- Overview
- Module Description - What the module does and why it is useful
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Release notes
This module installs and configures OSSEC-HIDS client and server. It requires concat module (https://github.com/ripienaar/puppet-concat)
The server is configured by installing the ossec::server
class, and using optionally
ossec::command
: to define active/response command (like firewall-drop.sh)ossec::activeresponse
: to link rules to active/response commandossec:: email_alert
: to receive to other email adress specific group of rules information
node "mynode" inherits ... {
class { 'ossec::server':
mailserver_ip=>"mailserver.mycompany.com",
ossec_emailto=>"[email protected]",
}
ossec::command { 'firewallblock':
command_name => 'firewall-drop',
command_executable => 'firewall-drop.sh',
command_expect => 'srcip'
}
ossec::activeresponse { 'blockWebattack':
command_name => 'firewall-drop',
ar_level => 9,
ar_rules_id => [31153,31151]
}
}
node "aclientnode" inherits ... {
class { "ossec::client":
ossec_server_ip => "10.10.130.66"
}
}
- $mailserver_ip : smtp mail server,
-
$ossec_emailfrom (default: "ossec@$ {domain}") : email origin sent by ossec, - $ossec_emailto => who will receive it,
- $ossec_active_response (default: true) : if active response should be configure on the server (beware to configure it on clients also),
- $ossec_global_host_information_level (default: 8) : Alerting level for the events generated by the host change monitor (from 0 to 16)
- $ossec_global_stat_level (default: 8) : Alerting level for the events generated by the statistical analysis (from 0 to 16)
- $ossec_email_alert_level (default: 7) : It correspond to a threshold (from 0 to 156 to sort alert send by email. Some alerts circumvent this threshold (when they have alert_email option),
- $alert_email : email to send to
- $alert_group (default: false) : array of name of rules group
Caution: no email will be send below the global $ossec_email_alert_level
About active-response mechanism, check the documentation (and extends the function maybe :-) ): http://www.ossec.net/main/manual/manual-active-responses
- $command_name : human readable name for ossec::activeresponse usage
- $command_executable : name of the executable. Ossec comes preloaded with 'disable-account.sh','host-deny.sh','ipfw.sh','pf.sh','route-null.sh','firewall-drop.sh','ipfw_mac.sh','ossec-tweeter.sh','restart-ossec.sh'
- $command_expect (default: "srcip")
- $timeout_allowed (default: true)
- $command_name,
- $ar_location (default: "local"): it can be "local","server","defined-agent","all"
- $ar_level (default: 7) : between 0 and 16
- $ar_rules_id (default: []) : list of rules id
- $ar_timeout (default: 300) : usually active reponse blocks for a certain amount of time.
- $ossec_server_ip => IP of the server
- $ossec_active_response (default: true) => allows active response on this host
This is where you list OS compatibility, version compatibility, etc.
This module was forked from nzin/puppet-ossec
so I could package it for Puppet Forge. There is
an outstanding issue on nzin/puppet-ossec
to
package it for the Forge. If this is implemented then I will tear down this fork.
- Tidy up formatting in this file
- Debian/Ubuntu support to use AlienVault repo rather than locally-packaged .debs
Copyright (C) 2011 Savoir-faire Linux Author Nicolas Zin [email protected] Licence: GPL v2