nzin / puppet-ossec Goto Github PK

I was looking at your module to manage our ossec infrastructure, and one aspect I am particularly concerned about is key management.

The default ossec-authd doesn't provide enrollment security: any server can contact the authd server and join the ossec infrastructure, which isn't great.

I was hoping that your module would provide a more secure way of dealing with keys. But it seems that you generate them by calculating two md5 strings from non-secret information. There is no random, except for a seed stored in manifests/agentkey.pp that is statically defined. My understanding of your module is that any intruder that has access to the seed can guess all the agent keys fairly easily.

I, unfortunately, do not have a proposal to fix this, other than extracting the key management outside of the module itself.

Please confirm. If I had missed something, and your module is in fact secure, then I'd love to use it in our environment.

I use this module in my environment. However it is one of the last few modules that is stored locally in my installation - all the other ones come from Puppet Forge. Would you consider packaging this module for publication on the Forge? I'm happy to help with packaging etc. Thanks.

I noticed you maintain a PPA that contains more up-to-date OSSEC packages than the ones included in this module. Would it make sense to change this module so that it uses your PPA?

I already hit this wall and you get a very unhelpful error message on the ossec server

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: Concat::Fragment[var_ossec_etc_client.keys_10.10.16.56_part] is already declared in file /etc/puppet/environments/prod/modules/ossec/manifests/agentkey.pp:17; cannot redeclare at /etc/puppet/environments/prod/modules/ossec/manifests/agentkey.pp:17 on node ossec-server.example.com

We reinstalled a system with the same IP but a different name and suddenly we had the dupe definition

If someone should come looking for that message the fix is to run
puppet node deactivate oldname.example.com
on the puppet master to clear out the entry in puppetdb

Looking over the Puppet docs for exported refs they recomend the following

To ensure uniqueness, every resource you export should include a substring unique to the node exporting it into its title and name/namevar. The most expedient way is to use the hostname or fqdn facts.

So unless there is some compelling reason to use agent_ip_adress it should probably be changed to agent_name.