
ossec's Introduction

ossec cookbook


Installs OSSEC from source in a server-agent installation. See:

http://www.ossec.net/docs/manual/installation/index.html

For managing Wazuh, consider using the Wazuh Chef Cookbook here: https://github.com/wazuh/wazuh-chef

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you'd like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Platforms

  • Ubuntu / Debian
  • RHEL and derivatives

Chef

  • Chef 16.13+

Cookbooks

  • yum-atomic

Attributes

  • node['ossec']['dir'] - Installation directory for OSSEC, default /var/ossec. All existing packages use this directory so you should not change this.
  • node['ossec']['server_role'] - When using server/agent setup, this role is used to search for the OSSEC server, default ossec_server.
  • node['ossec']['server_env'] - When using server/agent setup, this value will scope the role search to the specified environment, default nil.
  • node['ossec']['agent_server_ip'] - The IP of the OSSEC server. The client recipe will attempt to determine this value via search. Default is nil, only required for agent installations.
  • node['ossec']['data_bag']['encrypted'] - Boolean value which indicates whether or not the OSSEC data bag is encrypted.
  • node['ossec']['data_bag']['name'] - The name of the data bag to use.
  • node['ossec']['data_bag']['ssh'] - The name of the data bag item which contains the OSSEC keys.

ossec.conf

OSSEC's configuration is mainly read from an XML file called ossec.conf. You can directly control the contents of this file using node attributes under node['ossec']['conf']. These attributes are mapped to XML using Gyoku. See the Gyoku site for details on how this works.

Chef applies attributes from all attribute files regardless of which recipes were executed. In order to make wrapper cookbooks easier to write, node['ossec']['conf'] is divided into the three installation types mentioned below, local, server, and agent. You can also set attributes under all to apply settings across all installation types. The typed attributes are automatically deep merged over the all attributes in the normal Chef manner.

true and false values are automatically mapped to "yes" and "no" as OSSEC expects the latter.

ossec.conf makes little use of XML attributes so you can generally construct nested hashes in the usual fashion. Where an attribute is required, you can do it like this:

default['ossec']['conf']['all']['syscheck']['directories'] = [
  { '@check_all' => true, 'content!' => '/bin,/sbin' },
  '/etc,/usr/bin,/usr/sbin'
]

This produces:

<syscheck>
  <directories check_all="yes">/bin,/sbin</directories>
  <directories>/etc,/usr/bin,/usr/sbin</directories>
</syscheck>

The default values are based on those given in the OSSEC manual. They do not include any specific rules, checks, outputs, or alerts as everyone has different requirements.

agent.conf

OSSEC servers can also distribute configuration to agents through the centrally managed XML file called agent.conf. Since Chef is better at distributing configuration than OSSEC is, the cookbook leaves this file blank by default. Should you want to populate it, it is done in a similar manner to the above. Since this file is only used on servers, you can define the attributes directly under node['ossec']['agent_conf']. Unlike conventional XML files, agent.conf has multiple root nodes, so node['ossec']['agent_conf'] must be treated as an array like so:

default['ossec']['agent_conf'] = [
  {
    'syscheck' => { 'frequency' => 4321 },
    'rootcheck' => { 'disabled' => true }
  },
  {
    '@os' => 'Windows',
    'content!' => {
      'syscheck' => { 'frequency' => 1234 }
    }
  }
]

This produces:

<agent_config>
  <syscheck>
    <frequency>4321</frequency>
  </syscheck>
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>
</agent_config>

<agent_config os="Windows">
  <syscheck>
    <frequency>1234</frequency>
  </syscheck>
</agent_config>
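As an added example (not the cookbook's code, and not Gyoku itself), here is a small stand-alone Ruby re-implementation of the Gyoku conventions this cookbook relies on, covering both the ossec.conf hash above and the multi-root agent.conf array: '@key' entries become XML attributes, 'content!' supplies the element body, arrays repeat the element, and true/false render as yes/no.

```ruby
# Added example: a minimal stand-in for the Gyoku conventions this cookbook
# relies on (not the cookbook's code and not Gyoku itself):
#   '@name' keys become XML attributes, 'content!' is the element body,
#   arrays repeat the element, and true/false render as "yes"/"no".

# OSSEC wants yes/no rather than true/false; everything else is stringified.
def ossec_value(v)
  case v
  when true  then 'yes'
  when false then 'no'
  else v.to_s
  end
end

def escape_xml(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Render one element called +name+ from +value+, indented +depth+ levels.
# Returns an Array of lines so nested calls can be spliced together.
def element_lines(name, value, depth = 0)
  pad = '  ' * depth
  case value
  when Array
    # A list yields one sibling element per entry (several <directories>, say).
    value.flat_map { |item| element_lines(name, item, depth) }
  when Hash
    attrs    = value.select { |k, _| k.start_with?('@') }
    children = value.reject { |k, _| k.start_with?('@') }
    attr_str = attrs.map { |k, v| " #{k[1..-1]}=\"#{escape_xml(ossec_value(v))}\"" }.join
    content  = children['content!']
    if children.key?('content!') && !content.is_a?(Hash)
      # Scalar 'content!' next to attributes: <directories check_all="yes">...</directories>
      ["#{pad}<#{name}#{attr_str}>#{escape_xml(ossec_value(content))}</#{name}>"]
    else
      # Either plain nested children or a 'content!' hash holding the children.
      inner = content.is_a?(Hash) ? content : children
      body  = inner.flat_map { |k, v| element_lines(k, v, depth + 1) }
      ["#{pad}<#{name}#{attr_str}>", *body, "#{pad}</#{name}>"]
    end
  else
    ["#{pad}<#{name}>#{escape_xml(ossec_value(value))}</#{name}>"]
  end
end

# ossec.conf: one <ossec_config> root around the (already merged) conf hash.
def render_ossec_conf(conf)
  element_lines('ossec_config', conf).join("\n")
end

# agent.conf: one <agent_config> root per array entry, blank line between them.
def render_agent_conf(sections)
  sections.map { |s| element_lines('agent_config', s).join("\n") }.join("\n\n")
end

if $PROGRAM_NAME == __FILE__
  # The two hashes from the README, reproduced as sample input.
  conf = { 'syscheck' => { 'directories' => [
    { '@check_all' => true, 'content!' => '/bin,/sbin' },
    '/etc,/usr/bin,/usr/sbin'
  ] } }
  agent_conf = [
    { 'syscheck' => { 'frequency' => 4321 }, 'rootcheck' => { 'disabled' => true } },
    { '@os' => 'Windows', 'content!' => { 'syscheck' => { 'frequency' => 1234 } } }
  ]
  puts render_ossec_conf(conf)
  puts
  puts render_agent_conf(agent_conf)
end
```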

Recipes

repository

Adds the OSSEC repository to the package manager. This recipe is included by others and should not be used directly. For highly customised setups, you should use ossec::install_agent or ossec::install_server instead.

install_agent

Installs the agent packages but performs no explicit configuration.

install_server

Installs the server packages but performs no explicit configuration.

common

Puts the configuration file in place and starts the (agent or server) service. This recipe is included by other recipes and generally should not be used directly.

Note that the service will not be started if the client.keys file is missing or empty. For agents, this results in an error. For servers, this prevents ossec-remoted from starting, resulting in agents being unable to connect. Once client.keys does exist with content, simply perform another chef-client run to start the service.

default

Runs ossec::install_server and then configures for local-only use. Do not mix this recipe with the others below.

agent

OSSEC uses the term agent instead of client. The agent recipe includes the ossec::client recipe.

client

Configures the system as an OSSEC agent to the OSSEC server. This recipe will search for the server based on node['ossec']['server_role']. It will also set the agent_server_ip attribute. The ossec user will have an SSH key created so the server can distribute the agent key.

server

Sets up a system to be an OSSEC server. This recipe will search for all nodes that have an ossec attribute and add them as an agent.

To manage additional agents on the server that don't run chef, or for agentless OSSEC configuration (for example, routers), add a new node for them and create the node['ossec']['agentless'] attribute as true. For example if we have a router named gw01.example.com with the IP 192.168.100.1:

% knife node create gw01.example.com
{
  "name": "gw01.example.com",
  "json_class": "Chef::Node",
  "automatic": {
  },
  "normal": {
    "hostname": "gw01",
    "fqdn": "gw01.example.com",
    "ipaddress": "192.168.100.1",
    "ossec": {
      "agentless": true
    }
  },
  "chef_type": "node",
  "default": {
  },
  "override": {
  },
  "run_list": [
  ]
}

Enable agentless monitoring in OSSEC and register the hosts on the server. Automated configuration of agentless nodes is not yet supported by this cookbook. For more information on the commands and configuration directives required in ossec.conf, see the OSSEC Documentation.

agent_auth

If you do not wish to distribute agent keys via SSH then the authd mechanism provides an alternative. Set the agent_server_ip attribute manually and this recipe will attempt to register with the given server running ossec-authd. To allow registration with a new server after changing agent_server_ip, delete the client.keys file and rerun the recipe.

authd

For a server to accept agent registrations, it needs to be running ossec-authd. This recipe installs an init script for it (systemd only for now) and will attempt to start it once the mandatory SSL certificate and key have been put in place. From OSSEC 2.9, you can also set a CA certificate to validate agents against.

Usage

The cookbook can be used to install OSSEC in one of the three types:

  • local - use the ossec::default recipe.
  • server - use the ossec::server recipe.
  • agent - use the ossec::client recipe.

For local-only installations, add just recipe[ossec] to the node run list, or put it in a role (like a base role).

Server/Agent

This section describes how to use the cookbook for server/agent configurations.

The server will use SSH to distribute the OSSEC agent keys. Create a data bag ossec, with an item ssh. It should have the following structure:

{
  "id": "ssh",
  "pubkey": "",
  "privkey": ""
}

Generate an ssh keypair and get the privkey and pubkey values. The output of the two ruby commands should be used as the privkey and pubkey values respectively in the data bag.

ssh-keygen -t rsa -f /tmp/id_rsa
ruby -e 'puts IO.read("/tmp/id_rsa")'
ruby -e 'puts IO.read("/tmp/id_rsa.pub")'
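Added example, not part of the cookbook: instead of pasting the key files into the data bag by hand, build the ossec/ssh item with Ruby's JSON library so the newlines inside the private key are escaped correctly (a key with its newlines stripped uploads fine but is unusable by ssh). The key material below is a constructed placeholder, not a real key.

```ruby
require 'json'

# Added example, not part of the cookbook: assemble the ossec/ssh data bag item
# from an existing keypair so JSON escaping of the PEM newlines is done for you.

# Returns the data bag item as a Hash in the layout the README describes.
def ssh_data_bag_item(privkey, pubkey)
  unless privkey.start_with?('-----BEGIN') && privkey.end_with?("\n")
    raise ArgumentError, 'privkey must be the full PEM block, trailing newline included'
  end
  pubkey = pubkey.strip
  raise ArgumentError, 'pubkey must be a single line' if pubkey.include?("\n")
  { 'id' => 'ssh', 'pubkey' => pubkey, 'privkey' => privkey }
end

# JSON.pretty_generate turns each newline inside the key into "\n", so the
# item uploads with knife and the key comes back intact on the server.
def ssh_data_bag_json(privkey_path, pubkey_path)
  JSON.pretty_generate(ssh_data_bag_item(File.read(privkey_path), File.read(pubkey_path)))
end

# Constructed placeholder key material (not a real key) so this runs offline.
SAMPLE_PRIVKEY = "-----BEGIN OPENSSH PRIVATE KEY-----\nQUJDREVGR0hJSktM\nTk9QUVJTVFVWV1hZ\n-----END OPENSSH PRIVATE KEY-----\n".freeze
SAMPLE_PUBKEY  = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC placeholder@example.com\n".freeze

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(ssh_data_bag_item(SAMPLE_PRIVKEY, SAMPLE_PUBKEY))
end
```

In practice, point ssh_data_bag_json at /tmp/id_rsa and /tmp/id_rsa.pub from the ssh-keygen step above and redirect its output to data_bags/ossec/ssh.json before uploading with knife.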

For the OSSEC server, create a role, ossec_server. Add attributes per above as needed to customize the installation.

% cat roles/ossec_server.rb
name "ossec_server"
description "OSSEC Server"
run_list("recipe[ossec::server]")
override_attributes(
  "ossec" => {
    "conf" => {
      "server" => {
        "global" => {
          "email_to" => "[email protected]",
          "smtp_server" => "smtp.yourdomain.com"
        }
      }
    }
  }
)

For OSSEC agents, create a role, ossec_client.

% cat roles/ossec_client.rb
name "ossec_client"
description "OSSEC Client Agents"
run_list("recipe[ossec::client]")
override_attributes(
  "ossec" => {
    "conf" => {
      "agent" => {
        "syscheck" => {
          "frequency" => 321
        }
      }
    }
  }
)

Customization

The main configuration file is maintained by Chef as a template, ossec.conf.erb. It should just work on most installations, but can be customized for the local environment. Notably, the rules, ignores and commands may be modified.

Further reading:

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

https://opencollective.com/sous-chefs#backers

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website.



ossec's Issues

Server -> Client SCP key distribution fails because ossec user shell is /sbin/nologin

NOTE: I've thus far only tested this on CentOS 7. Will report results of other platforms when available.

Key distribution fails due to the ossec shell setting

ossec:x:995:992::/var/ossec:/sbin/nologin
[root@ossec1 todd]# scp -i /var/ossec/.ssh/id_rsa -B -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no foo [email protected]:/var/ossec/etc/foo
Warning: Permanently added '10.120.3.163' (ECDSA) to the list of known hosts.
...
This account is currently not available.

AFAIK, scp requires a valid shell. Perhaps manage the ossec user and install/set scponly shell. Seems safer than just using /bin/bash.

Derived Attribute Issue Preventing Proper Setting Of OSSEC Server IP

My agent ossec.conf file is not getting the server-ip discovered via search. It appears to be a derived attribute issue.... (unless it's just me).

In the attributes file we have this:

default['ossec']['agent_server_ip'] = nil
default['ossec']['conf']['agent']['client']['server-ip'] = node['ossec']['agent_server_ip']

Then in recipe space we have this:

node.set['ossec']['agent_server_ip'] = ossec_server.first

The end result of this is that node['ossec']['conf']['agent']['client']['server-ip'] gets computed as the default value of node['ossec']['agent_server_ip'] in attribute space (nil), not the value that it gets reassigned in recipe space. I confirmed this by printing out the value of both attributes in my wrapper cookbook.

There are a number of different ways to solve this. My first inclination here is to simply dump node['ossec']['agent_server_ip'] as it doesn't, at least at first glance, appear to be necessary. Just use node['ossec']['conf']['agent']['client']['server-ip'] and you avoid derived attributes.

Appreciate it if someone could confirm or disconfirm this finding. Once done, happy to submit a fix. Cheers.

Server/WUI installs without error, but no web, no VirtualHosts

Hello:
Just installed on AWS/CentOS 6.5 without errors and can't seem to get the web to start.
I get this after converging & restarting httpd:

Starting httpd: [Thu Oct 15 10:09:51 2015] [warn] NameVirtualHost *:80 has no VirtualHosts

Runlist:
ossec_server
apache2 #3.1.0
apache2::mod_php5
ossec::wui

Any ideas what's up?

Revisit chef code to support 2.8.3

Currently, setting 2.8.3 won't work out of the box. Services fail to start since client.keys is not in place yet. Start/restart should happen in wrapper client/server recipes, among things.

Remove .rubocop.yml with Dangerfile

๐Ÿ—ฃ๏ธ Foreword

Thank for taking the time to fill this bug report fully. Without it we may not be able to fix the bug, and the issue may be closed without resolution.

๐Ÿ‘ป Brief Description

If the only thing in the .rubocop.yml is Dangerfile:
Run the latest cookstyle
Remove .rubocop.yml

Issue sprouted from sous-chefs/meta/issues/108. If not applicable then issue should be closed.

Fix Failing CI Builds

Cookbook version

v1.0.5/master

Chef-client version

14.4.7

Platform Details

Travis-CI

Steps to Reproduce:

Running master on Travis-CI

Expected Result:

CI builds should be passing.

Actual Result:

Builds are failing on Travis-CI

Add ChefSpec

We need to have adequate coverage from ChefSpec. There's a lot going on that we can test.

Update builds to be parallel

๐Ÿ—ฃ๏ธ Foreword

Thank for taking the time to fill this bug report fully. Without it we may not be able to fix the bug, and the issue may be closed without resolution.

๐Ÿ‘ป Brief Description

As part of our build process we should build each possible operating system separately.

  1. Ensure you have dokken setup and working:
  2. dokken: aliased to KITCHEN_LOCAL_YAML=kitchen.dokken.yml kitchen
  3. run dokken list, you should see a list of builds with dokken as the provider
  4. download: https://github.com/sous-chefs/repo-management/blob/master/scripts/circleci_maker.rb and make this executable
  5. run: dokken list -j | ./circleci_maker.rb > .circleci/config.yml

Issue sprouted from sous-chefs/meta/issues/112. If not applicable then issue should be closed.

dist-ossec-keys.sh template not deployed due to empty ssh_hosts array

When I converge the server in my test environment, ossec agent hosts are detected and their keys are created, but the dist-ossec-keys.sh template resource doesn't fire because the ssh_hosts array is empty. Here's the relevant code block.

search(:node, search_string) do |n|
  ssh_hosts << n['ipaddress'] if n['keys']

  execute "#{node['ossec']['agent_manager']} -a --ip #{n['ipaddress']} -n #{n['fqdn'][0..31]}" do
    not_if "grep '#{n['fqdn'][0..31]} #{n['ipaddress']}' #{node['ossec']['dir']}/etc/client.keys"
  end
end

template '/usr/local/bin/dist-ossec-keys.sh' do
  source 'dist-ossec-keys.sh.erb'
  owner 'root'
  group 'root'
  mode 0755
  variables(ssh_hosts: ssh_hosts.sort)
  not_if { ssh_hosts.empty? }
end

I was able to get it to work by making the following change:

-  ssh_hosts << n['ipaddress'] if n['keys']
+  ssh_hosts << n['ipaddress'] if n.keys
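Review bot: with `n.keys` the guard no longer filters anything. `n['keys']` reads a node attribute and is nil when it is absent, whereas `n.keys` resolves to the node's attribute key list, an Array, and an Array is truthy in Ruby even when empty, so every node the search returns is appended to ssh_hosts. That is why the template now fires, but it also means the distribution script is generated for agents that have no key recorded yet; if the intent is "only agents that have a key", test the attribute the client recipe actually sets rather than `n.keys`, and add a comment saying why the condition exists.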

I'm assuming here that the condition is the keys method, not a keys attribute as I wasn't able to find any keys attribute in the cookbook.

Run latest cookstyle

๐Ÿ—ฃ๏ธ Foreword

Thank for taking the time to fill this bug report fully. Without it we may not be able to fix the bug, and the issue may be closed without resolution.

๐Ÿ‘ป Brief Description

Chef has released updated cookstyle rules, so we should run the auto-fix against the cookbook.

  1. Ensure you are on the latest stable chef-workstation
  2. Run cookstyle -a

Issue sprouted from sous-chefs/meta/issues/111. If not applicable then issue should be closed.

Contributors wanted!

We need more contributors for this cookbook. If you would like to help maintain this cookbook, please drop your name here!

Add Ubuntu 18.04 to Test Pipeline

Cookbook version

master

Scenario:

Add Ubuntu 18.04 LTS to test pipeline (Test-Kitchen/Travis)

Steps to Reproduce:

[If you are filing an issue what are the things we need to do in order to repro your problem? How are you using this cookbook or any resources it includes?]

Expected Result:

Cookbook and tests should converge on Ubuntu 18.04 LTS

Actual Result:

Ubuntu 18.04 LTS is not currently in the test pipeline

Problem running the role ossec_server

Hello, first of all thanks for this cookbook, it looks amazing.

I'm trying to run the role ossec_server but I get this error:

Net::HTTPServerException
------------------------
400 "Bad Request"

Cookbook Trace:
---------------
  /var/chef/cache/cookbooks/ossec/recipes/server.rb:28:in `from_file'

Relevant File Content:
----------------------
/var/chef/cache/cookbooks/ossec/recipes/server.rb:

 21:
 22:  ssh_hosts = []
 23:
 24:  search_string = 'ossec:[* TO *]'
 25:  search_string << " AND chef_environment:#{node['ossec']['server_env']}" if node['ossec']['server_env']
 26:  search_string << " AND NOT role:#{node['ossec']['server_role']} AND NOT fqdn:#{node['fqdn']}"
 27:
 28>> search(:node, search_string) do |n|
 29:    ssh_hosts << n['ipaddress'] if n['keys']
 30:
 31:    execute "#{node['ossec']['agent_manager']} -a --ip #{n['ipaddress']} -n #{n['fqdn'][0..31]}" do
 32:      not_if "grep '#{n['fqdn'][0..31]} #{n['ipaddress']}' #{node['ossec']['dir']}/etc/client.keys"
 33:    end
 34:  end
 35:
 36:  template '/usr/local/bin/dist-ossec-keys.sh' do
 37:    source 'dist-ossec-keys.sh.erb'

and the /var/chef/cache/chef-stacktrace.out say this

Generated at 2016-03-30 21:41:53 +0000
Net::HTTPServerException: 400 "Bad Request"
/opt/chef/embedded/lib/ruby/2.1.0/net/http/response.rb:119:in `error!'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/http.rb:145:in `request'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/http.rb:110:in `get'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/search/query.rb:158:in `call_rest_service'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/search/query.rb:87:in `search'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/dsl/data_query.rb:39:in `search'
/var/chef/cache/cookbooks/ossec/recipes/server.rb:28:in `from_file'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/mixin/from_file.rb:30:in `instance_eval'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/mixin/from_file.rb:30:in `from_file'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/cookbook_version.rb:233:in `load_recipe'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/run_context.rb:332:in `load_recipe'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/run_context/cookbook_compiler.rb:140:in `block in compile_recipes'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/run_context/cookbook_compiler.rb:138:in `each'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/run_context/cookbook_compiler.rb:138:in `compile_recipes'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/run_context/cookbook_compiler.rb:75:in `compile'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/run_context.rb:167:in `load'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/policy_builder/expand_node_object.rb:97:in `setup_run_context'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/client.rb:509:in `setup_run_context'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/client.rb:277:in `run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:270:in `block in fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:258:in `fork'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:258:in `fork_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:223:in `block in run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/local_mode.rb:44:in `with_server_connectivity'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:211:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application/client.rb:445:in `block in interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application/client.rb:435:in `loop'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application/client.rb:435:in `interval_run_chef_client'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application/client.rb:424:in `run_application'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/lib/chef/application.rb:58:in `run'
/opt/chef/embedded/lib/ruby/gems/2.1.0/gems/chef-12.8.1/bin/chef-client:26:in `<top (required)>'
/bin/chef-client:50:in `load'
/bin/chef-client:50:in `<main>'

I'm using the same example that you have in your Readme:

name "ossec_server"
description "OSSEC Server"
run_list("recipe[ossec::server]")
override_attributes(
  "ossec" => {
    "conf" => {
      "server" => {
        "global" => {
          "email_to" => "[email protected]",
          "smtp_server" => "smtp.yourdomain.com"
        }
      }
    }
  }
)

Really, I'm not sure what I'm doing wrong. Any help?

thanks.

Major Refactor

This cookbook needs a fairly major refactoring. Here are some of the things that need to be done.

  • Use upstream package repositories and install the latest version (2.8.2) (addresses #39, #38, #31, #44)
  • Use attribute-driven configuration (addresses my comment in #31)
  • Use Chef 12's partial search (addresses #34)
  • Add ChefSpec test coverage for platform differences in conditional branching (#35)
  • Add Serverspec test coverage for post-convergence verification (#36)

This will result in a major version update for this cookbook.

Feature: Support distro packages

OSSEC started to provide packages for various distros (RHEL, CentOS, Debian, Ubuntu):
http://www.ossec.net/?page_id=19

Those packages provide things like init-scripts/systemd units which currently are not provided by this cookbook (except for Arch).

It would be nice to support installation/configuration of those packages with this cookbook.

related: #43 #38

SELinux blocks server -> client scp

SCP wasn't working on CentOS 7. Tested SSH manually and got permission denied error. Further investigation revealed this to be our old favorite, SELinux.

Raw Message

type=AVC msg=audit(1473102373.556:2395): avc:  denied  { read } for  pid=393 comm="sshd" name="authorized_keys" dev="xvda1" ino=10561 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

Translated

SELinux is preventing /usr/sbin/sshd from read access on the file /var/ossec/.ssh/authorized_keys.

The manual fix is to run the following on the client

sudo semanage fcontext -a -t ssh_home_t '/var/ossec/.ssh/authorized_keys'
sudo restorecon -v '/var/ossec/.ssh/authorized_keys' 

Will submit a cookbook fix momentarily.

Migrate to Chef Vault

Played with Chef Vault vs. data bags and prefer the former so I've refactored accordingly. Always lean toward sharing with others so let me know if there's interest and I'll submit the change I've made to my fork. It's not quite ready yet only because I've replaced the latter with the former (in the interest of time), rather than coding to support both options. Also need to update unit tests and, full disclosure, I'm not much of a unit test guy. Only really write integration tests. I'm willing to change though ;-)

Firewall Response Does Not Work

preloaded-vars.conf:51 is checking @ossec['pf'] instead of @ossec['firewall_response'] to determine whether to turn on this feature.

How is an agent configured once it's installed?

How is the agent supposed to be configured once it's installed? At this point, I have installed the agent and created the data bags but don't see how to configure it with the info that it needs for the service to start.

SSH Data Bag

Following the cookbook installation instructions, I created a data bag called ossec and an ssh item inside of it. I cannot, however, get it to work correctly after trying the following:

Copy output of ruby -e 'puts IO.read("/tmp/id_rsa")' directly between the "" for "privkey": "" which causes an error when I attempt to knife upload data bag.

Copy output of ruby -e 'puts IO.read("/tmp/id_rsa")' | tr -d '\n' allows the privkey section to be accepted during a knife upload but causes the clients to error with ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.9.8.210'. in the client and ossec-remoted(1403): ERROR: Incorrectly formated message from '10.9.8.20'. in the server which I believe indicates a bad SSH key.

Can someone show me an example of a working ssh data bag item or tell me what I'm doing wrong?

Typo in readme

Not really an issue, but in the recipe section configuration is misspelt as configuation.

This cookbook has years of updates which have not been pushed to the supermarket published version

Cookbook version

[Version of the cookbook where you are encountering the issue]

Chef-client version

[Version of chef-client in your environment]

Platform Details

[Operating system distribution and release version. Cloud provider if running in the cloud]

Scenario:

[What you are trying to achieve and you can't?]

Steps to Reproduce:

[If you are filing an issue what are the things we need to do in order to repro your problem? How are you using this cookbook or any resources it includes?]

Expected Result:

[What are you expecting to happen as the consequence of above reproduction steps?]

Actual Result:

[What actually happens after the reproduction steps? Include the error output or a link to a gist if possible.]

Contributor information seems to be out of date

From the commit history, as well as the opscode cookbook site, it appears that this cookbook is no longer maintained by opscode. The contributor guidelines, however, still indicate that an opscode COOK ticket should be raised, though this cookbook is no longer on the list of components in Jira. Therefore, I have submitted two PRs without any associated tickets (against the current contribution guidelines).

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

  • Update sous-chefs/.github action to v3.1.1

Detected dependencies

github-actions
.github/workflows/ci.yml
  • sous-chefs/.github 3.0.0
  • actions/checkout v4
  • actionshub/chef-install 3.0.0
  • actionshub/test-kitchen 3.0.0
.github/workflows/stale.yml
  • actions/stale v9


server dist-ossec-keys.sh script not working

Hi @jtimberman,
I have a question about the dist-ossec-keys.sh script.
Here it is in my VM:

cat /usr/local/bin/dist-ossec-keys.sh
#!/bin/sh
#

for host in chef-production2-doctor-simulator01
do
  echo "host is $host"
  key=`mktemp`
  grep $host /var/ossec/etc/client.keys > $key
  scp -i /var/ossec/.ssh/id_rsa -B -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $key ossecd@$host:/var/ossec/etc/client.keys >/dev/null 2>/dev/null
  rm $key
done

I ran it and I don't quite understand what it's doing, if anything at all.

Please help.

Update Changelog

๐Ÿ—ฃ๏ธ Foreword

Thank for taking the time to fill this bug report fully. Without it we may not be able to fix the bug, and the issue may be closed without resolution.

๐Ÿ‘ป Brief Description

Update all CHANGELOGs to follow standard defined at https://keepachangelog.com/

Issue sprouted from sous-chefs/meta/issues/101. If not applicable then issue should be closed.

TemplateError when setting node['ossec']['user']['white_list'] in role definition

I added a single white_list entry to the client role and got the following error:

  • template[/var/chef/cache/ossec-hids-2.8.1/etc/preloaded-vars.conf] action create

    Error executing action create on resource 'template[/var/chef/cache/ossec-hids-2.8.1/etc/preloaded-vars.conf]'

    Chef::Mixin::Template::TemplateError

    undefined method `join' for "10.10.10.10":String

    Resource Declaration:

    In /var/chef/cache/cookbooks/ossec/recipes/default.rb

    34: template "#{Chef::Config[:file_cache_path]}/#{ossec_dir}/etc/preloaded-vars.conf" do
    35: source "preloaded-vars.conf.erb"
    36: variables :ossec => node['ossec']['user']
    37: end
    38:

.....

Template Context:

on line #61
 59: <% end -%>
 60: <% unless @ossec['white_list'].empty? -%>
 61: USER_WHITE_LIST="<%= @ossec['white_list'].join(' ') %>"
 62: <% else -%>
 63: USER_WHITE_LIST="<%= node['ipaddress'] %>"

Running handlers:
[2015-05-08T11:45:30-04:00] ERROR: Running exception handlers
Running handlers complete
[2015-05-08T11:45:30-04:00] ERROR: Exception handlers complete
[2015-05-08T11:45:30-04:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 2.2194893 seconds
[2015-05-08T11:45:30-04:00] ERROR:

Chef::Mixin::Template::TemplateError (undefined method `join' for "10.10.10.10":String) on line #61:

59: <% end -%>
60: <% unless @ossec['white_list'].empty? -%>
61: USER_WHITE_LIST="<%= @ossec['white_list'].join(' ') %>"
62: <% else -%>
63: USER_WHITE_LIST="<%= node['ipaddress'] %>"

Run dist-ossec-keys script if content changes

The /usr/local/bin/dist-ossec-keys.sh script, used for SCPing keys to agents, is presently run as a cron that fires every hour. To speed up key distribution for new agents, propose firing that script during the Chef run if the content changes.

Server Search Syntax Yields 400 Bad Request

Got tripped up today when my seemingly functional wrapper cookbook failed to converge when I pushed to Chef Server (12.8). Here's the relevant search query from server.rb:

search_string = 'ossec:[* TO *]'
search_string << " AND chef_environment:#{node['ossec']['server_env']}" if node['ossec']['server_env']
search_string << " AND NOT role:#{node['ossec']['server_role']} AND NOT fqdn:#{node['fqdn']}"

This was working fine for me in my Test Kitchen environment using Chef Zero. When I run in client/server environment though, I get:

Net::HTTPServerException
------------------------
400 "Bad Request"

Cookbook Trace:
---------------
  /var/chef/cache/cookbooks/ossec/recipes/server.rb:28:in `from_file'
  /var/chef/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/run_context.rb:336:in `load_recipe'
  /var/chef/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/run_context.rb:292:in `block in include_recipe'
  /var/chef/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/run_context.rb:291:in `each'
  /var/chef/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/run_context.rb:291:in `include_recipe'
  /var/chef/cache/cookbooks/ossec-strata/recipes/server.rb:10:in `from_file'
  /var/chef/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/run_context.rb:336:in `load_recipe'

Relevant File Content:
----------------------
/var/chef/cache/cookbooks/ossec/recipes/server.rb:

 21:
 22:  ssh_hosts = []
 23:
 24:  search_string = 'ossec:[* TO *]'
 25:  search_string << " AND chef_environment:#{node['ossec']['server_env']}" if node['ossec']['server_env']
 26:  search_string << " AND NOT role:#{node['ossec']['server_role']} AND NOT fqdn:#{node['fqdn']}"
 27:
 28>> search(:node, search_string) do |n|
 29:    ssh_hosts << n['ipaddress'] if n['keys']
 30:
 31:    execute "#{node['ossec']['agent_manager']} -a --ip #{n['ipaddress']} -n #{n['fqdn'][0..31]}" do
 32:      not_if "grep '#{n['fqdn'][0..31]} #{n['ipaddress']}' #{node['ossec']['dir']}/etc/client.keys"
 33:    end
 34:  end
 35:
 36:  template '/usr/local/bin/dist-ossec-keys.sh' do
 37:    source 'dist-ossec-keys.sh.erb'

Platform:
---------
x86_64-linux

epic fail!

I was able to get it working by making the following change:

$ git diff recipes/server.rb
diff --git a/recipes/server.rb b/recipes/server.rb
index d0849dc..dc6cf08 100644
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -23,7 +23,7 @@ ssh_hosts = []

 search_string = 'ossec:[* TO *]'
 search_string << " AND chef_environment:#{node['ossec']['server_env']}" if node['ossec']['server_env']
-search_string << " AND NOT role:#{node['ossec']['server_role']} AND NOT fqdn:#{node['fqdn']}"
+search_string << " AND NOT (role:#{node['ossec']['server_role']} OR fqdn:#{node['fqdn']})"

 search(:node, search_string) do |n|
   ssh_hosts << n['ipaddress'] if n['keys']
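Review bot: the grouped form on the added line is logically equivalent to the two chained `AND NOT` clauses it replaces (De Morgan), so the search semantics are unchanged; since the only reason for the rewrite is the 400 reported above, add a one-line comment above that `search_string <<` saying the grouped form is required by Chef Server's search parser, otherwise a later cleanup may revert it. Both `node['ossec']['server_role']` and `node['fqdn']` are interpolated unescaped; wrapping the fqdn in double quotes (`fqdn:\"#{node['fqdn']}\"`) keeps the query well-formed if the hostname contains a character the search syntax treats specially.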

I'll submit a fix. Let me know if my logic is flawed.

can the server also be a client?

My guess is that the answer is no; etc/client.keys would get overwritten by /usr/local/bin/dist-ossec-keys.sh through cron daily. Did I miss something?

1.2.1 throws RuntimeError

👻 Brief Description

Chef run fails after an upgrade to 1.2.1 version of this cookbook.

🥞 Cookbook version

1.2.1

๐Ÿ‘ฉโ€๐Ÿณ Chef-Infra Version

15.6.10

🎩 Platform details

    System Info:
    ------------
    chef_version=15.6.10
    platform=amazon
    platform_version=2
    ruby=ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-linux]
    program_name=/usr/bin/chef-client
    executable=/opt/chef/bin/chef-client

➕ Additional context

Recipe: ossec::install_server
  * yum_package[ossec] action install (up to date)
Recipe: ossec::common
  * ruby_block[ossec install_type] action run
    - execute the ruby block ossec install_type
  * chef_gem[gyoku] action install (up to date)
  * file[/var/ossec/etc/ossec.conf] action create

    ================================================================================
    Error executing action `create` on resource 'file[/var/ossec/etc/ossec.conf]'
    ================================================================================

    RuntimeError
    ------------
    can't add a new key into hash during iteration

    Cookbook Trace:
    ---------------
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:33:in `block in object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:31:in `each_key'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:31:in `object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:41:in `block in object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:40:in `map!'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:40:in `object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:35:in `block in object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:31:in `each_key'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:31:in `object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:35:in `block in object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:31:in `each_key'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:31:in `object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:35:in `block in object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:31:in `each_key'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:31:in `object_to_ossec'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/libraries/helpers.rb:56:in `ossec_to_xml'
    /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/recipes/common.rb:58:in `block (2 levels) in from_file'

    Resource Declaration:
    ---------------------
    # In /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/recipes/common.rb

     46: file "#{node['ossec']['dir']}/etc/ossec.conf" do
     47:   owner 'root'
     48:   group 'ossec'
     49:   mode '0440'
     50:   manage_symlink_source true
     51:   notifies :restart, 'service[ossec]'
     52:
     53:   content lazy {
     54:     # Merge the "typed" attributes over the "all" attributes.
     55:     all_conf = node['ossec']['conf']['all'].to_hash
     56:     type_conf = node['ossec']['conf'][node['ossec']['install_type']].to_hash
     57:     conf = Chef::Mixin::DeepMerge.deep_merge(type_conf, all_conf)
     58:     Chef::OSSEC::Helpers.ossec_to_xml('ossec_config' => conf)
     59:   }
     60: end
     61:

    Compiled Resource:
    ------------------
    # Declared in /var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/recipes/common.rb:46:in `from_file'

    file("/var/ossec/etc/ossec.conf") do
      action [:create]
      default_guard_interpreter :default
      declared_type :file
      cookbook_name "ossec"
      recipe_name "common"
      content #<Chef::DelayedEvaluator:0x00000000059cfc20@/var/chef/.chef/local-mode-cache/cache/cookbooks/ossec/recipes/common.rb:53>
      owner "root"
      group "ossec"
      mode "0440"
      manage_symlink_source true
      path "/var/ossec/etc/ossec.conf"
      verifications []
    end

    System Info:
    ------------
    chef_version=15.6.10
    platform=amazon
    platform_version=2
    ruby=ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-linux]
    program_name=/usr/bin/chef-client
    executable=/opt/chef/bin/chef-client
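The traceback above points at helpers.rb inserting into a hash while `each_key` is iterating it. The following is an added, constructed reconstruction of that pattern and its fix, not the cookbook's own helper; it assumes the helper's job is to recurse through the merged conf hash and symbolize keys for Gyoku, and the sample conf is made up.

```ruby
# Constructed example: the Ruby pattern behind
# "RuntimeError: can't add a new key into hash during iteration".
# The real helpers.rb does something similar while reshaping node['ossec']['conf'] for Gyoku.

# Buggy shape: inserts a NEW key (the symbolized one) into the very hash each_key is walking.
def object_to_ossec_buggy(object)
  case object
  when Hash
    object.each_key do |key|
      object[key.to_sym] = object_to_ossec_buggy(object[key]) unless key.is_a?(Symbol)
    end
    object
  when Array
    object.map! { |v| object_to_ossec_buggy(v) }
  else
    object
  end
end

# Fixed shape: build a fresh hash instead of mutating the one being iterated.
def object_to_ossec(object)
  case object
  when Hash
    object.each_with_object({}) do |(key, value), out|
      out[key.to_sym] = object_to_ossec(value)
    end
  when Array
    object.map { |v| object_to_ossec(v) }
  else
    object
  end
end

# Constructed sample resembling the deep-merged conf passed to ossec_to_xml.
SAMPLE_CONF = {
  'global'   => { 'email_notification' => 'no', 'white_list' => ['10.10.10.10', '127.0.0.1'] },
  'syscheck' => { 'frequency' => '7200', 'directories' => ['/etc', '/usr/bin'] }
}.freeze

# Returns the RuntimeError message the buggy version raises (nil if it unexpectedly succeeds).
def reproduce_bug
  object_to_ossec_buggy(Marshal.load(Marshal.dump(SAMPLE_CONF)))
  nil
rescue RuntimeError => e
  e.message
end
```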

Init.d script missing

So after running the Server install for OSSEC, it reported that it couldn't start. Here is the error from the chef log. I checked and ossec didn't create an init.d script.

[2015-03-23T14:21:22+00:00] ERROR: service[ossec](ossec::default line 76) had an error: Chef::Exceptions::Service: service[ossec]: unable to locate the init.d script!

Looking at the OSSEC information, I found this in the install file:

The script will create everything in /var/ossec and try to create the initialization script in your system (/etc/rc.local or /etc/rc.d/init.d/ossec). If the init script is not created, make sure to follow the instructions from the install.sh to make OSSEC HIDS start during the boot. To start it by hand, just run /var/ossec/bin/ossec-control start

ossec client needs to manage agents for client.keys

As reported on the mailing list:

http://lists.opscode.com/sympa/arc/chef/2011-11/msg00219.html

This code in server.rb:

agent_manager = "#{node['ossec']['user']['dir']}/bin/ossec-batch-manager.pl"

ssh_hosts = Array.new

search(:node, "ossec:[* TO *] NOT role:#{node['ossec']['server_role']}") do |n|

  ssh_hosts << n['ipaddress'] if n['keys']
  ssh_hosts.sort!

  execute "#{agent_manager} -a --ip #{n['ipaddress']} -n #{n['hostname']}" do
    not_if "grep '#{n['hostname']} #{n['ipaddress']}' #{node['ossec']['user']['dir']}/etc/client.keys"
  end

end

Should be in client.rb. Except DRY. Probably a separate recipe.
