Unverified Commit 3d823600 authored by Xorima's avatar Xorima Committed by GitHub

Merge branch 'master' into authd_update

parents 2950144f ef7bd8d7
version: 2.1
orbs:
kitchen: sous-chefs/kitchen@1.0.0
workflows:
kitchen:
jobs:
- kitchen/danger:
name: danger
context: Danger
- kitchen/lint:
name: lint
* sous-chefs/ossec
......@@ -14,14 +14,6 @@ verifier:
name: inspec
platforms:
- name: debian-7
driver:
image: debian:7
pid_one_command: /sbin/init
intermediate_instructions:
- RUN /usr/bin/apt-get update
- RUN /usr/bin/apt-get install apt-transport-https lsb-release procps net-tools -y
- name: debian-8
driver:
image: debian:8
......
......@@ -10,13 +10,11 @@ verifier:
name: inspec
platforms:
- name: centos-6.9
- name: centos-7.3
- name: debian-7.11
- name: centos-6
- name: centos-7
- name: debian-8
run_list: apt::default
- name: debian-8.7
run_list: apt::default
- name: fedora-25
- name: fedora-28
- name: ubuntu-14.04
run_list: apt::default
- name: ubuntu-16.04
......
AllCops:
Exclude:
- 'Dangerfile'
sudo: required
dist: trusty
addons:
apt:
sources:
- chef-current-trusty
packages:
- chefdk
# Don't `bundle install` which takes about 1.5 mins
install: echo "skip bundle install"
branches:
only:
- master
services: docker
env:
matrix:
- INSTANCE=client-ubuntu-1404
- INSTANCE=client-ubuntu-1604
- INSTANCE=client-ubuntu-1804
- INSTANCE=client-centos-6
- INSTANCE=client-centos-7
- INSTANCE=client-debian-7
- INSTANCE=client-debian-8
before_script:
- sudo iptables -L DOCKER || ( echo "DOCKER iptables chain missing" ; sudo iptables -N DOCKER )
- eval "$(/opt/chefdk/bin/chef shell-init bash)"
- /opt/chefdk/embedded/bin/chef --version
- /opt/chefdk/embedded/bin/cookstyle --version
- /opt/chefdk/embedded/bin/foodcritic --version
script: KITCHEN_LOCAL_YAML=.kitchen.dokken.yml /opt/chefdk/embedded/bin/kitchen verify ${INSTANCE}
matrix:
include:
- script:
- /opt/chefdk/bin/chef exec delivery local all
env: UNIT_AND_LINT=1
# v1.0.5
# OSSEC Cookbook CHANGELOG
## Bug
## v1.1.0 (13-08-2018)
- README Updates:
* Fix broken links
* Add reference to Wazzuh
- General updates to cookbook
* Remove EOL distros
* Update for current supported Chef version (13)
## v1.0.5
### Bug
- Avoid node.save to prevent incomplete attribute collections
- `dist-ossec-keys.sh` should be sorted for idempotency
## Improvement
### Improvement
- Ability to disable ossec configuration template
- Support for encrypted databags
- Support for environment-scoped searches
- Support for multiple email_to addresses
# v1.0.4
## v1.0.4
## Bug
### Bug
- [COOK-2740]: Use FQDN for a client name
## Improvement
### Improvement
- [COOK-2739]: Upgrade OSSEC to version 2.7
# v1.0.2:
## v1.0.2:
- [COOK-1394] - update ossec to version 2.6
# v1.0.0:
## v1.0.0:
- Initial/current release
# Reference: http://danger.systems/reference.html
# A pull request summary is required. Add a description of the pull request purpose.
# Changelog must be updated for each pull request that changes code.
# Warnings will be issued for:
# Pull request with more than 400 lines of code changed
# Pull reqest that change more than 5 lines without test changes
# Failures will be issued for:
# Pull request without summary
# Pull requests with code changes without changelog entry
def code_changes?
code = %w(libraries attributes recipes resources files templates)
code.each do |location|
return true unless git.modified_files.grep(/#{location}/).empty?
end
false
end
def test_changes?
tests = %w(spec test .kitchen.yml .kitchen.dokken.yml)
tests.each do |location|
return true unless git.modified_files.grep(/#{location}/).empty?
end
false
end
fail 'Please provide a summary of your Pull Request.' if github.pr_body.length < 10
warn 'This is a big Pull Request.' if git.lines_of_code > 400
# Require a CHANGELOG entry for non-test changes.
if !git.modified_files.include?('CHANGELOG.md') && code_changes?
fail 'Please include a CHANGELOG entry.'
end
# A sanity check for tests.
if git.lines_of_code > 5 && code_changes? && !test_changes?
warn 'This Pull Request is probably missing tests.'
end
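Review bot: `code_changes?` and `test_changes?` inspect only `git.modified_files`, so a pull request that only adds new files under `recipes/` or `libraries/` would skip both the CHANGELOG failure and the missing-tests warning, assuming Danger lists new files separately in `git.added_files`. The pattern `/#{location}/` is also an unanchored substring match with unescaped dots, so a path such as `docs/latest.md` counts as a test change because it contains `test`. Consider building `changed = git.modified_files + git.added_files` once and matching with `changed.grep(%r{\A#{Regexp.escape(location)}(/|\z)})`. The two helpers differ only in their directory list, so a single helper that takes the list would remove the duplication.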
# ossec cookbook
[![Cookbook Version](https://img.shields.io/cookbook/v/ossec.svg)](https://supermarket.chef.io/cookbooks/ossec) [![Build Status](https://travis-ci.org/sous-chefs/ossec.svg?branch=master)](https://travis-ci.org/sous-chefs/ossec)
[![Cookbook Version](https://img.shields.io/cookbook/v/ossec.svg)](https://supermarket.chef.io/cookbooks/ossec)
[![Build Status](https://img.shields.io/circleci/project/github/sous-chefs/ossec/master.svg)](https://circleci.com/gh/sous-chefs/ossec)
[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
Installs OSSEC from source in a server-agent installation. See:
<http://www.ossec.net/doc/manual/installation/index.html>
[http://www.ossec.net/docs/manual/installation/index.html](http://www.ossec.net/docs/manual/installation/index.html)
For managing Wazuh, consider using the Wazuh Chef Cookbook here: https://github.com/wazuh/wazuh-chef
For managing Wazuh, consider using the Wazuh Chef Cookbook here: [https://github.com/wazuh/wazuh-chef](https://github.com/wazuh/wazuh-chef)
## Requirements
......@@ -45,7 +49,7 @@ Chef applies attributes from all attribute files regardless of which recipes wer
`ossec.conf` makes little use of XML attributes so you can generally construct nested hashes in the usual fashion. Where an attribute is required, you can do it like this:
```
```ruby
default['ossec']['conf']['all']['syscheck']['directories'] = [
{ '@check_all' => true, 'content!' => '/bin,/sbin' },
'/etc,/usr/bin,/usr/sbin'
......@@ -139,7 +143,7 @@ Sets up a system to be an OSSEC server. This recipe will search for all nodes th
To manage additional agents on the server that don't run chef, or for agentless OSSEC configuration (for example, routers), add a new node for them and create the `node['ossec']['agentless']` attribute as true. For example if we have a router named gw01.example.com with the IP `192.168.100.1`:
```
```shell
% knife node create gw01.example.com
{
"name": "gw01.example.com",
......@@ -164,7 +168,7 @@ To manage additional agents on the server that don't run chef, or for agentless
}
```
Enable agentless monitoring in OSSEC and register the hosts on the server. Automated configuration of agentless nodes is not yet supported by this cookbook. For more information on the commands and configuration directives required in `ossec.conf`, see the [OSSEC Documentation](http://www.ossec.net/doc/manual/agent/agentless-monitoring.html)
Enable agentless monitoring in OSSEC and register the hosts on the server. Automated configuration of agentless nodes is not yet supported by this cookbook. For more information on the commands and configuration directives required in `ossec.conf`, see the [OSSEC Documentation](http://www.ossec.net/docs/manual/agent/agentless-monitoring.html)
### agent_auth
......@@ -190,7 +194,7 @@ This section describes how to use the cookbook for server/agent configurations.
The server will use SSH to distribute the OSSEC agent keys. Create a data bag `ossec`, with an item `ssh`. It should have the following structure:
```
```shell
{
"id": "ssh",
"pubkey": "",
......@@ -200,7 +204,7 @@ The server will use SSH to distribute the OSSEC agent keys. Create a data bag `o
Generate an ssh keypair and get the privkey and pubkey values. The output of the two ruby commands should be used as the privkey and pubkey values respectively in the data bag.
```
```shell
ssh-keygen -t rsa -f /tmp/id_rsa
ruby -e 'puts IO.read("/tmp/id_rsa")'
ruby -e 'puts IO.read("/tmp/id_rsa.pub")'
......@@ -208,7 +212,7 @@ ruby -e 'puts IO.read("/tmp/id_rsa.pub")'
For the OSSEC server, create a role, `ossec_server`. Add attributes per above as needed to customize the installation.
```
```shell
% cat roles/ossec_server.rb
name "ossec_server"
description "OSSEC Server"
......@@ -229,7 +233,7 @@ override_attributes(
For OSSEC agents, create a role, `ossec_client`.
```
```shell
% cat roles/ossec_client.rb
name "ossec_client"
description "OSSEC Client Agents"
......@@ -253,22 +257,29 @@ The main configuration file is maintained by Chef as a template, `ossec.conf.erb
Further reading:
- [OSSEC Documentation](http://www.ossec.net/doc/index.html)
- [OSSEC Documentation](http://www.ossec.net/docs/index.html)
## License and Author
## Contributors
Copyright 2010-2017, Chef Software, Inc ([legal@chef.io](mailto:legal@chef.io))
This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
```
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
### Backers
http://www.apache.org/licenses/LICENSE-2.0
Thank you to all our backers!
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```
![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
### Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)
......@@ -4,9 +4,9 @@ maintainer_email 'help@sous-chefs.org'
license 'Apache-2.0'
description 'Installs and configures ossec'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '1.0.5'
version '1.1.0'
chef_version '>= 13.0'
depends 'compat_resource', '>= 12.14.6'
depends 'yum-atomic'
%w( debian ubuntu redhat centos fedora scientific oracle amazon ).each do |os|
......@@ -15,4 +15,3 @@ end
source_url 'https://github.com/sous-chefs/ossec'
issues_url 'https://github.com/sous-chefs/ossec'
chef_version '>= 12.5' if respond_to?(:chef_version)
describe service('ossec') do
it { should be_enabled }
service_name = case os[:family]
when 'ubuntu', 'debian'
'ossec'
else
'ossec-hids'
end
describe service(service_name) do
it { should be_installed }
end
describe package('ossec-hids-agent') do
it { should be_installed }
end
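Review bot: The agent test's `describe service(service_name)` block asserts only `be_installed`; if the `it { should be_enabled }` line at the top of this section is the removed side, the test no longer checks that the agent service starts at boot. An installed but disabled HIDS agent would pass as written, while the server test still keeps `it { should be_enabled }`. Adding `it { should be_enabled }` to this block would keep the two tests consistent. A one-line comment above `case os[:family]` saying why the service name differs between the Debian family and the others would also help the next reader.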
......@@ -6,6 +6,9 @@ service_name = case os[:family]
end
describe service(service_name) do
it { should be_enabled }
# it { should be_running } # can't be enabled due to status command returning 1
it { should be_installed }
end
describe package('ossec-hids-server') do
it { should be_installed }
end