From c35f2a4de5c596128911b23de7a9101b4dfe9c67 Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sun, 24 Jul 2016 18:12:09 -0400 Subject: [PATCH 1/3] Added email_idsname, fixed email_alerts to not require location --- README.md | 1 + attributes/ossec.rb | 1 + libraries/core.rb | 2 +- metadata.rb | 2 +- templates/default/ossec-server.conf.erb | 24 +++++++++++++++++++++--- 5 files changed, 25 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index ab1237c..eec2b2e 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ Default attributes from the ossec-server role: 'ossec@example.net', ], "email_from" => 'ossec-server@example.net', + "email_idsname" => 'ossec', "smtp_server" => 'localhost', "white_list" => [ '127.0.0.1', diff --git a/attributes/ossec.rb b/attributes/ossec.rb index ad91c1d..a034036 100644 --- a/attributes/ossec.rb +++ b/attributes/ossec.rb @@ -6,6 +6,7 @@ default["ossec"]["receiver_port"] = "1514" default["ossec"]["log_alert_level"] = "1" default["ossec"]["email_alert_level"] = "7" default["ossec"]["email_maxperhour"] = "9999" +default["ossec"]["email_idsname"] = "ossec" default["ossec"]["memory_size"] = "100000" default["ossec"]["remote"]["connection"] = "secure" default["ossec"]["agents"] = {} diff --git a/libraries/core.rb b/libraries/core.rb index c3b6865..39885f9 100644 --- a/libraries/core.rb +++ b/libraries/core.rb @@ -32,7 +32,7 @@ module OssecCore def ossec_event_location_search() # resolve the location search of an email_alert block to a hostname - node["ossec"]["email_alerts"].each do|recipient,params| + node["ossec"]["email_alerts"].each do |recipient, params| if params.has_key?('event_location_search') if Chef::Config[:solo] Chef::Log.warn('This recipe uses search. Chef Solo does not support search.') diff --git a/metadata.rb b/metadata.rb index f9c6d09..acdc301 100644 --- a/metadata.rb +++ b/metadata.rb 
@@ -4,7 +4,7 @@ maintainer_email "psi-jack@linux-help.org" license "GPLv2" description "Installs/Configures ossec" long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version "1.2.1" +version "1.2.2" issues_url "http://git.linux-help.org/Linux-Help/ossec-ng/issues" source_url "http://git.linux-help.org/Linux-Help/ossec-ng" diff --git a/templates/default/ossec-server.conf.erb b/templates/default/ossec-server.conf.erb index ff5c1f9..ee78c8a 100644 --- a/templates/default/ossec-server.conf.erb +++ b/templates/default/ossec-server.conf.erb @@ -6,8 +6,9 @@ <%= recipient %> <% end -%> <%= node["ossec"]["smtp_server"] %> - <%= node["ossec"]["email_from"]%> - <%=node["ossec"]["email_maxperhour"]%> + <%= node["ossec"]["email_from"] %> + <%= node["ossec"]["email_maxperhour"] %> + <%= node["ossec"]["email_idsname"] %> <%=node["ossec"]["memory_size"]%> <% node["ossec"]["white_list"].sort_by {|k| k}.each do |ip| -%> <%= ip %> @@ -93,10 +94,27 @@ elsif params.has_key?('resolved_search') locations = params[:resolved_search] end - locations.sort_by {|k| k}.each do |location| -%> + if locations.count > 0 + locations.sort_by {|k| k}.each do |location| -%> <%= recipient %> <%= location %> +<% params.sort_by {|k,v| k}.each do |key, value| + unless key =~ /event_location_tag|event_location_search|resolved_search/ + if key.eql?('tags') + value.sort_by {|k| k}.each do |tag| -%> + <<%= tag %> /> +<% end + else -%> + <<%= key %>><%= value %>> +<% end + end + end -%> + +<% end + else -%> + + <%= recipient %> <% params.sort_by {|k,v| k}.each do |key, value| unless key =~ /event_location_tag|event_location_search|resolved_search/ if key.eql?('tags') From e0f763c0df699fb6d9629414366f9c728303838d Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sun, 24 Jul 2016 18:14:51 -0400 Subject: [PATCH 2/3] Moved email_alerts definitions --- templates/default/ossec-server.conf.erb | 94 ++++++++++++------------- 1 file changed, 47 insertions(+), 47 deletions(-) 
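Review bot: The new `else` branch emits a location-less email_alerts entry whenever `locations` is empty, and that condition is also true when `event_location_tag` or `resolved_search` was configured but resolved to zero hosts — the `if locations.count > 0` guard does not distinguish "no scope requested" from "scope requested, nothing found". Since the commit's stated purpose is that an entry without a location applies to all agents, a recipient deliberately scoped to a tag that currently matches no node would presumably start receiving alerts for every agent, a silent widening of who sees what. The fallback should only fire when none of the location keys was given; when a key was given but nothing resolved, skip the entry and log it (`Chef::Log` is already used this way in libraries/core.rb). The enclosing `node["ossec"]["email_alerts"]` loop starts before this hunk.
```erb
<% scoped = %w[event_location_tag event_location_search resolved_search].any? { |k| params.has_key?(k) }
   if scoped && locations.empty?
     Chef::Log.warn("ossec email_alerts for #{recipient}: location lookup resolved no hosts, entry skipped")
   elsif locations.count > 0
     locations.sort_by {|k| k}.each do |location| -%>
<%# … unchanged: per-location entry for recipient … %>
<% end
   else -%>
<%# … unchanged: unscoped entry for recipient … %>
<% end -%>
```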
diff --git a/templates/default/ossec-server.conf.erb b/templates/default/ossec-server.conf.erb index ee78c8a..c49981e 100644 --- a/templates/default/ossec-server.conf.erb +++ b/templates/default/ossec-server.conf.erb @@ -15,6 +15,53 @@ <% end -%> +<% node["ossec"]["email_alerts"].sort_by {|k,v| k}.each do |recipient,params| + locations = [] + if params.has_key?('event_location_tag') + locations = @ossec_agents.select{ + |n| n[:tags].include?( + params[:event_location_tag] + ) + }.map {|n2| n2.network.lanip || '172.172.172.172'} + elsif params.has_key?('resolved_search') + locations = params[:resolved_search] + end + if locations.count > 0 + locations.sort_by {|k| k}.each do |location| -%> + + <%= recipient %> + <%= location %> +<% params.sort_by {|k,v| k}.each do |key, value| + unless key =~ /event_location_tag|event_location_search|resolved_search/ + if key.eql?('tags') + value.sort_by {|k| k}.each do |tag| -%> + <<%= tag %> /> +<% end + else -%> + <<%= key %>><%= value %>> +<% end + end + end -%> + +<% end + else -%> + + <%= recipient %> +<% params.sort_by {|k,v| k}.each do |key, value| + unless key =~ /event_location_tag|event_location_search|resolved_search/ + if key.eql?('tags') + value.sort_by {|k| k}.each do |tag| -%> + <<%= tag %> /> +<% end + else -%> + <<%= key %>><%= value %>> +<% end + end + end -%> + +<% end + end -%> + <% node["ossec"]["load_rules"].each_pair do |name, value| if value -%> 
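Review bot: The moved block keeps `.map {|n2| n2.network.lanip || '172.172.172.172'}`, which substitutes a placeholder address for any agent in `@ossec_agents` that has no `network.lanip`; the generated entry then looks valid but its `event_location` can never match a real agent, so alerts for that host silently never reach the recipient. Dropping missing addresses and warning is more honest: `}.map {|n2| n2.network.lanip}.compact` followed by a `Chef::Log.warn` when the result is shorter than the tag selection (I am inferring the shape of `@ossec_agents` from the `n[:tags]` / `n.network.lanip` accesses; confirm against the library that builds it). Separately, the per-key/tags rendering loop is now repeated verbatim in both the scoped and unscoped branches; a small helper or a single loop over `locations.empty? ? [nil] : locations` would remove the duplication. The surrounding template continues outside this hunk.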
@@ -83,53 +130,6 @@ <% end -%> -<% node["ossec"]["email_alerts"].sort_by {|k,v| k}.each do |recipient,params| - locations = [] - if params.has_key?('event_location_tag') - locations = @ossec_agents.select{ - |n| n[:tags].include?( - params[:event_location_tag] - ) - }.map {|n2| n2.network.lanip || '172.172.172.172'} - elsif params.has_key?('resolved_search') - locations = params[:resolved_search] - end - if locations.count > 0 - locations.sort_by {|k| k}.each do |location| -%> - - <%= recipient %> - <%= location %> -<% params.sort_by {|k,v| k}.each do |key, value| - unless key =~ /event_location_tag|event_location_search|resolved_search/ - if key.eql?('tags') - value.sort_by {|k| k}.each do |tag| -%> - <<%= tag %> /> -<% end - else -%> - <<%= key %>><%= value %>> -<% end - end - end -%> - -<% end - else -%> - - <%= recipient %> -<% params.sort_by {|k,v| k}.each do |key, value| - unless key =~ /event_location_tag|event_location_search|resolved_search/ - if key.eql?('tags') - value.sort_by {|k| k}.each do |tag| -%> - <<%= tag %> /> -<% end - else -%> - <<%= key %>><%= value %>> -<% end - end - end -%> - -<% end - end -%> - <%= node["ossec"]["syscheck"]["frequency"] %> From c532c0bcd0f5689a3d3760ff528ee964ce3247da Mon Sep 17 00:00:00 2001 From: Eric Renfro Date: Sun, 24 Jul 2016 18:41:14 -0400 Subject: [PATCH 3/3] Added hosts.deny to syscheck ignore list --- README.md | 1 + attributes/ossec.rb | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index eec2b2e..b5b86d3 100644 --- a/README.md +++ b/README.md @@ -98,6 +98,7 @@ Default attributes from the ossec-server role: '/etc/mcollective/facts.yaml' => {}, '/etc/blkid.tab' => {}, '/etc/mtab' => {}, + '/etc/hosts.deny' => {}, '/etc/mail/statistics => {}', '/etc/random-seed' => {}, '/etc/adjtime' => {}, diff --git a/attributes/ossec.rb b/attributes/ossec.rb index a034036..cf35584 100644 --- a/attributes/ossec.rb +++ b/attributes/ossec.rb 
@@ -126,6 +126,7 @@ default["ossec"]["syscheck"]["ignore"]['/etc/openvpn/openvpn-status.log'] = {}
 default["ossec"]["syscheck"]["ignore"]['/etc/motd'] = {}
 default["ossec"]["syscheck"]["ignore"]['/etc/blkid.tab'] = {}
 default["ossec"]["syscheck"]["ignore"]['/etc/mtab'] = {}
+default["ossec"]["syscheck"]["ignore"]['/etc/hosts.deny'] = {}
 default["ossec"]["syscheck"]["ignore"]['/etc/mail/statistics'] = {}
 default["ossec"]["syscheck"]["ignore"]['/etc/random-seed'] = {}
 default["ossec"]["syscheck"]["ignore"]['/etc/adjtime'] = {}
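Review bot: Adding `/etc/hosts.deny` to the syscheck ignore list takes a host access-control file out of integrity monitoring, so an attacker or a misbehaving tool removing deny entries would no longer raise a syscheck alert, and the commit gives no reason for the trade-off. If the motivation is churn from a tool such as denyhosts or fail2ban rewriting the file (presumably, given the volatile neighbours like `/etc/mtab` and `/etc/random-seed`), the line should say so, e.g. `# hosts.deny churns constantly when denyhosts/fail2ban manage it; NOTE: this also hides manual edits from syscheck`. Alternatively keep the file monitored and lower the alert level for that path with a local rule, so changes are still recorded without generating noise.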