This module has been authored by Nicolas Zin and updated by Jonathan Gazeley and Michael Porter. Wazuh has forked it with the purpose of maintaining it. Thank you to the authors for the contribution.
Download and install the Wazuh module from Puppet Forge:
# puppet module install wazuh-wazuh --version |WAZUH_LATEST_PUPPET|Notice: Preparing to install into /etc/puppet/modules ... Notice: Downloading from https://forgeapi.puppetlabs.com ... Notice: Installing -- do not interrupt ... /etc/puppet/modules └─┬ wazuh-wazuh (v|WAZUH_LATEST_PUPPET|) ├── puppet-nodejs (v7.0.1) ├── puppet-selinux (v3.2.0) ├── puppetlabs-apt (v7.7.0) ├── puppetlabs-concat (v6.3.0) ├── puppetlabs-firewall (v2.7.0) ├── puppetlabs-powershell (v2.3.0) └── puppetlabs-stdlib (v6.5.0)
This module installs and configures Wazuh agent and manager.
The manager is configured by installing the wazuh::manager class, and optionally using:
wazuh::command: to define active response command (likefirewall-drop.sh).wazuh::activeresponse: to link rules to active response commands.wazuh::addlog: to define additional log files to monitor.
Warning
On Debian-based operating systems, we will have to add the following section to the /etc/puppetlabs/code/environments/production/modules/wazuh/manifests/repo.pp file for proper execution:
server => 'pgp.mit.edu'. Line 9 to 12, do not forget the , after source entry.
apt::key { 'wazuh':
id => '0DCFCA5547B19D2A6099506096B3EE5F29111145',
source => 'https://packages.wazuh.com/key/GPG-KEY-WAZUH',
server => 'pgp.mit.edu'
}Here is an example of a manifest wazuh-manager.pp
node "server.yourhost.com" { class { 'wazuh::manager': ossec_smtp_server => 'localhost', ossec_emailto => ['user@mycompany.com'], } wazuh::command { 'firewallblock': command_name => 'firewall-drop', command_executable => 'firewall-drop.sh', command_expect => 'srcip' } wazuh::activeresponse { 'blockWebattack': command_name => 'firewall-drop', ar_level => 9, ar_agent_id => 123, ar_rules_id => [31153,31151], ar_repeated_offenders => '30,60,120' } wazuh::addlog { 'monitorLogFile': logfile => '/var/log/secure', logtype => 'syslog' } }
Place the file at /etc/puppetlabs/code/environments/production/manifests/ in your Puppet master and it will be executed in the specified node after the runinterval time set in puppet.conf. However, if you want to run it first, try the following command in the Puppet agent.
# puppet agent -t
The agent is configured by installing the wazuh::agent class.
Here is an example of a manifest wazuh-agent.pp (please replace with your IP address)
node "client.yourhost.com" { class { "wazuh::agent": wazuh_register_endpoint => "192.168.209.166", wazuh_reporting_endpoint => "192.168.209.167" } }
Place the file at /etc/puppetlabs/code/environments/production/manifests/ in your Puppet master and it will be executed in the specified node after the runinterval time set in puppet.conf. However, if you want to run it first, try the following command in the Puppet agent.
# puppet agent -t
| Sections | Variables | Functions |
|---|---|---|
Wazuh manager class <reference_wazuh_manager_class> |
|
|
Wazuh agent class <reference_wazuh_agent_class> |
|
addlog <ref_agent_addlog> |
Contents
reference-wazuh-puppet/wazuh-agent-class reference-wazuh-puppet/wazuh-manager-class