diff --git a/.kitchen.docker.yml b/.kitchen.docker.yml index 7904f3e..b0994f7 100644 --- a/.kitchen.docker.yml +++ b/.kitchen.docker.yml @@ -6,6 +6,9 @@ driver: # privileged is required otherwise the container doesn't boot right privileged: true +verifier: + name: inspec + platforms: - name: centos-6 driver: @@ -59,16 +62,15 @@ platforms: - /usr/bin/apt-get install apt-transport-https net-tools -y suites: -- name: default - run_list: ["recipe[ossec]"] - attributes: {} -- name: wui - driver_config: - network: - - ["private_network", {ip: "192.168.33.33"}] +- name: client + run_list: + - recipe[ossec::client] + data_bags_path: 'test/fixtures/data_bags' +- name: local + run_list: + - recipe[ossec::local] + data_bags_path: 'test/fixtures/data_bags' +- name: server run_list: - - "recipe[ossec::server]" - - "recipe[ossec::wui]" - attributes: - dev_mode: true - data_bags_path: 'test/integration/default/data_bags' + - recipe[ossec::server] + data_bags_path: 'test/fixtures/data_bags' diff --git a/.kitchen.yml b/.kitchen.yml index 4d74b42..4d81fed 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -4,6 +4,9 @@ driver: provisioner: name: chef_zero +verifier: + name: inspec + platforms: - name: centos-5.11 - name: centos-6.7 @@ -22,13 +25,15 @@ platforms: run_list: apt::default suites: -- name: default - run_list: - - recipe[ossec] - name: client run_list: - recipe[ossec::client] + data_bags_path: 'test/fixtures/data_bags' +- name: local + run_list: + - recipe[ossec::local] + data_bags_path: 'test/fixtures/data_bags' - name: server run_list: - recipe[ossec::server] - data_bags_path: 'test/integration/default/data_bags' + data_bags_path: 'test/fixtures/data_bags' diff --git a/.travis.yml b/.travis.yml index 7c69aa6..09cd519 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -12,12 +12,24 @@ services: docker env: matrix: - - INSTANCE=default-ubuntu-1204 - - INSTANCE=default-ubuntu-1404 - - INSTANCE=default-centos-6 - - INSTANCE=default-centos-7 - - INSTANCE=default-debian-7 - - INSTANCE=default-debian-8 + - INSTANCE=local-ubuntu-1204 + - INSTANCE=local-ubuntu-1404 + - INSTANCE=local-centos-6 + - INSTANCE=local-centos-7 + - INSTANCE=local-debian-7 + - INSTANCE=local-debian-8 + - INSTANCE=server-ubuntu-1204 + - INSTANCE=server-ubuntu-1404 + - INSTANCE=server-centos-6 + - INSTANCE=server-centos-7 + - INSTANCE=server-debian-7 + - INSTANCE=server-debian-8 + - INSTANCE=client-ubuntu-1204 + - INSTANCE=client-ubuntu-1404 + - INSTANCE=client-centos-6 + - INSTANCE=client-centos-7 + - INSTANCE=client-debian-7 + - INSTANCE=client-debian-8 # Don't `bundle install` install: echo "skip bundle install" diff --git a/CHANGELOG.md b/CHANGELOG.md index ee04890..4aa8256 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,28 @@ +# v2.0.0 (2016-03-28) + +## BREAKING CHANGES + +- Completely refactored how configs are handled. Attributes in node['ossec']['conf'] are converted to XML for the ossec.conf file. See the Readme for details and examples. +- The WUI recipe has been removed as the WUI project is abandoned +- Removed arch as a supported platform +- The default recipe has been renamed local.rb for local type installs + +## Other Changes + +- Added scientific, oracle, and amazon as supported platforms in the metadata +- Added Chefspec +- Fixed ossec server search query; It now finds ossec_client nodes in chef +- Removed OSSEC wiki link from the readme +- Added .foodcritic file to disable FC003 +- Updated Kitchen config to include additional platforms and the latest Test Kitchen format +- Added Rubocop config and resolved warnings +- Updated Berskfile to the latest format and added yum/apt deps +- Removed old Opscode contributing doc +- Added Gemfile with testing dependencies +- Updated the testing doc to match the current process +- Added chefignore file to limit the files that are uploaded to the Chef server +- Added source_url and issues_url to the metadata + # v1.0.5 ## Bug diff --git a/Gemfile b/Gemfile index d4a223e..65d9322 100644 --- a/Gemfile +++ b/Gemfile @@ -17,3 +17,7 @@ end group :kitchen_vagrant do gem 'kitchen-vagrant', '~> 0.19' end + +group :kitchen_inspec do + gem 'kitchen-inspec' +end diff --git a/README.md b/README.md index 984eaaf..9d44baf 100644 --- a/README.md +++ b/README.md 
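Review bot: The new `kitchen_inspec` group adds `gem 'kitchen-inspec'` with no version constraint, while the sibling `kitchen_vagrant` group in the same hunk pins `kitchen-vagrant` with `'~> 0.19'`; an unpinned entry lets `bundle install` resolve any future major release, so the test toolchain can change or break without a commit to this repository. Mirror the sibling group's pessimistic constraint, e.g. `gem 'kitchen-inspec', '~> <currently-resolved-minor-version>'`, taking the version from whatever bundler resolves today. The CHANGELOG hunk that shares this line is documentation only.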
@@ -101,25 +101,7 @@ This produces: ## Recipes -### repository - -Adds the OSSEC repository to the package manager. This recipe is included by others and should not be used directly. For highly customised setups, you should use `ossec::install_agent` or `ossec::install_server` instead. - -### install_agent - -Installs the agent packages but performs no explicit configuation. - -### install_server - -Install the server packages but performs no explicit configuation. - -### common - -Puts the configuration file in place and starts the (agent or server) service. This recipe is included by other recipes and generally should not be used directly. - -Note that the service will not be started if the client.keys file is missing or empty. For agents, this results in an error. For servers, this prevents ossec-remoted from starting, resulting in agents being unable to connect. Once client.keys does exist with content, simply perform another chef-client run to start the service. - -### default +### local Runs `ossec::install_server` and then configures for local-only use. Do not mix this recipe with the others below. 
@@ -164,6 +146,24 @@ To manage additional agents on the server that don't run chef, or for agentless Enable agentless monitoring in OSSEC and register the hosts on the server. Automated configuration of agentless nodes is not yet supported by this cookbook. For more information on the commands and configuration directives required in `ossec.conf`, see the [OSSEC Documentation](http://www.ossec.net/doc/manual/agent/agentless-monitoring.html) +### _repository + +Adds the OSSEC repository to the package manager. This recipe is included by others and should not be used directly. For highly customized setups, you should use `ossec::install_agent` or `ossec::install_server` instead. + +### _install_agent + +Installs the agent packages but performs no explicit configuration. + +### _install_server + +Install the server packages but performs no explicit configuration. + +### _common + +Puts the configuration file in place and starts the (agent or server) service. This recipe is included by other recipes and generally should not be used directly. + +Note that the service will not be started if the client.keys file is missing or empty. For agents, this results in an error. For servers, this prevents ossec-remoted from starting, resulting in agents being unable to connect. Once client.keys does exist with content, simply perform another chef-client run to start the service. + ## Usage The cookbook can be used to install OSSEC in one of the three types: diff --git a/metadata.rb b/metadata.rb index ac90172..466dbeb 100644 --- a/metadata.rb +++ b/metadata.rb @@ -4,7 +4,7 @@ license 'Apache 2.0' description 'Installs and onfigures ossec' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '1.0.5' +version '2.0.0' %w( apt yum-atomic ).each do |pkg| depends pkg diff --git a/recipes/common.rb b/recipes/_common.rb similarity index 86% rename from recipes/common.rb rename to recipes/_common.rb index 86914d2..ae6f408 100644 --- a/recipes/common.rb 
+++ b/recipes/_common.rb @@ -1,8 +1,8 @@ # # Cookbook Name:: ossec -# Recipe:: common +# Recipe:: _common # -# Copyright 2010, Opscode, Inc. +# Copyright 2010-2016, Chef Software, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,10 +17,12 @@ # limitations under the License. # -ruby_block 'ossec install_type' do +ruby_block 'set ossec install_type' do block do - if node.recipes.include?('ossec::default') + if node.recipes.include?('ossec::local') type = 'local' + elsif node.recipes.include?('ossec::server') + type = 'server' else type = nil @@ -90,19 +92,11 @@ service 'stop ossec' do service_name platform_family?('debian') ? 'ossec' : 'ossec-hids' action :nothing - - %w( disable stop ).each do |action| - subscribes action, 'package[ossec]', :immediately - end + subscribes :stop, 'package[ossec]', :immediately end service 'ossec' do service_name platform_family?('debian') ? 'ossec' : 'ossec-hids' supports status: true, restart: true action [:enable, :start] - - not_if do - (node['ossec']['install_type'] != 'local' && !File.size?("#{node['ossec']['dir']}/etc/client.keys")) || - (node['ossec']['install_type'] == 'agent' && node['ossec']['agent_server_ip'].nil?) - end end diff --git a/recipes/install_agent.rb b/recipes/_install_agent.rb similarity index 92% rename from recipes/install_agent.rb rename to recipes/_install_agent.rb index f016446..c95fa1a 100644 --- a/recipes/install_agent.rb +++ b/recipes/_install_agent.rb @@ -1,6 +1,6 @@ # # Cookbook Name:: ossec -# Recipe:: install_agent +# Recipe:: _install_agent # # Copyright 2015-2016, Chef Software, Inc. # @@ -17,7 +17,7 @@ # limitations under the License. # -include_recipe 'ossec::repository' +include_recipe 'ossec::_repository' package 'ossec' do package_name value_for_platform_family('debian' => 'ossec-hids-agent', 'default' => 'ossec-hids-client') 
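Review bot: The second `_common.rb` hunk (`@@ -90,19 +92,11 @@`) deletes the `not_if` guard on `service 'ossec'` without a replacement, so the service is now enabled and started even when `#{node['ossec']['dir']}/etc/client.keys` is missing or empty, or when an agent has no `agent_server_ip`. That contradicts the `_common` section this same commit re-adds to the README ("the service will not be started if the client.keys file is missing or empty"), is absent from the CHANGELOG's breaking changes, and per that README note leaves a server whose ossec-remoted cannot accept agents with no later chef-client run to start it once keys exist. Either restore the guard, e.g. `not_if { (node['ossec']['install_type'] != 'local' && !File.size?("#{node['ossec']['dir']}/etc/client.keys")) || (node['ossec']['install_type'] == 'agent' && node['ossec']['agent_server_ip'].nil?) }`, or document the new start-unconditionally behaviour in both places. The `service 'ossec'` resource closes inside the hunk, but the `ruby_block 'set ossec install_type'` in the first hunk continues past its last line.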
diff --git a/recipes/install_server.rb b/recipes/_install_server.rb similarity index 92% rename from recipes/install_server.rb rename to recipes/_install_server.rb index beb29f5..5a2b4f3 100644 --- a/recipes/install_server.rb +++ b/recipes/_install_server.rb @@ -1,6 +1,6 @@ # # Cookbook Name:: ossec -# Recipe:: install_server +# Recipe:: _install_server # # Copyright 2015-2016, Chef Software, Inc. # @@ -17,7 +17,7 @@ # limitations under the License. # -include_recipe 'ossec::repository' +include_recipe 'ossec::_repository' package 'ossec' do package_name value_for_platform_family('debian' => 'ossec-hids', 'default' => 'ossec-hids-server') diff --git a/recipes/repository.rb b/recipes/_repository.rb similarity index 97% rename from recipes/repository.rb rename to recipes/_repository.rb index 925f845..38a74a9 100644 --- a/recipes/repository.rb +++ b/recipes/_repository.rb @@ -1,6 +1,6 @@ # # Cookbook Name:: ossec -# Recipe:: repository +# Recipe:: _repository # # Copyright 2015-2016, Chef Software, Inc. # diff --git a/recipes/client.rb b/recipes/client.rb index f48ec1f..db7dec9 100644 --- a/recipes/client.rb +++ b/recipes/client.rb @@ -32,7 +32,7 @@ node.set['ossec']['agent_server_ip'] = ossec_server.first -include_recipe 'ossec::install_agent' +include_recipe 'ossec::_install_agent' dbag_name = node['ossec']['data_bag']['name'] dbag_item = node['ossec']['data_bag']['ssh'] @@ -62,4 +62,4 @@ mode '0660' end -include_recipe 'ossec::common' +include_recipe 'ossec::_common' diff --git a/recipes/default.rb b/recipes/local.rb similarity index 89% rename from recipes/default.rb rename to recipes/local.rb index e79fcf4..7a9eca2 100644 --- a/recipes/default.rb +++ b/recipes/local.rb @@ -17,5 +17,5 @@ # limitations under the License. # -include_recipe 'ossec::install_server' -include_recipe 'ossec::common' +include_recipe 'ossec::_install_server' +include_recipe 'ossec::_common' diff --git a/recipes/server.rb b/recipes/server.rb index d0849dc..8b086db 100644 
--- a/recipes/server.rb +++ b/recipes/server.rb @@ -17,7 +17,7 @@ # limitations under the License. # -include_recipe 'ossec::install_server' +include_recipe 'ossec::_install_server' ssh_hosts = [] @@ -64,7 +64,7 @@ variables(key: ossec_key['privkey']) end -include_recipe 'ossec::common' +include_recipe 'ossec::_common' cron 'distribute-ossec-keys' do minute '0' diff --git a/spec/unit/recipes/agent_spec.rb b/spec/unit/recipes/agent_spec.rb index f02069c..14135fa 100644 --- a/spec/unit/recipes/agent_spec.rb +++ b/spec/unit/recipes/agent_spec.rb @@ -2,7 +2,7 @@ require 'json' describe 'ossec::agent' do - let(:data_bags_path) { File.expand_path('../../../../test/integration/default/data_bags', __FILE__) } + let(:data_bags_path) { File.expand_path('../../../../test/fixtures/data_bags', __FILE__) } let(:data_bag_ossec_ssh) { JSON.parse(File.read("#{data_bags_path}/ossec/ssh.json")) } cached(:chef_run) do diff --git a/spec/unit/recipes/client_spec.rb b/spec/unit/recipes/client_spec.rb index 431bf33..4794857 100644 --- a/spec/unit/recipes/client_spec.rb +++ b/spec/unit/recipes/client_spec.rb @@ -2,7 +2,7 @@ require 'json' describe 'ossec::client' do - let(:data_bags_path) { File.expand_path('../../../../test/integration/default/data_bags', __FILE__) } + let(:data_bags_path) { File.expand_path('../../../../test/fixtures/data_bags', __FILE__) } let(:data_bag_ossec_ssh) { JSON.parse(File.read("#{data_bags_path}/ossec/ssh.json")) } cached(:chef_run) do diff --git a/spec/unit/recipes/server_spec.rb b/spec/unit/recipes/server_spec.rb index 2bb76ca..c8b18ed 100644 --- a/spec/unit/recipes/server_spec.rb +++ b/spec/unit/recipes/server_spec.rb 
@@ -2,7 +2,7 @@ require 'json' describe 'ossec::server' do - let(:data_bags_path) { File.expand_path('../../../../test/integration/default/data_bags', __FILE__) } + let(:data_bags_path) { File.expand_path('../../../../test/fixtures/data_bags', __FILE__) } let(:data_bag_ossec_ssh) { JSON.parse(File.read("#{data_bags_path}/ossec/ssh.json")) } cached(:chef_run) do diff --git a/test/integration/default/data_bags/ossec/ssh.json b/test/fixtures/data_bags/ossec/ssh.json similarity index 100% rename from test/integration/default/data_bags/ossec/ssh.json rename to test/fixtures/data_bags/ossec/ssh.json diff --git a/test/integration/server/default_spec.rb b/test/integration/server/default_spec.rb new file mode 100644 index 0000000..647d46e --- /dev/null +++ b/test/integration/server/default_spec.rb @@ -0,0 +1,11 @@ +service_name = case os[:family] + when 'ubuntu', 'debian' + 'ossec' + else + 'ossec-hids' + end + +describe service(service_name) do + it { should be_enabled } + # it { should be_running } # can't be enabled due to status command returning 1 +end
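Review bot: The new `test/integration/server/default_spec.rb` asserts only `should be_enabled`, and with `be_running` commented out the server suite passes even when the daemon fails to start, so it proves init-script registration but not that OSSEC is up. If the init script's `status` exit code is what breaks `be_running`, assert on a process instead, e.g. `describe processes('ossec-analysisd') do; its('entries.length') { should be > 0 }; end`, or on the port the deployment expects to be listening. The inline comment `can't be enabled due to status command returning 1` describes a check that cannot be run, so `can't be checked` is the wording that matches it. The `client` and `local` suites added to both kitchen files have no matching `test/integration/` directory in this diff, so unless one exists outside the change they converge without any verification.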