puppet-ossec

= Requirements

- OS: ubuntu/debian, redhat/centos


= Overview

This module installs and configures an OSSEC client or server.
It requires the concat module (https://github.com/ripienaar/puppet-concat).

The server is configured by declaring the ossec::server class, optionally together with:
- ossec::command        : to define an active-response command (like firewall-drop.sh)
- ossec::activeresponse : to link rules to an active-response command
- ossec::email_alert    : to send the alerts of specific rule groups to another email address


Note: there is a "light" version, where agents are replaced by an rsyslog configuration, but it is harder to put in place and gathers less information, so it should be avoided.

== Parameters

SERVER

class ossec::server
- $mailserver_ip : SMTP mail server,
- $ossec_emailfrom (default: "ossec@${domain}") : sender address of the emails sent by OSSEC,
- $ossec_emailto : recipient of the alert emails,
- $ossec_active_response (default: true) : whether active response is configured on the server (remember to configure it on the clients as well),
- $ossec_global_host_information_level (default: 8) : alert level for the events generated by the host change monitor (0 to 16),
- $ossec_global_stat_level (default: 8) : alert level for the events generated by the statistical analysis (0 to 16),
- $ossec_email_alert_level (default: 7) : threshold (0 to 16) from which alerts are sent by email. Some alerts bypass this threshold (those whose rule carries the alert_by_email option),



function ossec::email_alert
- $alert_email : address the alerts are sent to
- $alert_group (default: false) : array of rule group names

Caution: no email is sent for alerts below the global $ossec_email_alert_level


For the active-response mechanism, check the documentation (and maybe extend the function): http://www.ossec.net/main/manual/manual-active-responses. Keep in mind that a blocking response such as firewall-drop.sh acts on the source IP reported in the alert, which an attacker can influence, so put your own management hosts on OSSEC's white_list before enabling one.

function ossec::command
- $command_name        : human-readable name, referenced by ossec::activeresponse
- $command_executable  : name of the executable. OSSEC comes preloaded with 'disable-account.sh', 'host-deny.sh', 'ipfw.sh', 'pf.sh', 'route-null.sh', 'firewall-drop.sh', 'ipfw_mac.sh', 'ossec-tweeter.sh', 'restart-ossec.sh'
- $command_expect      (default: "srcip") : alert field the executable expects as argument (e.g. srcip, user)
- $timeout_allowed     (default: true)    : whether the command supports a timeout, i.e. whether its action can be undone after $ar_timeout

function ossec::activeresponse
- $command_name                  : name of the ossec::command to run
- $ar_location (default: "local"): where the command runs: "local", "server", "defined-agent" or "all"
- $ar_level    (default: 7)      : minimum alert level that triggers the response (0 to 16)
- $ar_rules_id (default: [])     : list of rule ids that trigger the response
- $ar_timeout  (default: 300)    : active responses usually block for a limited time; number of seconds after which the action is undone



CLIENT

class ossec::client
- $ossec_server_ip : IP of the server
- $ossec_active_response (default: true) : allow active response on this host
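To see what these parameters become on the server, here is an added example in Python (not code from the puppet-ossec module) that renders the corresponding ossec.conf fragments and validates the documented ranges before anything is deployed. The keyword names mirror the Puppet parameters above and the element names are OSSEC's own; the comma-joined <group> list, the "ossec@example.com" stand-in for the "ossec@${domain}" default and the sample values in main() are assumptions constructed for the example.

```python
"""Added example, not part of puppet-ossec: render the ossec.conf fragments
the README's parameters map onto, validating the documented ranges first."""
import xml.etree.ElementTree as ET

AR_LOCATIONS = ("local", "server", "defined-agent", "all")

def _level(value, name):
    """OSSEC alert levels run from 0 to 16; reject anything else early."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 16:
        raise ValueError(f"{name} must be an integer from 0 to 16, got {value!r}")
    return value

def _sub(parent, tag, text):
    el = ET.SubElement(parent, tag)
    el.text = str(text)
    return el

def to_xml(el):
    return ET.tostring(el, encoding="unicode")

def render_server(mailserver_ip, ossec_emailto, ossec_emailfrom="ossec@example.com",
                  ossec_active_response=True, ossec_global_host_information_level=8,
                  ossec_global_stat_level=8, ossec_email_alert_level=7):
    """<global> and <alerts> for class ossec::server (README defaults;
    "ossec@example.com" is an assumed stand-in for "ossec@${domain}")."""
    root = ET.Element("ossec_config")
    g = ET.SubElement(root, "global")
    _sub(g, "email_notification", "yes")
    _sub(g, "email_to", ossec_emailto)
    _sub(g, "smtp_server", mailserver_ip)
    _sub(g, "email_from", ossec_emailfrom)
    _sub(g, "stats", _level(ossec_global_stat_level, "ossec_global_stat_level"))
    _sub(g, "host_information", _level(ossec_global_host_information_level,
                                       "ossec_global_host_information_level"))
    alerts = ET.SubElement(root, "alerts")
    _sub(alerts, "email_alert_level",
         _level(ossec_email_alert_level, "ossec_email_alert_level"))
    if not ossec_active_response:
        # OSSEC's switch for turning every active response off on this host
        _sub(ET.SubElement(root, "active-response"), "disabled", "yes")
    return root

def render_email_alert(alert_email, alert_group=False):
    """<email_alerts> for ossec::email_alert.  Several groups are joined into
    one comma-separated <group> element (assumed format).  As the README warns,
    alerts below the global email_alert_level are never mailed at all."""
    e = ET.Element("email_alerts")
    _sub(e, "email_to", alert_email)
    if alert_group:
        _sub(e, "group", ",".join(alert_group))
    return e

def render_command(command_name, command_executable, command_expect="srcip",
                   timeout_allowed=True):
    """<command> for ossec::command.  OSSEC looks the executable up in its own
    active-response/bin directory, so only a bare file name makes sense."""
    if "/" in command_executable:
        raise ValueError(f"command_executable must be a file name: {command_executable!r}")
    c = ET.Element("command")
    _sub(c, "name", command_name)
    _sub(c, "executable", command_executable)
    _sub(c, "expect", command_expect)
    _sub(c, "timeout_allowed", "yes" if timeout_allowed else "no")
    return c

def render_activeresponse(command_name, ar_location="local", ar_level=7,
                          ar_rules_id=(), ar_timeout=300):
    """<active-response> for ossec::activeresponse."""
    if ar_location not in AR_LOCATIONS:
        raise ValueError(f"ar_location must be one of {AR_LOCATIONS}, got {ar_location!r}")
    ar = ET.Element("active-response")
    _sub(ar, "command", command_name)
    _sub(ar, "location", ar_location)
    _sub(ar, "level", _level(ar_level, "ar_level"))
    if ar_rules_id:
        _sub(ar, "rules_id", ",".join(str(r) for r in ar_rules_id))
    _sub(ar, "timeout", int(ar_timeout))
    return ar

def build_config(server, commands=(), responses=(), email_alerts=()):
    """Assemble a server config.  A response whose command_name was never
    declared with ossec::command is the usual mistake, so refuse it here."""
    declared = {c["command_name"] for c in commands}
    for r in responses:
        if r["command_name"] not in declared:
            raise ValueError(f"activeresponse uses undeclared command {r['command_name']!r}")
    root = render_server(**server)
    for e in email_alerts:
        root.append(render_email_alert(**e))
    for c in commands:
        root.append(render_command(**c))
    for r in responses:
        root.append(render_activeresponse(**r))
    return to_xml(root)

if __name__ == "__main__":
    # Constructed sample mirroring the README's usage section
    print(build_config(
        {"mailserver_ip": "mailserver.mycompany.com", "ossec_emailto": "soc@example.com"},
        commands=[{"command_name": "firewall-drop", "command_executable": "firewall-drop.sh"}],
        responses=[{"command_name": "firewall-drop", "ar_level": 9, "ar_rules_id": [31153, 31151]}],
        email_alerts=[{"alert_email": "fim@example.com", "alert_group": ["syscheck"]}]))
```

Running the file prints the fragments the usage section below would produce; the same functions can be pointed at a Hiera-exported parameter set to catch an out-of-range level or a response bound to a command nobody declared before the catalog is applied.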

= Usage

SERVER

  node "mynode" inherits ... {
    class { 'ossec::server':
      mailserver_ip => "mailserver.mycompany.com",
      ossec_emailto => "[email protected]",
    }
    ossec::command { 'firewallblock':
      command_name       => 'firewall-drop',
      command_executable => 'firewall-drop.sh',
      command_expect     => 'srcip',
    }
    ossec::activeresponse { 'blockWebattack':
      command_name => 'firewall-drop',
      ar_level     => 9,
      ar_rules_id  => [31153, 31151],
    }
  }

CLIENT

  node "aclientnode" inherits ... {
    class { 'ossec::client':
      ossec_server_ip => "10.10.130.66",
    }
  }


= License

 Copyright (C) 2011 Savoir-faire Linux
 Author Nicolas Zin <[email protected]>
 Licence: GPL v2
