Chaordix/puppet-ossec

ossec

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module
  7. Release notes

Overview

This module installs and configures OSSEC-HIDS client and server.

Module Description

The server is configured by declaring the ossec::server class, optionally together with:

  • ossec::command : to define an active-response command (such as firewall-drop.sh)
  • ossec::activeresponse : to link rules to an active-response command
  • ossec::email_alert : to send the alerts of a specific group of rules to another email address
  • ossec::addlog : to define additional log files to monitor

Usage

SERVER

class { 'ossec::server':
  mailserver_ip => 'mailserver.mycompany.com',
  ossec_emailto => 'nicolas.zin@mycompany.com',
}

ossec::command { 'firewallblock':
  command_name       => 'firewall-drop',
  command_executable => 'firewall-drop.sh',
  command_expect     => 'srcip'
}

ossec::activeresponse { 'blockWebattack':
  command_name => 'firewall-drop',
  ar_level     => 9,
  ar_rules_id  => [31153,31151]
}

ossec::addlog { 'monitorLogFile':
  logfile => '/var/log/secure',
  logtype => 'syslog'
}

CLIENT

class { 'ossec::client':
  ossec_server_ip => '10.10.130.66'
}

Reference

SERVER

class ossec::server

  • $mailserver_ip SMTP mail server
  • $ossec_emailfrom (default: ossec@${domain}) sender address of the emails sent by OSSEC
  • $ossec_emailto recipient address of the emails sent by OSSEC
  • $ossec_active_response (default: true) whether active response should be configured on the server (be sure to configure it on the clients as well)
  • $ossec_global_host_information_level (default: 8) Alerting level for the events generated by the host change monitor (from 0 to 16)
  • $ossec_global_stat_level (default: 8) Alerting level for the events generated by the statistical analysis (from 0 to 16)
  • $ossec_email_alert_level (default: 7) Threshold (from 0 to 16) above which alerts are sent by email. Some alerts bypass this threshold (those with the alert_email option)
  • $ossec_emailnotification (default: yes) Whether to send email notifications
  • $ossec_white_list Specify an array of IP addresses to be whitelisted by OSSEC
  • $ossec_scanpaths Specify a hash of paths to scan, with realtime and report_changes (see below for configuration)
  • $ossec_package_status (default: installed) Package status. See https://docs.puppetlabs.com/references/latest/type.html#package-attribute-ensure

function ossec::email_alert

  • $alert_email email address to send to
  • $alert_group (default: false) array of rule group names

Caution: no email will be sent for alerts below the global $ossec_email_alert_level.

For the active-response mechanism, see the documentation (and feel free to extend the function): http://www.ossec.net/main/manual/manual-active-responses

function ossec::command

  • $command_name human-readable name, referenced by ossec::activeresponse
  • $command_executable name of the executable. OSSEC ships with disable-account.sh, host-deny.sh, ipfw.sh, pf.sh, route-null.sh, firewall-drop.sh, ipfw_mac.sh, ossec-tweeter.sh, restart-ossec.sh
  • $command_expect (default: srcip)
  • $timeout_allowed (default: true)

function ossec::activeresponse

  • $command_name name of an ossec::command
  • $ar_location (default: local) one of "local", "server", "defined-agent", "all"
  • $ar_level (default: 7) between 0 and 16
  • $ar_rules_id (default: []) list of rule ids
  • $ar_timeout (default: 300) an active response usually blocks for a certain amount of time; this is that duration
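
As an added illustration, not the module's own template, the Ruby below renders the <command> and <active-response> fragments that OSSEC expects in ossec.conf from the ossec::command and ossec::activeresponse parameters listed above, using the values from the Usage section. The element names are OSSEC's documented ones; the range and location checks are assumptions about what a careful wrapper should refuse.

```ruby
require 'cgi'

# Valid ar_location values as listed in the reference above.
AR_LOCATIONS = %w[local server defined-agent all].freeze

def xml_escape(value)
  CGI.escapeHTML(value.to_s)
end

# <command> block built from the ossec::command parameters.
def ossec_command_block(command_name:, command_executable:,
                        command_expect: 'srcip', timeout_allowed: true)
  [
    '<command>',
    "  <name>#{xml_escape(command_name)}</name>",
    "  <executable>#{xml_escape(command_executable)}</executable>",
    "  <expect>#{xml_escape(command_expect)}</expect>",
    "  <timeout_allowed>#{timeout_allowed ? 'yes' : 'no'}</timeout_allowed>",
    '</command>'
  ].join("\n") + "\n"
end

# <active-response> block built from the ossec::activeresponse parameters,
# with the level range and location enum checks the reference spells out.
def ossec_activeresponse_block(command_name:, ar_location: 'local', ar_level: 7,
                               ar_rules_id: [], ar_timeout: 300)
  unless AR_LOCATIONS.include?(ar_location)
    raise ArgumentError, "ar_location must be one of: #{AR_LOCATIONS.join(', ')}"
  end
  level = Integer(ar_level)
  raise ArgumentError, 'ar_level must be between 0 and 16' unless (0..16).cover?(level)
  rules = Array(ar_rules_id).map { |id| Integer(id) }
  lines = [
    '<active-response>',
    "  <command>#{xml_escape(command_name)}</command>",
    "  <location>#{xml_escape(ar_location)}</location>",
    "  <level>#{level}</level>"
  ]
  # OSSEC reads rules_id as a comma-separated list; omit it when no rules are given.
  lines << "  <rules_id>#{rules.join(',')}</rules_id>" unless rules.empty?
  lines << "  <timeout>#{Integer(ar_timeout)}</timeout>"
  lines << '</active-response>'
  lines.join("\n") + "\n"
end

# The two declarations from the Usage section, rendered.
if $PROGRAM_NAME == __FILE__
  puts ossec_command_block(command_name: 'firewall-drop',
                           command_executable: 'firewall-drop.sh')
  puts ossec_activeresponse_block(command_name: 'firewall-drop',
                                  ar_level: 9, ar_rules_id: [31153, 31151])
end
```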

function ossec::addlog

  • $log_name,
  • $logfile /path/to/log/file
  • $logtype (default: syslog) The ossec log_format of the file. Valid values can be found in the documentation.

CLIENT

  • $ossec_server_ip IP of the server
  • $ossec_active_response (default: true) allows active response on this host
  • $ossec_emailnotification (default: yes) Whether to send email notifications
  • $ossec_scanpaths Specify a hash of paths to scan, with realtime and report_changes (see below for configuration)
  • $ossec_ip_fact (default: ::ipaddress) allows overriding the fact used to find the client's IP address. This is useful when a client has multiple IP addresses and ::ipaddress returns the wrong one for the connection to the OSSEC server
  • $ossec_package_status (default: installed) Package status. See https://docs.puppetlabs.com/references/latest/type.html#package-attribute-ensure
  • $selinux (default: false) Whether to install an SELinux policy to allow rotation of OSSEC logs

ossec_scanpaths configuration

Leaving this unconfigured results in OSSEC using the module defaults. By default, it monitors /etc, /usr/bin, /usr/sbin, /bin and /sbin, with real-time monitoring disabled and report_changes enabled.

To overwrite the defaults or add new paths to scan, override the defaults in hiera.

To tell OSSEC to enable real-time monitoring of the default paths:

ossec::client::ossec_scanpaths:
  - path: /etc
    report_changes: 'yes'
    realtime: 'yes'
  - path: /usr/bin
    report_changes: 'yes'
    realtime: 'yes'
  - path: /usr/sbin
    report_changes: 'yes'
    realtime: 'yes'
  - path: /bin
    report_changes: 'yes'
    realtime: 'yes'
  - path: /sbin
    report_changes: 'yes'
    realtime: 'yes'
ossec::server::ossec_scanpaths:
  - path: /etc
    report_changes: 'yes'
    realtime: 'yes'
  - path: /usr/bin
    report_changes: 'yes'
    realtime: 'yes'
  - path: /usr/sbin
    report_changes: 'yes'
    realtime: 'yes'
  - path: /bin
    report_changes: 'yes'
    realtime: 'yes'
  - path: /sbin
    report_changes: 'yes'
    realtime: 'yes'

Note: Configuring the ossec_scanpaths variable overwrites the defaults, i.e. if you want to add a new directory to monitor, you must also list the default paths above, otherwise they will no longer be monitored.

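An added check, not part of the module, that reads a hiera override like the one above and reports what it changes relative to the module defaults named in the note: default paths silently dropped, paths added, and entries left without realtime or report_changes. The sample hiera data is constructed; the default path list is the one the text gives.

```ruby
require 'yaml'

# Paths the module monitors when ossec_scanpaths is left unset (from the text above).
MODULE_DEFAULT_PATHS = %w[/etc /usr/bin /usr/sbin /bin /sbin].freeze

# Constructed sample override: adds /var/www, forgets /sbin, leaves /bin without realtime.
SAMPLE_HIERA = <<~YAML
  ossec::client::ossec_scanpaths:
    - path: /etc
      report_changes: 'yes'
      realtime: 'yes'
    - path: /usr/bin
      report_changes: 'yes'
      realtime: 'yes'
    - path: /usr/sbin
      report_changes: 'yes'
      realtime: 'yes'
    - path: /bin
      report_changes: 'yes'
      realtime: 'no'
    - path: /var/www
      report_changes: 'yes'
      realtime: 'yes'
YAML

# A quoted 'yes' stays a string, but an unquoted yes becomes true in YAML 1.1; accept both.
def enabled?(value)
  value == true || value.to_s.casecmp('yes').zero?
end

# For every *::ossec_scanpaths key, compare the override with the module defaults.
def check_scanpaths(yaml_text)
  YAML.safe_load(yaml_text).each_with_object({}) do |(key, entries), findings|
    next unless key.end_with?('::ossec_scanpaths')
    entries = Array(entries)
    paths = entries.map { |e| e['path'] }
    findings[key] = {
      'dropped_defaults'  => MODULE_DEFAULT_PATHS - paths,
      'added_paths'       => paths - MODULE_DEFAULT_PATHS,
      'not_realtime'      => entries.reject { |e| enabled?(e['realtime']) }.map { |e| e['path'] },
      'no_report_changes' => entries.reject { |e| enabled?(e['report_changes']) }.map { |e| e['path'] }
    }
  end
end

puts check_scanpaths(SAMPLE_HIERA).inspect if $PROGRAM_NAME == __FILE__
```
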
Limitations

On RedHat-like systems, this module depends on the Atomic repo to provide the OSSEC packages, and on the EPEL repo to provide a dependency, inotify-tools.

On Debian-like systems, this module depends on the Alienvault repo to provide the OSSEC packages.

Development

This module was forked from nzin/puppet-ossec so I could package it for Puppet Forge. The original author is not willing to maintain the code so please contribute to this fork.

Release Notes

Author Nicolas Zin Maintained by Jonathan Gazeley
