Unverified Commit 783a84f7 authored by Dan Webb's avatar Dan Webb

Add in configure and install resources.

- Start moving recipes out to the integration cookbook
parent 80f69342
......@@ -13,25 +13,21 @@ platforms:
- name: centos-6.9
- name: centos-7.3
- name: debian-7.11
run_list: apt::default
- name: debian-8.7
run_list: apt::default
- name: fedora-25
- name: ubuntu-14.04
run_list: apt::default
- name: ubuntu-16.04
run_list: apt::default
suites:
- name: client
run_list:
- recipe[ossec::client]
- recipe[test::client]
- name: server
run_list:
- recipe[ossec::server]
- recipe[test::server]
- name: agent_auth
run_list:
- recipe[ossec::agent_auth]
- recipe[test::agent_auth]
attributes:
ossec:
agent_server_ip: 10.0.2.2
......
......@@ -20,18 +20,13 @@ Installs OSSEC from source in a server-agent installation. See:
### Cookbooks
- apt
- yum-atomic
## Attributes
- `node['ossec']['dir']` - Installation directory for OSSEC, default `/var/ossec`. All existing packages use this directory so you should not change this.
- `node['ossec']['server_role']` - When using server/agent setup, this role is used to search for the OSSEC server, default `ossec_server`.
- `node['ossec']['server_env']` - When using server/agent setup, this value will scope the role search to the specified environment, default nil.
- `node['ossec']['agent_server_ip']` - The IP of the OSSEC server. The client recipe will attempt to determine this value via search. Default is nil, only required for agent installations.
- `node['ossec']['data_bag']['encrypted']` - Boolean value which indicates whether or not the OSSEC data bag is encrypted
- `node['ossec']['data_bag']['name']` - The name of the data bag to use
- `node['ossec']['data_bag']['ssh']` - The name of the data bag item which contains the OSSEC keys
### ossec.conf
......@@ -39,6 +34,14 @@ OSSEC's configuration is mainly read from an XML file called `ossec.conf`. You c
Chef applies attributes from all attribute files regardless of which recipes were executed. In order to make wrapper cookbooks easier to write, `node['ossec']['conf']` is divided into the three installation types mentioned below, `local`, `server`, and `agent`. You can also set attributes under `all` to apply settings across all installation types. The typed attributes are automatically deep merged over the `all` attributes in the normal Chef manner.
`ossec_conf_local`
`ossec_conf_server`
`ossec_conf_agent`
`true` and `false` values are automatically mapped to `"yes"` and `"no"` as OSSEC expects the latter.
`ossec.conf` makes little use of XML attributes so you can generally construct nested hashes in the usual fashion. Where an attribute is required, you can do it like this:
......
......@@ -15,16 +15,13 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Chef
module OSSEC
module Helpers
# Gyoku looks for a symbol called :content! but Chef attributes
# are always stringified. We can't just call symbolize_keys
# because we need to recurse through the hash structure. Doing
# this also gives us the opportunity to convert true/false to
# yes/no, which is handy.
# because we need to recurse through the hash structure.
def self.object_to_ossec(object)
case object
when Hash
......@@ -40,10 +37,6 @@ class Chef
object.map! do |e|
object_to_ossec(e)
end
when TrueClass
'yes'
when FalseClass
'no'
when NilClass
''
else
......
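Review bot: With the `TrueClass`/`FalseClass` branches gone, `true` and `false` now fall through to the `else` branch of `object_to_ossec`, whose body is outside this hunk, so they are presumably no longer rendered as `yes`/`no`. The README section shown in this commit appears to still say booleans are mapped automatically "as OSSEC expects the latter", so wrapper cookbooks that set options with Ruby booleans could end up with values in `ossec.conf` that OSSEC does not accept. Either keep the mapping or document the new contract at the case statement, e.g. `# booleans are passed through unchanged; callers must supply 'yes'/'no'`, and update the README sentence to match.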
......@@ -5,15 +5,12 @@ license 'Apache-2.0'
description 'Installs and configures ossec'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '1.0.5'
source_url 'https://github.com/sous-chefs/ossec'
issues_url 'https://github.com/sous-chefs/ossec/issues'
chef_version '>= 12.5' if respond_to?(:chef_version)
%w( apt yum-atomic ).each do |pkg|
depends pkg
end
depends 'yum-atomic'
%w( debian ubuntu redhat centos fedora scientific oracle amazon ).each do |os|
supports os
end
source_url 'https://github.com/sous-chefs/ossec'
issues_url 'https://github.com/sous-chefs/ossec'
chef_version '>= 12.5' if respond_to?(:chef_version)
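Review bot: Dropping the `apt` dependency while keeping `chef_version '>= 12.5'` leaves the `apt_repository` calls in the new install resources without a provider on older clients, since that resource is built into chef-client only from 12.9 onward as far as I know. Either raise the constraint to `chef_version '>= 12.9' if respond_to?(:chef_version)` or keep `depends 'apt'`. One of the two `issues_url` lines also lacks the `/issues` path; if that is the new side, it should remain `issues_url 'https://github.com/sous-chefs/ossec/issues'`.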
......@@ -15,6 +15,5 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'ossec::client'
......@@ -15,7 +15,6 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'ossec::install_agent'
......
......@@ -17,7 +17,7 @@
# limitations under the License.
#
include_recipe 'ossec::install_server'
ossec_server_install 'server'
include_recipe 'ossec::common'
authd = node['ossec']['authd']
......
#
# Cookbook:: ossec
# Recipe:: client
#
# Copyright:: 2010-2017, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
ossec_server = []
search_string = "role:#{node['ossec']['server_role']}"
search_string << " AND chef_environment:#{node['ossec']['server_env']}" if node['ossec']['server_env']
if node.run_list.roles.include?(node['ossec']['server_role'])
ossec_server << node['ipaddress']
else
search(:node, search_string) do |n|
ossec_server << n['ipaddress']
end
end
node.normal['ossec']['agent_server_ip'] = ossec_server.first
include_recipe 'ossec::install_agent'
dbag_name = node['ossec']['data_bag']['name']
dbag_item = node['ossec']['data_bag']['ssh']
ossec_key = data_bag_item(dbag_name, dbag_item)
directory "#{node['ossec']['dir']}/.ssh" do
owner 'ossec'
group 'ossec'
mode '0750'
end
template "#{node['ossec']['dir']}/.ssh/authorized_keys" do
source 'ssh_key.erb'
owner 'ossec'
group 'ossec'
mode '0600'
variables(key: ossec_key['pubkey'])
end
file "#{node['ossec']['dir']}/etc/client.keys" do
owner 'ossec'
group 'ossec'
mode '0660'
end
include_recipe 'ossec::common'
......@@ -15,9 +15,9 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
ruby_block 'ossec install_type' do # ~FC014
# TODO: we don't want to do this anymore!
ruby_block 'ossec install_type' do
block do
if node['recipes'].include?('ossec::default')
type = 'local'
......
#
# Cookbook:: ossec
# Recipe:: default
#
# Copyright:: 2010-2017, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'ossec::install_server'
include_recipe 'ossec::common'
......@@ -17,8 +17,4 @@
# limitations under the License.
#
include_recipe 'ossec::repository'
package 'ossec' do
package_name value_for_platform_family('debian' => 'ossec-hids-agent', 'default' => 'ossec-hids-client')
end
ossec_client_install 'client'
#
# Cookbook:: ossec
# Recipe:: install_server
#
# Copyright:: 2015-2017, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'ossec::repository'
package 'ossec' do
package_name value_for_platform_family('debian' => 'ossec-hids', 'default' => 'ossec-hids-server')
end
#
# Cookbook:: ossec
# Recipe:: repository
#
# Copyright:: 2015-2017, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
case node['platform_family']
when %w(centos redhat scientific oracle fedora amazon)
include_recipe 'yum-atomic'
when 'debian'
package 'lsb-release'
ohai 'reload lsb' do
plugin 'lsb'
action :nothing
subscribes :reload, 'package[lsb-release]', :immediately
end
apt_repository 'ossec' do
uri 'http://ossec.wazuh.com/repos/apt/' + node['platform']
key 'http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key'
distribution lazy { node['lsb']['codename'] }
components ['main']
end
end
......@@ -17,7 +17,7 @@
# limitations under the License.
#
include_recipe 'ossec::install_server'
ossec_server_install 'server'
ssh_hosts = []
......
property :dir, String, default: '/var/ossec'
property :ossec_key, String, default: lazy { ossec_key['pubkey'] }
property :ossec_server, [String, Array]
action :config do
directory "#{new_resource.dir}/.ssh" do
owner 'ossec'
group 'ossec'
mode '0750'
end
template "#{new_resource.dir}/.ssh/authorized_keys" do
source 'ssh_key.erb'
owner 'ossec'
group 'ossec'
mode '0600'
variables(
key: new_resource.ossec_key
)
end
file "#{new_resource.dir}/etc/client.keys" do
owner 'ossec'
group 'ossec'
mode '0660'
end
end
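Review bot: The default `lazy { ossec_key['pubkey'] }` on the `ossec_key` property calls the property it is defining, so when no key is passed the default looks like it would re-enter itself rather than load anything. Nothing in the lines shown reads the data bag item that the client recipe used (`data_bag_item(dbag_name, dbag_item)`). Because this value is written to the `ossec` user's `authorized_keys`, it is safer to make the caller supply it, `property :ossec_key, String, required: true`, or to do the data bag lookup under a different local name inside the lazy block. `ossec_server` is declared but not used by the `:config` action in the lines shown.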
property :name, String, name_property: true
property :package_name, String, default: lazy {
case node['platform_family']
when 'debian'
'ossec-hids-agent'
else
'ossec-hids-client'
end
}
action :install do
case node['platform_family']
when %w(centos redhat scientific oracle fedora amazon)
include_recipe 'yum-atomic'
when 'debian'
package 'lsb-release'
ohai 'reload lsb' do
plugin 'lsb'
action :nothing
subscribes :reload, 'package[lsb-release]', :immediately
end
apt_repository 'ossec' do
uri 'http://ossec.wazuh.com/repos/apt/' + node['platform']
key 'http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key'
distribution lazy { node['lsb']['codename'] }
components ['main']
end
end
package new_resource.package_name.to_s
end
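Review bot: The `apt_repository 'ossec'` block in this install action fetches the signing key from `http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key` and points `uri` at an `http://` mirror, so the key meant to authenticate the packages is itself retrieved without integrity protection; the server install resource has the same two lines. A response altered on the network path would make apt trust a different key. If the mirror serves TLS, switch both to `https://`; otherwise ship the key inside the cookbook or pin it by fingerprint through the `key` and `keyserver` properties. A comment above the block such as `# key must come from a trusted channel; apt trusts whatever is fetched here` would record the assumption.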
property :name, String, name_property: true
action :configure do
end
property :name, String, name_property: true
action :configure do
end
property :name, String, name_property: true
action :configure do
end
property :name, String, name_property: true
property :package_name, String, default: lazy {
case node['platform_family']
when 'debian'
'ossec-hids'
else
'ossec-hids-server'
end
}
default_action :install
action :install do
case node['platform_family']
when %w(centos redhat scientific oracle fedora amazon)
include_recipe 'yum-atomic'
when 'debian'
package 'lsb-release'
ohai 'reload lsb' do
plugin 'lsb'
action :nothing
subscribes :reload, 'package[lsb-release]', :immediately
end
apt_repository 'ossec' do
uri 'http://ossec.wazuh.com/repos/apt/' + node['platform']
key 'http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key'
distribution new_resource.distribution
components ['main']
end
end
package new_resource.package_name
end
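Review bot: `distribution new_resource.distribution` reads a property this resource does not declare in the lines shown (only `name` and `package_name`), so the debian branch would raise at converge time; add `property :distribution, String, default: lazy { node['lsb']['codename'] }` or use the lazy codename lookup as the client install resource does. The `when %w(centos redhat scientific oracle fedora amazon)` branch, here and in the client install resource, compares the `platform_family` string against an array, which never matches, so `yum-atomic` is not included and the package would come from whatever repositories the node already has. `when 'rhel', 'fedora', 'amazon'` uses the family names Ohai reports.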