Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix for Puppet installation on Amazon Linux OS #197

Merged
merged 4 commits into from
Jan 14, 2020
Merged

Fix for Puppet installation on Amazon Linux OS #197

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1135805
Add condition to check if open-scap is defined
rshad Jan 9, 2020
5fef8be
Change os:family check to operating system check
rshad Jan 9, 2020
cfed5f3
Change rhel os and os-family name "letter case"
rshad Jan 10, 2020
b1a706f
Add kernel check for Windows agent case
rshad Jan 13, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 21 additions & 30 deletions manifests/agent.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,37 +244,28 @@
}

## ossec.conf generation concats
case $::kernel {
'Linux': {
case $::osfamily {
'Redhat', 'redhat', 'OracleLinux': {
$apply_template_os = 'rhel'
if ( $::operatingsystemrelease =~ /^7.*/ ) {
$rhel_version = '7'
} elsif ( $::operatingsystemrelease =~ /^6.*/ ) {
$rhel_version = '6'
} elsif ( $::operatingsystemrelease =~ /^5.*/ ) {
$rhel_version = '5'
} else {
fail('This ossec module has not been tested on your distribution')
}
}
'Debian', 'debian', 'Ubuntu', 'ubuntu': {
$apply_template_os = 'debian'
if ( $::lsbdistcodename == 'wheezy') or ($::lsbdistcodename == 'jessie') {
$debian_additional_templates = 'yes'
}
}
'Amazon': {
$apply_template_os = 'amazon'
}
'CentOS', 'Centos', 'centos': {
$apply_template_os = 'centos'
}
default: { fail('This ossec module has not been tested on your distribution') }
case $::operatingsystem{
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer the case $::kernel { block, we use it multiple times in the file instead of just filtering by operatingssystem which raises few questions like:

  • All Windows do have the same operatingsystem? (Windows server, Windows 10, etc...)
  • Is windows and not Windows the proper operatingsystem?

Please review best practices and or other common manifests examples and let me know your conclusions and required changes.

Thanks!

Copy link
Contributor Author

@rshad rshad Jan 13, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jm404

I agree with you; Dealing with Windows case by only checking the operating system could produce errors.

To solve such an issue, I added a higher layer of a conditional statement check, which checks the Kernel first, if It's Linux, then it proceeds to run the operating system case condition. If it's Windows then it's directly select the corresponding config.

Find the changes in b1a706f.

Kr,

Rshad

'Redhat', 'redhat', 'OracleLinux':{
Copy link

@jm404 jm404 Jan 9, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check if redhat does actually exist in Puppet as a possible::operatingsystem. I suspect it may not be neccessary anymore. If doesn't exist please remove it in the Manager also

Copy link
Contributor Author

@rshad rshad Jan 9, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jm404 !

After starting a RHEL7 virtual machine and install Puppet on it, when checking Puppet facts we get:

[root@rhel ~]# puppet facts find operatingsystem
{"name":"operatingsystem","values":{" ...

"dhcp_servers":"{
     \"system\"eratingsystem":"RedHat",

"os":"{\"name\"=>\"RedHat\", 
     \"family\"=>\"RedHat\",
     \"release\"=>{\"major\"=>\"7\", .... 

Corporation","boardproductname":"VirtualBox","boardserialnumbe[root@rhel ~]#

As you can see the operating system is called RedHat, so the case check would not match it:

case $::operatingsystem{
    'Redhat', 'redhat', 'OracleLinux':{

kr,

Rshad

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The puppet facts output seems to be truncated and bad formatted. Please paste the ::operatingsystem section without truncating it.

I assume that "dhcp_servers":"{ \"system\"eratingsystem":"RedHat", refers to the operating system, which in that case, would be RedHat.

So in our manifests we have:

case $::operatingsystem{
    'Redhat', 'redhat', 'OracleLinux':{

So, neither Redhat nor redhat will match it, please review it and test the installation on a RedHat host after fixing it.

Best regards,

Jose

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jm404 !

After the changes made in cfed5f3, I tested the instsallation of a wazuh-manager and a wazuh-agent in RHEL operating system and both installations were done successfully.

My test Operating System characteristics:

[root@rhel ~]# cat /etc/os-release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.7"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.7 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.7:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.7
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.7"
[root@rhel ~]#

Puppet Facts (puppet 6.11.1)

{
  architecture => "x86_64",
  family => "RedHat",
  hardware => "x86_64",
  name => "RedHat",
  release => {
    full => "7.7",
    major => "7",
    minor => "7"
  },
  selinux => {
    config_mode => "enforcing",
    config_policy => "targeted",
    current_mode => "enforcing",
    enabled => true,
    enforced => true,
    policy_version => "31"
  }
}

Kr,

Rshad

$apply_template_os = 'rhel'
if ( $::operatingsystemrelease =~ /^7.*/ ){
$rhel_version = '7'
}elsif ( $::operatingsystemrelease =~ /^6.*/ ){
$rhel_version = '6'
}elsif ( $::operatingsystemrelease =~ /^5.*/ ){
$rhel_version = '5'
}else{
fail('This ossec module has not been tested on your distribution')
}
}
'windows': {
}'Debian', 'debian', 'Ubuntu', 'ubuntu':{
$apply_template_os = 'debian'
if ( $::lsbdistcodename == 'wheezy') or ($::lsbdistcodename == 'jessie'){
$debian_additional_templates = 'yes'
}
}'Amazon':{
$apply_template_os = 'amazon'
}'CentOS','Centos','centos':{
$apply_template_os = 'centos'
}'windows': {
$apply_template_os = 'windows'
}
default: { fail('OS not supported') }
Expand Down
2 changes: 2 additions & 0 deletions templates/fragments/_wodle_openscap.erb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
<scan-on-start><%= @wodle_openscap_scan_on_start %></scan-on-start>
<%- end -%>

<%- if not @wodle_openscap_content.nil? -%>
<%- @wodle_openscap_content.each do |path, value| -%>
<content type="<%= value['type'] %>" path="<%= path %>">
<%- if value['profiles'] then -%>
Expand All @@ -22,6 +23,7 @@
<%- end -%>
</content>
<%- end -%>
%- end -%>
</wodle>