Fixed foodcritic issues, added proper cookbook includes per platform
This commit is contained in:
parent
03cb22c10f
commit
6b18d206ed
4 changed files with 96 additions and 88 deletions
|
@ -4,7 +4,7 @@ maintainer_email "psi-jack@linux-help.org"
|
||||||
license "GPLv2"
|
license "GPLv2"
|
||||||
description "Installs/Configures ossec"
|
description "Installs/Configures ossec"
|
||||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||||
version "1.2.0"
|
version "1.2.1"
|
||||||
issues_url "http://git.linux-help.org/Linux-Help/ossec-ng/issues"
|
issues_url "http://git.linux-help.org/Linux-Help/ossec-ng/issues"
|
||||||
source_url "http://git.linux-help.org/Linux-Help/ossec-ng"
|
source_url "http://git.linux-help.org/Linux-Help/ossec-ng"
|
||||||
|
|
||||||
|
@ -26,7 +26,7 @@ end
|
||||||
|
|
||||||
depends 'yum-epel'
|
depends 'yum-epel'
|
||||||
depends 'yum-atomic', '~> 0.1.2'
|
depends 'yum-atomic', '~> 0.1.2'
|
||||||
depends 'apt-atomic', '~> 0.1.2'
|
depends 'apt-atomic', '~> 0.1.3'
|
||||||
|
|
||||||
suggests 'postfix'
|
suggests 'postfix'
|
||||||
suggests 'selinux_policy'
|
suggests 'selinux_policy'
|
||||||
|
|
|
@ -3,11 +3,11 @@
|
||||||
# and role specific configuration for the node
|
# and role specific configuration for the node
|
||||||
# get a key from the ossec-server if there's one
|
# get a key from the ossec-server if there's one
|
||||||
|
|
||||||
#if not node['lsb']['codename'].eql?('lucid')
|
if node['platform_family'] == "rhel"
|
||||||
# return true
|
include_recipe "yum-atomic"
|
||||||
#end
|
elsif node['platform_family'] == "debian"
|
||||||
|
include_recipe "apt-atomic"
|
||||||
include_recipe "yum-atomic"
|
end
|
||||||
|
|
||||||
class Chef::Recipe
|
class Chef::Recipe
|
||||||
include OssecCore
|
include OssecCore
|
||||||
|
@ -25,73 +25,76 @@ if not node["ossec"]["agent"]["enable"]
|
||||||
end
|
end
|
||||||
|
|
||||||
# Search for the ossec server, and do nothing if there's none
|
# Search for the ossec server, and do nothing if there's none
|
||||||
ossec_server = search(:node,
|
if Chef::Config[:solo]
|
||||||
|
Chef::Log.warn('This recipe uses search. Chef Solo does not support search')
|
||||||
|
else
|
||||||
|
ossec_server = search(:node,
|
||||||
"role:ossec-server " \
|
"role:ossec-server " \
|
||||||
"AND chef_environment:#{node.chef_environment}"
|
"AND chef_environment:#{node.chef_environment}"
|
||||||
).first
|
).first
|
||||||
if ossec_server.nil?
|
if ossec_server.nil?
|
||||||
Chef::Log.info("OSSEC: No ossec server available. Agent will not be provisionned")
|
Chef::Log.info("OSSEC: No ossec server available. Agent will not be provisionned")
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
|
|
||||||
# install the agent package
|
# install the agent package
|
||||||
package "ossec-hids-client"
|
package "ossec-hids-client"
|
||||||
|
|
||||||
# define the agent parameters
|
# define the agent parameters
|
||||||
agent_hash = ossec_agent_create_parameters(node, ossec_server)
|
agent_hash = ossec_agent_create_parameters(node, ossec_server)
|
||||||
|
|
||||||
# check for the agent configuration on the server. if the server has none, do
|
# check for the agent configuration on the server. if the server has none, do
|
||||||
# not continue the provisioning. If the server has a configuration for this
|
# not continue the provisioning. If the server has a configuration for this
|
||||||
# agent, store the parameters on the node and continue
|
# agent, store the parameters on the node and continue
|
||||||
if ossec_verify_agent(agent_hash, ossec_server)
|
if ossec_verify_agent(agent_hash, ossec_server)
|
||||||
node.normal["ossec"]["agents"][agent_hash[:id]] = ossec_server["ossec"]["agents"][agent_hash[:id]].to_hash
|
node.normal["ossec"]["agents"][agent_hash[:id]] = ossec_server["ossec"]["agents"][agent_hash[:id]].to_hash
|
||||||
else
|
else
|
||||||
Chef::Log.info("OSSEC: this agent is unknown on the ossec server")
|
Chef::Log.info("OSSEC: this agent is unknown on the ossec server")
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
|
|
||||||
# Make sure that the server prepared a key for us
|
# Make sure that the server prepared a key for us
|
||||||
unless ossec_agent_has_valid_key?(agent_hash, ossec_server)
|
unless ossec_agent_has_valid_key?(agent_hash, ossec_server)
|
||||||
Chef::Log.info("OSSEC: Server doesn't have a valid key for agent.")
|
Chef::Log.info("OSSEC: Server doesn't have a valid key for agent.")
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
|
|
||||||
service "ossec-agent" do
|
service "ossec-agent" do
|
||||||
#provider Chef::Provider::Service::Init
|
#provider Chef::Provider::Service::Init
|
||||||
service_name node["ossec"]["client"]["service_name"]
|
service_name node["ossec"]["client"]["service_name"]
|
||||||
supports :start => true, :stop => true, :restart => true, :status => true
|
supports :start => true, :stop => true, :restart => true, :status => true
|
||||||
action [ :start ]
|
action [ :start ]
|
||||||
only_if "test -e /var/ossec/etc/ossec.conf && test -e /var/ossec/etc/client.keys"
|
only_if "test -e /var/ossec/etc/ossec.conf && test -e /var/ossec/etc/client.keys"
|
||||||
end
|
end
|
||||||
|
|
||||||
# Get the IP of the ossec server
|
# Get the IP of the ossec server
|
||||||
ossec_server_ip = ossec_server[:network][:lanip] || ossec_server.ipaddress
|
ossec_server_ip = ossec_server[:network][:lanip] || ossec_server.ipaddress
|
||||||
|
|
||||||
# Expand the local flags from node attributes
|
# Expand the local flags from node attributes
|
||||||
ossec_set_filtered_flags!("command", "active-response", "syslog_files")
|
ossec_set_filtered_flags!("command", "active-response", "syslog_files")
|
||||||
ossec_set_syscheck_flags!("ignore")
|
ossec_set_syscheck_flags!("ignore")
|
||||||
|
|
||||||
template "/var/ossec/etc/ossec.conf" do
|
template "/var/ossec/etc/ossec.conf" do
|
||||||
source "ossec-agent.conf.erb"
|
source "ossec-agent.conf.erb"
|
||||||
owner "ossec"
|
owner "ossec"
|
||||||
group "ossec"
|
group "ossec"
|
||||||
variables("ossec_server_ip" => ossec_server_ip )
|
variables("ossec_server_ip" => ossec_server_ip )
|
||||||
manage_symlink_source true
|
manage_symlink_source true
|
||||||
notifies :restart, "service[ossec-agent]"
|
notifies :restart, "service[ossec-agent]"
|
||||||
end
|
end
|
||||||
|
|
||||||
# If client.keys is modified, ask for a queue rid on the server
|
# If client.keys is modified, ask for a queue rid on the server
|
||||||
template "/var/ossec/etc/client.keys" do
|
template "/var/ossec/etc/client.keys" do
|
||||||
mode 0440
|
mode 0440
|
||||||
owner "root"
|
owner "root"
|
||||||
group "ossec"
|
group "ossec"
|
||||||
notifies :create, "ruby_block[set-rid-flag]"
|
notifies :create, "ruby_block[set-rid-flag]"
|
||||||
notifies :restart, "service[ossec-agent]"
|
notifies :restart, "service[ossec-agent]"
|
||||||
end
|
end
|
||||||
|
|
||||||
# "set-rid-flag" is not run by default, but called when the agent's key
|
# "set-rid-flag" is not run by default, but called when the agent's key
|
||||||
# is modified (or created)
|
# is modified (or created)
|
||||||
ruby_block "set-rid-flag" do
|
ruby_block "set-rid-flag" do
|
||||||
block do
|
block do
|
||||||
# if the server side rid flag is not set to "done",
|
# if the server side rid flag is not set to "done",
|
||||||
# request a queue rid by setting the agent side flag to "todo"
|
# request a queue rid by setting the agent side flag to "todo"
|
||||||
|
@ -101,16 +104,16 @@ ruby_block "set-rid-flag" do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
action :nothing
|
action :nothing
|
||||||
end
|
end
|
||||||
|
|
||||||
# unset rid flag if necessary, check that at every run
|
# unset rid flag if necessary, check that at every run
|
||||||
if node["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("todo") \
|
|
||||||
and ossec_server["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("done")
|
|
||||||
ruby_block "unset rid flag" do
|
ruby_block "unset rid flag" do
|
||||||
block do
|
block do
|
||||||
node.normal["ossec"]["agents"][agent_hash[:id]]["rid"] = "none"
|
node.normal["ossec"]["agents"][agent_hash[:id]]["rid"] = "none"
|
||||||
Chef::Log.info "Setting Queue Rid Flag off"
|
Chef::Log.info "Setting Queue Rid Flag off"
|
||||||
end
|
end
|
||||||
notifies :restart, "service[ossec-agent]"
|
notifies :restart, "service[ossec-agent]"
|
||||||
|
only_if { node["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("todo") \
|
||||||
|
and ossec_server["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("done") }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -2,5 +2,5 @@
|
||||||
# Cookbook Name:: ossec
|
# Cookbook Name:: ossec
|
||||||
# Recipe:: default
|
# Recipe:: default
|
||||||
#
|
#
|
||||||
include_recipe "ossec::agent"
|
include_recipe "ossec-ng::agent"
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,12 @@
|
||||||
# install the ossec-hids-server package and push the
|
# install the ossec-hids-server package and push the
|
||||||
# default configuration from the templates
|
# default configuration from the templates
|
||||||
|
|
||||||
include_recipe "yum-atomic"
|
if node['platform_family'] == "rhel"
|
||||||
|
include_recipe "yum-atomic"
|
||||||
|
elsif node['platform_family'] == "debian"
|
||||||
|
include_recipe "apt-atomic"
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
class Chef::Recipe
|
class Chef::Recipe
|
||||||
include OssecCore
|
include OssecCore
|
||||||
|
|
Loading…
Reference in a new issue