Add support for Wazuh 3.x

CHANGELOG

@@ -295,3 +295,6 @@ Jose Luis Ruiz <jose@wazuh.com>:
   * Adding the ability to set "type" attribute for "ignore" tag, fixed #19
   * Adding support to OracleLinux, Fixed #43
   * Add an option for the agent/manager class to manage the firewall automatically with puppetlabs/firewall
+  * Update URL repository to support Wazuh 3.x
+  * Update templates with new Wazuh 3.x terminology.
+

README.md

@@ -17,6 +17,10 @@ This module installs and configure Wazuh agent and manager.
 
 This Puppet module has been authored by Nicolas Zin, and updated by Jonathan Gazeley and Michael Porter. Wazuh has forked it with the purpose of maintaining it. Thank you to the authors for the contribution.
 
+## License and copyright
+
+Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+
 ## References
 
 * [Wazuh website](http://wazuh.com)

manifests/activeresponse.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 #Define for a specific ossec active-response
 define wazuh::activeresponse(
   $command_name,

manifests/addlog.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 #Define a log-file to add to ossec
 define wazuh::addlog(
   $logfile,

manifests/agentkey.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # utility function to fill up /var/ossec/etc/client.keys
 define wazuh::agentkey(
   $agent_id,

manifests/client.pp

@@ -1,44 +1,49 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Setup for ossec client
 class wazuh::client(
-  $ossec_active_response       = true,
-  $ossec_rootcheck             = true,
-  $ossec_rootcheck_frequency   = 36000,
-  $ossec_rootcheck_checkports  = true,
-  $ossec_rootcheck_checkfiles  = true,
-  $ossec_server_ip             = undef,
-  $ossec_server_hostname       = undef,
-  $ossec_server_port           = '1514',
-  $ossec_server_protocol       = 'udp',
-  $ossec_server_notify_time    = undef,
-  $ossec_server_time_reconnect = undef,
-  $ossec_scanpaths             = [],
-  $ossec_emailnotification     = 'yes',
-  $ossec_ignorepaths           = [],
-  $ossec_ignorepaths_regex     = [],
-  $ossec_local_files           = $::wazuh::params::default_local_files,
-  $ossec_syscheck_frequency    = 43200,
-  $ossec_prefilter             = false,
-  $ossec_service_provider      = $::wazuh::params::ossec_service_provider,
-  $ossec_config_profiles       = [],
-  $selinux                     = false,
-  $agent_name                  = $::hostname,
-  $agent_ip_address            = $::ipaddress,
-  $manage_repo                 = true,
-  $manage_epel_repo            = true,
-  $agent_package_name          = $::wazuh::params::agent_package,
-  $agent_package_version       = 'installed',
-  $agent_service_name          = $::wazuh::params::agent_service,
-  $manage_client_keys          = 'export',
-  $agent_auth_password         = undef,
-  $wazuh_manager_root_ca_pem   = undef,
-  $agent_seed                  = undef,
-  $max_clients                 = 3000,
-  $ar_repeated_offenders       = '',
-  $enable_wodle_openscap       = false,
-  $wodle_openscap_content      = $::wazuh::params::wodle_openscap_content,
-  $service_has_status          = $::wazuh::params::service_has_status,
-  $ossec_conf_template         = 'wazuh/wazuh_agent.conf.erb',
-  Boolean $manage_firewall     = $::wazuh::params::manage_firewall,
+  $ossec_active_response           = true,
+  $ossec_rootcheck                 = true,
+  $ossec_rootcheck_frequency       = 36000,
+  $ossec_rootcheck_checkports      = true,
+  $ossec_rootcheck_checkfiles      = true,
+  $ossec_server_ip                 = undef,
+  $ossec_server_hostname           = undef,
+  $wazuh_manager_address           = undef,
+  $ossec_server_port               = '1514',
+  $ossec_server_protocol           = 'udp',
+  $ossec_server_notify_time        = undef,
+  $ossec_server_time_reconnect     = undef,
+  $ossec_scanpaths                 = [],
+  $ossec_ignorepaths               = [],
+  $ossec_ignorepaths_regex         = [],
+  $ossec_local_files               = $::wazuh::params::default_local_files,
+  $ossec_syscheck_frequency        = 43200,
+  $ossec_prefilter                 = false,
+  $ossec_service_provider          = $::wazuh::params::ossec_service_provider,
+  $ossec_config_profiles           = [],
+  $selinux                         = false,
+  $agent_name                      = $::hostname,
+  $agent_ip_address                = $::ipaddress,
+  $manage_repo                     = true,
+  $manage_epel_repo                = true,
+  $agent_package_name              = $::wazuh::params::agent_package,
+  $agent_package_version           = 'installed',
+  $agent_service_name              = $::wazuh::params::agent_service,
+  $agent_auto_restart              = 'yes',
+  # client_buffer configuration
+  $client_buffer_queue_size        = 5000,
+  $client_buffer_events_per_second = 500,
+  $manage_client_keys              = 'authd',
+  $agent_auth_password             = undef,
+  $wazuh_manager_root_ca_pem       = undef,
+  $agent_seed                      = undef,
+  $max_clients                     = 3000,
+  $ar_repeated_offenders           = '',
+  $enable_wodle_openscap           = false,
+  $wodle_openscap_content          = $::wazuh::params::wodle_openscap_content,
+  $service_has_status              = $::wazuh::params::service_has_status,
+  $ossec_conf_template             = 'wazuh/wazuh_agent.conf.erb',
+  Boolean $manage_firewall         = $::wazuh::params::manage_firewall,
 ) inherits wazuh::params {
   validate_bool(
     $ossec_active_response, $ossec_rootcheck,
@@ -50,8 +55,8 @@
   validate_string($agent_package_name)
   validate_string($agent_service_name)
 
-  if ( ( $ossec_server_ip == undef ) and ( $ossec_server_hostname == undef ) ) {
-    fail('must pass either $ossec_server_ip or $ossec_server_hostname to Class[\'wazuh::client\'].')
+  if ( ( $ossec_server_ip == undef ) and ( $ossec_server_hostname == undef ) and ( $wazuh_manager_address == undef ) ) {
+    fail('must pass either $ossec_server_ip or $ossec_server_hostname or $wazuh_manager_address to Class[\'wazuh::client\'].')
   }
 
   case $::kernel {

manifests/cluster.pp

@@ -0,0 +1,21 @@
+#Define for a specific ossec cluster
+define wazuh::cluster(
+  $cl_name,
+  $cl_node_name = 'node01',
+  $cl_node_type = 'master',
+  $cl_key       = '',
+  $cl_port      = '1516',
+  $cl_bin_addr  = '0.0.0.0',
+  $cl_node      = ['NODE_IP','NODE_IP2'],
+  $cl_hidden    = 'no',
+  $cl_disabled  = 'yes',
+) { 
+
+  require wazuh::params
+
+  concat::fragment { $name:
+    target  => 'ossec.conf',
+    order   => 95,
+    content => template('wazuh/fragments/_cluster.erb')
+  }
+} 

manifests/collect_agent_keys.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Class to collect the agent keys
 class wazuh::collect_agent_keys {
   Wazuh::Agentkey<<| |>>

manifests/command.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Define an ossec command
 define wazuh::command(
   $command_name,

manifests/email_alert.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Define an email alert
 define wazuh::email_alert(
   $alert_email,

manifests/export_agent_key.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 #Export agent key
 class wazuh::export_agent_key(
   $max_clients,

manifests/init.pp

@@ -1,2 +1,3 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Blank container class
 class wazuh { }

manifests/params.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Paramas file
 class wazuh::params {
   case $::kernel {
@@ -84,7 +85,7 @@
                 }
               }
             }
-            /^(wheezy|stretch|sid|precise|trusty|vivid|wily|xenial)$/: {
+            /^(wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|bionic)$/: {
               $server_service = 'wazuh-manager'
               $server_package = 'wazuh-manager'
               $api_service = 'wazuh-api'

manifests/repo.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Repo installation
 class wazuh::repo (
   $redhat_manage_epel = true,
@@ -15,27 +16,13 @@
         server => 'pgp.mit.edu'
       }
       case $::lsbdistcodename {
-        /(precise|trusty|vivid|wily|xenial|yakketi)/: {
+        /(jessie|wheezy|stretch|sid|precise|trusty|vivid|wily|xenial|yakketi|bionic)/: {
 
           apt::source { 'wazuh':
             ensure   => present,
             comment  => 'This is the WAZUH Ubuntu repository',
-            location => 'https://packages.wazuh.com/apt',
-            release  => $::lsbdistcodename,
-            repos    => 'main',
-            include  => {
-              'src' => false,
-              'deb' => true,
-            },
-          }
-
-        }
-        /^(jessie|wheezy|stretch|sid)$/: {
-          apt::source { 'wazuh':
-            ensure   => present,
-            comment  => 'This is the WAZUH Debian repository',
-            location => 'https://packages.wazuh.com/apt',
-            release  => $::lsbdistcodename,
+            location => 'https://packages.wazuh.com/3.x/apt',
+            release  => 'stable',
             repos    => 'main',
             include  => {
               'src' => false,
@@ -47,46 +34,21 @@
       }
     }
     'Linux', 'Redhat' : {
-      if ( $::operatingsystem == 'Amazon' ) {
-        $repotype = 'Amazon Linux'
-        $baseurl  = 'https://packages.wazuh.com/yum/rhel/6Server/$basearch'
-        $gpgkey   = 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
-      }
-      else {
         case $::os[name] {
-          'CentOS': {
+          /^(CentOS|RedHat|OracleLinux|Fedora|Amazon)$/: {
             if ( $::operatingsystemrelease =~ /^5.*/ ) {
-              $repotype = 'CentOS 5'
-              $baseurl  = 'https://packages.wazuh.com/yum/el/$releasever/$basearch'
-              $gpgkey   = 'https://packages.wazuh.com/key/RPM-GPG-KEY-OSSEC-RHEL5'
+              $baseurl  = 'https://packages.wazuh.com/3.x/yum/5/'
+              $gpgkey   = 'http://packages.wazuh.com/key/GPG-KEY-WAZUH-5'
             } else {
-              $repotype = 'CentOS > 5'
-              $baseurl  = 'https://packages.wazuh.com/yum/el/$releasever/$basearch'
+              $baseurl  = 'https://packages.wazuh.com/3.x/yum/'
               $gpgkey   = 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
             }
           }
-          /^(RedHat|OracleLinux)$/: {
-            if ( $::operatingsystemrelease =~ /^5.*/ ) {
-              $repotype = 'RedHat 5'
-              $baseurl  = 'https://packages.wazuh.com/yum/rhel/$releasever/$basearch'
-              $gpgkey   = 'https://packages.wazuh.com/key/RPM-GPG-KEY-OSSEC-RHEL5'
-            } else {
-              $repotype = 'RedHat > 5'
-              $baseurl  = 'https://packages.wazuh.com/yum/rhel/$releasever/$basearch'
-              $gpgkey   = 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
-            }
-          }
-          'Fedora': {
-              $repotype = 'Fedora'
-              $baseurl  = 'https://packages.wazuh.com/yum/fc/$releasever/$basearch'
-              $gpgkey   = 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
-          }
           default: { fail('This ossec module has not been tested on your distribution.') }
         }
-      }
       # Set up OSSEC repo
       yumrepo { 'wazuh':
-        descr    => "WAZUH OSSEC Repository - www.wazuh.com # ${repotype}",
+        descr    => "WAZUH OSSEC Repository - www.wazuh.com",
         enabled  => true,
         gpgcheck => 1,
         gpgkey   => $gpgkey,

manifests/reports.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 #Define for a Reports section
 define wazuh::reports(
   Optional[String] $r_group               = undef,

manifests/server.pp

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Main ossec server config
 class wazuh::server (
   $smtp_server                         = undef,
@@ -27,13 +28,13 @@
   $api_service_provider                = $::wazuh::params::api_service_provider,
   $ossec_server_port                   = '1514',
   $ossec_server_protocol               = 'udp',
-  $ossec_authd_enabled                 = false,
+  $ossec_authd_enabled                 = true,
   $server_package_version              = 'installed',
   $api_package_version                 = 'installed',
   $api_config_params                   = $::wazuh::params::api_config_params,
   $manage_repos                        = true,
   $manage_epel_repo                    = true,
-  $manage_client_keys                  = 'export',
+  $manage_client_keys                  = 'authd',
   $install_wazuh_api                   = false,
   $wazuh_api_enable_https              = false,
   $wazuh_api_server_crt                = undef,

templates/fragments/_cluster.erb

@@ -0,0 +1,17 @@
+  <cluster>
+    <name><%= @cl_name %></name>
+    <node_name><%= @cl_node_name %></node_name>
+    <node_type><%= @cl_node_type %></node_type>
+	<% if @cl_key != '' -%>
+		<key><%= @cl_key %></key>
+	<% end -%>
+    <port><%= @cl_port %></port>
+    <bind_addr><%= @cl_bin_addr %></bind_addr>
+    <nodes>
+	<% @cl_node.each do |node| %>
+        <node><%= node %></node>
+	<% end %>
+    </nodes>
+    <hidden><%= @cl_hidden %></hidden>
+    <disabled><%= @cl_disabled %></disabled>
+  </cluster>

templates/fragments/_common.erb

@@ -64,7 +64,8 @@
 
   <localfile>
     <log_format>full_command</log_format>
-    <command>netstat -tln | grep -v 127.0.0.1 | sort</command>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
     <frequency>360</frequency>
   </localfile>
 

templates/wazuh_agent.conf.erb

@@ -1,14 +1,19 @@
   <client>
+  <server>
   <%- if @ossec_server_ip then -%>
-    <server-ip><%= @ossec_server_ip %></server-ip>
+    <address><%= @ossec_server_ip %></address>
   <%- end -%>
   <%- if @ossec_server_hostname then -%>
-    <server-hostname><%= @ossec_server_hostname %></server-hostname>
+    <address><%= @ossec_server_hostname %></address>
+  <%- end -%>
+  <%- if @wazuh_manager_address then -%>
+    <address><%= @wazuh_manager_address %></address>
   <%- end -%>
   <%- if @ossec_server_protocol then -%>
     <protocol><%= @ossec_server_protocol %></protocol>
   <%- end -%>
     <port><%= @ossec_server_port %></port>
+  </server>
   <%- if @ossec_config_profiles then -%>
     <config-profile><%= @ossec_config_profiles.join(',') %></config-profile>
   <%- end -%>
@@ -18,8 +23,16 @@
   <%- if @ossec_server_time_reconnect then -%>
     <time-reconnect><%= @ossec_server_time_reconnect %></time-reconnect>
   <%- end -%>
+    <auto_restart><%= @agent_auto_restart %></auto_restart>
   </client>
 
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size><%= @client_buffer_queue_size %></queue_size>
+    <events_per_second><%= @client_buffer_events_per_second %></events_per_second>
+  </client_buffer>
+
   <%= scope.function_template(["wazuh/fragments/_common.erb"]) -%>
 
   <%- if @enable_wodle_openscap and @wodle_openscap_content -%>