Commit bd20a816 authored by James Le Cuirot's avatar James Le Cuirot

Remove WUI recipe

WUI is apparently unmaintained, unsupported and somewhat buggy. It
also lacks up-to-date packages, probably for that reason. Alternatives
such as LightSIEM have been suggested.
parent b0de2452
......@@ -21,13 +21,3 @@ suites:
- name: default
run_list: ["recipe[ossec]"]
attributes: {}
- name: wui
driver_config:
network:
- ["private_network", {ip: "192.168.33.33"}]
run_list:
- "recipe[ossec::server]"
- "recipe[ossec::wui]"
attributes:
dev_mode: true
data_bags_path: 'test/integration/default/data_bags'
......@@ -63,14 +63,6 @@ The `user` attributes are used to populate the config file (ossec.conf) and prel
* `node['ossec']['user']['pf_table']` - The PF table to use on BSD. Default is false, set this to the desired table if enabling `pf`.
* `node['ossec']['user']['white_list']` - Array of additional IP addresses to white list. Default is empty.
These attributes are used to setup the OSSEC Web UI.
* `node['ossec']['wui']['checksum']` - Defaults to "142febadfd4b0de5a13ebd93c13eedfbee5f1899b6ee71c248054c14f47b8089"
* `node['ossec']['wui']['version']` - Defaults to "0.3"
* `node['ossec']['wui']['url']` - Defaults to "http://www.ossec.net/files/ossec-wui-0.3.tar.gz"
* `node['ossec']['users_databag']` - Defaults to 'users'
* `node['ossec']['users_databag_group']` - Defaults to 'sysadmins'
Recipes
-------
......@@ -117,10 +109,6 @@ To manage additional agents on the server that don't run chef, or for agentless
Enable agentless monitoring in OSSEC and register the hosts on the server. Automated configuration of agentless nodes is not yet supported by this cookbook. For more information on the commands and configuration directives required in `ossec.conf`, see the [OSSEC Documentation](http://www.ossec.net/doc/manual/agent/agentless-monitoring.html)
###wui
Installs and configures OSSEC Web UI. Requires users to be setup in a data bag (see __Data Bags__ section below).
Usage
-----
......@@ -180,30 +168,6 @@ For OSSEC agents, create a role, `ossec_client`.
}
)
DATA BAGS
---------
### Users
Create a `users` data bag that will contain the users that will be able to log into the OSSEC webui. Each user can use htauth with a specified password. Users that should be able to log in should be in the sysadmin group. Example user data bag item:
```javascript
{
"id": "osssecadmin",
"groups": "sysadmin",
"htpasswd": "hashed_htpassword"
}
```
The htpasswd must be the hashed value. Get this value with htpasswd:
% htpasswd -n -s ossec
New password:
Re-type new password:
ossec:{SHA}oCagzV4lMZyS7jl2Z0WlmLxEkt4=
For example use the `{SHA}oCagzV4lMZyS7jl2Z0WlmLxEkt4=` value in the data bag.
Customization
----
......
......@@ -13,5 +13,3 @@ Once the above are installed, you should be able to run Test Kitchen:
kitchen list
kitchen test
For testing the wui recipe, run the wui suite. The test data bag uses a password of 'pass'.
......@@ -55,10 +55,3 @@ default['ossec']['user']['firewall_response'] = true
default['ossec']['user']['pf'] = false
default['ossec']['user']['pf_table'] = false
default['ossec']['user']['white_list'] = []
# web-ui only
default['ossec']['wui']['checksum'] = '142febadfd4b0de5a13ebd93c13eedfbee5f1899b6ee71c248054c14f47b8089'
default['ossec']['wui']['version'] = '0.3'
default['ossec']['wui']['url'] = "http://www.ossec.net/files/ossec-wui-#{node['ossec']['wui']['version']}.tar.gz"
default['ossec']['users_databag'] = 'users'
default['ossec']['users_databag_group'] = 'sysadmin'
......@@ -6,7 +6,7 @@ description 'Installs and onfigures ossec'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '1.0.5'
%w( build-essential apt apache2 ).each do |pkg|
%w( build-essential apt ).each do |pkg|
depends pkg
end
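Review bot: `version '1.0.5'` is left unchanged in this hunk even though the commit drops the `apache2` dependency and removes a public recipe and its attributes, so a run list that still names `recipe[ossec::wui]` would presumably fail to resolve after upgrading, with nothing to signal the break. Unless the bump is done in a separate commit, a major version change and a changelog line such as `ossec::wui recipe and node['ossec']['wui'] attributes removed` would make that visible. Deleting the recipe also does not undo what it installed: nodes that already converged it likely keep the unpacked `ossec-wui` tree under the Apache docroot, the `.htpasswd` file and the `ossec` group membership. Since the commit message gives "unmaintained" and "buggy" as the reasons for removal, the release notes should tell operators to remove those manually. Separately, the `description` string shown in the hunk header reads `'Installs and onfigures ossec'`, which looks like a typo for "configures".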
......
#
# Cookbook Name:: ossec
# Recipe:: default
#
# Copyright 2010-2015, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'apt' if platform?('ubuntu')
include_recipe 'apache2'
include_recipe 'apache2::mod_php5'
include_recipe 'ossec::server'
user_databag = node['ossec']['users_databag'].to_sym
group = node['ossec']['users_databag_group']
begin
sysadmins = search(user_databag, "groups:#{group} NOT action:remove")
rescue Net::HTTPServerException
Chef::Log.fatal("Could not find appropriate items in the \"#{node['ossec']['users_databag']}\" databag. Check to make sure the databag exists and if you have set the \"users_databag_group\" that users in that group exist")
raise 'Could not find appropriate items in the "users" databag. Check to make sure there is a users databag and if you have set the "users_databag_group" that users in that group exist'
end
group 'ossec' do
members node['apache']['group']
end
apache_dir = node['apache']['dir']
apache_doc_root = "#{apache_dir}/htdocs"
directory apache_doc_root do
action :create
end
ossec_wui_dir = "ossec-wui-#{node['ossec']['wui']['version']}"
remote_file "#{Chef::Config[:file_cache_path]}/#{ossec_wui_dir}.tar.gz" do
source node['ossec']['wui']['url']
checksum node['ossec']['wui']['checksum']
end
bash 'unpackage-ossec-wui' do
code <<-EOH
tar zxvf #{Chef::Config[:file_cache_path]}/#{ossec_wui_dir}.tar.gz
mv #{ossec_wui_dir} ossec-wui
EOH
cwd apache_doc_root
creates "#{apache_doc_root}/ossec-wui"
end
directory "#{apache_dir}/ossec" do
action :create
end
template "#{apache_doc_root}/ossec-wui/.htaccess" do
source 'htaccess.erb'
owner node['apache']['user']
group node['apache']['group']
variables(htpasswd: "#{apache_dir}/ossec/.htpasswd")
notifies :restart, 'service[apache2]'
end
template "#{apache_dir}/ossec/.htpasswd" do
source 'htpasswd.erb'
owner node['apache']['user']
group node['apache']['group']
variables(sysadmins: sysadmins)
notifies :restart, 'service[apache2]'
end
require 'spec_helper'
require 'json'
describe 'ossec::wui' do
let(:ossec_wui_dir) { "ossec-wui-#{chef_run.node['ossec']['wui']['version']}" }
let(:data_bags_path) { File.expand_path('../../../../test/integration/default/data_bags', __FILE__) }
let(:data_bag_users_ossec) { JSON.parse(File.read("#{data_bags_path}/users/ossec.json")) }
let(:data_bag_ossec_ssh) { JSON.parse(File.read("#{data_bags_path}/ossec/ssh.json")) }
cached(:chef_run) do
www_node = stub_node(platform: 'ubuntu', version: '14.04') do |node|
node.set['ipaddress'] = '33.33.33.33'
node.set['fqdn'] = 'chefspec_client.local'
end
ChefSpec::ServerRunner.new do |_node, server|
server.create_node(www_node, run_list: ['ossec'])
server.create_data_bag('users', 'ossec' => data_bag_users_ossec)
server.create_data_bag('ossec', 'ssh' => data_bag_users_ossec)
end.converge('ossec::wui')
end
before(:each) do
stub_command('/usr/sbin/apache2 -t').and_return(true)
stub_command("grep 'chefspec.local 127.0.0.1' /var/ossec/etc/client.keys").and_return(true)
stub_command("grep 'fauxhai.local 10.0.0.2' /var/ossec/etc/client.keys").and_return(true)
end
it 'includes apache2 recipe' do
expect(chef_run).to include_recipe('apache2')
end
it 'includes apache2::mod_php5 recipe' do
expect(chef_run).to include_recipe('apache2::mod_php5')
end
it 'includes ossec::client recipe' do
expect(chef_run).to include_recipe('ossec::server')
end
it 'creates ossec group' do
expect(chef_run).to create_group('ossec').with(members: [chef_run.node['apache']['group']])
end
it 'creates apache_doc_root directory' do
expect(chef_run).to create_directory("#{chef_run.node['apache']['dir']}/htdocs")
end
it 'creates ossec_wui remotefile' do
expect(chef_run).to create_remote_file("#{Chef::Config[:file_cache_path]}/#{ossec_wui_dir}.tar.gz")
end
it 'runs bash unpackage-ossec-wui' do
expect(chef_run).to run_bash('unpackage-ossec-wui')
end
it 'creates ossec apache dir' do
expect(chef_run).to create_directory("#{chef_run.node['apache']['dir']}/ossec")
end
describe 'ossec-wui htaccess template' do
let(:wui_htaccess_template) { "#{chef_run.node['apache']['dir']}/htdocs/ossec-wui/.htaccess" }
it 'creates ossec-wui htaccess template' do
expect(chef_run).to create_template(wui_htaccess_template).with(
source: 'htaccess.erb',
owner: chef_run.node['apache']['user'],
group: chef_run.node['apache']['group']
)
end
it 'sends restart notification to apache2' do
expect(chef_run.template(wui_htaccess_template)).to notify('service[apache2]').to(:restart)
end
end
describe 'ossec htpasswd template' do
let(:ossec_htpasswd_template) { "#{chef_run.node['apache']['dir']}/ossec/.htpasswd" }
it 'creates ossec htpasswd template' do
expect(chef_run).to create_template(ossec_htpasswd_template).with(
source: 'htpasswd.erb',
owner: chef_run.node['apache']['user'],
group: chef_run.node['apache']['group']
)
end
it 'sends restart notification to apache2' do
expect(chef_run.template(ossec_htpasswd_template)).to notify('service[apache2]').to(:restart)
end
end
end
AuthUserFile <%= @htpasswd %>
AuthName "Restricted Access"
Require valid-user
AuthType Basic
<Files *.sh>
deny from all
</Files>
<Files ossec_conf.php>
deny from all
</Files>
<Files .*>
deny from all
</Files>
# Autogenerated by Chef.
<% @sysadmins.each do |sa| -%>
<% if sa["htpasswd"] and sa["htpasswd"].length > 0 -%>
<%= sa["id"] %>:<%= sa["htpasswd"] %>
<% end -%>
<% end -%>
{
"id": "ossec",
"groups": [ "sysadmin" ],
"htpasswd": "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="
}