From 37834be463b234fc12f28336f4994ed707164a29 Mon Sep 17 00:00:00 2001 From: Anthony ARNAUD Date: Tue, 19 Sep 2017 23:29:15 -0400 Subject: [PATCH 01/23] Update atomic-release --- tasks/RedHat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index 627e448..e1ef3db 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -8,7 +8,7 @@ - name: RedHat | Install atomicorp repo yum: > - name=https://www.atomicorp.com/channels/atomic/centos/{{ansible_distribution_major_version}}/x86_64/RPMS/atomic-release-1.0-19.el{{ansible_distribution_major_version}}.art.noarch.rpm + name=https://www.atomicorp.com/channels/atomic/centos/{{ansible_distribution_major_version}}/x86_64/RPMS/atomic-release-1.0-21.el{{ansible_distribution_major_version}}.art.noarch.rpm state=present - name: RedHat | Install epel repo From 3e967f72965274e5e9a67137bbe34d9bd1a34800 Mon Sep 17 00:00:00 2001 From: briankfitzwater Date: Tue, 2 Jan 2018 09:12:16 -0500 Subject: [PATCH 02/23] Set permisisons on client.keys file --- tasks/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 64577bd..418d9b8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -70,6 +70,11 @@ - config - skip_ansible_lint +- name: Set permissions on client.keys file + file: + dest: /var/ossec/etc/client.keys + mode: 0640 + - name: "kill the auth-daemon on server {{ ossec_server_name }}" service: name=ossec-authd state=stopped delegate_to: "{{ ossec_server_name }}" @@ -96,4 +101,4 @@ pause: minutes: 2 prompt: 'Please execute the following command on your ossec-server: "/var/ossec/bin/ossec-control restart"' - when: not ossec_managed_server and not check_server_keys.stat.exists and ossec_server_name|default("") == "" \ No newline at end of file + when: not ossec_managed_server and not check_server_keys.stat.exists and ossec_server_name|default("") == "" 
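Review bot: The new `Set permissions on client.keys file` task in tasks/main.yml pins only `mode` and leaves owner and group untouched, although the file holds the agent's shared authentication key; since the molecule test added later in this series asserts `root:ossec` on it, the task should set `owner: root` and `group: ossec` next to `mode: "0640"`. Quoting the mode avoids the YAML 1.1 octal-integer reading of a bare `0640`, and the same bare octal form recurs in the `template` task of patch 04 (`mode: 0644`). The `file` module with its default `state` errors when the path does not exist, so if this task can run before `agent-auth` has created client.keys (the preceding task is outside the hunk) it needs a `when:` guard on the earlier `check_keys` stat result.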
From 997e6f17e767ec1600eaa6c9ea3d148f777dfb34 Mon Sep 17 00:00:00 2001 From: briankfitzwater Date: Tue, 2 Jan 2018 09:52:19 -0500 Subject: [PATCH 03/23] Add option to disable active-response in template --- README.md | 3 +++ templates/var-ossec-etc-ossec-agent.conf.j2 | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index 3c88199..4e8ebe6 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,9 @@ This role needs 4 parameters: This role has 3 tasks with 'delagation_to' which needs the parameter `ossec_server_name`. When this parameter is not set, you'll need to run manually the `/var/ossec/bin/ossec-authd` on the server and `/var/ossec/bin/agent-auth` on the agent. When this is the case, it will show you an message with the exact command line. +The following role variable is optional: +* `ossec_active_response_disabled`: Disables active response if set to yes. If this is not defined active response is enabled. + Dependencies ------------ diff --git a/templates/var-ossec-etc-ossec-agent.conf.j2 b/templates/var-ossec-etc-ossec-agent.conf.j2 index 3dc1bb9..ed7edde 100644 --- a/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -1,6 +1,11 @@ + {% if ossec_active_response_disabled is defined %} + + {{ ossec_active_response_disabled }} + + {% endif %} {% if ossec_server_ip is defined %} {{ ossec_server_ip }} From 729b57014bbfd029dab0b6b0773802c103ef96c3 Mon Sep 17 00:00:00 2001 
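Review bot: The new block in var-ossec-etc-ossec-agent.conf.j2 renders `ossec_active_response_disabled` verbatim, but the README entry in the same patch tells users to set it to `yes`; a bare YAML `yes` arrives as the boolean `True` and renders as `True`, which is not one of the `yes`/`no` values OSSEC accepts for this setting, so the template should normalise it, `{{ 'yes' if ossec_active_response_disabled | bool else 'no' }}`. The XML element tags around the value are not visible in this rendering of the hunk, so I cannot confirm which element the value lands in.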
From: Werner Dijkerman Date: Tue, 2 Jan 2018 18:03:19 +0100 Subject: [PATCH 04/23] Using Molecule V2 for CI test purposes --- .travis.yml | 13 ++-- defaults/main.yml | 3 +- handlers/main.yml | 7 +- meta/main.yml | 36 ++++------ molecule.yml | 100 -------------------------- molecule/default/Dockerfile.j2 | 7 ++ molecule/default/INSTALL.rst | 46 ++++++++++++ molecule/default/create.yml | 57 +++++++++++++++ molecule/default/destroy.yml | 25 +++++++ molecule/default/molecule.yml | 98 +++++++++++++++++++++++++ molecule/default/playbook.yml | 15 ++++ molecule/default/prepare.yml | 11 +++ molecule/default/requirements.yml | 2 + molecule/default/tests/test_agent.py | 40 +++++++++++ molecule/default/tests/test_server.py | 12 ++++ molecule/default/yaml-lint.yml | 9 +++ tasks/RedHat.yml | 27 +++---- tasks/main.yml | 36 +++++++--- vars/Debian.yml | 3 + vars/RedHat.yml | 3 + vars/main.yml | 2 - 21 files changed, 389 insertions(+), 163 deletions(-) delete mode 100644 molecule.yml create mode 100644 molecule/default/Dockerfile.j2 create mode 100644 molecule/default/INSTALL.rst create mode 100644 molecule/default/create.yml create mode 100644 molecule/default/destroy.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/playbook.yml create mode 100644 molecule/default/prepare.yml create mode 100644 molecule/default/requirements.yml create mode 100644 molecule/default/tests/test_agent.py create mode 100644 molecule/default/tests/test_server.py create mode 100644 molecule/default/yaml-lint.yml create mode 100644 vars/Debian.yml create mode 100644 vars/RedHat.yml delete mode 100644 vars/main.yml diff --git a/.travis.yml b/.travis.yml index b204c73..783ded3 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -4,17 +4,12 @@ language: python services: - docker -before_install: -- sudo apt-get -qq update -- sudo apt-get install -o Dpkg::Options::="--force-confold" --force-yes -y docker-engine - install: -- pip install molecule ansible docker-py + - pip install molecule ansible docker script: -- molecule --version -- ansible --version -- molecule test - + - molecule --version + - ansible --version + - molecule test notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/defaults/main.yml b/defaults/main.yml index 4f72c8e..3a7420c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,6 @@ --- # defaults file for ossec-agent -#ossec_server_fqdn: ossec-server.local -#ossec_server_ip: 127.0.0.1 ossec_server_name: "" ossec_managed_server: true +ossec_server_atomic_release: 1.0-21 diff --git a/handlers/main.yml b/handlers/main.yml index f072849..6e8d938 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -2,6 +2,7 @@ # handlers file for ossec-agent - name: restart ossec-agent - service: name={{ ossec_init_name }} - state=restarted - enabled=yes + service: + name: "{{ ossec_init_name }}" + state: restarted + enabled: yes diff --git a/meta/main.yml b/meta/main.yml index ee4542a..40a17f1 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,29 +6,17 @@ galaxy_info: license: license (GPLv3) min_ansible_version: 1.4 platforms: - - name: EL - versions: - - 5 - - 6 - - 7 - - name: Fedora - versions: - - all - #- name: Ubuntu - # versions: - # - all - # - lucid - # - maverick - # - natty - # - oneiric - # - precise - # - quantal - # - raring - # - saucy - # - trusty - - name: Debian - versions: - - all + - name: EL + versions: + - 5 + - 6 + - 7 + - name: Fedora + versions: + - all + - name: Debian + versions: + - all categories: - - monitoring + - monitoring dependencies: [] diff --git a/molecule.yml b/molecule.yml deleted file mode 100644 index fe9b7c1..0000000 --- a/molecule.yml +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker - -ansible: - playbook: playbook.yml - group_vars: - ossec: - ossec_server_config: - mail_to: - - me@example.com - mail_smtp_server: localhost - mail_from: ossec@example.com - frequency_check: 72000 - ignore_files: - - /etc/mtab - - /etc/mnttab - - /etc/hosts.deny - directories: - - check_all: 'yes' - dirs: /etc,/usr/bin,/usr/sbin - - check_all: 'yes' - dirs: /bin,/sbin - localfiles: - - format: 'syslog' - location: '/var/log/messages' - - format: 'syslog' - location: '/var/log/secure' - globals: - - '127.0.0.1' - - '192.168.2.1' - connection: 'secure' - log_level: 1 - email_level: 7 - commands: - - name: 'host-deny' - executable: 'host-deny.sh' - expect: 'srcip' - timeout_allowed: 'yes' - active_responses: - - command: 'host-deny' - location: 'local' - level: 6 - timeout: 600 - localfiles: - - format: 'syslog' - location: '/var/log/messages' - ossec_agent_configs: - - type: os - type_value: linux - frequency_check: 79200 - ignore_files: - - /etc/mtab - - /etc/mnttab - directories: - - check_all: yes - dirs: /etc,/usr/bin,/usr/sbin - localfiles: - - format: 'syslog' - location: '/var/log/messages' - -dependency: - name: galaxy - requirements_file: requirements.yml - options: - ignore-certs: True - ignore-errors: True - -docker: - containers: - - name: ossec-server-centos - ansible_groups: - - ossec - image: milcom/centos7-systemd - image_version: latest - privileged: True - - name: ossec-agent-centos - ansible_groups: - - agent - image: milcom/centos7-systemd - image_version: latest - privileged: True - - name: ossec-agent-debian - ansible_groups: - - agent - image: maint/debian-systemd - image_version: latest - privileged: True - - name: ossec-agent-ubuntu - ansible_groups: - - agent - image: rastasheep/ubuntu-sshd - image_version: latest - privileged: True - - -verifier: - name: testinfra 
diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2 new file mode 100644 index 0000000..7ba209c --- /dev/null +++ b/molecule/default/Dockerfile.j2 @@ -0,0 +1,7 @@ +FROM {{ item.image }} + +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst new file mode 100644 index 0000000..09e8735 --- /dev/null +++ b/molecule/default/INSTALL.rst 
@@ -0,0 +1,46 @@ +******* +Install +******* + +This set of playbooks have specific dependencies on Ansible due to the modules +being used. + +Requirements +============ + +* Ansible 2.2 +* Docker Engine +* docker-py + +Install OS dependencies on CentOS 7 + +.. code-block:: bash + + $ sudo yum install -y epel-release + $ sudo yum install -y gcc python-pip python-devel openssl-devel + # If installing Molecule from source. + $ sudo yum install libffi-devel git + +Install OS dependencies on Ubuntu 16.x + +.. code-block:: bash + + $ sudo apt-get update + $ sudo apt-get install -y python-pip libssl-dev docker-engine + # If installing Molecule from source. + $ sudo apt-get install -y libffi-dev git + +Install OS dependencies on Mac OS + +.. code-block:: bash + + $ brew install python + $ brew install git + +Install using pip: + +.. code-block:: bash + + $ sudo pip install ansible + $ sudo pip install docker-py + $ sudo pip install molecule --pre diff --git a/molecule/default/create.yml b/molecule/default/create.yml new file mode 100644 index 0000000..ede69fd --- /dev/null +++ b/molecule/default/create.yml 
@@ -0,0 +1,57 @@
+---
+- name: Create
+ hosts: localhost
+ connection: local
+ gather_facts: False
+ # no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+ vars:
+ molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+ molecule_ephemeral_directory: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}"
+ molecule_scenario_directory: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}"
+ molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}"
+ tasks:
+ - name: Create Dockerfiles from image names
+ template:
+ src: "{{ molecule_scenario_directory }}/Dockerfile.j2"
+ dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}"
+ with_items: "{{ molecule_yml.platforms }}"
+ register: platforms
+
+ - name: Discover local Docker images
+ docker_image_facts:
+ name: "molecule_local/{{ item.item.name }}"
+ with_items: "{{ platforms.results }}"
+ register: docker_images
+
+ - name: Build an Ansible compatible image
+ docker_image:
+ path: "{{ molecule_ephemeral_directory }}"
+ name: "molecule_local/{{ item.item.image }}"
+ dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}"
+ force: "{{ item.item.force | default(True) }}"
+ with_items: "{{ platforms.results }}"
+ when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0
+
+ - name: Create a network
+ docker_network:
+ name: ossec
+ state: present
+
+ - name: "Create a network"
+ shell: docker network create --ipv6 --subnet="2001:db8::/32" ossec6
+ failed_when: False
+
+ - name: Create molecule instance(s)
+ docker_container:
+ name: "{{ item.name }}"
+ hostname: "{{ item.name }}"
+ image: "molecule_local/{{ item.image }}"
+ state: started
+ recreate: False
+ log_driver: syslog
+ command: "{{ item.command | default('sleep infinity') }}"
+ privileged: "{{ item.privileged | default(omit) }}"
+ volumes: "{{ item.volumes | default(omit) }}"
+ capabilities: "{{ item.capabilities | default(omit) }}"
+ networks: "{{ item.networks | default(omit) }}"
+ with_items: "{{ molecule_yml.platforms }}"
diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml
new file mode 100644
index 0000000..ffd27c1
--- /dev/null
+++ b/molecule/default/destroy.yml
@@ -0,0 +1,25 @@
+---
+- name: Destroy
+ hosts: localhost
+ connection: local
+ gather_facts: False
+ no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+ vars:
+ molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+ molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}"
+ tasks:
+ - name: Destroy molecule instance(s)
+ docker_container:
+ name: "{{ item.name }}"
+ state: absent
+ force_kill: "{{ item.force_kill | default(True) }}"
+ with_items: "{{ molecule_yml.platforms }}"
+
+ - name: Delete a network
+ docker_network:
+ name: ossec
+ state: absent
+
+ - name: "Delete a network"
+ shell: docker network rm ossec6
+ failed_when: False
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 0000000..0c74e76
--- /dev/null
+++ b/molecule/default/molecule.yml
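Review bot: The `when:` on `Build an Ansible compatible image` in create.yml ends in `| count >= 0`, which holds for any count, so the image is rebuilt on every run and the `platforms.changed` / missing-image test in front of it is dead; `| count > 0` (rebuild when at least one platform has no local image) looks like what was meant. `failed_when: False` on the `docker network create --ipv6 ...` shell task hides every failure, including a daemon without IPv6 support, so the later `docker_container` task that attaches `ossec-server-centos` to `ossec6` would presumably fail with a less useful message; registering the result and ignoring only the "already exists" case would keep the intent. The `no_log` line is commented out here but active in destroy.yml from the same patch, so the two playbooks behave differently with `MOLECULE_DEBUG` unset.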
@@ -0,0 +1,98 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+lint:
+ name: yamllint
+ options:
+ config-file: molecule/default/yaml-lint.yml
+
+platforms:
+ - name: ossec-server-centos
+ hostname: ossec-server-centos
+ groups:
+ - server
+ image: milcom/centos7-systemd
+ privileged: True
+ networks:
+ - name: ossec
+ - name: ossec6
+ - name: ossec-agent-centos
+ groups:
+ - agent
+ image: milcom/centos7-systemd
+ privileged: True
+ networks:
+ - name: ossec
+ - name: ossec-agent-debian
+ groups:
+ - agent
+ image: maint/debian-systemd
+ privileged: True
+ networks:
+ - name: ossec
+
+provisioner:
+ name: ansible
+ lint:
+ name: ansible-lint
+ inventory:
+ group_vars:
+ server:
+ ossec_server_config:
+ mail_to:
+ - me@example.com
+ mail_smtp_server: localhost
+ mail_from: ossec@example.com
+ frequency_check: 72000
+ ignore_files:
+ - /etc/mtab
+ - /etc/mnttab
+ - /etc/hosts.deny
+ directories:
+ - check_all: 'yes'
+ dirs: /etc,/usr/bin,/usr/sbin
+ - check_all: 'yes'
+ dirs: /bin,/sbin
+ localfiles:
+ - format: 'syslog'
+ location: '/var/log/messages'
+ - format: 'syslog'
+ location: '/var/log/secure'
+ globals:
+ - '127.0.0.1'
+ - '192.168.2.1'
+ connection: 'secure'
+ log_level: 1
+ email_level: 7
+ commands:
+ - name: 'host-deny'
+ executable: 'host-deny.sh'
+ expect: 'srcip'
+ timeout_allowed: 'yes'
+ active_responses:
+ - command: 'host-deny'
+ location: 'local'
+ level: 6
+ timeout: 600
+ ossec_agent_configs:
+ - type: os
+ type_value: linux
+ frequency_check: 79200
+ ignore_files:
+ - /etc/mtab
+ - /etc/mnttab
+ localfiles:
+ - format: 'syslog'
+ location: '/var/log/messages'
+ directories:
+ - check_all: yes
+ dirs: /etc,/usr/bin,/usr/sbin
+
+scenario:
+ name: default
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
new file mode 100644
index 0000000..4cf5d0e
--- /dev/null
+++ b/molecule/default/playbook.yml
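Review bot: `check_all: yes` under `ossec_agent_configs` in molecule.yml is unquoted while every other `check_all` and `timeout_allowed` in the file is `'yes'`; under a YAML 1.1 loader the bare form becomes the boolean `True`, and if the agent template interpolates it directly it renders `True` rather than the `yes` OSSEC expects in the `check_all` attribute, so it should read `check_all: 'yes'` like its siblings. All three platforms run with `privileged: True`, which hands the test containers full access to the CI host; that is presumably what the systemd base images need, but a one-line comment saying so would stop a later reader from treating it as a copy-paste default, since create.yml passes the value through unchanged.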
@@ -0,0 +1,15 @@ +--- +- name: Converge + hosts: server + pre_tasks: + - name: "Get ip Ossec Server" + shell: grep $(hostname) /etc/hosts | awk '{print $1}' | sort | head -n 2 | tail -n 1 + register: ossec_server + changed_when: False + +- hosts: all:!server + roles: + - role: ansible-ossec-agent + ossec_server_name: ossec-server-centos + ossec_server_ip: "{{ hostvars['ossec-server-centos']['ossec_server']['stdout'] }}" + ossec_server_fqdn: "{{ hostvars['ossec-server-centos']['ossec_server']['stdout'] }}" diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml new file mode 100644 index 0000000..a9eb95c --- /dev/null +++ b/molecule/default/prepare.yml @@ -0,0 +1,11 @@ +--- +- name: Prepare + hosts: server + pre_tasks: + - name: "Installing dummy file" + file: + path: /etc/sysconfig/network + state: touch + + roles: + - role: dj-wasabi.ossec-server diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml new file mode 100644 index 0000000..2064543 --- /dev/null +++ b/molecule/default/requirements.yml @@ -0,0 +1,2 @@ +--- +- src: dj-wasabi.ossec-server diff --git a/molecule/default/tests/test_agent.py b/molecule/default/tests/test_agent.py new file mode 100644 index 0000000..d607065 --- /dev/null +++ b/molecule/default/tests/test_agent.py 
@@ -0,0 +1,40 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('agent') + + +def test_ossec_package_installed(Package, SystemInfo): + if SystemInfo.distribution in ['debian', 'ubuntu']: + ossec = Package('ossec-hids-agent') + elif SystemInfo.distribution == 'centos': + ossec = Package('ossec-hids') + assert ossec.is_installed + + +def test_ossec_service_running_and_enabled(Service, SystemInfo): + if SystemInfo.distribution in ['debian', 'ubuntu']: + ossec = Service('ossec') + else: + ossec = Service('ossec-hids') + assert ossec.is_enabled + assert ossec.is_running + + +def test_client_keys(File): + zabbix_server_conf = File("/var/ossec/etc/client.keys") + assert zabbix_server_conf.user == "root" + assert zabbix_server_conf.group == "ossec" + assert zabbix_server_conf.mode == 0o644 + + +def test_ossec_agent(File, SystemInfo): + if SystemInfo.distribution in ['debian', 'ubuntu']: + ossec_file = File("/var/ossec/etc/ossec.conf") + else: + ossec_file = File("/var/ossec/etc/ossec-agent.conf") + assert ossec_file.user == "root" + assert ossec_file.group == "root" + assert ossec_file.mode == 0o644 diff --git a/molecule/default/tests/test_server.py b/molecule/default/tests/test_server.py new file mode 100644 index 0000000..db4c4a3 --- /dev/null +++ b/molecule/default/tests/test_server.py @@ -0,0 +1,12 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('server') + + +def test_ossec_package_installed(host): + cmd = host.run("/var/ossec/bin/list_agents -a") + assert 'ossec-agent-centos' in cmd.stdout + assert 'ossec-agent-debian' in cmd.stdout diff --git a/molecule/default/yaml-lint.yml b/molecule/default/yaml-lint.yml new file mode 100644 index 0000000..ab5cdeb --- /dev/null +++ b/molecule/default/yaml-lint.yml 
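Review bot: In `test_ossec_package_installed` and `test_ossec_service_running_and_enabled` of test_agent.py the `if`/`elif` chain leaves `ossec` unbound on any distribution other than debian/ubuntu/centos, so adding a platform fails with a `NameError` instead of a readable assertion; a final `else: pytest.fail('unsupported distribution: ' + SystemInfo.distribution)` or an explicit name mapping dict would make the intent visible. `zabbix_server_conf` in `test_client_keys` is a copy-paste name for the OSSEC client.keys file; `client_keys` reads correctly. The file also uses the older `File`/`Package`/`SystemInfo` fixture style while test_server.py in the same patch uses the `host` fixture, so the two files should settle on one style.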
@@ -0,0 +1,9 @@ +--- + +extends: default + +rules: + line-length: + max: 120 + level: warning + truthy: disable diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index e1ef3db..e44a1bd 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -1,23 +1,24 @@ --- # Tasks specific for RedHat systems -- name: RedHat | Set some facts +- name: "RedHat | Set some facts" set_fact: - ansible_distribution: centos + ansible_distribution: centos when: ansible_distribution == "RedHat" -- name: RedHat | Install atomicorp repo - yum: > - name=https://www.atomicorp.com/channels/atomic/centos/{{ansible_distribution_major_version}}/x86_64/RPMS/atomic-release-1.0-21.el{{ansible_distribution_major_version}}.art.noarch.rpm - state=present +- name: "RedHat | Install atomicorp repo" + yum: + name: "https://www.atomicorp.com/channels/atomic/centos/{{ ansible_distribution_major_version }}/x86_64/RPMS/atomic-release-{{ ossec_server_atomic_release }}.el{{ ansible_distribution_major_version }}.art.noarch.rpm" + state: present -- name: RedHat | Install epel repo - yum: > - name=https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ansible_distribution_major_version}}.noarch.rpm - state=present +- name: "RedHat | Install epel repo" + yum: + name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" + state: present -- name: RedHat | Install ossec-hids-client - yum: pkg=ossec-hids-client - state=present +- name: "RedHat | Install ossec-hids-client" + yum: + pkg: "{{ ossec_agent_package_name }}" + state: present tags: - init diff --git a/tasks/main.yml b/tasks/main.yml index 64577bd..761391b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,6 +1,9 @@ --- # tasks file for ossec-agent +- name: "Include OS-specific variables" + include_vars: "{{ ansible_os_family }}.yml" + - name: "Install the correct repository" include: "RedHat.yml" when: ansible_os_family == "RedHat" 
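Review bot: `truthy: disable` in yaml-lint.yml switches the rule off for the whole repository, which is exactly what lets the unquoted `check_all: yes` next to `'yes'` in molecule.yml pass the lint step; if the pinned yamllint supports it, restricting the rule instead, `truthy: {allowed-values: ['true', 'false']}`, keeps Ansible's idiomatic `true`/`false` booleans while flagging the `yes`/`no`/`on` forms that change type between YAML 1.1 and 1.2 parsers. Where a literal `yes` string is meant it can then be quoted on that line alone.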
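Review bot: The task in tasks/RedHat.yml is still named `RedHat | Install ossec-hids-client` but now installs `{{ ossec_agent_package_name }}`, which the new vars/RedHat.yml sets to `ossec-hids-agent`, so the name should follow the variable, `name: "RedHat | Install {{ ossec_agent_package_name }}"`. The companion vars/Debian.yml value is `ossec-hids-client`, yet this patch changes nothing in tasks/Debian.yml to read the variable and the existing Debian apt task (visible where patch 07 removes it) hard-codes `ossec-hids-agent`, so the Debian value is dead here and the two vars files look swapped; worth confirming against the Atomic and Wazuh repositories before patch 07 turns the value into a single default. Both repo tasks install release RPMs straight from an HTTPS URL, which typically ships the repository definition and its signing key on the strength of the TLS connection alone; fetching with `get_url` plus a `checksum:` before the `yum` call would pin what ends up trusted on the host.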
@@ -22,24 +25,27 @@ when: ansible_os_family == "Debian" - name: "Installing the ossec-agent.conf" - template: src=var-ossec-etc-ossec-agent.conf.j2 - dest=/var/ossec/etc/{{ ossec_agent_config_filename }} - owner=root - group=root - mode=0644 + template: + src: var-ossec-etc-ossec-agent.conf.j2 + dest: /var/ossec/etc/{{ ossec_agent_config_filename }} + owner: root + group: root + mode: 0644 notify: restart ossec-agent tags: - init - config - name: "Check if client.keys exists" - stat: path=/var/ossec/etc/client.keys + stat: + path: /var/ossec/etc/client.keys register: check_keys tags: - config - name: "Check if client.keys exists on ossec-server" - stat: path=/var/ossec/etc/client.keys + stat: + path: /var/ossec/etc/client.keys when: ossec_managed_server delegate_to: "{{ ossec_server_name }}" register: check_server_keys @@ -47,7 +53,9 @@ - config - name: "Starting auth daemon on server {{ ossec_server_name }}" - service: name=ossec-authd state=started + service: + name: ossec-authd + state: started when: ossec_managed_server and not check_keys.stat.exists and ossec_server_name|default("") != "" delegate_to: "{{ ossec_server_name }}" run_once: true @@ -71,7 +79,9 @@ - skip_ansible_lint - name: "kill the auth-daemon on server {{ ossec_server_name }}" - service: name=ossec-authd state=stopped + service: + name: ossec-authd + state: stopped delegate_to: "{{ ossec_server_name }}" when: ossec_managed_server and not check_keys.stat.exists and ossec_server_name|default("") != "" run_once: true 
@@ -96,4 +106,10 @@ pause: minutes: 2 prompt: 'Please execute the following command on your ossec-server: "/var/ossec/bin/ossec-control restart"' - when: not ossec_managed_server and not check_server_keys.stat.exists and ossec_server_name|default("") == "" \ No newline at end of file + when: not ossec_managed_server and not check_server_keys.stat.exists and ossec_server_name|default("") == "" + +- name: "Start ossec-agent if not already running" + service: + name: "{{ ossec_init_name }}" + state: started + enabled: yes diff --git a/vars/Debian.yml b/vars/Debian.yml new file mode 100644 index 0000000..0d8b62a --- /dev/null +++ b/vars/Debian.yml @@ -0,0 +1,3 @@ +--- + +ossec_agent_package_name: ossec-hids-client diff --git a/vars/RedHat.yml b/vars/RedHat.yml new file mode 100644 index 0000000..55b84cd --- /dev/null +++ b/vars/RedHat.yml @@ -0,0 +1,3 @@ +--- + +ossec_agent_package_name: ossec-hids-agent diff --git a/vars/main.yml b/vars/main.yml deleted file mode 100644 index 285e838..0000000 --- a/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for ossec-agent From c72a08462077fdb7e3d9c6a0fbcc1707efbeefa7 Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Tue, 2 Jan 2018 18:14:00 +0100 Subject: [PATCH 05/23] Fix mode for client.keys --- molecule/default/tests/test_agent.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/default/tests/test_agent.py b/molecule/default/tests/test_agent.py index d607065..ccf6438 100644 --- a/molecule/default/tests/test_agent.py +++ b/molecule/default/tests/test_agent.py @@ -27,7 +27,7 @@ def test_client_keys(File): zabbix_server_conf = File("/var/ossec/etc/client.keys") assert zabbix_server_conf.user == "root" assert zabbix_server_conf.group == "ossec" - assert zabbix_server_conf.mode == 0o644 + assert zabbix_server_conf.mode == 0o640 def test_ossec_agent(File, SystemInfo): From e0703f5fb129b2975b899a939f8376995a79593c Mon Sep 17 00:00:00 2001 
From: Werner Dijkerman Date: Tue, 2 Jan 2018 20:34:52 +0100 Subject: [PATCH 06/23] Added CHANGELOG --- CHANGELOG.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..acf5948 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,27 @@ +# ansible-ossec-agent Release + +Below an overview of all changes in the releases. + +Version (Release date) + +0.1.0 (2018-01-02) + + * Using Molecule V2 for CI test purposes #21 + * Add option to disable active-response in template #20 (By pull request: briankfitzwater (Thanks!)) + * Set permisisons on client.keys file #19 (By pull request: briankfitzwater (Thanks!)) + * Update atomic-release #17 (By pull request: aarnaud (Thanks!)) + * Fix new debian repository #15 (By pull request: aarnaud (Thanks!)) + * Added run_once: true to several delegate tasks #14 + * Added first working molecule tests #13 + * Fix agent registration in managed mode #10 (By pull request: aarnaud (Thanks!)) + * Add ossec-server fqdn config #9 (By pull request: aarnaud (Thanks!)) + * control ossec authd with service #5 (By pull request: jlruizmlg (Thanks!)) + * Allow for situations where the ossec server is not managed by ansible #4 (By pull request: zeroem (Thanks!)) + * include no dependencies #3 (By pull request: recunius (Thanks!)) + * Distribution Handling, Agent Profile, and Starting ossec-remoted #2 (By pull request: recunius (Thanks!)) + * EL7 fixes #1 (By pull request: andskli (Thanks!)) + +0.0.1 (2014-12-07) + + * Initial working version. + From 27a8f142984d234da8244a979ab773cae83783b6 Mon Sep 17 00:00:00 2001 
From: briankfitzwater Date: Wed, 3 Jan 2018 13:44:23 -0500 Subject: [PATCH 07/23] Add an option to not install public repositories --- README.md | 6 ++++-- defaults/main.yml | 1 + tasks/Debian.yml | 4 ---- tasks/RedHat.yml | 7 ------- tasks/main.yml | 13 +++++-------- vars/Debian.yml | 3 --- vars/RedHat.yml | 3 --- 7 files changed, 10 insertions(+), 27 deletions(-) delete mode 100644 vars/Debian.yml delete mode 100644 vars/RedHat.yml diff --git a/README.md b/README.md index 4e8ebe6..98af19d 100644 --- a/README.md +++ b/README.md @@ -21,16 +21,18 @@ So, you'll need one of those operating systems.. :-) Role Variables -------------- -This role needs 4 parameters: +This role needs 5 parameters: * `ossec_server_ip`: This is the ip address of the server running the ossec-server. * `ossec_server_fqdn`: This is the fqdn of the server running the ossec-server. * `ossec_server_name`: This is the hostname of the server running the ossec-server used for delegate with ansible. * `ossec_managed_server`: When set to false, tasks that delegate to ossec server will be skipped +* `ossec_agent_package_name`: Default is "ossec-hids-agent". This role has 3 tasks with 'delagation_to' which needs the parameter `ossec_server_name`. When this parameter is not set, you'll need to run manually the `/var/ossec/bin/ossec-authd` on the server and `/var/ossec/bin/agent-auth` on the agent. When this is the case, it will show you an message with the exact command line. -The following role variable is optional: +The following role variables are optional: * `ossec_active_response_disabled`: Disables active response if set to yes. If this is not defined active response is enabled. +* `ossec_disable_public_repos`: Disables installation of public repositories if set to "yes". Dependencies ------------ diff --git a/defaults/main.yml b/defaults/main.yml index 3a7420c..18f3d8a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -4,3 +4,4 @@ ossec_server_name: "" ossec_managed_server: true ossec_server_atomic_release: 1.0-21 +ossec_agent_package_name: ossec-hids-agent diff --git a/tasks/Debian.yml b/tasks/Debian.yml index b05c7ce..36025c3 100644 --- a/tasks/Debian.yml +++ b/tasks/Debian.yml @@ -4,7 +4,3 @@ - name: Debian/Ubuntu | Installing repository apt_repository: repo="deb http://ossec.wazuh.com/repos/apt/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main" state=present - -- name: Debian/Ubuntu | Install ossec-hids-agent - apt: pkg=ossec-hids-agent - state=present diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index e44a1bd..a8e4e2d 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -15,10 +15,3 @@ yum: name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" state: present - -- name: "RedHat | Install ossec-hids-client" - yum: - pkg: "{{ ossec_agent_package_name }}" - state: present - tags: - - init diff --git a/tasks/main.yml b/tasks/main.yml index d628a5b..790af8e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,16 +1,13 @@ --- # tasks file for ossec-agent -- name: "Include OS-specific variables" - include_vars: "{{ ansible_os_family }}.yml" - - name: "Install the correct repository" - include: "RedHat.yml" - when: ansible_os_family == "RedHat" + include_tasks: "{{ ansible_os_family }}.yml" + when: (ossec_disable_public_repos is not defined) or (ossec_disable_public_repos != 'yes') -- name: "Install the correct repository" - include: "Debian.yml" - when: ansible_os_family == "Debian" +- name: "Install {{ ossec_agent_package_name }}" + package: + name: "{{ ossec_agent_package_name }}" - name: Set ossec deploy facts for RedHat set_fact: diff --git a/vars/Debian.yml b/vars/Debian.yml deleted file mode 100644 index 0d8b62a..0000000 --- a/vars/Debian.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - -ossec_agent_package_name: ossec-hids-client 
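Review bot: `when: (ossec_disable_public_repos is not defined) or (ossec_disable_public_repos != 'yes')` in tasks/main.yml compares against the string `'yes'`, so a user who writes `ossec_disable_public_repos: yes` in plain YAML (a boolean `True` under Ansible's loader) still gets the public repositories installed, silently defeating the option the README in this patch describes; `when: not (ossec_disable_public_repos | default(false) | bool)` accepts `yes`, `true` and `'yes'` alike. `include_tasks: "{{ ansible_os_family }}.yml"` now fires for every OS family, so a host that is neither RedHat nor Debian fails on a missing file where the two guarded includes it replaces would have skipped; adding `ansible_os_family in ['RedHat', 'Debian']` to the condition keeps the old behaviour. The new `package` task omits `state:`; the module defaults to `present`, but stating it keeps the task self-describing.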
diff --git a/vars/RedHat.yml b/vars/RedHat.yml deleted file mode 100644 index 55b84cd..0000000 --- a/vars/RedHat.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - -ossec_agent_package_name: ossec-hids-agent From 9e573a73c53a043e385e9dd8827a5c14058a82b9 Mon Sep 17 00:00:00 2001 From: briankfitzwater Date: Wed, 3 Jan 2018 14:32:00 -0500 Subject: [PATCH 08/23] More info on --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 98af19d..a3bbd86 100644 --- a/README.md +++ b/README.md @@ -21,18 +21,18 @@ So, you'll need one of those operating systems.. :-) Role Variables -------------- -This role needs 5 parameters: +This role needs 4 parameters: * `ossec_server_ip`: This is the ip address of the server running the ossec-server. * `ossec_server_fqdn`: This is the fqdn of the server running the ossec-server. * `ossec_server_name`: This is the hostname of the server running the ossec-server used for delegate with ansible. * `ossec_managed_server`: When set to false, tasks that delegate to ossec server will be skipped -* `ossec_agent_package_name`: Default is "ossec-hids-agent". This role has 3 tasks with 'delagation_to' which needs the parameter `ossec_server_name`. When this parameter is not set, you'll need to run manually the `/var/ossec/bin/ossec-authd` on the server and `/var/ossec/bin/agent-auth` on the agent. When this is the case, it will show you an message with the exact command line. The following role variables are optional: * `ossec_active_response_disabled`: Disables active response if set to yes. If this is not defined active response is enabled. * `ossec_disable_public_repos`: Disables installation of public repositories if set to "yes". +* `ossec_agent_package_name`: Default is "ossec-hids-agent". For RPM based systems (e.g. CentOS and RedHat), this can be a URL or path to a rpm file. Dependencies ------------ From ab22101ffa5b8778dce6c7aedbdedee59413cfac Mon Sep 17 00:00:00 2001 
From: briankfitzwater Date: Wed, 3 Jan 2018 15:02:02 -0500 Subject: [PATCH 09/23] Add support for .deb packages --- README.md | 2 +- tasks/main.yml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a3bbd86..3dd18e7 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ This role has 3 tasks with 'delagation_to' which needs the parameter `ossec_serv The following role variables are optional: * `ossec_active_response_disabled`: Disables active response if set to yes. If this is not defined active response is enabled. * `ossec_disable_public_repos`: Disables installation of public repositories if set to "yes". -* `ossec_agent_package_name`: Default is "ossec-hids-agent". For RPM based systems (e.g. CentOS and RedHat), this can be a URL or path to a rpm file. +* `ossec_agent_package_name`: Default is "ossec-hids-agent". This can be set to a URL or path to a .rpm file or path to a .deb file if the public repositories cannot be used. Dependencies ------------ diff --git a/tasks/main.yml b/tasks/main.yml index 790af8e..816ed20 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -8,6 +8,11 @@ - name: "Install {{ ossec_agent_package_name }}" package: name: "{{ ossec_agent_package_name }}" + when: "'.deb' not in ossec_agent_package_name" + +- name: Install OSSEC Agent from .deb package + apt: deb="{{ ossec_agent_package_name }}" + when: "'.deb' in ossec_agent_package_name" - name: Set ossec deploy facts for RedHat set_fact: From 820bf38297fe395049dccc0b62d3d2d0ba751a34 Mon Sep 17 00:00:00 2001 From: briankfitzwater Date: Mon, 8 Jan 2018 11:50:04 -0500 Subject: [PATCH 10/23] Option to set agent name --- README.md | 7 ++++--- tasks/main.yml | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3dd18e7..e14c5ab 100644 --- a/README.md +++ b/README.md 
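Review bot: `'.deb' in ossec_agent_package_name` in tasks/main.yml is a substring test, so a URL or path that merely contains `.deb` elsewhere in the string is routed to `apt: deb=` while anything else, including an `.rpm` URL on a Debian host, goes to `package`; testing the suffix is more precise, `when: ossec_agent_package_name.endswith('.deb')` and its negation on the `package` task. The `apt` module's `deb:` hands the file to dpkg without any repository signature check, so when the value is a URL the role should fetch it with `get_url` and a `checksum:` first, and the README entry for `ossec_agent_package_name` should say that the caller is responsible for the package's integrity. The new task also uses the `deb="..."` key=value form while the rest of this file was converted to block YAML in patch 04.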
@@ -1,7 +1,7 @@ dj-wasabi.ossec-agent ========= -This role will install and configure an ossec-agent on the server. When there there is an parameter `ossec_server_name` configured, it will delagate an action for automatically authenticate the agent. +This role will install and configure an ossec-agent on the server. When there is a parameter, `ossec_server_name` configured, it will delagate an action to automatically authenticate the agent. Build Status: @@ -24,7 +24,7 @@ Role Variables This role needs 4 parameters: * `ossec_server_ip`: This is the ip address of the server running the ossec-server. * `ossec_server_fqdn`: This is the fqdn of the server running the ossec-server. -* `ossec_server_name`: This is the hostname of the server running the ossec-server used for delegate with ansible. +* `ossec_server_name`: This is the hostname of the server running the ossec-server used for delegate with ansible. * `ossec_managed_server`: When set to false, tasks that delegate to ossec server will be skipped This role has 3 tasks with 'delagation_to' which needs the parameter `ossec_server_name`. When this parameter is not set, you'll need to run manually the `/var/ossec/bin/ossec-authd` on the server and `/var/ossec/bin/agent-auth` on the agent. When this is the case, it will show you an message with the exact command line. @@ -33,6 +33,7 @@ The following role variables are optional: * `ossec_active_response_disabled`: Disables active response if set to yes. If this is not defined active response is enabled. * `ossec_disable_public_repos`: Disables installation of public repositories if set to "yes". * `ossec_agent_package_name`: Default is "ossec-hids-agent". This can be set to a URL or path to a .rpm file or path to a .deb file if the public repositories cannot be used. +* `ossec_agent_name`: Optional name for the OSSEC agent. Default is to use hostname. Dependencies ------------ 
@@ -67,7 +68,7 @@ GPLv3 Author Information ------------------ -Please send suggestion or pull requests to make this role better. +Please send suggestion or pull requests to make this role better. Github: https://github.com/dj-wasabi/ansible-ossec-agent diff --git a/tasks/main.yml b/tasks/main.yml index 816ed20..51ee4e4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -73,7 +73,7 @@ - skip_ansible_lint - name: "register client" - shell: /var/ossec/bin/agent-auth -m {{ ossec_server_ip|default(ossec_server_fqdn) }} -p 1515 + shell: "/var/ossec/bin/agent-auth -m {{ ossec_server_ip|default(ossec_server_fqdn) }} -p 1515 -A '{{ ossec_agent_name|default(ansible_hostname) }}'" args: creates: /var/ossec/etc/client.keys tags: From 5d9b859c7a660fd63db1b3df49aab5c212af34eb Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Tue, 8 May 2018 20:27:12 +0200 Subject: [PATCH 11/23] Use specific version of libraries --- .travis.yml | 3 ++- meta/main.yml | 2 +- requirements.txt | 4 ++++ 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 requirements.txt diff --git a/.travis.yml b/.travis.yml index 783ded3..2635ebd 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,11 +5,12 @@ services: - docker install: - - pip install molecule ansible docker + - pip install -r requirements.txt script: - molecule --version - ansible --version - molecule test + notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/meta/main.yml b/meta/main.yml index 40a17f1..832dd40 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: Installing and maintaining the ossec-agent. company: myCompany.Dotcom license: license (GPLv3) - min_ansible_version: 1.4 + min_ansible_version: 2.4 platforms: - name: EL versions: diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..f3b2021 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,4 @@ +ansible==2.4.4.0 +docker==3.3.0 +molecule==2.13.1 +testinfra==1.12.0 
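Review bot: `ossec_agent_name` is interpolated into a `shell:` command line inside single quotes, so a value containing a single quote or other shell metacharacters breaks out of the quoting; use the quote filter instead: `-A {{ ossec_agent_name | default(ansible_hostname) | quote }}`. Nothing in the command needs a shell, so the `command` module with the same `creates:` guard would remove the injection surface entirely. Since `ossec_agent_name` is user-supplied role input, a comment noting that it is passed to agent-auth verbatim would also help the next maintainer.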
From a7ce5ec63f5ddd7fc632fe725812cc2e2547f8e4 Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Sat, 26 May 2018 11:49:18 +0200 Subject: [PATCH 12/23] Added license;Added galaxy_tags --- .github/ISSUE_TEMPLATE/bug_report.md | 35 +++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 14 ++++ CODE_OF_CONDUCT.md | 3 + CONTRIBUTING.md | 88 +++++++++++++++++++++++ LICENSE | 21 ++++++ PULL_REQUEST_TEMPLATE.md | 12 ++++ meta/main.yml | 7 +- molecule/default/create.yml | 2 +- 8 files changed, 180 insertions(+), 2 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 PULL_REQUEST_TEMPLATE.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..0320127 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,35 @@ +--- +name: Bug report +about: Help to improve this Ansible role. + +--- + +**Describe the bug** + + +**Installation method/version** + + +* Github / latest +* Ansible Galaxy / 1.1.0 + +**Ansible Version** + +``` + +``` + +**Targetted hosts** +Concerns the following OS(es): + + +* Ubuntu +* Debian +* CentOS +* Mint + +**Expected behavior** + + +**Additional context** + diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..08c8343 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,14 @@ +--- +name: Feature request +about: Suggest an idea for this Ansible role + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..e28ac17 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,3 @@ +# Code of Conduct + +The Code of Conduct from Ansible found [here](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html) applies to this Ansible role as well. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..4b8af37 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,88 @@ +# Contributing to this role + +**Table of content** + +- [Contributing to this role](#contributing-to-this-role) + * [Contributing](#contributing) + * [(local) Development](#-local--development) + + [Requirements](#requirements) + + [Execution](#execution) +- [Other](#other) + * [Virtualenv](#virtualenv) + * [Links](#links) + +Thank you very much for making time to improve this Ansible role. + +## Contributing + +Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms. [Contributor Code of Conduct](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html). + +1. Fork the repo + +2. Create a branch and apply your changes to this branch. + + a. Make sure you have updated the documentation when adding new variables; + + b. Don't forget to add/update tests so we can test the functionality during each Pull Request; + + c. Make sure the tests will succeed. + +3. Push the branch to your fork and submit a pull request. + +**Note** + +Pull Requests that fails during the tests will not be merged. + +## Coding Guidelines + +Style guides are important because they ensure consistency in the content, look, and feel of a book or a website. + +* [Ansible Style Guide](http://docs.ansible.com/ansible/latest/dev_guide/style_guide/) +* It's "Ansible" when referring to the product and ``ansible`` when referring to the command line tool, package, etc +* Playbooks should be written in multi-line YAML with ``key: value``. The form ``key=value`` is only for ``ansible`` ad-hoc, not for ``ansible-playbook``. +* Tasks should always have a ``name:`` + +## (local) Development + +This role make use of Molecule to test the execution of the role and verificate it. In the root of the repository, a file named `requirements.txt` exists and contains the versions used by the tests. 
+ +### Requirements + +You can install them with the following command: + +``` +pip install -r requirements.txt +``` + +Once the dependencies are installed, please install Docker as Molecule is configured in this repository to create Docker containers. See [this](https://docs.docker.com/install/) link to install Docker on your system. + +### Execution + +Once everything is installed, you can validate your changes by executing: +``` +molecule test +``` + +It should run without any issues. + +# Other + +## Virtualenv + +Suggestion is to create a virtualenv so you won't have issues with other projects. + +Some web pages describing for virtual env: + +* http://thepythonguru.com/python-virtualenv-guide/ +* https://realpython.com/python-virtual-environments-a-primer/ +* https://www.dabapps.com/blog/introduction-to-pip-and-virtualenv-python/ + +## Links + +[Molecule](https://molecule.readthedocs.io/) + +[Ansible](https://www.ansible.com/) + +[Molecule V2 with your own role](https://werner-dijkerman.nl/2017/09/05/using-molecule-v2-to-test-ansible-roles/) + +**End note**: Have fun making changes. If a feature helps you, then others find it helpful too and I will happily have it merged. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..6922fb3 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2018 Werner Dijkerman + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..70c5ede --- /dev/null +++ b/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,12 @@ +**Description of PR** + + +**Type of change** + + +Feature Pull Request +Bugfix Pull Request +Docs Pull Request + +**Fixes an issue** + diff --git a/meta/main.yml b/meta/main.yml index 832dd40..aaf0bd6 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -3,7 +3,7 @@ galaxy_info: author: Werner Dijkerman description: Installing and maintaining the ossec-agent. company: myCompany.Dotcom - license: license (GPLv3) + license: MIT min_ansible_version: 2.4 platforms: - name: EL @@ -19,4 +19,9 @@ galaxy_info: - all categories: - monitoring + galaxy_tags: + - ossec + - ossec-agent + - hids + - monitoring dependencies: [] 
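Review bot: meta/main.yml now declares `license: MIT`, matching the new LICENSE file, but the README's License section still reads GPLv3 (visible in the earlier README hunk at `@@ -67,7 +68,7 @@ GPLv3`), so the Galaxy metadata and the README disagree; the README line should change in the same commit. The changelog shows several outside contributors, and relicensing from GPLv3 to MIT presumably needs their agreement, which this commit does not record; a sentence in the commit message or CHANGELOG saying how that was handled would avoid the question later.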
diff --git a/molecule/default/create.yml b/molecule/default/create.yml index ede69fd..4b4f649 100644 --- a/molecule/default/create.yml +++ b/molecule/default/create.yml @@ -48,7 +48,7 @@ image: "molecule_local/{{ item.image }}" state: started recreate: False - log_driver: syslog + log_driver: none command: "{{ item.command | default('sleep infinity') }}" privileged: "{{ item.privileged | default(omit) }}" volumes: "{{ item.volumes | default(omit) }}" From aa4daba9ce329c6a69716c2ce174a604a4befd42 Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Sat, 26 May 2018 15:45:34 +0200 Subject: [PATCH 13/23] Added Ubuntu to Molecule testing --- molecule/default/molecule.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 0c74e76..7344474 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -32,6 +32,14 @@ platforms: privileged: True networks: - name: ossec + - name: ossec-agent-ubuntu + image: solita/ubuntu-systemd + command: /sbin/init + groups: + - ossec + privileged: True + networks: + - name: ossec provisioner: name: ansible From 6c29671c64909b9e0feb0e202cd8a00258a81187 Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Fri, 31 Jul 2020 10:08:17 +0200 Subject: [PATCH 14/23] Create FUNDING.yml --- .github/FUNDING.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..f0292c3 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,4 @@ +# These are supported funding model platforms + +github: dj-wasabi +patreon: wernerdijkerman From a507cf38f207c83d326014765ec817dc1f15a891 Mon Sep 17 00:00:00 2001 From: Emmet O'Grady Date: Fri, 14 Aug 2020 13:31:10 +0100 Subject: [PATCH 15/23] Switch repo to atomicorp --- tasks/Debian.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
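Review bot: The new `ossec-agent-ubuntu` platform is put in group `ossec` instead of `agent` like the centos and debian agent containers, so the testinfra suite that selects `get_hosts('agent')` never asserts on it even though the converge play (`hosts: all:!server`) runs the role there. Change `groups: - ossec` to `groups: - agent` so the Ubuntu run is actually verified. The platform also sets `command: /sbin/init` while the other platforms rely on the image default; a one-line comment saying why the solita image needs it would help.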
diff --git a/tasks/Debian.yml b/tasks/Debian.yml index 36025c3..87ac28e 100644 --- a/tasks/Debian.yml +++ b/tasks/Debian.yml @@ -1,6 +1,6 @@ --- - name: Debian/Ubuntu | Installing repository key - apt_key: url=http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key + apt_key: url=https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt - name: Debian/Ubuntu | Installing repository - apt_repository: repo="deb http://ossec.wazuh.com/repos/apt/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main" state=present + apt_repository: repo="deb https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main" state=present From 240ba30ce0efa44d1eb7cc5844b5ef7758982d7b Mon Sep 17 00:00:00 2001 From: Emmet O'Grady Date: Sat, 15 Aug 2020 22:18:28 +0100 Subject: [PATCH 16/23] Make debian repo url configurable --- defaults/main.yml | 4 ++++ tasks/Debian.yml | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 18f3d8a..730971e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,3 +5,7 @@ ossec_server_name: "" ossec_managed_server: true ossec_server_atomic_release: 1.0-21 ossec_agent_package_name: ossec-hids-agent + +# Set to an empty string or null to disable adding a key +ossec_agent_debian_repository_key: "https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt" +ossec_agent_debian_repository_url: "https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution | lower }}" diff --git a/tasks/Debian.yml b/tasks/Debian.yml index 87ac28e..673e12f 100644 --- a/tasks/Debian.yml +++ b/tasks/Debian.yml 
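Review bot: The repository key is imported by URL with no `id:` fingerprint pin, so the role trusts whatever https://www.atomicorp.com serves at that moment; `apt_key` accepts `id:` and refuses a key whose fingerprint differs, which is the check a supply-chain-conscious deployment wants. Add `id: <fingerprint from atomicorp's published key>` alongside the `url:` (the fingerprint is not in this diff, so take it from their documentation, not from the download). The single-line `key=value` form also differs from the block style the rest of this series uses; `apt_key:` with `url:` and `id:` keys reads better.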
@@ -1,6 +1,10 @@ --- - name: Debian/Ubuntu | Installing repository key - apt_key: url=https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt + apt_key: + url: "{{ ossec_agent_debian_repository_key }}" + when: ossec_agent_debian_repository_key - name: Debian/Ubuntu | Installing repository - apt_repository: repo="deb https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main" state=present + apt_repository: + repo: "deb {{ ossec_agent_debian_repository_url }} {{ ansible_distribution_release }} main" + state: present From ce425a2a98db2934f929f0f3159974e0ec32e4af Mon Sep 17 00:00:00 2001 
From: Werner Dijkerman Date: Mon, 31 Aug 2020 18:10:35 +0200 Subject: [PATCH 17/23] Create agent.yml (#30) Moved from travis to Github Actions; Co-authored-by: Werner Dijkerman --- .github/workflows/agent.yml | 44 +++++++++++++++++++++ .travis.yml | 16 -------- defaults/main.yml | 2 + molecule/default/Dockerfile.j2 | 7 ---- molecule/default/INSTALL.rst | 46 --------------------- molecule/default/converge.yml | 21 ++++++++++ molecule/default/create.yml | 57 --------------------------- molecule/default/destroy.yml | 25 ------------ molecule/default/molecule.yml | 33 +++++----------- molecule/default/playbook.yml | 15 ------- molecule/default/prepare.yml | 24 +++++++++++ molecule/default/tests/test_agent.py | 30 +++++++------- molecule/default/tests/test_server.py | 12 ------ molecule/default/yaml-lint.yml | 9 ----- requirements.txt | 10 +++-- tasks/Debian.yml | 2 +- tasks/main.yml | 12 +++++- 17 files changed, 133 insertions(+), 232 deletions(-) create mode 100644 .github/workflows/agent.yml delete mode 100644 .travis.yml delete mode 100644 molecule/default/Dockerfile.j2 delete mode 100644 molecule/default/INSTALL.rst create mode 100644 molecule/default/converge.yml delete mode 100644 molecule/default/create.yml delete mode 100644 molecule/default/destroy.yml delete mode 100644 molecule/default/playbook.yml delete mode 100644 molecule/default/tests/test_server.py delete mode 100644 molecule/default/yaml-lint.yml diff --git a/.github/workflows/agent.yml b/.github/workflows/agent.yml new file mode 100644 index 0000000..4472b71 --- /dev/null +++ b/.github/workflows/agent.yml 
@@ -0,0 +1,44 @@ +# This is a basic workflow to help you get started with Actions + +name: CI + +# Controls when the action will run. Triggers the workflow on push or pull request +# events but only for the master branch +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + strategy: + fail-fast: false + matrix: + molecule_distro: + - container: centos7 + - container: centos8 + - container: ubuntu1604 + - container: ubuntu1804 + - container: debian8 + - container: debian9 + runs-on: ubuntu-latest + + steps: + - name: Check out code + uses: actions/checkout@v1 + + - name: Set up Python 3.7 + uses: actions/setup-python@v1 + with: + python-version: 3.7 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + + - name: Run role tests + run: >- + MY_MOLECULE_CONTAINER=${{ matrix.molecule_distro.container }} + molecule test diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 2635ebd..0000000 --- a/.travis.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -sudo: required -language: python -services: - - docker - -install: - - pip install -r requirements.txt - -script: - - molecule --version - - ansible --version - - molecule test - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/defaults/main.yml b/defaults/main.yml index 730971e..a110a1d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -9,3 +9,5 @@ ossec_agent_package_name: ossec-hids-agent # Set to an empty string or null to disable adding a key ossec_agent_debian_repository_key: "https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt" ossec_agent_debian_repository_url: "https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution | lower }}" + +ossec_agent_client_pass: diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2 deleted file mode 100644 index 7ba209c..0000000 --- a/molecule/default/Dockerfile.j2 +++ /dev/null 
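Review bot: `actions/checkout@v1` and `actions/setup-python@v1` are referenced by mutable major-version tags, so the workflow runs whatever code those tags point to at run time; pin each to a full commit SHA with the tag in a trailing comment for reproducible CI. The matrix value is expanded with `${{ matrix.molecule_distro.container }}` directly inside `run:`; the values are static here so it is not injectable, but passing it through `env:` (`env: { MY_MOLECULE_CONTAINER: "${{ matrix.molecule_distro.container }}" }`) is the habit that stays safe if a matrix later comes from untrusted input. The `# This is a basic workflow to help you get started with Actions` template comment should be replaced with what the workflow actually does (molecule test across the distro matrix).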
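Review bot: The new default `ossec_agent_client_pass:` has a bare empty value, which YAML parses as null rather than an empty string, and the task added in the same commit renders it into `/var/ossec/etc/authd.pass` unconditionally; make the intent explicit with `ossec_agent_client_pass: ""` and a comment stating what happens when it is empty. The README is not updated to document the new variable. Because it is a credential, the comment should also say the value is expected to come from vault or an external secret store rather than plain group_vars.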
@@ -1,7 +0,0 @@ -FROM {{ item.image }} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst deleted file mode 100644 index 09e8735..0000000 --- a/molecule/default/INSTALL.rst +++ /dev/null @@ -1,46 +0,0 @@ -******* -Install -******* - -This set of playbooks have specific dependencies on Ansible due to the modules -being used. - -Requirements -============ - -* Ansible 2.2 -* Docker Engine -* docker-py - -Install OS dependencies on CentOS 7 - -.. code-block:: bash - - $ sudo yum install -y epel-release - $ sudo yum install -y gcc python-pip python-devel openssl-devel - # If installing Molecule from source. - $ sudo yum install libffi-devel git - -Install OS dependencies on Ubuntu 16.x - -.. code-block:: bash - - $ sudo apt-get update - $ sudo apt-get install -y python-pip libssl-dev docker-engine - # If installing Molecule from source. - $ sudo apt-get install -y libffi-dev git - -Install OS dependencies on Mac OS - -.. code-block:: bash - - $ brew install python - $ brew install git - -Install using pip: - -.. code-block:: bash - - $ sudo pip install ansible - $ sudo pip install docker-py - $ sudo pip install molecule --pre 
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..d85fde8 --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,21 @@ +--- +- name: Converge + hosts: server + pre_tasks: + - name: "Get ip Ossec Server" + shell: grep $(hostname) /etc/hosts | awk '{print $1}' | sort | head -n 1 + register: ossec_server + changed_when: False + + - name: "Get ossec_server_client_auth" + shell: cat /var/ossec/logs/ossec.log | grep "Random password chosen for agent authentication:" | tail -n1 | cut -d':' -f4 | awk '{$1=$1};1' + register: ossec_server_client_auth + changed_when: False + +- hosts: all:!server + roles: + - role: ansible-ossec-agent + ossec_server_name: ossec-server-centos + ossec_server_ip: "{{ hostvars['ossec-server-centos']['ossec_server']['stdout'] }}" + ossec_server_fqdn: ossec-server-centos + ossec_agent_client_pass: "{{ hostvars['ossec-server-centos']['ossec_server_client_auth']['stdout'] }}" diff --git a/molecule/default/create.yml b/molecule/default/create.yml deleted file mode 100644 index 4b4f649..0000000 --- a/molecule/default/create.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -- name: Create - hosts: localhost - connection: local - gather_facts: False - # no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" - vars: - molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" - molecule_ephemeral_directory: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}" - molecule_scenario_directory: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}" - molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}" - tasks: - - name: Create Dockerfiles from image names - template: - src: "{{ molecule_scenario_directory }}/Dockerfile.j2" - dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}" - with_items: "{{ molecule_yml.platforms }}" - register: platforms - - - name: Discover local Docker images - docker_image_facts: - name: "molecule_local/{{ item.item.name }}" - with_items: "{{ platforms.results }}" - register: docker_images - - - name: Build an Ansible compatible image - docker_image: - path: "{{ molecule_ephemeral_directory }}" - name: "molecule_local/{{ item.item.image }}" - dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}" - force: "{{ item.item.force | default(True) }}" - with_items: "{{ platforms.results }}" - when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0 - - - name: Create a network - docker_network: - name: ossec - state: present - - - name: "Create a network" - shell: docker network create --ipv6 --subnet="2001:db8::/32" ossec6 - failed_when: False - - - name: Create molecule instance(s) - docker_container: - name: "{{ item.name }}" - hostname: "{{ item.name }}" - image: "molecule_local/{{ item.image }}" - state: started - recreate: False - log_driver: none - command: "{{ item.command | default('sleep infinity') }}" - privileged: "{{ item.privileged | default(omit) }}" - volumes: "{{ item.volumes | default(omit) }}" - capabilities: "{{ 
item.capabilities | default(omit) }}" - networks: "{{ item.networks | default(omit) }}" - with_items: "{{ molecule_yml.platforms }}" diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml deleted file mode 100644 index ffd27c1..0000000 --- a/molecule/default/destroy.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -- name: Destroy - hosts: localhost - connection: local - gather_facts: False - no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" - vars: - molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" - molecule_yml: "{{ lookup('file', molecule_file) | from_yaml }}" - tasks: - - name: Destroy molecule instance(s) - docker_container: - name: "{{ item.name }}" - state: absent - force_kill: "{{ item.force_kill | default(True) }}" - with_items: "{{ molecule_yml.platforms }}" - - - name: Delete a network - docker_network: - name: ossec - state: absent - - - name: "Delete a network" - shell: docker network rm ossec6 - failed_when: False diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 7344474..cb5734d 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -3,41 +3,28 @@ dependency: name: galaxy driver: name: docker -lint: - name: yamllint - options: - config-file: molecule/default/yaml-lint.yml platforms: - name: ossec-server-centos hostname: ossec-server-centos groups: - server - image: milcom/centos7-systemd + image: geerlingguy/docker-centos7-ansible + pre_build_image: True privileged: True + command: /usr/sbin/init + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro networks: - name: ossec - - name: ossec6 - - name: ossec-agent-centos + - name: ossec-agent-${MY_MOLECULE_CONTAINER:-centos7} groups: - agent - image: milcom/centos7-systemd - privileged: True - networks: - - name: ossec - - name: ossec-agent-debian - groups: - - agent - image: maint/debian-systemd - privileged: True - networks: - - name: ossec - - name: ossec-agent-ubuntu - image: solita/ubuntu-systemd - command: /sbin/init - groups: - - ossec + image: geerlingguy/docker-${MY_MOLECULE_CONTAINER:-centos7}-ansible privileged: True + pre_build_image: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro networks: - name: ossec diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml deleted file mode 100644 index 4cf5d0e..0000000 --- a/molecule/default/playbook.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Converge - hosts: server - pre_tasks: - - name: "Get ip Ossec Server" - shell: grep $(hostname) /etc/hosts | awk '{print $1}' | sort | head -n 2 | tail -n 1 - register: ossec_server - changed_when: False - -- hosts: all:!server - roles: - - role: ansible-ossec-agent - ossec_server_name: ossec-server-centos - ossec_server_ip: "{{ hostvars['ossec-server-centos']['ossec_server']['stdout'] }}" - ossec_server_fqdn: "{{ hostvars['ossec-server-centos']['ossec_server']['stdout'] }}" diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index a9eb95c..a4d2eaa 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml 
@@ -9,3 +9,27 @@ roles: - role: dj-wasabi.ossec-server + +- name: Prepare + hosts: agent + tasks: + + - name: "Apt-update" + shell: apt-get update + args: + warn: False + when: + - ansible_os_family == "Debian" + + - name: "Installing tools on Debian" + apt: + name: + - net-tools + - apt-transport-https + - sudo + - apt-utils + - ca-certificates + - "{{ 'gnupg-agent' if ansible_distribution_major_version in ['8', '16'] else 'gpg-agent' }}" + state: present + when: + - ansible_os_family == "Debian" diff --git a/molecule/default/tests/test_agent.py b/molecule/default/tests/test_agent.py index ccf6438..bef86ae 100644 --- a/molecule/default/tests/test_agent.py +++ b/molecule/default/tests/test_agent.py 
@@ -6,35 +6,35 @@ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('agent') -def test_ossec_package_installed(Package, SystemInfo): - if SystemInfo.distribution in ['debian', 'ubuntu']: - ossec = Package('ossec-hids-agent') - elif SystemInfo.distribution == 'centos': - ossec = Package('ossec-hids') +def test_ossec_package_installed(host): + if host.system_info.distribution in ['debian', 'ubuntu']: + ossec = host.package('ossec-hids-agent') + elif host.system_info.distribution == 'centos': + ossec = host.package('ossec-hids') assert ossec.is_installed -def test_ossec_service_running_and_enabled(Service, SystemInfo): - if SystemInfo.distribution in ['debian', 'ubuntu']: - ossec = Service('ossec') +def test_ossec_service_running_and_enabled(host): + if host.system_info.distribution in ['debian', 'ubuntu']: + ossec = host.service('ossec') else: - ossec = Service('ossec-hids') + ossec = host.service('ossec-hids') assert ossec.is_enabled assert ossec.is_running -def test_client_keys(File): - zabbix_server_conf = File("/var/ossec/etc/client.keys") +def test_client_keys(host): + zabbix_server_conf = host.file("/var/ossec/etc/client.keys") assert zabbix_server_conf.user == "root" assert zabbix_server_conf.group == "ossec" assert zabbix_server_conf.mode == 0o640 -def test_ossec_agent(File, SystemInfo): - if SystemInfo.distribution in ['debian', 'ubuntu']: - ossec_file = File("/var/ossec/etc/ossec.conf") +def test_ossec_agent(host): + if host.system_info.distribution in ['debian', 'ubuntu']: + ossec_file = host.file("/var/ossec/etc/ossec.conf") else: - ossec_file = File("/var/ossec/etc/ossec-agent.conf") + ossec_file = host.file("/var/ossec/etc/ossec-agent.conf") assert ossec_file.user == "root" assert ossec_file.group == "root" assert ossec_file.mode == 0o644 diff --git a/molecule/default/tests/test_server.py b/molecule/default/tests/test_server.py deleted file mode 100644 index db4c4a3..0000000 --- a/molecule/default/tests/test_server.py +++ /dev/null 
@@ -1,12 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('server') - - -def test_ossec_package_installed(host): - cmd = host.run("/var/ossec/bin/list_agents -a") - assert 'ossec-agent-centos' in cmd.stdout - assert 'ossec-agent-debian' in cmd.stdout diff --git a/molecule/default/yaml-lint.yml b/molecule/default/yaml-lint.yml deleted file mode 100644 index ab5cdeb..0000000 --- a/molecule/default/yaml-lint.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -extends: default - -rules: - line-length: - max: 120 - level: warning - truthy: disable diff --git a/requirements.txt b/requirements.txt index f3b2021..4e3bf01 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,6 @@ -ansible==2.4.4.0 -docker==3.3.0 -molecule==2.13.1 -testinfra==1.12.0 +ansible==2.9.11 +ansible-lint==4.2.0 +docker==4.2.1 +molecule==3.0.4 +netaddr==0.7.19 +testinfra==5.2.1 diff --git a/tasks/Debian.yml b/tasks/Debian.yml index 673e12f..7860199 100644 --- a/tasks/Debian.yml +++ b/tasks/Debian.yml @@ -2,9 +2,9 @@ - name: Debian/Ubuntu | Installing repository key apt_key: url: "{{ ossec_agent_debian_repository_key }}" - when: ossec_agent_debian_repository_key - name: Debian/Ubuntu | Installing repository apt_repository: repo: "deb {{ ossec_agent_debian_repository_url }} {{ ansible_distribution_release }} main" + mode: '0644' state: present diff --git a/tasks/main.yml b/tasks/main.yml index 51ee4e4..869d1b5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -38,6 +38,14 @@ - init - config +- name: "Install pass file" + copy: + dest: /var/ossec/etc/authd.pass + content: "{{ ossec_agent_client_pass }}" + owner: ossec + group: ossec + mode: 0600 + - name: "Check if client.keys exists" stat: path: /var/ossec/etc/client.keys 
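Review bot: Removing `when: ossec_agent_debian_repository_key` makes the key import run unconditionally, but the comment added to defaults/main.yml in the previous commit (`# Set to an empty string or null to disable adding a key`) still promises that an empty value disables it; now an empty value makes `apt_key` fail on an empty `url`. Either restore the guard as `when: ossec_agent_debian_repository_key | default('') | length > 0` or remove the comment so the default's documentation matches behaviour. Adding `mode: '0644'` to the sources file is fine but does not affect verification; an `id:` fingerprint pin on the key is still absent.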
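Review bot: The `Install pass file` task writes the registration password with `copy: content:` and no `no_log: true`, so the secret shows up in `--diff` output and in verbose task results; add `no_log: true` to it. It also runs even when `ossec_agent_client_pass` is empty, leaving a 0600 file holding an empty or null-rendered value that the later `-P` flag then points at; guarding it with `when: ossec_agent_client_pass | default('') | length > 0` keeps the password-less flow unchanged. The file is written on every run, before the `stat` of client.keys, so the password is re-deployed after registration; if that is intentional a comment should say so.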
@@ -55,7 +63,7 @@ - config - name: "Starting auth daemon on server {{ ossec_server_name }}" - service: + systemd: name: ossec-authd state: started when: ossec_managed_server and not check_keys.stat.exists and ossec_server_name|default("") != "" @@ -73,7 +81,7 @@ - skip_ansible_lint - name: "register client" - shell: "/var/ossec/bin/agent-auth -m {{ ossec_server_ip|default(ossec_server_fqdn) }} -p 1515 -A '{{ ossec_agent_name|default(ansible_hostname) }}'" + shell: "/var/ossec/bin/agent-auth -m {{ ossec_server_ip|default(ossec_server_fqdn) }} -p 1515 -A '{{ ossec_agent_name|default(ansible_hostname) }}' -P /var/ossec/etc/authd.pass" args: creates: /var/ossec/etc/client.keys tags: From d9cbd02c5a9f424cc49c11698bff1181f0a5bef4 Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Mon, 31 Aug 2020 18:13:44 +0200 Subject: [PATCH 18/23] Corrected badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e14c5ab..3355882 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ This role will install and configure an ossec-agent on the server. When there is Build Status: -[![Build Status](https://travis-ci.org/dj-wasabi/ansible-ossec-agent.svg?branch=master)](https://travis-ci.org/dj-wasabi/ansible-ossec-agent) +[![Build Status](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Factions-badge.atrox.dev%2Fdj-wasabi%2Fansible-ossec-agent%2Fbadge%3Fref%3Dmaster&style=flat)](https://actions-badge.atrox.dev/dj-wasabi/ansible-ossec-agent/goto?ref=master) Requirements From 861e694b675412866f0fb34e52d011bd16e624cf Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Mon, 31 Aug 2020 18:18:38 +0200 Subject: [PATCH 19/23] Go to new version 0.2.0 --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index acf5948..451f661 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
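Review bot: `-P /var/ossec/etc/authd.pass` is now passed on every registration whether or not a password was configured, so a deployment with an empty `ossec_agent_client_pass` hands agent-auth a file with an empty or null-rendered value; build the flag conditionally, e.g. `{{ '-P /var/ossec/etc/authd.pass' if ossec_agent_client_pass | default('') else '' }}`. The `-A` argument is still single-quoted Jinja inside `shell:`, so an agent name containing a quote breaks the command line; `| quote` is the safe form. The `service:` to `systemd:` switch in the first hunk restricts the delegated server task to systemd hosts; if that is deliberate, say so in a comment, otherwise `service:` was the portable choice.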
@@ -4,6 +4,12 @@ Below an overview of all changes in the releases. Version (Release date) +0.2.0 (2020-08-31) + + * Optionally disable public repos #22 (By pull request: briankfitzwater (Thanks!)) + * Option to set agent name #23 (By pull request: briankfitzwater (Thanks!)) + * Switch repo to atomicorp #29 (By pull request: emmetog (Thanks!)) + 0.1.0 (2018-01-02) * Using Molecule V2 for CI test purposes #21 From 9bf69bc7c2e6d4a6d5e92d35c1ff4c6d8ff093b8 Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Tue, 1 Sep 2020 16:44:26 +0200 Subject: [PATCH 20/23] MadeC --- defaults/main.yml | 4 ++++ molecule/default/molecule.yml | 3 +++ tasks/RedHat.yml | 9 ++++++++- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index a110a1d..1af8224 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -9,5 +9,9 @@ ossec_agent_package_name: ossec-hids-agent # Set to an empty string or null to disable adding a key ossec_agent_debian_repository_key: "https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt" ossec_agent_debian_repository_url: "https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution | lower }}" +ossec_filename: "atomic-release-{{ ossec_server_atomic_release }}.el{{ ansible_distribution_major_version }}.art.noarch.rpm" +ossec_url: "https://www.atomicorp.com/channels/atomic/centos/{{ ansible_distribution_major_version }}/x86_64/RPMS" +ossec_download_url: "{{ ossec_url }}/{{ ossec_filename }}" +ossec_server_disable_gpgkey: False ossec_agent_client_pass: diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index cb5734d..4b5046b 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -34,7 +34,10 @@ provisioner: name: ansible-lint inventory: group_vars: + agent: + ossec_server_disable_gpgkey: True server: + ossec_server_disable_gpgkey: True ossec_server_config: mail_to: - me@example.com 
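Review bot: In the defaults/main.yml hunk, `ossec_server_disable_gpgkey: False` uses the capitalised truthy spelling that yamllint flags and that YAML 1.2 parsers may read as a string; write it as `ossec_server_disable_gpgkey: false`. A variable that turns off package signature verification deserves a one-line comment above it, e.g. `# When true, the atomic-release RPM is installed with disable_gpg_check; leave false unless the repo key is unavailable.` The same line is re-added verbatim in PATCH 23 (defaults/main.yml, further down this page) and should be corrected there too. The molecule.yml hunk of this commit sets the flag `True` for both the agent and server groups, so CI will not notice if signature verification stops working.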
diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index a8e4e2d..6bc57ed 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -8,9 +8,16 @@ - name: "RedHat | Install atomicorp repo" yum: - name: "https://www.atomicorp.com/channels/atomic/centos/{{ ansible_distribution_major_version }}/x86_64/RPMS/atomic-release-{{ ossec_server_atomic_release }}.el{{ ansible_distribution_major_version }}.art.noarch.rpm" + name: "{{ ossec_download_url }}" + disable_gpg_check: "{{ ossec_server_disable_gpgkey }}" state: present +- name: "RedHat | Install epel repo rpm key" + rpm_key: + state: present + key: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}" + + - name: "RedHat | Install epel repo" yum: name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" From 5a8544511f1390bf39e823f7bfaa5e558c231cb5 Mon Sep 17 00:00:00 2001 From: Werner Dijkerman Date: Tue, 1 Sep 2020 16:55:02 +0200 Subject: [PATCH 21/23] Removing requirements file and use it from ci-base repo (#31) Co-authored-by: Werner Dijkerman --- .github/workflows/agent.yml | 1 + requirements.txt | 6 ------ 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 requirements.txt diff --git a/.github/workflows/agent.yml b/.github/workflows/agent.yml index 4472b71..2b600c2 100644 --- a/.github/workflows/agent.yml +++ b/.github/workflows/agent.yml @@ -36,6 +36,7 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip + curl -so requirements.txt 'https://raw.githubusercontent.com/dj-wasabi/ansible-ci-base/master/requirements.txt' pip install -r requirements.txt - name: Run role tests diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 4e3bf01..0000000 --- a/requirements.txt +++ /dev/null @@ -1,6 +0,0 @@ -ansible==2.9.11 -ansible-lint==4.2.0 -docker==4.2.1 -molecule==3.0.4 -netaddr==0.7.19 -testinfra==5.2.1 
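Review bot: The tasks/RedHat.yml hunk adds `disable_gpg_check: "{{ ossec_server_disable_gpgkey }}"` to the atomic-release install and an `rpm_key` task for the EPEL key, but no key import for the atomicorp package itself, which is presumably why the check has to be switchable. The defaults already carry the atomicorp key URL in `ossec_agent_debian_repository_key` (a Debian-named variable, so confirm it is the intended RPM key), and importing it with `rpm_key` before the `yum` task would let the signature check stay enabled on the default path. The two blank `+` lines before "Install epel repo" also leave a double blank line in the task file.

```yaml
- name: "RedHat | Install atomicorp rpm key"
  rpm_key:
    state: present
    key: "{{ ossec_agent_debian_repository_key }}"

# … unchanged: "RedHat | Install atomicorp repo" yum task …
```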
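Review bot: The `.github/workflows/agent.yml` hunk fetches requirements.txt from the `master` branch of another repository at CI time, so the pinned versions this role tests against now change silently whenever that branch moves, and `curl -s` without `-f` means a non-2xx response body (an HTML error page) would be written to requirements.txt and handed to `pip install`. Pin the fetch to a commit and fail on HTTP errors: `curl -sSfo requirements.txt 'https://raw.githubusercontent.com/dj-wasabi/ansible-ci-base/<PINNED-COMMIT-SHA>/requirements.txt'`, updating the SHA deliberately. The "Run role tests" step that follows continues outside the hunk.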
From f7e57a9c7f72439e1f8ed99475626b17b68ee35c Mon Sep 17 00:00:00 2001 From: Emmet O'Grady Date: Fri, 4 Sep 2020 12:23:42 +0100 Subject: [PATCH 22/23] Allow configuration of certs and passwords for agent-server comms --- README.md | 11 ++++++++++- defaults/main.yml | 12 +++++++----- tasks/main.yml | 23 +++++++++++++++++++---- 3 files changed, 36 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 3355882..147cbaa 100644 --- a/README.md +++ b/README.md 
@@ -27,13 +27,22 @@ This role needs 4 parameters: * `ossec_server_name`: This is the hostname of the server running the ossec-server used for delegate with ansible. * `ossec_managed_server`: When set to false, tasks that delegate to ossec server will be skipped -This role has 3 tasks with 'delagation_to' which needs the parameter `ossec_server_name`. When this parameter is not set, you'll need to run manually the `/var/ossec/bin/ossec-authd` on the server and `/var/ossec/bin/agent-auth` on the agent. When this is the case, it will show you an message with the exact command line. +This role has 3 tasks with 'delagation_to' which needs the parameter `ossec_server_name`. When this parameter +is not set, you'll need to run manually the `/var/ossec/bin/ossec-authd` on the server and `/var/ossec/bin/agent-auth` +on the agent. When this is the case, it will pause and show you an message with the exact command line. You can skip +these pauses using the `ossec_agent_pause_for_manual_steps` variable (see below). The following role variables are optional: * `ossec_active_response_disabled`: Disables active response if set to yes. If this is not defined active response is enabled. * `ossec_disable_public_repos`: Disables installation of public repositories if set to "yes". * `ossec_agent_package_name`: Default is "ossec-hids-agent". This can be set to a URL or path to a .rpm file or path to a .deb file if the public repositories cannot be used. * `ossec_agent_name`: Optional name for the OSSEC agent. Default is to use hostname. +* `ossec_agent_pause_for_manual_steps`: Defaults to true, if false then the playbook will not pause to run manual steps on server. Meant to be used with auto registration. +* `ossec_agent_client_pass`: If set, the agent will use this password when registering with the server. 
+* `ossec_agent_server_cert_path`: If set, the agent will use this root cert to validate any certs provided by the server when registering (the SAN of the cert used by the server must match the `ossec_server_name` used by the client to connect). +* `ossec_agent_cert_path`: If set, the agent will use this cert for itself when registering. +* `ossec_agent_key_path`: If set, the agent will use this key for itself when registering. +``` Dependencies ------------ diff --git a/defaults/main.yml b/defaults/main.yml index 1af8224..fdd297e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -9,9 +9,11 @@ ossec_agent_package_name: ossec-hids-agent # Set to an empty string or null to disable adding a key ossec_agent_debian_repository_key: "https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt" ossec_agent_debian_repository_url: "https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution | lower }}" -ossec_filename: "atomic-release-{{ ossec_server_atomic_release }}.el{{ ansible_distribution_major_version }}.art.noarch.rpm" -ossec_url: "https://www.atomicorp.com/channels/atomic/centos/{{ ansible_distribution_major_version }}/x86_64/RPMS" -ossec_download_url: "{{ ossec_url }}/{{ ossec_filename }}" -ossec_server_disable_gpgkey: False -ossec_agent_client_pass: +ossec_agent_client_pass: "" + +ossec_agent_server_cert_path: "" +ossec_agent_cert_path: "" +ossec_agent_key_path: "" + +ossec_agent_pause_for_manual_steps: true diff --git a/tasks/main.yml b/tasks/main.yml index 869d1b5..4c4fe15 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -45,6 +45,7 @@ owner: ossec group: ossec mode: 0600 + when: ossec_agent_client_pass != "" - name: "Check if client.keys exists" stat: 
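Review bot: The new `when: ossec_agent_client_pass != ""` in the tasks/main.yml hunk only skips the pass-file task for an empty string; a user who sets the variable to null in inventory (the pre-existing default style, `ossec_agent_client_pass:`) still passes the test and gets a file containing the rendered null. The register string added in the same commit uses plain truthiness (`{% if ossec_agent_client_pass %}`), so the two conditions can disagree; `when: ossec_agent_client_pass | default("", true) != ""` makes them consistent. The `copy`/`content` task this guard belongs to starts above the hunk, and it still lacks `no_log: true` for the password content.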
@@ -76,12 +77,26 @@ pause: minutes: 2 prompt: 'Please execute the following command on your ossec-server: "service ossec-authd start"' - when: not ossec_managed_server and not check_keys.stat.exists or ossec_server_name|default("") == "" + when: ossec_agent_pause_for_manual_steps and ( not ossec_managed_server and not check_keys.stat.exists or ossec_server_name|default("") == "" ) tags: - skip_ansible_lint +- name: Generate command to register client + set_fact: + ossec_agent_register_string: | + /var/ossec/bin/agent-auth + -m {{ ossec_server_ip|default(ossec_server_fqdn) }} + -p {{ ossec_server_port|default(1515) }} + -A '{{ ossec_agent_name|default(ansible_hostname) }}' + {% if ossec_agent_client_pass %}-P /var/ossec/etc/authd.pass{% endif %} + {% if ossec_agent_server_cert_path %}-v {{ ossec_agent_server_cert_path }}{% endif %} + {% if ossec_agent_cert_path %}-x {{ ossec_agent_cert_path }}{% endif %} + {% if ossec_agent_key_path %}-k {{ ossec_agent_key_path }}{% endif %} + +- debug: var=ossec_agent_register_string + - name: "register client" - shell: "/var/ossec/bin/agent-auth -m {{ ossec_server_ip|default(ossec_server_fqdn) }} -p 1515 -A '{{ ossec_agent_name|default(ansible_hostname) }}' -P /var/ossec/etc/authd.pass" + command: "{{ ossec_agent_register_string }}" args: creates: /var/ossec/etc/client.keys tags: @@ -107,7 +122,7 @@ pause: minutes: 2 prompt: 'Please execute the following command on your ossec-server: "service ossec-authd stop"' - when: not ossec_managed_server and not check_keys.stat.exists and ossec_server_name|default("") == "" + when: ossec_agent_pause_for_manual_steps and ( not ossec_managed_server and not check_keys.stat.exists and ossec_server_name|default("") == "" ) - name: "Restart ossec-remoted on server. If this is the first agent added it will not be running." shell: /var/ossec/bin/ossec-control restart 
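Review bot: In the "Generate command to register client" hunk the agent name is wrapped in literal single quotes (`-A '{{ ossec_agent_name|default(ansible_hostname) }}'`); with `command:` the string is presumably shlex-split rather than passed to a shell, so a name containing a quote aborts the split and one with spaces relies on those quotes surviving the block scalar. Use the quoting filter and drop the literal quotes, `-A {{ ossec_agent_name|default(ansible_hostname) | quote }}`, and treat the cert and key paths the same way since they also come from variables. The `- debug: var=ossec_agent_register_string` task has no `name:`, which ansible-lint flags; a short name also makes the run output easier to read.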
@@ -121,7 +136,7 @@ pause: minutes: 2 prompt: 'Please execute the following command on your ossec-server: "/var/ossec/bin/ossec-control restart"' - when: not ossec_managed_server and not check_server_keys.stat.exists and ossec_server_name|default("") == "" + when: ossec_agent_pause_for_manual_steps and ( not ossec_managed_server and not check_server_keys.stat.exists and ossec_server_name|default("") == "" ) - name: "Start ossec-agent if not already running" service: From ba76483a4645d543edbc0e3f8900aaf32c2f2626 Mon Sep 17 00:00:00 2001 From: Emmet O'Grady Date: Fri, 4 Sep 2020 12:25:58 +0100 Subject: [PATCH 23/23] Re-add removed default vars by mistake --- defaults/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index fdd297e..7548f95 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -10,6 +10,11 @@ ossec_agent_package_name: ossec-hids-agent ossec_agent_debian_repository_key: "https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt" ossec_agent_debian_repository_url: "https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution | lower }}" +ossec_filename: "atomic-release-{{ ossec_server_atomic_release }}.el{{ ansible_distribution_major_version }}.art.noarch.rpm" +ossec_url: "https://www.atomicorp.com/channels/atomic/centos/{{ ansible_distribution_major_version }}/x86_64/RPMS" +ossec_download_url: "{{ ossec_url }}/{{ ossec_filename }}" + +ossec_server_disable_gpgkey: False ossec_agent_client_pass: "" ossec_agent_server_cert_path: ""