indiana-university / puppet-aide

This puppet module manages the installation and configuration of AIDE (Advance Intrusion Detection Environment)

License: BSD 3-Clause "New" or "Revised" License

Ruby 53.19% Puppet 41.22% HTML 4.46% Shell 0.33% Dockerfile 0.80%
aide intrusion-detection security puppet puppet-module file-integrity auditing audit ids cis-benchmarks

puppet-aide's Introduction

puppet-aide (AIDE - Advanced Intrusion Detection Environment).

Table of Contents

  1. Description
  2. Setup - The basics of getting started with aide
  3. Examples
  4. Cron Entry
  5. Reference - What the module is doing and how
  6. Assigning parameters using Hiera
  7. Limitations
  8. Contributing to the development of this module
  9. Credits

Description

This is a module for managing the installation, configuration and initial database creation of the AIDE (Advanced Intrusion Detection Environment) package.

AIDE creates a database of files and their attributes from the rules that it finds in its configuration file. Once this database is initialized, it can be used to verify the integrity of the files contained within it. If the file attributes change according to the rules supplied, a summary of changes is logged and can be acted upon.

Refer to the AIDE manual for further details about configuration options.

This module will also add a cron job to periodically run the aide --check command to verify the integrity of the AIDE database. Results will be logged to the log file (defaults to /var/log/aide/aide.log) and to the AUTH log facility.

Setup Requirements

This module requires some additional modules, but it is highly likely that they are already installed on your puppet server. They are as follows:

  • puppetlabs/concat 9.0 - 10.0
  • puppetlabs/stdlib 9.0 - 10.0
  • puppet/cron 1.0 - 5.0

Examples

Include the aide class and set the cron run time to 6am on the 3rd of the month. To mail the results to a user other than root, also set the mailto parameter.

class { 'aide':
  minute => 0,
  hour   => 6,
  day    => 3,
}

Include the aide class and exclude the --config /etc/aide.conf argument.

This is useful if you are using a 3rd-party security/scanning tool that fails to verify you're running AIDE via a CRON job due to a bad regex on the vendor side.

class { 'aide':
  minute                 => 0,
  hour                   => 17,
  day                    => 22,
  exclude_config_argment => true, 
}

This results in the cron job:

0 17 22 * *  root  nice ionice -c3 /usr/sbin/aide --check

instead of:

0 17 22 * *  root  nice ionice -c3 /usr/sbin/aide --config /etc/aide.conf --check

Watch permissions of all files on filesystem

The simplest use of iu/aide is to place a watch on the root directory, as follows.

aide::watch { 'example':
  path  => '/',
  rules => 'p'
}

This example adds the line / p, which watches the permissions of every file on the operating system. Obviously, such a broad watch is simplistic and not useful on its own.

Note that the path parameter is optional with the default being the watch name, e.g.

aide::watch { '/etc':
  rules => 'p'
}

Watch permissions and md5sums of all files in /etc

aide::watch { 'watch etc':
  path  => '/etc',
  rules => 'p+md5'
}

This example adds the line /etc p+md5 which watches /etc with both permissions and md5sums. This could also be implemented as follows.

aide::watch { '/etc':
  rules => ['p', 'md5']
}

Create a common rule for watching multiple directories

Sometimes you wish to use the same rule to watch multiple directories. In keeping with the Don't Repeat Yourself (DRY) principle, we should give the rule a common name. This can be done via the aide::rule stanza.

aide::rule { 'MyRule':
  name  => 'MyRule',
  rules => ['p', 'md5']
}
aide::watch { '/etc':
  rules => 'MyRule'
}
aide::watch { 'otherApp':
  path  => '/path/to/other/config/dir',
  rules => 'MyRule'
}

Here we are defining a rule called MyRule which will add the line MyRule = p+md5. The next two stanzas can reference that rule. They will show up as /etc MyRule and /path/to/other/config/dir MyRule.

Create a rule to exclude directories

aide::watch { 'Exclude /var/log':
  path => '/var/log',
  type => 'exclude'
}

This will ignore all files under /var/log. It adds the line !/var/log to the config file.

Create a rule to watch only specific files

aide::watch { '/var/log/messages':
  type => 'equals',
  rules => 'MyRule'
}

This will watch only the file /var/log/messages. It will ignore /var/log/messages/thingie. It adds the line =/var/log/messages MyRule to the config file.
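Putting the stanzas above together, here is an added example manifest (not from the module's own documentation) that applies one named rule to several system directories, excludes a volatile log subtree and pins a single log file; the directory choices, the schedule, the mail address and the AIDE attribute letters beyond p and md5 are my own assumptions about a typical baseline. The comments give the aide.conf lines each stanza produces according to the descriptions above.

```puppet
# Added example: a baseline AIDE policy built from the documented stanzas.
# Paths, schedule, address and attribute set are assumptions, not module defaults.
class { 'aide':
  minute => 30,
  hour   => 2,
  mailto => 'security-team@example.com',  # placeholder; results go here instead of root's mailbox
}

# One named rule reused by several watches. Generates:
#   Baseline = p+i+n+u+g+s+b+m+c+sha256
aide::rule { 'Baseline':
  name  => 'Baseline',
  rules => ['p', 'i', 'n', 'u', 'g', 's', 'b', 'm', 'c', 'sha256'],
}

# Watch system binaries and configuration with the shared rule.
# The title doubles as the path, so this generates:
#   /etc Baseline, /bin Baseline, /sbin Baseline, /usr/bin Baseline, /usr/sbin Baseline
['/etc', '/bin', '/sbin', '/usr/bin', '/usr/sbin'].each |String $dir| {
  aide::watch { $dir:
    rules => 'Baseline',
  }
}

# The journal churns constantly; exclude that subtree. Generates:
#   !/var/log/journal
aide::watch { 'Exclude journal':
  path => '/var/log/journal',
  type => 'exclude',
}

# Pin exactly one log file without descending into anything below it. Generates:
#   =/var/log/messages Baseline
aide::watch { '/var/log/messages':
  type  => 'equals',
  rules => 'Baseline',
}
```

After the first run the module initialises the database, and the 02:30 cron job mails any attribute or checksum change in these paths to the configured address.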

Cron

A cron job is created during installation to run aide checks; the minute, hour, day, month and weekday parameters specify the run time.

This cron job can be disabled by setting the aide::nocheck parameter.

Reference

The following parameters are accepted by the ::aide class:

Installation Options

package

Data type: String.

AIDE package name.

Default value: aide.

version

Data type: String.

AIDE version for installation passed to Package::ensure

Default value: latest.

Configuration Options

conf_path

Data type: String.

Location of AIDE configuration file

Default value: /etc/aide.conf.

db_path

Data type: String.

Location of AIDE database file

Default value: /var/lib/aide/aide.db.

db_temp_path

Data type: String.

Location of the updated AIDE database file.

Default value: /var/lib/aide/aide.db.new.

gzip_dbout

Data type: Boolean.

Gzip the AIDE database file (may affect performance)

Default value: false.

aide_path

Data type: String.

Location of aide binary.

Default value: /usr/sbin/aide.

mail_path

Data type: String.

Location of mail binary.

Default value: /usr/bin/mail.

config_template

Data type: String.

Template to use for aide configuration.

Default value: aide/aide.conf.erb.

report_ignore_e2fsattrs

Data type: String.

List (no delimiter) of ext2 file attributes which are to be ignored in the final report.

Default value: undef.

Logging Options

aide_log

Data type: String.

AIDE check output log.

Default value: /var/log/aide/aide.log.

syslogout

Data type: Boolean.

Enables logging to the system logging service AUTH facility and /var/log/messages.

Default value: true.

Cron scheduling Options

minute

Data type: Cron::Minute (Integer).

Minute of cron job to run

Default value: 0.

hour

Data type: Cron::Hour (Integer).

Hour of cron job to run

Default value: 0.

date

Data type: Cron::Date (Integer).

Date of cron job to run

Default value: *.

month

Data type: Cron::Month (Integer).

Month of cron job to run

Default value: *.

weekday

Data type: Cron::Weekday (Integer).

Day of week of cron job to run

Default value: *.

nocheck

Data type: Boolean.

Whether to enable or disable scheduled checks

Default value: true.

mailto

Data type: String.

Set this value to send the results of aide --check from cron by email.

Default value: undef.

mail_only_on_changes

Data type: Boolean.

Whether to only send emails when changes are detected.

Default value: false.

max_mail_lines

Data type: Optional[Integer[1]].

If set to a positive integer, mail messages are truncated to the given number of lines. This can be used to prevent overly large mail bodies for large changesets (which may be triggered by OS updates and then be rejected by the mail server).

Default value: undef.

init_timeout

Data type: Integer.

Timeout of "aide --init" run.

Default value: 300.

cat_path

Data type: String.

The cat command path. This depends on the operating system.

Default value: /usr/bin/cat.

rm_path

Data type: String.

The rm command path. This depends on the operating system.

Default value: /usr/bin/rm.

head_path

Data type: String.

The head command path. This depends on the operating system.

Default value: /usr/bin/head.

Hiera

Values can be set using hiera, for example:

aide::syslogout: false
aide::hour: 1

Tasks

The aide module has a task that allows a user to manually initialize aide and copy the database. This is particularly useful when changes are detected on more than one server. The commands the task executes are shown below and have been tested on Ubuntu.

aideinit
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Limitations

This module currently supports RedHat, CentOS, Debian and Ubuntu Linux, but it has been fully tested only on Ubuntu 18.04 and Ubuntu 20.04.

Contributing

Pull requests for new functionality or bug fixes are welcome but all code must meet the following requirements:

Credits

This module was adopted based on the initial refactoring work of Warren Powell and Matt Lauber, which uses parameter-based classes rather than includes and also adds features for:

  • enabling gzip for database
  • allow for overrides of aide.conf and cron.d templates
  • aide logging options

puppet-aide's Issues

The file templates/aide.conf.erb has CR at end of lines, which breaks aide

Both 'puppet module install' and r10k result in a template with CR LF at end of lines, but downloading the tarball from forge.puppet.com or a git clone from github result in a good template with only LF at the end of line. Because of this, I only caught this error when the module was already deployed on the Puppet server...

Please remove all CR (^M) characters from all text files (or at least the template).

# aide
1:syntax error:
1:Error while reading configuration:
Configuration error

Tag v2.0.0

Is it possible you can add the v2.0.0 tag to this repository?

Thanks for your work on this module - I've been using it for a few years now.

mail command with "mail_only_on_changes"

When "mail_only_on_changes" is set, the -E flag is used on the mail command but no command is specified for execution, resulting in error messages being produced.
The -E flag should be followed immediately by the command; it is instead interpreting -s as the command to execute.


mail: Unknown command: -s
mail: Cannot parse address `localhost - AIDE Integrity Check' (while expanding `localhost - AIDE Integrity Check'): Malformed email address

cron.pp

        command => "AIDE_OUT=$(${settings} 2>&1) || echo \"\${AIDE_OUT}\" | ${cat_path} -v | ${mail_path} -E -s ${email_subject}",

Suggestion would be to use the same mail command as $mail_only_on_changes == false

        command => "AIDE_OUT=$(${settings} 2>&1) || echo \"\${AIDE_OUT}\" | ${cat_path} -v | ${mail_path} -s ${email_subject}",

Testing on Ubuntu 18.04

default config file generated seems incorrect for Debian 10

Info: Computing checksum on file /etc/aide/aide.conf
Info: /Stage[main]/Aide::Config/Concat[aide.conf]/File[/etc/aide/aide.conf]: Filebucketed /etc/aide/aide.conf to puppet with sum c3e097015be5cb65a9c005285084a97e
Notice: /Stage[main]/Aide::Config/Concat[aide.conf]/File[/etc/aide/aide.conf]/content:
Notice: /Stage[main]/Aide::Config/Concat[aide.conf]/File[/etc/aide/aide.conf]/content: content changed '{md5}c3e097015be5cb65a9c005285084a97e' to '{md5}0d6a4b10d92e67583b752d4c05024781' (corrective)
Notice: /Stage[main]/Aide::Config/Concat[aide.conf]/File[/etc/aide/aide.conf]/mode: mode changed '0644' to '0600' (corrective)
Info: Concat[aide.conf]: Scheduling refresh of Exec[aide init]
Info: Class[Aide::Config]: Scheduling refresh of Class[Aide::Firstrun]
Info: Class[Aide::Firstrun]: Scheduling refresh of Exec[aide init]
Info: Class[Aide::Firstrun]: Scheduling refresh of Exec[install aide db]
Notice: /Stage[main]/Aide::Firstrun/Exec[aide init]: Triggered 'refresh' from 2 events
Info: /Stage[main]/Aide::Firstrun/Exec[aide init]: Scheduling refresh of Exec[install aide db]
Notice: /Stage[main]/Aide::Firstrun/Exec[install aide db]: Triggered 'refresh' from 2 events

cronjob and aideinit fails onwards

aide --config /etc/aide/aide.conf --check
Database does not have attr field.
Comparison may be incorrect
Generating attr-field from dbspec
It might be a good Idea to regenerate databases. Sorry.
db_char2line():Error while reading database

aideinit   -c /etc/aide/aide.conf
Running aide --init...
73:Error in expression:

Configuration error
error checking aide config, not running aide
AIDE --init return code 255 

Package installed

aide-common:
Installed: 0.16.1-1

Optionally specify $conf_path and --config parameter in CRON job

I'm working with 3rd party vendors doing CIS and security checking. The current CRON job:

0 0 * * * root nice ionice -c3 /usr/sbin/aide --config /etc/aide.conf --check

Fails the regex tests that the vendors do for AIDE due to '--config /etc/aide.conf' being specified. I figure it's easier to update this module than to convince the vendors to update their regular expressions.

I propose an option to exclude the '--config /etc/aide' part of the CRON job and just let aide use its default of /etc/aide.conf.
