From 6b18d206ed373fef24915f0a116aaad7d6591a35 Mon Sep 17 00:00:00 2001
From: Eric Renfro
Date: Sun, 24 Jul 2016 16:27:10 -0400
Subject: [PATCH] Fixed foodcritic issues, added proper cookbook includes per platform
---
 metadata.rb | 4 +-
 recipes/agent.rb | 171 +++++++++++++++++++++++----------------------
 recipes/default.rb | 2 +-
 recipes/server.rb | 7 +-
 4 files changed, 96 insertions(+), 88 deletions(-)
diff --git a/metadata.rb b/metadata.rb
index 73146b9..f9c6d09 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email "psi-jack@linux-help.org"
 license "GPLv2"
 description "Installs/Configures ossec"
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version "1.2.0"
+version "1.2.1"
 issues_url "http://git.linux-help.org/Linux-Help/ossec-ng/issues"
 source_url "http://git.linux-help.org/Linux-Help/ossec-ng"
@@ -26,7 +26,7 @@ end
 depends 'yum-epel'
 depends 'yum-atomic', '~> 0.1.2'
-depends 'apt-atomic', '~> 0.1.2'
+depends 'apt-atomic', '~> 0.1.3'
 suggests 'postfix'
 suggests 'selinux_policy'
diff --git a/recipes/agent.rb b/recipes/agent.rb
index ec4feae..9674f56 100644
--- a/recipes/agent.rb
+++ b/recipes/agent.rb
@@ -3,11 +3,11 @@
 # and role specific configuration for the node
 # get a key from the ossec-server if there's one
-#if not node['lsb']['codename'].eql?('lucid')
-# return true
-#end
-
-include_recipe "yum-atomic"
+if node['platform_family'] == "rhel"
+ include_recipe "yum-atomic"
+elsif node['platform_family'] == "debian"
+ include_recipe "apt-atomic"
+end
 class Chef::Recipe
 include OssecCore
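Review bot: The platform dispatch added at the top of recipes/agent.rb has no branch for a platform_family other than rhel and debian, so on any other family no Atomic repository is configured and the later `package "ossec-hids-client"` fails with an unrelated "package not found" error instead of a clear one. Adding an explicit fallthrough makes the unsupported case visible at the point it is decided, e.g. `else` / `raise "ossec-ng: unsupported platform_family #{node['platform_family']}"`, or at least a `Chef::Log.warn` there. The recipes/server.rb hunk at the end of this patch has the same shape and needs the same branch; this hunk sits above `class Chef::Recipe`, whose body continues outside the hunk.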
@@ -25,92 +25,95 @@ if not node["ossec"]["agent"]["enable"]
 end
 # Search for the ossec server, and do nothing if there's none
-ossec_server = search(:node,
- "role:ossec-server " \
- "AND chef_environment:#{node.chef_environment}"
- ).first
-if ossec_server.nil?
- Chef::Log.info("OSSEC: No ossec server available. Agent will not be provisionned")
- return true
-end
-
-# install the agent package
-package "ossec-hids-client"
-
-# define the agent parameters
-agent_hash = ossec_agent_create_parameters(node, ossec_server)
-
-# check for the agent configuration on the server. if the server has none, do
-# not continue the provisioning. If the server has a configuration for this
-# agent, store the parameters on the node and continue
-if ossec_verify_agent(agent_hash, ossec_server)
- node.normal["ossec"]["agents"][agent_hash[:id]] = ossec_server["ossec"]["agents"][agent_hash[:id]].to_hash
+if Chef::Config[:solo]
+ Chef::Log.warn('This recipe uses search. Chef Solo does not support search')
 else
- Chef::Log.info("OSSEC: this agent is unknown on the ossec server")
- return true
-end
-
-# Make sure that the server prepared a key for us
-unless ossec_agent_has_valid_key?(agent_hash, ossec_server)
- Chef::Log.info("OSSEC: Server doesn't have a valid key for agent.")
- return true
-end
-
-service "ossec-agent" do
- #provider Chef::Provider::Service::Init
- service_name node["ossec"]["client"]["service_name"]
- supports :start => true, :stop => true, :restart => true, :status => true
- action [ :start ]
- only_if "test -e /var/ossec/etc/ossec.conf && test -e /var/ossec/etc/client.keys"
-end
-
-# Get the IP of the ossec server
-ossec_server_ip = ossec_server[:network][:lanip] || ossec_server.ipaddress
-
-# Expand the local flags from node attributes
-ossec_set_filtered_flags!("command", "active-response", "syslog_files")
-ossec_set_syscheck_flags!("ignore")
-
-template "/var/ossec/etc/ossec.conf" do
- source "ossec-agent.conf.erb"
- owner "ossec"
- group "ossec"
- variables("ossec_server_ip" => ossec_server_ip )
- manage_symlink_source true
- notifies :restart, "service[ossec-agent]"
-end
-
-# If client.keys is modified, ask for a queue rid on the server
-template "/var/ossec/etc/client.keys" do
- mode 0440
- owner "root"
- group "ossec"
- notifies :create, "ruby_block[set-rid-flag]"
- notifies :restart, "service[ossec-agent]"
-end
-
-# "set-rid-flag" is not run by default, but called when the agent's key
-# is modified (or created)
-ruby_block "set-rid-flag" do
- block do
- # if the server side rid flag is not set to "done",
- # request a queue rid by setting the agent side flag to "todo"
- if ossec_server["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("none")
- node.normal["ossec"]["agents"][agent_hash[:id]]["rid"] = "todo"
- Chef::Log.info "Setting Queue Rid Flag on"
- end
+ ossec_server = search(:node,
+ "role:ossec-server " \
+ "AND chef_environment:#{node.chef_environment}"
+ ).first
+ if ossec_server.nil?
+ Chef::Log.info("OSSEC: No ossec server available. Agent will not be provisionned")
+ return true
 end
- action :nothing
-end
-
-# unset rid flag if necessary, check that at every run
-if node["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("todo") \
- and ossec_server["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("done")
+
+ # install the agent package
+ package "ossec-hids-client"
+
+ # define the agent parameters
+ agent_hash = ossec_agent_create_parameters(node, ossec_server)
+
+ # check for the agent configuration on the server. if the server has none, do
+ # not continue the provisioning. If the server has a configuration for this
+ # agent, store the parameters on the node and continue
+ if ossec_verify_agent(agent_hash, ossec_server)
+ node.normal["ossec"]["agents"][agent_hash[:id]] = ossec_server["ossec"]["agents"][agent_hash[:id]].to_hash
+ else
+ Chef::Log.info("OSSEC: this agent is unknown on the ossec server")
+ return true
+ end
+
+ # Make sure that the server prepared a key for us
+ unless ossec_agent_has_valid_key?(agent_hash, ossec_server)
+ Chef::Log.info("OSSEC: Server doesn't have a valid key for agent.")
+ return true
+ end
+
+ service "ossec-agent" do
+ #provider Chef::Provider::Service::Init
+ service_name node["ossec"]["client"]["service_name"]
+ supports :start => true, :stop => true, :restart => true, :status => true
+ action [ :start ]
+ only_if "test -e /var/ossec/etc/ossec.conf && test -e /var/ossec/etc/client.keys"
+ end
+
+ # Get the IP of the ossec server
+ ossec_server_ip = ossec_server[:network][:lanip] || ossec_server.ipaddress
+
+ # Expand the local flags from node attributes
+ ossec_set_filtered_flags!("command", "active-response", "syslog_files")
+ ossec_set_syscheck_flags!("ignore")
+
+ template "/var/ossec/etc/ossec.conf" do
+ source "ossec-agent.conf.erb"
+ owner "ossec"
+ group "ossec"
+ variables("ossec_server_ip" => ossec_server_ip )
+ manage_symlink_source true
+ notifies :restart, "service[ossec-agent]"
+ end
+
+ # If client.keys is modified, ask for a queue rid on the server
+ template "/var/ossec/etc/client.keys" do
+ mode 0440
+ owner "root"
+ group "ossec"
+ notifies :create, "ruby_block[set-rid-flag]"
+ notifies :restart, "service[ossec-agent]"
+ end
+
+ # "set-rid-flag" is not run by default, but called when the agent's key
+ # is modified (or created)
+ ruby_block "set-rid-flag" do
+ block do
+ # if the server side rid flag is not set to "done",
+ # request a queue rid by setting the agent side flag to "todo"
+ if ossec_server["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("none")
+ node.normal["ossec"]["agents"][agent_hash[:id]]["rid"] = "todo"
+ Chef::Log.info "Setting Queue Rid Flag on"
+ end
+ end
+ action :nothing
+ end
+
+ # unset rid flag if necessary, check that at every run
 ruby_block "unset rid flag" do
 block do
 node.normal["ossec"]["agents"][agent_hash[:id]]["rid"] = "none"
 Chef::Log.info "Setting Queue Rid Flag off"
 end
 notifies :restart, "service[ossec-agent]"
+ only_if { node["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("todo") \
+ and ossec_server["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("done") }
 end
 end
diff --git a/recipes/default.rb b/recipes/default.rb
index 8a8dae2..5200f76 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -2,5 +2,5 @@
 # Cookbook Name:: ossec
 # Recipe:: default
 #
-include_recipe "ossec::agent"
+include_recipe "ossec-ng::agent"
diff --git a/recipes/server.rb b/recipes/server.rb
index d671ce8..9bcb783 100644
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -2,7 +2,12 @@
 # install the ossec-hids-server package and push the
 # default configuration from the templates
-include_recipe "yum-atomic"
+if node['platform_family'] == "rhel"
+ include_recipe "yum-atomic"
+elsif node['platform_family'] == "debian"
+ include_recipe "apt-atomic"
+end
+
 class Chef::Recipe
 include OssecCore
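Review bot: The new `else` branch of the `Chef::Config[:solo]` check re-indents the remaining body of recipes/agent.rb one level deeper only to skip it under Chef Solo, while the recipe already uses `return true` as its guard style in the `ossec_server.nil?` check a few lines below; the same effect with a much smaller diff is `Chef::Log.warn(...)` followed by `return true` and the body left at top level. The `only_if` block moved onto `ruby_block "unset rid flag"` joins its two predicates with `and`, which binds looser than `&&` and is the form RuboCop flags; since the block's value is what the guard reads, prefer `only_if { node["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("todo") && ossec_server["ossec"]["agents"][agent_hash[:id]]["rid"].eql?("done") }`. That guard is now evaluated at converge time but still reads the `ossec_server` object fetched by `search` at compile time, so the server-side `rid` it sees is as old as the search — a one-line comment above the `only_if` saying so would save the next reader a question. When `Chef::Config[:solo]` is true the run now finishes with a warning and no agent installed or configured; if that is the intent, the warning should say it, e.g. `Chef::Log.warn('ossec-ng::agent requires search; agent will not be installed under Chef Solo')`.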