-
Notifications
You must be signed in to change notification settings - Fork 27
ossec module for puppet
License
nzin/puppet-ossec
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
= Requirements - OS: ubuntu/debian, redhat/centos = Overview This module install and configure OSSec client/server. It requires concat module (https://github.com/ripienaar/puppet-concat) The server is configured by installing the ossec::server class, and using optionaly - ossec::command : to define active/response command (like firewall-drop.sh) - ossec::activeresponse : to link rules to active/response command - ossec:: email_alert : to receive to other email adress specific group of rules information Note: there is a "light" version, where agents are replaced by rsyslog configuration, but this is more difficult to put in place, gather less information, and thus has to be avoid == Parameters SERVER class ossec::server - $mailserver_ip : smtp mail server, - $ossec_emailfrom (default: "ossec@${domain}") : email origin sent by ossec, - $ossec_emailto => who will receive it, - $ossec_active_response (default: true) : if active response should be configure on the server (beware to configure it on clients also), - $ossec_global_host_information_level (default: 8) : Alerting level for the events generated by the host change monitor (from 0 to 16) - $ossec_global_stat_level (default: 8) : Alerting level for the events generated by the statistical analysis (from 0 to 16) - $ossec_email_alert_level (default: 7) : It correspond to a threshold (from 0 to 156 to sort alert send by email. Some alerts circumvent this threshold (when they have alert_email option), function ossec::email_alert - $alert_email : email to send to - $alert_group (default: false) : array of name of rules group Caution: no email will be send below the global $ossec_email_alert_level About active-response mechanism, check the documentation (and extends the function maybe :-) ): http://www.ossec.net/main/manual/manual-active-responses function ossec::command - $command_name : human readable name for ossec::activeresponse usage - $command_executable : name of the executable. Ossec comes preloaded with 'disable-account.sh','host-deny.sh','ipfw.sh','pf.sh','route-null.sh','firewall-drop.sh','ipfw_mac.sh','ossec-tweeter.sh','restart-ossec.sh' - $command_expect (default: "srcip") - $timeout_allowed (default: true) function ossec::activeresponse - $command_name, - $ar_location (default: "local"): it can be "local","server","defined-agent","all" - $ar_level (default: 7) : between 0 and 16 - $ar_rules_id (default: []) : list of rules id - $ar_timeout (default: 300) : usually active reponse blocks for a certain amount of time. CLIENT - $ossec_server_ip => IP of the server - $ossec_active_response (default: true) => allows active response on this host = Usage SERVER node "mynode" inherits ... { class { 'ossec::server': mailserver_ip=>"mailserver.mycompany.com", ossec_emailto=>"nicolas.zin@mycompany.com", } ossec::command { 'firewallblock': command_name => 'firewall-drop', command_executable => 'firewall-drop.sh', command_expect => 'srcip' } ossec::activeresponse { 'blockWebattack': command_name => 'firewall-drop', ar_level => 9, ar_rules_id => [31153,31151] } } CLIENT node "aclientnode" inherits ... { class { "ossec::client": ossec_server_ip => "10.10.130.66" } } = License Copyright (C) 2011 Savoir-faire Linux Author Nicolas Zin <nicolas.zin@savoirfairelinux.com> Licence: GPL v2
About
ossec module for puppet
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published