Merge pull request #175 from wazuh/feature-164-define-whodata

Parameterize `whodata` and `realtime` and add related dependencies

Author: Manuel J. Bernal

manifests/agent.pp

@@ -127,6 +127,8 @@
   $ossec_syscheck_auto_ignore        = $wazuh::params_agent::ossec_syscheck_auto_ignore,
   $ossec_syscheck_directories_1      = $wazuh::params_agent::ossec_syscheck_directories_1,
   $ossec_syscheck_directories_2      = $wazuh::params_agent::ossec_syscheck_directories_2,
+  $ossec_syscheck_whodata            = $wazuh::params_agent::ossec_syscheck_whodata,
+  $ossec_syscheck_realtime           = $wazuh::params_agent::ossec_syscheck_realtime,
   $ossec_syscheck_ignore_list        = $wazuh::params_agent::ossec_syscheck_ignore_list,
   $ossec_syscheck_ignore_type_1      = $wazuh::params_agent::ossec_syscheck_ignore_type_1,
   $ossec_syscheck_ignore_type_2      = $wazuh::params_agent::ossec_syscheck_ignore_type_2,
@@ -151,6 +153,17 @@
   validate_string($agent_package_name)
   validate_string($agent_service_name)
 
+  if($ossec_syscheck_whodata == '"yes"') { # Install Audit if whodata is enabled
+    package { 'Installing Audit...':
+      name   => "audit",
+    }
+    service { auditd:
+      ensure    => running,
+      enable    => true,
+    }
+  }
+
+
   if $manage_client_keys == 'yes' {
     if $wazuh_register_endpoint == undef {
       fail('The $wazuh_register_endpoint parameter is needed in order to register the Agent.')

manifests/manager.pp

@@ -156,6 +156,8 @@
       $ossec_syscheck_auto_ignore           = $wazuh::params_manager::ossec_syscheck_auto_ignore,
       $ossec_syscheck_directories_1         = $wazuh::params_manager::ossec_syscheck_directories_1,
       $ossec_syscheck_directories_2         = $wazuh::params_manager::ossec_syscheck_directories_2,
+      $ossec_syscheck_whodata               = $wazuh::params_manager::ossec_syscheck_whodata,
+      $ossec_syscheck_realtime              = $wazuh::params_manager::ossec_syscheck_realtime,
       $ossec_syscheck_ignore_list           = $wazuh::params_manager::ossec_syscheck_ignore_list,
 
       $ossec_syscheck_ignore_type_1         = $wazuh::params_manager::ossec_syscheck_ignore_type_1,
@@ -220,6 +222,17 @@
     }
   }
 
+
+  if($ossec_syscheck_whodata == '"yes"') { # Install Audit if whodata is enabled
+    package { 'Installing Auditd...':
+      name   => "audit",
+    }
+    service { auditd:
+      ensure    => running,
+      enable    => true,
+    }
+  }
+
   # This allows arrays of integers, sadly
   # (commented due to stdlib version requirement)
   if ($ossec_emailnotification == true) {
@@ -513,4 +526,13 @@
         'ESTABLISHED'],
     }
   }
+
+  if($ossec_syscheck_whodata == '"yes"') {
+    exec { 'Ensure wazuh-fim rule is added to auditctl':
+      command => "/sbin/auditctl -l",
+      unless  => "/sbin/auditctl -l | grep wazuh_fim",
+      tries => 2
+    }
+  }
+
 }

manifests/params_agent.pp

@@ -150,6 +150,8 @@
       $ossec_syscheck_auto_ignore = undef
       $ossec_syscheck_directories_1 = '/etc,/usr/bin,/usr/sbin'
       $ossec_syscheck_directories_2 = '/bin,/sbin,/boot'
+      $ossec_syscheck_whodata = '"no"'
+      $ossec_syscheck_realtime = '"no"'
       $ossec_syscheck_ignore_list = ['/etc/mtab',
         '/etc/hosts.deny',
         '/etc/mail/statistics',

manifests/params_manager.pp

@@ -159,6 +159,8 @@
       $ossec_syscheck_auto_ignore                      = 'no'
       $ossec_syscheck_directories_1                    = '/etc,/usr/bin,/usr/sbin'
       $ossec_syscheck_directories_2                    = '/bin,/sbin,/boot'
+      $ossec_syscheck_whodata                          = '"no"'
+      $ossec_syscheck_realtime                         = '"no"'
       $ossec_syscheck_ignore_list                      = ['/etc/mtab',
                                               '/etc/hosts.deny',
                                               '/etc/mail/statistics',

templates/fragments/_syscheck.erb

@@ -1,128 +1,128 @@
-  <%- if @kernel == 'windows' -%>
-  <syscheck> <!-- Default files to be monitored - system32 only. -->
-    <directories check_all="yes">%WINDIR%/win.ini</directories>
-    <directories check_all="yes">%WINDIR%/system.ini</directories>
-    <directories check_all="yes">C:\autoexec.bat</directories>
-    <directories check_all="yes">C:\config.sys</directories>
-    <directories check_all="yes">C:\boot.ini</directories>
-    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
-    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
-    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
-    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
-    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
-    <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
-    <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
-    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
+<%- if @kernel == 'windows' -%>
+<syscheck> <!-- Default files to be monitored - system32 only. -->
+  <directories check_all="yes">%WINDIR%/win.ini</directories>
+  <directories check_all="yes">%WINDIR%/system.ini</directories>
+  <directories check_all="yes">C:\autoexec.bat</directories>
+  <directories check_all="yes">C:\config.sys</directories>
+  <directories check_all="yes">C:\boot.ini</directories>
+  <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
+  <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
+  <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
+  <directories check_all="yes">%WINDIR%/regedit.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
+  <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
+  <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
+  <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
+  <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
 
-    <!-- Windows registry entries to monitor. -->
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
-    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
+  <!-- Windows registry entries to monitor. -->
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
+  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
 
-    <!-- Windows files to ignore (static) -->
-    <ignore>%WINDIR%/System32/LogFiles</ignore>
-    <ignore>%WINDIR%/Debug</ignore>
-    <ignore>%WINDIR%/WindowsUpdate.log</ignore>
-    <ignore>%WINDIR%/iis6.log</ignore>
-    <ignore>%WINDIR%/system32/wbem/Logs</ignore>
-    <ignore>%WINDIR%/system32/wbem/Repository</ignore>
-    <ignore>%WINDIR%/Prefetch</ignore>
-    <ignore>%WINDIR%/PCHEALTH/HELPCTR/DataColl</ignore>
-    <ignore>%WINDIR%/SoftwareDistribution</ignore>
-    <ignore>%WINDIR%/Temp</ignore>
-    <ignore>%WINDIR%/system32/config</ignore>
-    <ignore>%WINDIR%/system32/spool</ignore>
-    <ignore>%WINDIR%/system32/CatRoot</ignore>
+  <!-- Windows files to ignore (static) -->
+  <ignore>%WINDIR%/System32/LogFiles</ignore>
+  <ignore>%WINDIR%/Debug</ignore>
+  <ignore>%WINDIR%/WindowsUpdate.log</ignore>
+  <ignore>%WINDIR%/iis6.log</ignore>
+  <ignore>%WINDIR%/system32/wbem/Logs</ignore>
+  <ignore>%WINDIR%/system32/wbem/Repository</ignore>
+  <ignore>%WINDIR%/Prefetch</ignore>
+  <ignore>%WINDIR%/PCHEALTH/HELPCTR/DataColl</ignore>
+  <ignore>%WINDIR%/SoftwareDistribution</ignore>
+  <ignore>%WINDIR%/Temp</ignore>
+  <ignore>%WINDIR%/system32/config</ignore>
+  <ignore>%WINDIR%/system32/spool</ignore>
+  <ignore>%WINDIR%/system32/CatRoot</ignore>
 
-    <!-- Windows registry entries to ignore. -->
-    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
-    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
-    <registry_ignore type="sregex">\Enum$</registry_ignore>
-  </syscheck>
+  <!-- Windows registry entries to ignore. -->
+  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
+  <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
+  <registry_ignore type="sregex">\Enum$</registry_ignore>
+</syscheck>
 
-  <%- else -%>
-  <syscheck>
-    <%- if @ossec_syscheck_disabled -%>
-    <disabled><%= @ossec_syscheck_disabled %></disabled>
-    <%- end -%>
-    <%- if @ossec_syscheck_frequency -%>
-    <frequency><%=@ossec_syscheck_frequency%></frequency>
-    <%- end -%>
-    <%- if @ossec_syscheck_scan_on_start -%>
-    <scan_on_start><%=@ossec_syscheck_scan_on_start%></scan_on_start>
-    <%- end -%>
-    <%- if @ossec_syscheck_alert_new_files -%>
-    <alert_new_files><%=@ossec_syscheck_alert_new_files%></alert_new_files>
-    <%- end -%>
-    <%- if @ossec_syscheck_auto_ignore -%>
-    <auto_ignore frequency="10" timeframe="3600"><%=@ossec_syscheck_auto_ignore%></auto_ignore>
-    <%- end -%>
-    <%- if @ossec_syscheck_directories_1 -%>
-    <directories check_all="yes"><%=@ossec_syscheck_directories_1%></directories>
-    <%- end -%>
-    <%- if @ossec_syscheck_directories_2 -%>
-    <directories check_all="yes"><%=@ossec_syscheck_directories_2%></directories>
-    <%- end -%>
-    <%- if @ossec_syscheck_ignore_list -%>
-      <%- @ossec_syscheck_ignore_list.each do |ignore_element| -%>
-    <ignore><%= ignore_element %></ignore>
-      <%- end -%>  
-    <%- end -%>
-    <%- if @ossec_syscheck_ignore_type_1 -%>
-    <ignore type="sregex"><%=@ossec_syscheck_ignore_type_1%></ignore>
-    <%- end -%>
-    <%- if @ossec_syscheck_ignore_type_2 -%>
-    <ignore type="sregex"><%=@ossec_syscheck_ignore_type_2%></ignore>
-    <%- end -%>
-    <%- if @ossec_syscheck_nodiff -%>
-    <nodiff><%=@ossec_syscheck_nodiff%></nodiff>
-    <%- end -%>
-    <%- if @ossec_syscheck_skip_nfs -%>
-    <skip_nfs><%=@ossec_syscheck_skip_nfs%></skip_nfs>
-    <%- end -%>
-    </syscheck>
+<%- else -%>
+<syscheck>
+  <%- if @ossec_syscheck_disabled -%>
+  <disabled><%= @ossec_syscheck_disabled %></disabled>
+  <%- end -%>
+  <%- if @ossec_syscheck_frequency -%>
+  <frequency><%=@ossec_syscheck_frequency%></frequency>
+  <%- end -%>
+  <%- if @ossec_syscheck_scan_on_start -%>
+  <scan_on_start><%=@ossec_syscheck_scan_on_start%></scan_on_start>
+  <%- end -%>
+  <%- if @ossec_syscheck_alert_new_files -%>
+  <alert_new_files><%=@ossec_syscheck_alert_new_files%></alert_new_files>
+  <%- end -%>
+  <%- if @ossec_syscheck_auto_ignore -%>
+  <auto_ignore frequency="10" timeframe="3600"><%=@ossec_syscheck_auto_ignore%></auto_ignore>
+  <%- end -%>
+  <%- if @ossec_syscheck_directories_1 -%>
+  <directories check_all="yes" whodata=<%=@ossec_syscheck_whodata%> realtime=<%=@ossec_syscheck_realtime%>><%=@ossec_syscheck_directories_1%></directories>
+  <%- end -%>
+  <%- if @ossec_syscheck_directories_2 -%>
+  <directories check_all="yes" whodata=<%=@ossec_syscheck_whodata%> realtime=<%=@ossec_syscheck_realtime%>><%=@ossec_syscheck_directories_2%></directories>
   <%- end -%>
+  <%- if @ossec_syscheck_ignore_list -%>
+    <%- @ossec_syscheck_ignore_list.each do |ignore_element| -%>
+  <ignore><%= ignore_element %></ignore>
+    <%- end -%>  
+  <%- end -%>
+  <%- if @ossec_syscheck_ignore_type_1 -%>
+  <ignore type="sregex"><%=@ossec_syscheck_ignore_type_1%></ignore>
+  <%- end -%>
+  <%- if @ossec_syscheck_ignore_type_2 -%>
+  <ignore type="sregex"><%=@ossec_syscheck_ignore_type_2%></ignore>
+  <%- end -%>
+  <%- if @ossec_syscheck_nodiff -%>
+  <nodiff><%=@ossec_syscheck_nodiff%></nodiff>
+  <%- end -%>
+  <%- if @ossec_syscheck_skip_nfs -%>
+  <skip_nfs><%=@ossec_syscheck_skip_nfs%></skip_nfs>
+  <%- end -%>
+  </syscheck>
+<%- end -%>