Closed davidcr01 closed 5 months ago
Puppet agent was installed on both Debian 10 (buster) and Debian 12 (bookworm).
For the Debian 10 configuration, I used the one that currently exists in the documentation, but for Debian 12 I had to add some additional parameters, without which communication with Puppet Server did not work. The error I was getting was the following:
root@ip-172-31-46-110:~# puppet agent -t
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for ip-172-31-46-110.
Info: Certificate Request fingerprint (SHA256): 66:08:07:EF:FC:3F:4E:F0:03:93:8B:AA:DD:59:EC:37:8C:9B:49:D1:87:C7:6A:6C:58:AD:48:14:17:BF:13:33
Info: Downloaded certificate for ip-172-31-46-110. from https://ip-172-31-45-133:8140/puppet-ca/v1
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Forbidden request: /puppet/v3/node/ip-172-31-46-110. (method :get). Please see the server logs for details.
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Requesting catalog from ip-172-31-45-133:8140 (172.31.45.133)
Notice: Catalog compiled by ip-172-31-45-133.ec2.internal
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: /puppet/v3/catalog/ip-172-31-46-110. (method :post). Please see the server logs for details.
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Forbidden request: /puppet/v3/report/ip-172-31-46-110. (method :put). Please see the server logs for details.
root@ip-172-31-46-110:~#
After searching for options, I found that it was necessary to declare some additional parameters for Debian 12, which allowed the correct connection with Puppet Server:
[main]
server = ip-172-31-45-133
certname = debian12.internal
[agent]
server = ip-172-31-45-133
ca_server = ip-172-31-45-133
After this change, I was able to correctly configure Puppet agent on Debian 12. To test how it worked, I installed Wazuh agent on both OSes (Debian 10 and 12).
root@ip-172-31-46-110:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@ip-172-31-46-110:~# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from ip-172-31-45-133:8140 (172.31.45.133)
Notice: Catalog compiled by ip-172-31-45-133.ec2.internal
Info: Caching catalog for debian12.internal
Info: Applying configuration version '1715872102'
Notice: /Stage[main]/Wazuh::Repo/Apt::Key[wazuh]/Package[gnupg]/ensure: created
Notice: /Stage[main]/Apt/File[preferences]/ensure: created
Info: /Stage[main]/Apt/File[preferences]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/ensure: defined content as '{sha256}2e6eb1f5f20262bfc6b7dfb26a302f00b4ab5fee803abd9e07ad8378cce067d5'
Info: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]/ensure: defined content as '{sha256}ec8cbfc030648abca503f423c2d8488776f7bba8c9ccd1fa1d213a9f8159fe4c'
Info: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Wazuh::Repo/Apt::Key[wazuh]/Apt_key[wazuh]/ensure: created
Info: Class[Apt::Update]: Scheduling refresh of Exec[apt_update]
Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered 'refresh' from 1 event
Notice: /Stage[main]/Wazuh::Agent/Package[wazuh-agent]/ensure: created
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf 2024-05-16 15:08:45.126876016 +0000
+++ /tmp/puppet-file20240516-1318-sx11zg 2024-05-16 15:08:46.494888456 +0000
@@ -1,23 +1,22 @@
-<!--
- Wazuh - Agent - Default configuration for debian 12
- More info at: https://documentation.wazuh.com
- Mailing list: https://groups.google.com/forum/#!forum/wazuh
--->
-
<ossec_config>
<client>
- <server>
- <address>MANAGER_IP</address>
- <port>1514</port>
- <protocol>tcp</protocol>
- </server>
- <config-profile>debian, debian12</config-profile>
+ <server>
+ <address>172.31.45.133</address>
+ <protocol>tcp</protocol>
+ <port>1514</port>
+ <max_retries>5</max_retries>
+ <retry_interval>5</retry_interval>
+ </server>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
- <auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
+ <auto_restart>yes</auto_restart>
</client>
+ <logging>
+ <log_format>plain</log_format>
+ </logging>
+
<client_buffer>
<!-- Agent buffer options -->
<disabled>no</disabled>
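Review bot: `<config-profile>debian, debian12</config-profile>` is removed in this hunk without a replacement, so the agent stops advertising a profile that manager-side shared configuration can key on; if that is not intended, render a `<config-profile>` entry in the generated `<client>` block. The new `<server>` block hardcodes the manager address together with `<max_retries>5</max_retries>` and `<retry_interval>5</retry_interval>`, which is fine for a single manager, but those two values should be documented where the module exposes them.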
@@ -25,8 +24,9 @@
<events_per_second>500</events_per_second>
</client_buffer>
- <!-- Policy monitoring -->
- <rootcheck>
+
+
+<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
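Review bot: the two added blank lines and the unindented `+<rootcheck>` break the indentation style of the surrounding file; render the element at the same indentation as `</client_buffer>` and drop the extra blank lines so the generated file stays readable.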
@@ -35,155 +35,141 @@
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
-
- <!-- Frequency that rootcheck is executed - every 12 hours -->
- <frequency>43200</frequency>
-
- <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
-
+ <frequency>36000</frequency>
+ <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+ <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
- </rootcheck>
+</rootcheck>
- <wodle name="cis-cat">
+<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
+</wodle>
+<wodle name="cis-cat">
+ <disabled>yes</disabled>
+ <timeout>1800</timeout>
+ <interval>1d</interval>
+ <scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
- </wodle>
+</wodle>
- <!-- Osquery integration -->
- <wodle name="osquery">
+
+<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
+ <bin_path>/usr/bin/osqueryd</bin_path>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
- </wodle>
+</wodle>
- <!-- System inventory -->
- <wodle name="syscollector">
- <disabled>no</disabled>
- <interval>1h</interval>
- <scan_on_start>yes</scan_on_start>
- <hardware>yes</hardware>
- <os>yes</os>
- <network>yes</network>
- <packages>yes</packages>
- <ports all="no">yes</ports>
- <processes>yes</processes>
-
- <!-- Database synchronization settings -->
- <synchronization>
- <max_eps>10</max_eps>
- </synchronization>
- </wodle>
+
+<wodle name="syscollector">
+ <disabled>no</disabled>
+ <interval>1h</interval>
+ <scan_on_start>yes</scan_on_start>
+ <hardware>yes</hardware>
+ <os>yes</os>
+ <network>yes</network>
+ <packages>yes</packages>
+ <ports all="no">yes</ports>
+ <processes>yes</processes>
+</wodle>
- <sca>
+<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
+
</sca>
+
+
+<syscheck>
+ <disabled>no</disabled>
+ <frequency>43200</frequency>
+ <scan_on_start>yes</scan_on_start>
+ <process_priority>10</process_priority>
+ <synchronization>
+ <enabled>yes</enabled>
+ <interval>5m</interval>
+ <max_interval>1h</max_interval>
+ <max_eps>10</max_eps>
+ </synchronization>
+
+ <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+ <directories check_all="yes" >/bin,/sbin,/boot</directories>
+ <ignore>/etc/mtab</ignore>
+ <ignore>/etc/hosts.deny</ignore>
+ <ignore>/etc/mail/statistics</ignore>
+ <ignore>/etc/random-seed</ignore>
+ <ignore>/etc/random.seed</ignore>
+ <ignore>/etc/adjtime</ignore>
+ <ignore>/etc/httpd/logs</ignore>
+ <ignore>/etc/utmpx</ignore>
+ <ignore>/etc/wtmpx</ignore>
+ <ignore>/etc/cups/certs</ignore>
+ <ignore>/etc/dumpdates</ignore>
+ <ignore>/etc/svc/volatile</ignore>
+ <ignore>/sys/kernel/security</ignore>
+ <ignore>/sys/kernel/debug</ignore>
+ <ignore>/dev/core</ignore>
+ <ignore type="sregex">^/proc</ignore>
+ <ignore type="sregex">.log$|.swp$</ignore>
+ <nodiff>/etc/ssl/private.key</nodiff>
+ <skip_nfs>yes</skip_nfs>
+</syscheck>
- <!-- File integrity monitoring -->
- <syscheck>
- <disabled>no</disabled>
-
- <!-- Frequency that syscheck is executed default every 12 hours -->
- <frequency>43200</frequency>
-
- <scan_on_start>yes</scan_on_start>
- <!-- Directories to check (perform all possible verifications) -->
- <directories>/etc,/usr/bin,/usr/sbin</directories>
- <directories>/bin,/sbin,/boot</directories>
-
- <!-- Files/directories to ignore -->
- <ignore>/etc/mtab</ignore>
- <ignore>/etc/hosts.deny</ignore>
- <ignore>/etc/mail/statistics</ignore>
- <ignore>/etc/random-seed</ignore>
- <ignore>/etc/random.seed</ignore>
- <ignore>/etc/adjtime</ignore>
- <ignore>/etc/httpd/logs</ignore>
- <ignore>/etc/utmpx</ignore>
- <ignore>/etc/wtmpx</ignore>
- <ignore>/etc/cups/certs</ignore>
- <ignore>/etc/dumpdates</ignore>
- <ignore>/etc/svc/volatile</ignore>
- <!-- File types to ignore -->
- <ignore type="sregex">.log$|.swp$</ignore>
- <!-- Check the file, but never compute the diff -->
- <nodiff>/etc/ssl/private.key</nodiff>
- <skip_nfs>yes</skip_nfs>
- <skip_dev>yes</skip_dev>
- <skip_proc>yes</skip_proc>
- <skip_sys>yes</skip_sys>
-
- <!-- Nice value for Syscheck process -->
- <process_priority>10</process_priority>
-
- <!-- Maximum output throughput -->
- <max_eps>50</max_eps>
-
- <!-- Database synchronization settings -->
- <synchronization>
- <enabled>yes</enabled>
- <interval>5m</interval>
- <max_eps>10</max_eps>
- </synchronization>
- </syscheck>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/syslog</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/kern.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/auth.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/dpkg.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/ossec/logs/active-responses.log</location>
+ </localfile>
- <!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
-
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
-
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
- <!-- Active response -->
+
<active-response>
<disabled>no</disabled>
- <ca_store>etc/wpk_root.pem</ca_store>
+ <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>
-
- <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
- <logging>
- <log_format>plain</log_format>
- </logging>
-
-</ossec_config>
-
-<ossec_config>
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/ossec/logs/active-responses.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/dpkg.log</location>
- </localfile>
-
-</ossec_config>
+</ossec_config>
\ No newline at end of file
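Review bot: `<skip_dev>`, `<skip_proc>` and `<skip_sys>` are removed from `<syscheck>` and only partly replaced by `<ignore>` entries for `/dev/core`, `/sys/kernel/security`, `/sys/kernel/debug` and `^/proc`, which cover less of `/dev` and `/sys` than the three flags did; since the monitored `<directories>` are `/etc,/usr/bin,/usr/sbin` and `/bin,/sbin,/boot` the practical effect is small, but confirm the narrowing is intended or restore the flags next to the ignores. The same hunk lowers the rootcheck `<frequency>` from 43200 to 36000, drops the syscheck-level `<max_eps>50</max_eps>`, and adds `check_all="yes"` to both `<directories>` lines; these are behavioural changes worth a line in the module's changelog.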
Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 445c7b19281f1077d3ba050f652b7278114c449541af71b1ae6c27ffabb0aea3
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}445c7b19281f1077d3ba050f652b7278114c449541af71b1ae6c27ffabb0aea3' to '{sha256}b00a38e0f4a2cfd9a4f7a588227d3eb4aaca97e281de4dd8e4133a2d3dc5f45b'
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640'
Info: Concat[agent_ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]/returns: executed successfully
Info: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Unscheduling refresh on Service[wazuh-agent]
Notice: Applied catalog in 29.57 seconds
root@ip-172-31-46-110:~#
root@ip-172-31-32-137:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@ip-172-31-32-137:~# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from ip-172-31-45-133:8140 (172.31.45.133)
Notice: Catalog compiled by ip-172-31-45-133.ec2.internal
Info: Caching catalog for ip-172-31-32-137.ec2.internal
Info: Applying configuration version '1715872105'
Notice: /Stage[main]/Wazuh::Repo/Apt::Key[wazuh]/Package[gnupg]/ensure: created
Notice: /Stage[main]/Apt/File[preferences]/ensure: created
Info: /Stage[main]/Apt/File[preferences]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/ensure: defined content as '{sha256}2e6eb1f5f20262bfc6b7dfb26a302f00b4ab5fee803abd9e07ad8378cce067d5'
Info: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]/ensure: defined content as '{sha256}ec8cbfc030648abca503f423c2d8488776f7bba8c9ccd1fa1d213a9f8159fe4c'
Info: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Wazuh::Repo/Apt::Key[wazuh]/Apt_key[wazuh]/ensure: created
Info: Class[Apt::Update]: Scheduling refresh of Exec[apt_update]
Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered 'refresh' from 1 event
Notice: /Stage[main]/Wazuh::Agent/Package[wazuh-agent]/ensure: created
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf 2024-05-16 15:09:08.800462003 +0000
+++ /tmp/puppet-file20240516-2624-12zz2oz 2024-05-16 15:09:09.928479998 +0000
@@ -1,23 +1,22 @@
-<!--
- Wazuh - Agent - Default configuration for debian 10
- More info at: https://documentation.wazuh.com
- Mailing list: https://groups.google.com/forum/#!forum/wazuh
--->
-
<ossec_config>
<client>
- <server>
- <address>MANAGER_IP</address>
- <port>1514</port>
- <protocol>tcp</protocol>
- </server>
- <config-profile>debian, debian10</config-profile>
+ <server>
+ <address>172.31.45.133</address>
+ <protocol>tcp</protocol>
+ <port>1514</port>
+ <max_retries>5</max_retries>
+ <retry_interval>5</retry_interval>
+ </server>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
- <auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
+ <auto_restart>yes</auto_restart>
</client>
+ <logging>
+ <log_format>plain</log_format>
+ </logging>
+
<client_buffer>
<!-- Agent buffer options -->
<disabled>no</disabled>
@@ -25,8 +24,9 @@
<events_per_second>500</events_per_second>
</client_buffer>
- <!-- Policy monitoring -->
- <rootcheck>
+
+
+<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
@@ -35,175 +35,141 @@
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
-
- <!-- Frequency that rootcheck is executed - every 12 hours -->
- <frequency>43200</frequency>
-
- <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
-
+ <frequency>36000</frequency>
+ <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+ <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
- </rootcheck>
+</rootcheck>
- <wodle name="cis-cat">
+<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
+</wodle>
+<wodle name="cis-cat">
+ <disabled>yes</disabled>
+ <timeout>1800</timeout>
+ <interval>1d</interval>
+ <scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
- </wodle>
+</wodle>
- <!-- Osquery integration -->
- <wodle name="osquery">
+
+<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
+ <bin_path>/usr/bin/osqueryd</bin_path>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
- </wodle>
+</wodle>
- <!-- System inventory -->
- <wodle name="syscollector">
- <disabled>no</disabled>
- <interval>1h</interval>
- <scan_on_start>yes</scan_on_start>
- <hardware>yes</hardware>
- <os>yes</os>
- <network>yes</network>
- <packages>yes</packages>
- <ports all="no">yes</ports>
- <processes>yes</processes>
-
- <!-- Database synchronization settings -->
- <synchronization>
- <max_eps>10</max_eps>
- </synchronization>
- </wodle>
+
+<wodle name="syscollector">
+ <disabled>no</disabled>
+ <interval>1h</interval>
+ <scan_on_start>yes</scan_on_start>
+ <hardware>yes</hardware>
+ <os>yes</os>
+ <network>yes</network>
+ <packages>yes</packages>
+ <ports all="no">yes</ports>
+ <processes>yes</processes>
+</wodle>
- <sca>
+<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
+
</sca>
+
+
+<syscheck>
+ <disabled>no</disabled>
+ <frequency>43200</frequency>
+ <scan_on_start>yes</scan_on_start>
+ <process_priority>10</process_priority>
+ <synchronization>
+ <enabled>yes</enabled>
+ <interval>5m</interval>
+ <max_interval>1h</max_interval>
+ <max_eps>10</max_eps>
+ </synchronization>
+
+ <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+ <directories check_all="yes" >/bin,/sbin,/boot</directories>
+ <ignore>/etc/mtab</ignore>
+ <ignore>/etc/hosts.deny</ignore>
+ <ignore>/etc/mail/statistics</ignore>
+ <ignore>/etc/random-seed</ignore>
+ <ignore>/etc/random.seed</ignore>
+ <ignore>/etc/adjtime</ignore>
+ <ignore>/etc/httpd/logs</ignore>
+ <ignore>/etc/utmpx</ignore>
+ <ignore>/etc/wtmpx</ignore>
+ <ignore>/etc/cups/certs</ignore>
+ <ignore>/etc/dumpdates</ignore>
+ <ignore>/etc/svc/volatile</ignore>
+ <ignore>/sys/kernel/security</ignore>
+ <ignore>/sys/kernel/debug</ignore>
+ <ignore>/dev/core</ignore>
+ <ignore type="sregex">^/proc</ignore>
+ <ignore type="sregex">.log$|.swp$</ignore>
+ <nodiff>/etc/ssl/private.key</nodiff>
+ <skip_nfs>yes</skip_nfs>
+</syscheck>
- <!-- File integrity monitoring -->
- <syscheck>
- <disabled>no</disabled>
-
- <!-- Frequency that syscheck is executed default every 12 hours -->
- <frequency>43200</frequency>
-
- <scan_on_start>yes</scan_on_start>
- <!-- Directories to check (perform all possible verifications) -->
- <directories>/etc,/usr/bin,/usr/sbin</directories>
- <directories>/bin,/sbin,/boot</directories>
-
- <!-- Files/directories to ignore -->
- <ignore>/etc/mtab</ignore>
- <ignore>/etc/hosts.deny</ignore>
- <ignore>/etc/mail/statistics</ignore>
- <ignore>/etc/random-seed</ignore>
- <ignore>/etc/random.seed</ignore>
- <ignore>/etc/adjtime</ignore>
- <ignore>/etc/httpd/logs</ignore>
- <ignore>/etc/utmpx</ignore>
- <ignore>/etc/wtmpx</ignore>
- <ignore>/etc/cups/certs</ignore>
- <ignore>/etc/dumpdates</ignore>
- <ignore>/etc/svc/volatile</ignore>
- <!-- File types to ignore -->
- <ignore type="sregex">.log$|.swp$</ignore>
- <!-- Check the file, but never compute the diff -->
- <nodiff>/etc/ssl/private.key</nodiff>
- <skip_nfs>yes</skip_nfs>
- <skip_dev>yes</skip_dev>
- <skip_proc>yes</skip_proc>
- <skip_sys>yes</skip_sys>
-
- <!-- Nice value for Syscheck process -->
- <process_priority>10</process_priority>
-
- <!-- Maximum output throughput -->
- <max_eps>50</max_eps>
-
- <!-- Database synchronization settings -->
- <synchronization>
- <enabled>yes</enabled>
- <interval>5m</interval>
- <max_eps>10</max_eps>
- </synchronization>
- </syscheck>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/syslog</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/kern.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/auth.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/dpkg.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/ossec/logs/active-responses.log</location>
+ </localfile>
- <!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
-
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
-
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
- <!-- Active response -->
+
<active-response>
<disabled>no</disabled>
- <ca_store>etc/wpk_root.pem</ca_store>
+ <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>
-
- <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
- <logging>
- <log_format>plain</log_format>
- </logging>
-
-</ossec_config>
-
-<ossec_config>
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/ossec/logs/active-responses.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/messages</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/auth.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/syslog</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/dpkg.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/kern.log</location>
- </localfile>
-
-</ossec_config>
+</ossec_config>
\ No newline at end of file
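Review bot: the replacement `<localfile>` set drops `/var/log/messages`, which the removed second `<ossec_config>` block on this Debian 10 host was collecting, so anything still logging there goes unmonitored after this run; either keep that entry or state in the module docs that only syslog, kern.log, auth.log, dpkg.log and active-responses.log are collected. The removal of `skip_dev`/`skip_proc`/`skip_sys`, the rootcheck `<frequency>` change to 36000 and the dropped syscheck `<max_eps>50</max_eps>` in this hunk are the same as on the Debian 12 host and need the same confirmation.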
Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 09b39ab8cc3f0d18f979fef1385f507d6d6ab5e5825f596c3ccbf559f03bd062
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}09b39ab8cc3f0d18f979fef1385f507d6d6ab5e5825f596c3ccbf559f03bd062' to '{sha256}b00a38e0f4a2cfd9a4f7a588227d3eb4aaca97e281de4dd8e4133a2d3dc5f45b'
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640'
Info: Concat[agent_ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]/returns: executed successfully
Info: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Unscheduling refresh on Service[wazuh-agent]
Notice: Applied catalog in 49.10 seconds
root@ip-172-31-32-137:~#
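The failing run quoted above shows the agent enrolling as `ip-172-31-46-110.` (with a trailing dot) and every `/puppet/v3/...` request for that name refused with 403, while the fix pins an explicit `certname`. The following script is an added example, not code from the issue or from the Puppet or Wazuh projects: it lints a puppet.conf for the settings the fix relies on and pulls the refused endpoints out of a `puppet agent -t` transcript. The config text and log excerpt are constructed from the issue, and the hostname-label rule is an assumption of the script.

```python
"""Lint puppet.conf and a `puppet agent -t` transcript for the issue's 403 pattern."""
import configparser
import re
from dataclasses import dataclass

# Constructed copy of the Debian 12 puppet.conf the issue ended up with.
PUPPET_CONF_FIXED = """
[main]
server = ip-172-31-45-133
certname = debian12.internal
[agent]
server = ip-172-31-45-133
ca_server = ip-172-31-45-133
"""

# Constructed excerpt of the failing run quoted in the issue.
FAILED_RUN = """\
Info: Downloaded certificate for ip-172-31-46-110. from https://ip-172-31-45-133:8140/puppet-ca/v1
Warning: Error 403 on SERVER: Forbidden request: /puppet/v3/node/ip-172-31-46-110. (method :get). Please see the server logs for details.
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: /puppet/v3/catalog/ip-172-31-46-110. (method :post). Please see the server logs for details.
Error: Could not send report: Error 403 on SERVER: Forbidden request: /puppet/v3/report/ip-172-31-46-110. (method :put). Please see the server logs for details.
"""

# Hostname label rule assumed here: [a-z0-9-], 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
_CERT_LINE = re.compile(r"Downloaded certificate for (\S+) from ")
_FORBIDDEN = re.compile(
    r"Error 403 on SERVER: Forbidden request: /puppet/v3/(?P<endpoint>[a-z_]+)/"
    r"(?P<name>[^ ]+) \(method :(?P<method>[a-z]+)\)"
)


@dataclass
class Forbidden:
    endpoint: str  # node, catalog, report
    name: str      # node name taken from the refused URL path
    method: str    # get, post, put


def lint_certname(name: str) -> list[str]:
    """Puppet requires a lowercase certname; a trailing dot (an FQDN copied from
    DNS, as in the failing run) and malformed labels are flagged as well."""
    problems = []
    if name != name.lower():
        problems.append("certname is not lowercase")
    if name.endswith("."):
        problems.append("certname ends with a trailing dot")
    for label in name.rstrip(".").split("."):
        if not _LABEL.match(label.lower()):
            problems.append(f"label {label!r} is not a valid hostname label")
    return problems


def check_puppet_conf(text: str) -> dict:
    """Resolve server, ca_server and certname the way the agent does:
    [agent] overrides [main], and ca_server defaults to server."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)

    def setting(key: str):
        for section in ("agent", "main"):
            if cp.has_option(section, key):
                return cp.get(section, key).strip()
        return None

    server, certname = setting("server"), setting("certname")
    warnings = []
    if server is None:
        warnings.append("no server set; the agent falls back to the name 'puppet'")
    if certname is None:
        warnings.append("no explicit certname; Puppet derives it from the host's FQDN")
    else:
        warnings.extend(lint_certname(certname))
    return {"server": server, "ca_server": setting("ca_server") or server,
            "certname": certname, "warnings": warnings}


def parse_forbidden(log: str) -> list[Forbidden]:
    """Pull every 403 Forbidden endpoint out of an agent transcript."""
    matches = (_FORBIDDEN.search(line) for line in log.splitlines())
    return [Forbidden(m["endpoint"], m["name"], m["method"]) for m in matches if m]


def diagnose(log: str) -> list[str]:
    """Relate the certificate name the agent downloaded to the node names the
    server refused, and lint that name."""
    cert = _CERT_LINE.search(log)
    cert_name = cert.group(1) if cert else None
    notes = []
    for f in parse_forbidden(log):
        note = f"403 on {f.endpoint} for {f.name!r} via {f.method.upper()}"
        if cert_name and f.name != cert_name:
            note += f" (does not match downloaded certificate {cert_name!r})"
        notes.append(note)
    for problem in (lint_certname(cert_name) if cert_name else []):
        notes.append(f"certificate name {cert_name!r}: {problem}")
    return notes
```

Running `diagnose(FAILED_RUN)` lists the three refused endpoints (node, catalog, report) and flags the trailing dot on the downloaded certificate name; `check_puppet_conf(PUPPET_CONF_FIXED)` returns no warnings.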
I performed a test installation of a Puppet agent on Debian 12 on Vagrant and had no problems; apparently the errors originated from EC2 deployment problems and not from the operating system itself:
root@server:~# cat /etc/puppetlabs/puppet/puppet.conf
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[main]
server = ip-172-31-34-117
root@server:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@server:~# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from ip-172-31-34-117:8140 (100.24.69.245)
Notice: Catalog compiled by ip-172-31-34-117.ec2.internal
Info: Caching catalog for server
Info: Applying configuration version '1715949365'
Notice: /Stage[main]/Wazuh::Repo/Apt::Key[wazuh]/Apt_key[wazuh]/ensure: created
Notice: /Stage[main]/Apt/File[preferences]/ensure: created
Info: /Stage[main]/Apt/File[preferences]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/ensure: defined content as '{sha256}2e6eb1f5f20262bfc6b7dfb26a302f00b4ab5fee803abd9e07ad8378cce067d5'
Info: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]/ensure: defined content as '{sha256}ec8cbfc030648abca503f423c2d8488776f7bba8c9ccd1fa1d213a9f8159fe4c'
Info: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]: Scheduling refresh of Class[Apt::Update]
Info: Class[Apt::Update]: Scheduling refresh of Exec[apt_update]
Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered 'refresh' from 1 event
Notice: /Stage[main]/Wazuh::Agent/Package[wazuh-agent]/ensure: created
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf 2024-05-17 12:36:26.199493952 +0000
+++ /tmp/puppet-file20240517-3309-19qvg1q 2024-05-17 12:36:27.220003942 +0000
@@ -1,23 +1,22 @@
-<!--
- Wazuh - Agent - Default configuration for debian 12
- More info at: https://documentation.wazuh.com
- Mailing list: https://groups.google.com/forum/#!forum/wazuh
--->
-
<ossec_config>
<client>
- <server>
- <address>MANAGER_IP</address>
- <port>1514</port>
- <protocol>tcp</protocol>
- </server>
- <config-profile>debian, debian12</config-profile>
+ <server>
+ <address>100.24.69.245</address>
+ <protocol>tcp</protocol>
+ <port>1514</port>
+ <max_retries>5</max_retries>
+ <retry_interval>5</retry_interval>
+ </server>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
- <auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
+ <auto_restart>yes</auto_restart>
</client>
+ <logging>
+ <log_format>plain</log_format>
+ </logging>
+
<client_buffer>
<!-- Agent buffer options -->
<disabled>no</disabled>
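Review bot: the manager address rendered into `<address>` here is 100.24.69.245, the public address the catalog request above also resolved to, rather than a VPC-internal one as in the earlier runs; agent traffic on 1514/tcp and the `agent-auth-linux` enrolment therefore reach the manager over its public side, so the security group in front of the manager should limit those ports to the agent's source addresses, and the module docs should say which manager address (internal or public) is expected in this setting.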
@@ -25,8 +24,9 @@
<events_per_second>500</events_per_second>
</client_buffer>
- <!-- Policy monitoring -->
- <rootcheck>
+
+
+<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
@@ -35,155 +35,141 @@
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
-
- <!-- Frequency that rootcheck is executed - every 12 hours -->
- <frequency>43200</frequency>
-
- <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
- <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
-
+ <frequency>36000</frequency>
+ <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+ <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
- </rootcheck>
+</rootcheck>
- <wodle name="cis-cat">
+<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
+</wodle>
+<wodle name="cis-cat">
+ <disabled>yes</disabled>
+ <timeout>1800</timeout>
+ <interval>1d</interval>
+ <scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
- </wodle>
+</wodle>
- <!-- Osquery integration -->
- <wodle name="osquery">
+
+<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
+ <bin_path>/usr/bin/osqueryd</bin_path>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
- </wodle>
+</wodle>
- <!-- System inventory -->
- <wodle name="syscollector">
- <disabled>no</disabled>
- <interval>1h</interval>
- <scan_on_start>yes</scan_on_start>
- <hardware>yes</hardware>
- <os>yes</os>
- <network>yes</network>
- <packages>yes</packages>
- <ports all="no">yes</ports>
- <processes>yes</processes>
-
- <!-- Database synchronization settings -->
- <synchronization>
- <max_eps>10</max_eps>
- </synchronization>
- </wodle>
+
+<wodle name="syscollector">
+ <disabled>no</disabled>
+ <interval>1h</interval>
+ <scan_on_start>yes</scan_on_start>
+ <hardware>yes</hardware>
+ <os>yes</os>
+ <network>yes</network>
+ <packages>yes</packages>
+ <ports all="no">yes</ports>
+ <processes>yes</processes>
+</wodle>
- <sca>
+<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
+
</sca>
+
+
+<syscheck>
+ <disabled>no</disabled>
+ <frequency>43200</frequency>
+ <scan_on_start>yes</scan_on_start>
+ <process_priority>10</process_priority>
+ <synchronization>
+ <enabled>yes</enabled>
+ <interval>5m</interval>
+ <max_interval>1h</max_interval>
+ <max_eps>10</max_eps>
+ </synchronization>
+
+ <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+ <directories check_all="yes" >/bin,/sbin,/boot</directories>
+ <ignore>/etc/mtab</ignore>
+ <ignore>/etc/hosts.deny</ignore>
+ <ignore>/etc/mail/statistics</ignore>
+ <ignore>/etc/random-seed</ignore>
+ <ignore>/etc/random.seed</ignore>
+ <ignore>/etc/adjtime</ignore>
+ <ignore>/etc/httpd/logs</ignore>
+ <ignore>/etc/utmpx</ignore>
+ <ignore>/etc/wtmpx</ignore>
+ <ignore>/etc/cups/certs</ignore>
+ <ignore>/etc/dumpdates</ignore>
+ <ignore>/etc/svc/volatile</ignore>
+ <ignore>/sys/kernel/security</ignore>
+ <ignore>/sys/kernel/debug</ignore>
+ <ignore>/dev/core</ignore>
+ <ignore type="sregex">^/proc</ignore>
+ <ignore type="sregex">.log$|.swp$</ignore>
+ <nodiff>/etc/ssl/private.key</nodiff>
+ <skip_nfs>yes</skip_nfs>
+</syscheck>
- <!-- File integrity monitoring -->
- <syscheck>
- <disabled>no</disabled>
-
- <!-- Frequency that syscheck is executed default every 12 hours -->
- <frequency>43200</frequency>
-
- <scan_on_start>yes</scan_on_start>
- <!-- Directories to check (perform all possible verifications) -->
- <directories>/etc,/usr/bin,/usr/sbin</directories>
- <directories>/bin,/sbin,/boot</directories>
-
- <!-- Files/directories to ignore -->
- <ignore>/etc/mtab</ignore>
- <ignore>/etc/hosts.deny</ignore>
- <ignore>/etc/mail/statistics</ignore>
- <ignore>/etc/random-seed</ignore>
- <ignore>/etc/random.seed</ignore>
- <ignore>/etc/adjtime</ignore>
- <ignore>/etc/httpd/logs</ignore>
- <ignore>/etc/utmpx</ignore>
- <ignore>/etc/wtmpx</ignore>
- <ignore>/etc/cups/certs</ignore>
- <ignore>/etc/dumpdates</ignore>
- <ignore>/etc/svc/volatile</ignore>
- <!-- File types to ignore -->
- <ignore type="sregex">.log$|.swp$</ignore>
- <!-- Check the file, but never compute the diff -->
- <nodiff>/etc/ssl/private.key</nodiff>
- <skip_nfs>yes</skip_nfs>
- <skip_dev>yes</skip_dev>
- <skip_proc>yes</skip_proc>
- <skip_sys>yes</skip_sys>
-
- <!-- Nice value for Syscheck process -->
- <process_priority>10</process_priority>
-
- <!-- Maximum output throughput -->
- <max_eps>50</max_eps>
-
- <!-- Database synchronization settings -->
- <synchronization>
- <enabled>yes</enabled>
- <interval>5m</interval>
- <max_eps>10</max_eps>
- </synchronization>
- </syscheck>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/syslog</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/kern.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/auth.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/dpkg.log</location>
+ </localfile>
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/ossec/logs/active-responses.log</location>
+ </localfile>
- <!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
-
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
-
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
- <!-- Active response -->
+
<active-response>
<disabled>no</disabled>
- <ca_store>etc/wpk_root.pem</ca_store>
+ <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>
-
- <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
- <logging>
- <log_format>plain</log_format>
- </logging>
-
-</ossec_config>
-
-<ossec_config>
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/ossec/logs/active-responses.log</location>
- </localfile>
-
- <localfile>
- <log_format>syslog</log_format>
- <location>/var/log/dpkg.log</location>
- </localfile>
-
-</ossec_config>
+</ossec_config>
\ No newline at end of file
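Review bot: the regenerated `<syscheck>` block silently loses settings that were present in the old file: `<skip_dev>`, `<skip_proc>` and `<skip_sys>` are gone, as is the syscheck-level `<max_eps>50</max_eps>`, with fixed `<ignore>` entries for `^/proc`, `/sys/kernel/security`, `/sys/kernel/debug` and `/dev/core` standing in for the skip directives. Because the monitored `<directories>` are only `/etc,/usr/bin,/usr/sbin` and `/bin,/sbin,/boot`, this does not change what is scanned here, but it should be confirmed as intentional before the Debian 12 result is documented, along with the dropped `<logging>` block, the two `<ossec_config>` sections collapsed into one, and the missing trailing newline reported by `\ No newline at end of file`. The stray space in `<directories check_all="yes" >` is valid XML and only cosmetic.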
Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 445c7b19281f1077d3ba050f652b7278114c449541af71b1ae6c27ffabb0aea3
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{sha256}445c7b19281f1077d3ba050f652b7278114c449541af71b1ae6c27ffabb0aea3' to '{sha256}c16d6b558f040b0a994be3905b63587bcec4a9dee7f5fa69298be196e1d85fa8'
Notice: /Stage[main]/Wazuh::Agent/Concat[agent_ossec.conf]/File[/var/ossec/etc/ossec.conf]/mode: mode changed '0660' to '0640'
Info: Concat[agent_ossec.conf]: Scheduling refresh of Service[wazuh-agent] '
Notice: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]/returns: executed successfully
Info: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: Scheduling refresh of Service[wazuh-agent]
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running'
Info: /Service[wazuh-agent]: Unscheduling refresh on Service[wazuh-agent]
Notice: Applied catalog in 27.91 seconds
root@server:~#
Change in documentation
Description
It would be necessary to expand the Debian systems on which the Wazuh Puppet deployment (agent) can be performed. Currently, we support up to Debian Stretch (Debian 9), while the most recent version of Debian is Debian Bookworm (Debian 12).
https://documentation.wazuh.com/current/deployment-options/deploying-with-puppet/setup-puppet/install-puppet-agent.html#installation-on-debian-ubuntu
Tasks