes</skip_dev>
-    <skip_proc>yes</skip_proc>
-    <skip_sys>yes</skip_sys>
-
-    <!-- Nice value for Syscheck process -->
-    <process_priority>10</process_priority>
-
-    <!-- Maximum output throughput -->
-    <max_eps>100</max_eps>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <enabled>yes</enabled>
-      <interval>5m</interval>
-      <max_interval>1h</max_interval>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </syscheck>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
 
-  <!-- Log analysis -->
   <localfile>
     <log_format>command</log_format>
     <command>df -P</command>
     <frequency>360</frequency>
   </localfile>
-
   <localfile>
     <log_format>full_command</log_format>
     <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
     <alias>netstat listening ports</alias>
     <frequency>360</frequency>
   </localfile>
-
   <localfile>
     <log_format>full_command</log_format>
     <command>last -n 20</command>
     <frequency>360</frequency>
   </localfile>
 
-  <!-- Active response -->
+
   <active-response>
     <disabled>no</disabled>
-    <ca_store>etc/wpk_root.pem</ca_store>
+    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
     <ca_verification>yes</ca_verification>
   </active-response>
-
-  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
-  <logging>
-    <log_format>plain</log_format>
-  </logging>
-
-</ossec_config>
-
-<ossec_config>
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/ossec/logs/active-responses.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/auth.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/syslog</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/dpkg.log</location>
-  </localfile>
-
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/kern.log</location>
-  </localfile>
-
-</ossec_config>
+</ossec_config>
\ No newline at end of file
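Review bot: the generated `<syscheck>` block drops options the package default had, and the diff does not say whether that is intended. Removed are `<skip_dev>yes</skip_dev>`, `<skip_proc>yes</skip_proc>`, `<skip_sys>yes</skip_sys>` and the top-level `<max_eps>100</max_eps>`; the new `<ignore type="sregex">^/proc</ignore>` covers `/proc`, but `/dev` and `/sys` are now only partially excluded via the individual `/dev/core`, `/sys/kernel/security` and `/sys/kernel/debug` ignores, and without `max_eps` the FIM output rate is no longer capped. If the template is meant to mirror the 4.3 defaults, keep those options (or document the deliberate divergence). The `check_all="yes"` on both `<directories>` entries and the absolute `rootkit_files` / `rootkit_trojans` / `ca_store` paths look like intended changes. Smaller points in the same hunk: the rootcheck `<frequency>` silently changes from 43200 to 36000, the `<sca>` block is followed by blank and whitespace-only lines, `+<wodle name="cis-cat">` carries trailing spaces, indentation is inconsistent across the wodle and syscheck sections, and the file now ends without a trailing newline.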

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum d93645c33d5e8fe051ce9e11fda36ec8fc3651927e7d5a5dda07a4a2f3ce6c2c
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}d93645c33d5e8fe051ce9e11fda36ec8fc3651927e7d5a5dda07a4a2f3ce6c2c' to '{sha256}65fc27efc90220e412351fdf322e4d15abda4430a48ad8a80a5a4484b7a4b5b3'
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640'
Info: Concat[agent_ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]/returns: executed successfully
Info: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Unscheduling refresh on Service[wazuh-agent]
Notice: Applied catalog in 14.53 seconds

Tested on Ubuntu 20.04 and Windows Server 2019.

@c-bordon c-bordon self-assigned this Sep 14, 2022
@c-bordon c-bordon changed the title Add new Variable for revision in agent.pp to 4.3 Add new variable for revision in agent.pp to 4.3 Sep 14, 2022

@vcerenu vcerenu left a comment


LGTM

@teddytpc1 teddytpc1 merged commit e4f2b21 into 4.3 Sep 14, 2022
@teddytpc1 teddytpc1 deleted the 561-AddRevisionVariable-to4.3 branch September 14, 2022 13:34