Add Support for audispd-plugins Installation in Wazuh Puppet Module for Enhanced whodata Monitoring #896

Open
vaskosmihaylov opened this issue Jan 12, 2024 · 0 comments

vaskosmihaylov commented Jan 12, 2024

Issue Description

During troubleshooting in a Wazuh deployment using this Puppet module, I observed that systems with audit version 3.1.2 were defaulting to realtime monitoring due to the absence of audispd-plugins. Manual installation and configuration of the plugin resolved the issue, underscoring the need for its inclusion in the module. Since audispd-plugins was missing, the audit rules for monitoring were missing as well:

Audit package version check

dnf list installed | grep audit
audit.x86_64                                3.1.2-1.el8                             @baseos
audit-libs.x86_64                           3.1.2-1.el8                             @baseos

OSSEC LOGS:

2024/01/11 19:18:15 wazuh-syscheckd: WARNING: (6913): Who-data engine could not start. Switching who-data to real-time.

Check of the audit FIM rules

auditctl -l | grep wazuh_fim 

Summary

The current Wazuh Puppet module (audit.pp manifest) effectively manages the installation and configuration of auditd across various Linux distributions. However, it lacks support for installing the audispd-plugins package, which is crucial for the optimal functioning of whodata monitoring in Wazuh, especially with audit versions 3.1.1 and later, according to the Wazuh docs.

Details

The current audit.pp manifest in the Wazuh Puppet module includes provisions for:

  • Installing the auditd package
  • Managing the auditd service
  • Configuring audit rules if $audit_manage_rules is set to true

However, there is no reference to or provision for the installation of audispd-plugins.

Suggested Enhancement

I propose adding functionality to the audit.pp manifest for the Wazuh Puppet module to handle the installation and configuration of the audispd-plugins package. This enhancement would ensure that environments requiring whodata monitoring with audit version 3.1.1 or later are fully supported and configured correctly through Puppet automation.

I created a pull request that incorporates the above changes.
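The shape such a change could take, as an added example that is neither the wazuh-puppet module's own audit.pp nor the pull request the reporter mentions. The class name `audit_with_plugins`, the `$manage_plugins` parameter and the use of the `service auditd restart` legacy action are assumptions made here for illustration; the package names (`audit` on RHEL-family, `auditd` on Debian-family, `audispd-plugins` on both) are the distributions' real ones.

```puppet
# Added example (not wazuh-puppet code): manage auditd together with
# audispd-plugins so the plugin set Wazuh who-data needs on audit 3.x is
# present before wazuh-syscheckd starts, instead of falling back to real-time.
class audit_with_plugins (
  Boolean $manage_plugins = true,   # assumed parameter name
) {
  # Package naming differs per family; fail loudly rather than guess.
  case $facts['os']['family'] {
    'RedHat': { $auditd_package = 'audit' }
    'Debian': { $auditd_package = 'auditd' }
    default:  { fail("audit_with_plugins: unsupported OS family ${facts['os']['family']}") }
  }

  package { $auditd_package:
    ensure => installed,
  }

  # RHEL's auditd.service sets RefuseManualStop, so a plain systemctl restart
  # is refused; the init-style legacy action restarts it cleanly on both families.
  service { 'auditd':
    ensure  => running,
    enable  => true,
    restart => 'service auditd restart',
    require => Package[$auditd_package],
  }

  if $manage_plugins {
    # Installed after auditd, and auditd is restarted so it picks up the
    # newly installed plugins under /etc/audit/plugins.d.
    package { 'audispd-plugins':
      ensure  => installed,
      require => Package[$auditd_package],
      notify  => Service['auditd'],
    }
  }
}
```

After a run, `rpm -q audispd-plugins` (or `dpkg -l audispd-plugins`) should show the package and `auditctl -l | grep wazuh_fim` should list the FIM rules once the Wazuh agent has started who-data; an empty listing plus the "Who-data engine could not start" warning is the symptom described above.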
