Release 2.0.0

.kitchen.docker.yml

@@ -6,6 +6,9 @@ driver:
   # privileged is required otherwise the container doesn't boot right
   privileged: true
 
+verifier:
+  name: inspec
+
 platforms:
 - name: centos-6
   driver:
@@ -59,16 +62,15 @@ platforms:
       - /usr/bin/apt-get install apt-transport-https net-tools -y
 
 suites:
-- name: default
-  run_list: ["recipe[ossec]"]
-  attributes: {}
-- name: wui
-  driver_config:
-    network:
-      - ["private_network", {ip: "192.168.33.33"}]
+- name: client
+  run_list:
+    - recipe[ossec::client]
+  data_bags_path: 'test/fixtures/data_bags'
+- name: local
+  run_list:
+    - recipe[ossec::local]
+  data_bags_path: 'test/fixtures/data_bags'
+- name: server
   run_list:
-    - "recipe[ossec::server]"
-    - "recipe[ossec::wui]"
-  attributes:
-    dev_mode: true
-  data_bags_path: 'test/integration/default/data_bags'
+    - recipe[ossec::server]
+  data_bags_path: 'test/fixtures/data_bags'

.kitchen.yml

@@ -4,6 +4,9 @@ driver:
 provisioner:
   name: chef_zero
 
+verifier:
+  name: inspec
+
 platforms:
   - name: centos-5.11
   - name: centos-6.7
@@ -22,13 +25,15 @@ platforms:
     run_list: apt::default
 
 suites:
-- name: default
-  run_list:
-    - recipe[ossec]
 - name: client
   run_list:
     - recipe[ossec::client]
+  data_bags_path: 'test/fixtures/data_bags'
+- name: local
+  run_list:
+    - recipe[ossec::local]
+  data_bags_path: 'test/fixtures/data_bags'
 - name: server
   run_list:
     - recipe[ossec::server]
-  data_bags_path: 'test/integration/default/data_bags'
+  data_bags_path: 'test/fixtures/data_bags'

.travis.yml

@@ -12,12 +12,24 @@ services: docker
 
 env:
   matrix:
-  - INSTANCE=default-ubuntu-1204
-  - INSTANCE=default-ubuntu-1404
-  - INSTANCE=default-centos-6
-  - INSTANCE=default-centos-7
-  - INSTANCE=default-debian-7
-  - INSTANCE=default-debian-8
+  - INSTANCE=local-ubuntu-1204
+  - INSTANCE=local-ubuntu-1404
+  - INSTANCE=local-centos-6
+  - INSTANCE=local-centos-7
+  - INSTANCE=local-debian-7
+  - INSTANCE=local-debian-8
+  - INSTANCE=server-ubuntu-1204
+  - INSTANCE=server-ubuntu-1404
+  - INSTANCE=server-centos-6
+  - INSTANCE=server-centos-7
+  - INSTANCE=server-debian-7
+  - INSTANCE=server-debian-8
+  - INSTANCE=client-ubuntu-1204
+  - INSTANCE=client-ubuntu-1404
+  - INSTANCE=client-centos-6
+  - INSTANCE=client-centos-7
+  - INSTANCE=client-debian-7
+  - INSTANCE=client-debian-8
 
 # Don't `bundle install`
 install: echo "skip bundle install"

CHANGELOG.md

@@ -1,3 +1,28 @@
+# v2.0.0 (2016-03-28)
+
+## BREAKING CHANGES
+
+- Completely refactored how configs are handled. Attributes in node['ossec']['conf'] are converted to XML for the ossec.conf file. See the Readme for details and examples.
+- The WUI recipe has been removed as the WUI project is abandoned
+- Removed arch as a supported platform
+- The default recipe has been renamed local.rb for local type installs
+
+## Other Changes
+
+- Added scientific, oracle, and amazon as supported platforms in the metadata
+- Added Chefspec
+- Fixed ossec server search query; It now finds ossec_client nodes in chef
+- Removed OSSEC wiki link from the readme
+- Added .foodcritic file to disable FC003
+- Updated Kitchen config to include additional platforms and the latest Test Kitchen format
+- Added Rubocop config and resolved warnings
+- Updated Berskfile to the latest format and added yum/apt deps
+- Removed old Opscode contributing doc
+- Added Gemfile with testing dependencies
+- Updated the testing doc to match the current process
+- Added chefignore file to limit the files that are uploaded to the Chef server
+- Added source_url and issues_url to the metadata
+
 # v1.0.5
 
 ## Bug

Gemfile

@@ -17,3 +17,7 @@ end
 group :kitchen_vagrant do
   gem 'kitchen-vagrant', '~> 0.19'
 end
+
+group :kitchen_inspec do
+  gem 'kitchen-inspec'
+end

README.md

@@ -101,25 +101,7 @@ This produces:
 
 ## Recipes
 
-### repository
-
-Adds the OSSEC repository to the package manager. This recipe is included by others and should not be used directly. For highly customised setups, you should use `ossec::install_agent` or `ossec::install_server` instead.
-
-### install_agent
-
-Installs the agent packages but performs no explicit configuation.
-
-### install_server
-
-Install the server packages but performs no explicit configuation.
-
-### common
-
-Puts the configuration file in place and starts the (agent or server) service. This recipe is included by other recipes and generally should not be used directly.
-
-Note that the service will not be started if the client.keys file is missing or empty. For agents, this results in an error. For servers, this prevents ossec-remoted from starting, resulting in agents being unable to connect. Once client.keys does exist with content, simply perform another chef-client run to start the service.
-
-### default
+### local
 
 Runs `ossec::install_server` and then configures for local-only use. Do not mix this recipe with the others below.
 
@@ -164,6 +146,24 @@ To manage additional agents on the server that don't run chef, or for agentless
 
 Enable agentless monitoring in OSSEC and register the hosts on the server. Automated configuration of agentless nodes is not yet supported by this cookbook. For more information on the commands and configuration directives required in `ossec.conf`, see the [OSSEC Documentation](http://www.ossec.net/doc/manual/agent/agentless-monitoring.html)
 
+### _repository
+
+Adds the OSSEC repository to the package manager. This recipe is included by others and should not be used directly. For highly customized setups, you should use `ossec::install_agent` or `ossec::install_server` instead.
+
+### _install_agent
+
+Installs the agent packages but performs no explicit configuration.
+
+### _install_server
+
+Install the server packages but performs no explicit configuration.
+
+### _common
+
+Puts the configuration file in place and starts the (agent or server) service. This recipe is included by other recipes and generally should not be used directly.
+
+Note that the service will not be started if the client.keys file is missing or empty. For agents, this results in an error. For servers, this prevents ossec-remoted from starting, resulting in agents being unable to connect. Once client.keys does exist with content, simply perform another chef-client run to start the service.
+
 ## Usage
 
 The cookbook can be used to install OSSEC in one of the three types:

metadata.rb

@@ -4,7 +4,7 @@
 license          'Apache 2.0'
 description      'Installs and onfigures ossec'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '1.0.5'
+version          '2.0.0'
 
 %w( apt yum-atomic ).each do |pkg|
   depends pkg

recipes/common.rb → recipes/_common.rb

@@ -1,8 +1,8 @@
 #
 # Cookbook Name:: ossec
-# Recipe:: common
+# Recipe:: _common
 #
-# Copyright 2010, Opscode, Inc.
+# Copyright 2010-2016, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,10 +17,12 @@
 # limitations under the License.
 #
 
-ruby_block 'ossec install_type' do
+ruby_block 'set ossec install_type' do
   block do
-    if node.recipes.include?('ossec::default')
+    if node.recipes.include?('ossec::local')
       type = 'local'
+    elsif node.recipes.include?('ossec::server')
+      type = 'server'
     else
       type = nil
 
@@ -90,19 +92,11 @@
 service 'stop ossec' do
   service_name platform_family?('debian') ? 'ossec' : 'ossec-hids'
   action :nothing
-
-  %w( disable stop ).each do |action|
-    subscribes action, 'package[ossec]', :immediately
-  end
+  subscribes :stop, 'package[ossec]', :immediately
 end
 
 service 'ossec' do
   service_name platform_family?('debian') ? 'ossec' : 'ossec-hids'
   supports status: true, restart: true
   action [:enable, :start]
-
-  not_if do
-    (node['ossec']['install_type'] != 'local' && !File.size?("#{node['ossec']['dir']}/etc/client.keys")) ||
-      (node['ossec']['install_type'] == 'agent' && node['ossec']['agent_server_ip'].nil?)
-  end
 end

recipes/install_agent.rb → recipes/_install_agent.rb

@@ -1,6 +1,6 @@
 #
 # Cookbook Name:: ossec
-# Recipe:: install_agent
+# Recipe:: _install_agent
 #
 # Copyright 2015-2016, Chef Software, Inc.
 #
@@ -17,7 +17,7 @@
 # limitations under the License.
 #
 
-include_recipe 'ossec::repository'
+include_recipe 'ossec::_repository'
 
 package 'ossec' do
   package_name value_for_platform_family('debian' => 'ossec-hids-agent', 'default' => 'ossec-hids-client')

recipes/install_server.rb → recipes/_install_server.rb

@@ -1,6 +1,6 @@
 #
 # Cookbook Name:: ossec
-# Recipe:: install_server
+# Recipe:: _install_server
 #
 # Copyright 2015-2016, Chef Software, Inc.
 #
@@ -17,7 +17,7 @@
 # limitations under the License.
 #
 
-include_recipe 'ossec::repository'
+include_recipe 'ossec::_repository'
 
 package 'ossec' do
   package_name value_for_platform_family('debian' => 'ossec-hids', 'default' => 'ossec-hids-server')

recipes/repository.rb → recipes/_repository.rb

@@ -1,6 +1,6 @@
 #
 # Cookbook Name:: ossec
-# Recipe:: repository
+# Recipe:: _repository
 #
 # Copyright 2015-2016, Chef Software, Inc.
 #

recipes/client.rb

@@ -32,7 +32,7 @@
 
 node.set['ossec']['agent_server_ip'] = ossec_server.first
 
-include_recipe 'ossec::install_agent'
+include_recipe 'ossec::_install_agent'
 
 dbag_name = node['ossec']['data_bag']['name']
 dbag_item = node['ossec']['data_bag']['ssh']
@@ -62,4 +62,4 @@
   mode '0660'
 end
 
-include_recipe 'ossec::common'
+include_recipe 'ossec::_common'

recipes/default.rb → recipes/local.rb

@@ -17,5 +17,5 @@
 # limitations under the License.
 #
 
-include_recipe 'ossec::install_server'
-include_recipe 'ossec::common'
+include_recipe 'ossec::_install_server'
+include_recipe 'ossec::_common'

recipes/server.rb

@@ -17,7 +17,7 @@
 # limitations under the License.
 #
 
-include_recipe 'ossec::install_server'
+include_recipe 'ossec::_install_server'
 
 ssh_hosts = []
 
@@ -64,7 +64,7 @@
   variables(key: ossec_key['privkey'])
 end
 
-include_recipe 'ossec::common'
+include_recipe 'ossec::_common'
 
 cron 'distribute-ossec-keys' do
   minute '0'

spec/unit/recipes/agent_spec.rb

@@ -2,7 +2,7 @@
 require 'json'
 
 describe 'ossec::agent' do
-  let(:data_bags_path) { File.expand_path('../../../../test/integration/default/data_bags', __FILE__) }
+  let(:data_bags_path) { File.expand_path('../../../../test/fixtures/data_bags', __FILE__) }
   let(:data_bag_ossec_ssh) { JSON.parse(File.read("#{data_bags_path}/ossec/ssh.json")) }
 
   cached(:chef_run) do

spec/unit/recipes/client_spec.rb

@@ -2,7 +2,7 @@
 require 'json'
 
 describe 'ossec::client' do
-  let(:data_bags_path) { File.expand_path('../../../../test/integration/default/data_bags', __FILE__) }
+  let(:data_bags_path) { File.expand_path('../../../../test/fixtures/data_bags', __FILE__) }
   let(:data_bag_ossec_ssh) { JSON.parse(File.read("#{data_bags_path}/ossec/ssh.json")) }
 
   cached(:chef_run) do

spec/unit/recipes/server_spec.rb

@@ -2,7 +2,7 @@
 require 'json'
 
 describe 'ossec::server' do
-  let(:data_bags_path) { File.expand_path('../../../../test/integration/default/data_bags', __FILE__) }
+  let(:data_bags_path) { File.expand_path('../../../../test/fixtures/data_bags', __FILE__) }
   let(:data_bag_ossec_ssh) { JSON.parse(File.read("#{data_bags_path}/ossec/ssh.json")) }
 
   cached(:chef_run) do

test/integration/server/default_spec.rb

@@ -0,0 +1,11 @@
+service_name = case os[:family]
+               when 'ubuntu', 'debian'
+                 'ossec'
+               else
+                 'ossec-hids'
+               end
+
+describe service(service_name) do
+  it { should be_enabled }
+  # it { should be_running } # can't be enabled due to status command returning 1
+end