freedomofpress / ossec

This repository contains all of the code and documentation related to the generic OSSEC packages maintained by the Freedom of the Press Foundation for all SecureDrop instances.

License: GNU General Public License v2.0

Shell 84.58% Python 15.42%

ossec's Issues

Fetch OSSEC vars dynamically

Right now we've got a rake task to reduce the tedium of updating the checksums by hand, but that process can be improved further by bundling a custom module with the Ansible role to handle the lookups during execution. The vars that should be included:

  • filename of tarball
  • URL to download tarball from
  • URL for checksum file
  • MD5 checksum for tarball
  • SHA1 checksum for tarball

Unfortunately the OSSEC maintainers do not provide SHA256 checksums for the OSSEC downloads, so we'll need to update the role to check the MD5 and SHA1 sums after downloading, forgoing the SHA256 verification built into the get_url module.
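
An added example, not code from this repository: one way the post-download check described in this issue could be written as the core of a custom Ansible module, accepting the tarball only when both the MD5 and the SHA1 digest match. The checksum-file line format, the function names and the sample file are assumptions; the page does not show the real checksum file.

```python
import hashlib
import hmac
import pathlib
import re
import tempfile

# Assumed line format, e.g. "SHA1(name.tar.gz)= <hex>"; the page does not show the real file.
LINE_RE = re.compile(r"^(MD5|SHA1)\s*\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)$")
HEX_LEN = {"md5": 32, "sha1": 40}

def parse_checksums(text, filename):
    """Return {'md5': hex, 'sha1': hex} for filename; raise if either is absent or malformed."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2).strip() == filename:
            algo, digest = m.group(1).lower(), m.group(3).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length")
            if found.setdefault(algo, digest) != digest:
                raise ValueError(f"conflicting {algo} entries for {filename}")
    if set(found) != set(HEX_LEN):
        raise ValueError(f"need both MD5 and SHA1 entries for {filename}")
    return found

def file_digests(path, chunk=65536):
    """Read the file once in chunks, feeding both hash objects from the same bytes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_tarball(path, checksum_text, filename):
    """True only if BOTH published digests match the bytes on disk."""
    expected, actual = parse_checksums(checksum_text, filename), file_digests(path)
    return all(hmac.compare_digest(expected[a], actual[a]) for a in HEX_LEN)

def demo():
    """Constructed sample: a fake tarball checked before and after its bytes change."""
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp, "example.tar.gz")
        path.write_bytes(b"constructed sample bytes")
        template = "MD5(example.tar.gz)= {md5}\nSHA1(example.tar.gz)= {sha1}\n"
        sums = template.format(**file_digests(path))
        ok = verify_tarball(path, sums, "example.tar.gz")
        path.write_bytes(b"tampered")
        return ok, verify_tarball(path, sums, "example.tar.gz")
```

If the checksum file is fetched from the same site as the tarball, a match shows the download is intact, not that the server is trustworthy.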

Update deb packages changelog

  • The ossec-server and ossec-agent deb packages have changelog files, at their respective ossec/ossec-agent/usr/share/doc/ossec-agent/changelog.Debian paths, that need to be updated for each release. This is currently a manual process.
  • The ossec-server and ossec-agent deb packages have an init file, ossec/ossec-agent/etc/ossec-init.conf, that should be updated for each release. This is currently a manual process.

Missing OSSEC vars file yields unhelpful error message

Since the changes in #5, which automated the retrieval of checksum info from the OSSEC website, it's necessary to run rake to generate ansible_vars.json. If you do not do this, there's a thoroughly unhelpful error message:

$ vagrant up build
Bringing machine 'build' up with 'virtualbox' provider...
There are errors in the configuration of this machine. Please fix
the following errors and try again:

ansible provisioner:
* `extra_vars` for the Ansible provisioner must be a hash or a path to an 
existing file. Received: ansible_vars.json (as String)

This is because the Vagrantfile now includes ansible.extra_vars = "ansible_vars.json", and vagrant can't find that file, so it yells at you.

Solutions

Add checks for file existence to Vagrantfile before the ansible provisioner runs

Advantage here is that we can have a custom error message, instructing the user to run the rake command, or at least refer to the README. This is worth implementing as a stopgap measure because it's a trivial change.

Move vars include into playbook

Doing so results in a marginally more useful error message:

# snip...

==> build: Running provisioner: ansible...
PYTHONUNBUFFERED=1 ANSIBLE_HOST_KEY_CHECKING=false ANSIBLE_FORCE_COLOR=true 
ANSIBLE_SSH_ARGS='-o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o 
ControlMaster=auto -o ControlPersist=60s' ansible-playbook --user=vagrant 
--connection=ssh --timeout=30 --limit='build' 
--inventory-file=/path/to/this/repo/ossec/.vagrant/provisioners/ansible/inventory -v ansible/build-deb-pkgs.yml
ERROR: file could not read: /path/to/this/repo/ossec/ansible_vars.json
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

However, it still doesn't tell you what you need to fix it. It's cleaner practice, and so worth implementing, but only as a supplementary stopgap measure, on top of file existence checking.

Use ansible to fetch the vars dynamically

The rake dependency provided by #5 introduced complexity I was loath to accept, but the additions were a great step forward in automating tedium. In fact, the rake approach is what gave me the idea to leverage an ansible module for fetching vars in the grsecurity repo. A long-term solution should bundle a library with the ossec building role and ditch the Ruby dependencies for bundler and rake.
