- Overview
- Module Description - What the module does and why it is useful
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Release notes
This module installs and configures OSSEC-HIDS client and server.
The server is configured by installing the ossec::server
class, and using optionally
ossec::command
: to define active/response command (likefirewall-drop.sh
)ossec::activeresponse
: to link rules to active/response commandossec:: email_alert
: to receive to other email adress specific group of rules informationossec::addlog
: to define additional log files to monitor
class { 'ossec::server':
mailserver_hostname => 'mailserver.mycompany.com',
ossec_emailto => 'nicolas.zin@mycompany.com',
}
ossec::command { 'firewallblock':
command_name => 'firewall-drop',
command_executable => 'firewall-drop.sh',
command_expect => 'srcip'
}
ossec::activeresponse { 'blockWebattack':
command_name => 'firewall-drop',
ar_level => 9,
ar_rules_id => [31153,31151]
}
ossec::addlog { 'monitorLogFile':
logfile => '/var/log/secure',
logtype => 'syslog'
}
class { "ossec::client":
ossec_server_hostname => "10.10.130.66"
}
$mailserver_hostname
smtp mail server,$ossec_emailfrom
(default:ossec@${domain}
) email origin sent by ossec,$ossec_emailto
who will receive it,$ossec_active_response
(default:true
) if active response should be configure on the server (beware to configure it on clients also),$ossec_global_host_information_level
(default: 8) Alerting level for the events generated by the host change monitor (from 0 to 16)$ossec_global_stat_level
(default: 8) Alerting level for the events generated by the statistical analysis (from 0 to 16)$ossec_email_alert_level
(default: 7) It correspond to a threshold (from 0 to 156 to sort alert send by email. Some alerts circumvent this threshold (when they have alert_email option),$ossec_emailnotification
(default: yes) Whether to send email notifications
$alert_email
email to send to$alert_group
(default:false
) array of name of rules group
Caution: no email will be send below the global $ossec_email_alert_level
About active-response mechanism, check the documentation (and extends the function maybe :-) ): http://www.ossec.net/main/manual/manual-active-responses
$command_name
human readable name forossec::activeresponse
usage$command_executable
name of the executable. Ossec comes preloaded withdisable-account.sh
,host-deny.sh
,ipfw.sh
,pf.sh
,route-null.sh
,firewall-drop.sh
,ipfw_mac.sh
,ossec-tweeter.sh
,restart-ossec.sh
$command_expect
(default:srcip
)$timeout_allowed
(default:true
)
$command_name
,$ar_location
(default:local
) it can be "local","server","defined-agent","all"$ar_level
(default: 7) between 0 and 16$ar_rules_id
(default:[]
) list of rules id$ar_timeout
(default: 300) usually active reponse blocks for a certain amount of time.
$log_name
,$logfile
/path/to/log/file$logtype
(default: syslog) The ossec log_format of the file. Valid values can be found in the documentation.
$ossec_server_hostname
IP of the server$ossec_active_response
(default: true) allows active response on this host$ossec_emailnotification
(default: yes) Whether to send email notifications$selinux
(default: false) Whether to install an SELinux policy to allow rotation of OSSEC logs
On RedHat-like systems, this module depends on the Atomic repo
to provide the OSSEC packages, and on the EPEL repo to provide
a dependency, inotify-tools
.
On Debian-like systems, this module depends on the Alienvault repo to provide the OSSEC packages.
Enabling SELinux support requires jfryman/selinux
This module was forked from nzin/puppet-ossec
so I could package it for Puppet Forge. The
original author is not willing to maintain the code
so please contribute to this fork.
Author Nicolas Zin Maintained by Jonathan Gazeley