- Overview
- Module Description - What the module does and why it is useful
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Release notes
This module installs and configures OSSEC-HIDS client and server.
The server is configured by installing the ossec::server class, and using optionally
ossec::command: to define active/response command (likefirewall-drop.sh)ossec::activeresponse: to link rules to active/response commandossec:: email_alert: to receive to other email adress specific group of rules informationossec::addlog: to define additional log files to monitor
class { 'ossec::server':
mailserver_ip => 'mailserver.mycompany.com',
ossec_emailto => 'nicolas.zin@mycompany.com',
}
ossec::command { 'firewallblock':
command_name => 'firewall-drop',
command_executable => 'firewall-drop.sh',
command_expect => 'srcip'
}
ossec::activeresponse { 'blockWebattack':
command_name => 'firewall-drop',
ar_level => 9,
ar_rules_id => [31153,31151]
}
ossec::addlog { 'monitorLogFile':
logfile => '/var/log/secure',
logtype => 'syslog'
}class { "ossec::client":
ossec_server_ip => "10.10.130.66"
}$mailserver_ipsmtp mail server,$ossec_emailfrom(default:ossec@${domain}) email origin sent by ossec,$ossec_emailtowho will receive it,$ossec_active_response(default:true) if active response should be configure on the server (beware to configure it on clients also),$ossec_global_host_information_level(default: 8) Alerting level for the events generated by the host change monitor (from 0 to 16)$ossec_global_stat_level(default: 8) Alerting level for the events generated by the statistical analysis (from 0 to 16)$ossec_email_alert_level(default: 7) It correspond to a threshold (from 0 to 156 to sort alert send by email. Some alerts circumvent this threshold (when they have alert_email option),$ossec_emailnotification(default: yes) Whether to send email notifications
$alert_emailemail to send to$alert_group(default:false) array of name of rules group
Caution: no email will be send below the global $ossec_email_alert_level
About active-response mechanism, check the documentation (and extends the function maybe :-) ): http://www.ossec.net/main/manual/manual-active-responses
$command_namehuman readable name forossec::activeresponseusage$command_executablename of the executable. Ossec comes preloaded withdisable-account.sh,host-deny.sh,ipfw.sh,pf.sh,route-null.sh,firewall-drop.sh,ipfw_mac.sh,ossec-tweeter.sh,restart-ossec.sh$command_expect(default:srcip)$timeout_allowed(default:true)
$command_name,$ar_location(default:local) it can be "local","server","defined-agent","all"$ar_level(default: 7) between 0 and 16$ar_rules_id(default:[]) list of rules id$ar_timeout(default: 300) usually active reponse blocks for a certain amount of time.
$log_name,$logfile/path/to/log/file$logtype(default: syslog) The ossec log_format of the file. Valid values can be found in the documentation.
$ossec_server_ipIP of the server$ossec_active_response(default: true) allows active response on this host$ossec_emailnotification(default: yes) Whether to send email notifications$selinux(default: false) Whether to install an SELinux policy to allow rotation of OSSEC logs
On RedHat-like systems, this module depends on the Atomic repo
to provide the OSSEC packages, and on the EPEL repo to provide
a dependency, inotify-tools.
On Debian-like systems, this module depends on the Alienvault repo to provide the OSSEC packages.
Enabling SELinux support requires jfryman/selinux
This module was forked from djjudas21/puppet-ossec which was itself
forked from nzin/puppet-ossec. The purpose of this fork was to separate
Debian and Red Hat log specifics and to make the rootcheck optional.
Author Nicolas Zin Enhanced by Jonathan Gazeley Maintained by Thomas Hays