OSSEC configuration and batch installation

Introduction

A few words up front: some material about OSSEC can be found online. It is scarce, but better than nothing, and in real use you will still run into plenty of odd problems. I have tidied up my own installation process and am writing it down as a set of notes. The base environment and the LAMP installation are not covered here.

Environment:

Server:  192.168.1.19
Clients: 192.168.1.21
         192.168.1.22
         192.168.1.23
Preparation

1. Start MySQL and create the OSSEC database account with its privileges:

shell> mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
mysql> set password for ossec@localhost=PASSWORD('ossec');
mysql> flush privileges;
mysql> exit
Installation

1. Download the latest OSSEC package and build in database support:

shell> wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
shell> tar zxf ossec-hids-2.8.3.tar.gz
shell> cd ossec-hids-2.8.3
shell> cd src; make setdb; cd ..

The following message confirms that MySQL support has been compiled in:

Info: Compiled with MySQL support.

2. Run the installer, answering the prompts according to your own requirements:

root@qs-mysql:/opt/ossec-hids-2.8.3# ./install.sh 

  ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします．選択して下さい．[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en
 OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux qs-mysql 3.13.0-66-generic
  - User: root
  - Host: qs-mysql


  -- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local, hybrid or help)? server

  - Server installation chosen.

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: /opt/ossec

    - Installation will be made at  /opt/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]: y
   - What's your e-mail address? yingcaiye@163.com
   - What's your SMTP server ip/host? localhost

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific 
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.  
       More information at:
       http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]: y

     - Active response enabled.

   - By default, we can enable the host-deny and the 
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, 
     portscans and some other forms of attacks. You can 
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]: y

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 8.8.8.8
      - 8.8.4.4

   - Do you want to add more IPs to the white list? (y/n)? [n]: 192.168.1.19
   - IPs (space separated): 192.168.1.19

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: 

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log
    -- /var/log/nginx/access.log (apache log)
    -- /var/log/nginx/error.log (apache log)

 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .

3. Enable database output:

shell> /opt/ossec/bin/ossec-control enable database

4. Import the MySQL table schema:

shell> mysql -uossec -p ossec < ./src/os_dbd/mysql.schema

5. Adjust the file permissions to avoid errors at startup:

shell> chmod u+w /opt/ossec/etc/ossec.conf

6. Edit ossec.conf and add the database configuration:

<ossec_config>
    <database_output>
        <hostname>192.168.1.19</hostname>
        <username>ossec</username>
        <password>ossec</password>
        <database>ossec</database>
        <type>mysql</type>
    </database_output>
</ossec_config>

7. Add the allowed network range for agents to ossec.conf:

  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.0.0/16</allowed-ips>
  </remote>

At this point the server-side configuration is complete. Next comes the batch installation of the clients and the preparation it requires.

1. In a working directory (I use /tmp here) create the IP list and the key generation script.
ip.txt looks like this:

test1-host:192.168.1.21
test2-host:192.168.1.22
test3-host:192.168.1.23.......

The key generation script key-gen.py:

#!/usr/bin/python
# Register every host listed in ip.txt ("hostname:ip" per line) with
# ossec-batch-manager.pl and append each extracted key to keys.logs.

import os

if __name__ == '__main__':
    save_keys_path = "keys.logs"
    shell_path = "/opt/ossec-hids-2.8.3/contrib/ossec-batch-manager.pl"

    with open("ip.txt") as f:
        lines = f.read().splitlines()

    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed entries
        host_name, ip = line.split(":", 1)
        # -a adds the agent with the given IP and name
        cmd = "%s -a --ip %s --name %s" % (shell_path, ip, host_name)
        os.system(cmd)
        # -e extracts the generated key; append it to keys.logs
        cmd = "%s -e %s >> %s" % (shell_path, ip, save_keys_path)
        os.system(cmd)

By default the generated keys are written to /var/ossec/etc/client.keys; once generated, copy that file into the etc directory of your actual OSSEC installation.
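As an added example (not code from the original post), the following Python validates the ip.txt entries before they reach ossec-batch-manager.pl and splits the generated client.keys into one entry per agent IP, so the server can publish a per-host key file instead of the whole keyring; the sample inputs are constructed.

```python
# Added example (not from the original post): validate ip.txt before it is
# fed to ossec-batch-manager.pl, and split the resulting client.keys so each
# agent only receives its own key line.
import ipaddress
import re

# Constructed samples: ip.txt in the "hostname:ip" format used above, and a
# client.keys ("id name ip key") whose keys are placeholders, not real ones.
SAMPLE_IP_TXT = """test1-host:192.168.1.21
test2-host:192.168.1.22
not a valid line
test3-host:999.1.1.1
test4-host:192.168.1.22
"""
SAMPLE_CLIENT_KEYS = """001 test1-host 192.168.1.21 0123456789abcdef0123456789abcdef
002 test2-host 192.168.1.22 fedcba9876543210fedcba9876543210
"""
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

def parse_ip_list(text):
    """Return (valid, errors): malformed or duplicate entries are reported."""
    valid, errors, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        name, sep, ip = line.partition(":")
        if not sep or not HOST_RE.match(name):
            errors.append("line %d: expected name:ip, got %r" % (n, line))
            continue
        try:
            ip = str(ipaddress.ip_address(ip.strip()))
        except ValueError:
            errors.append("line %d: invalid IP %r" % (n, ip))
            continue
        if ip in seen:
            errors.append("line %d: duplicate IP %s" % (n, ip))
            continue
        seen.add(ip)
        valid.append((name, ip))
    return valid, errors

def split_client_keys(text):
    """Map agent IP -> its client.keys line, matched on the IP field exactly."""
    per_host = {}
    for line in text.splitlines():
        fields = line.split()
        # exact comparison of the third field avoids pairing .2 with .21
        if len(fields) == 4 and not fields[0].startswith("#"):
            per_host[fields[2]] = " ".join(fields)
    return per_host
```

Each value of split_client_keys can be written to its own file (for example keys/192.168.1.21) and served to just that host.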

2. Edit the /opt/ossec-hids-2.8.3/etc/preloaded-vars.conf file:

# preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net).
#
# Use this file to customize your installations.
# It will make the install.sh script pre-load some
# specific options to make it run automatically
# or with less questions.

# PLEASE NOTE:
# When we use "n" or "y" in here, it should be changed
# to "n" or "y" in the language you are doing the
# installation. For example, in portuguese it would
# be "s" or "n".


# USER_LANGUAGE defines the language to be used.
# It can be "en", "br", "tr", "it", "de" or "pl".
# In case of an invalid language, it will default
# to English "en" 
USER_LANGUAGE="en"     # For english
#USER_LANGUAGE="br"     # For portuguese


# If USER_NO_STOP is set to anything, the confirmation
# messages are not going to be asked.
USER_NO_STOP="y"


# USER_INSTALL_TYPE defines the installation type to
# be used during install. It can only be "local",
# "agent" or "server".
#USER_INSTALL_TYPE="local"
USER_INSTALL_TYPE="agent"
#USER_INSTALL_TYPE="server"


# USER_DIR defines the location to install ossec
USER_DIR="/opt/ossec"


# If USER_DELETE_DIR is set to "y", the directory
# to install OSSEC will be removed if present.
#USER_DELETE_DIR="y"


# If USER_ENABLE_ACTIVE_RESPONSE is set to "n",
# active response will be disabled.
USER_ENABLE_ACTIVE_RESPONSE="y"


# If USER_ENABLE_SYSCHECK is set to "y", 
# syscheck will be enabled. Set to "n" to
# disable it.
USER_ENABLE_SYSCHECK="y"


# If USER_ENABLE_ROOTCHECK is set to "y",
# rootcheck will be enabled. Set to "n" to
# disable it.
USER_ENABLE_ROOTCHECK="y"


# If USER_UPDATE is set to anything, the update
# installation will be done.
USER_UPDATE="y"

# If USER_UPDATE_RULES is set to anything, the
# rules will also be updated.
USER_UPDATE_RULES="y"

# If USER_BINARYINSTALL is set, the installation
# is not going to compile the code, but use the
# binaries from ./bin/
#USER_BINARYINSTALL="x"


### Agent Installation variables. ###

# Specifies the IP address or hostname of the
# ossec server. Only used on agent installations.
# Choose only one, not both.
USER_AGENT_SERVER_IP="192.168.1.19"
# USER_AGENT_SERVER_NAME


# USER_AGENT_CONFIG_PROFILE specifies the agent's config profile
# name. This is used to create agent.conf configuration profiles
# for this particular profile name. Only used on agent installations.
# Can be any string. E.g. LinuxDBServer or WindowsDomainController
#USER_AGENT_CONFIG_PROFILE="generic"



### Server/Local Installation variables. ###

# USER_ENABLE_EMAIL enables or disables email alerting.
#USER_ENABLE_EMAIL="y"

# USER_EMAIL_ADDRESS defines the destination e-mail of the alerts.
#USER_EMAIL_ADDRESS="dcid@test.ossec.net"

# USER_EMAIL_SMTP defines the SMTP server to send the e-mails.
#USER_EMAIL_SMTP="test.ossec.net"


# USER_ENABLE_SYSLOG enables or disables remote syslog.
#USER_ENABLE_SYSLOG="y"


# USER_ENABLE_FIREWALL_RESPONSE enables or disables
# the firewall response.
#USER_ENABLE_FIREWALL_RESPONSE="y"


# Enable PF firewall (OpenBSD, FreeBSD and Darwin only)
#USER_ENABLE_PF="y"


# PF table to use (OpenBSD, FreeBSD and Darwin only).
#USER_PF_TABLE="ossec_fwtable"


# USER_WHITE_LIST is a list of IPs or networks
# that are going to be set to never be blocked.
#USER_WHITE_LIST="192.168.2.1 192.168.1.0/24"


#### exit ? ###

The file above is the answer file for the installer: it removes the need for interactive input, which is what makes batch installation possible.

3. Place the modified files ossec.conf, preloaded-vars.conf and client.keys, together with the OSSEC package ossec-hids-2.8.3.tar.gz, in Apache's default document root (here /var/www/html):

ls /var/www/html

client.keys  ossec-hids-2.8.3.tar.gz  ossec.conf  preloaded-vars.conf

4. On each client machine to be installed, create the deployment script ossec_agent_install.sh:

#!/bin/bash
set -e

SERVER=192.168.1.19   # the OSSEC server, which also serves the files over HTTP

cd /opt
wget http://${SERVER}/ossec-hids-2.8.3.tar.gz
tar -zxvf ossec-hids-2.8.3.tar.gz

cd ossec-hids-2.8.3/etc

mv preloaded-vars.conf preloaded-vars.conf.bak

# Download the answer file from the server so install.sh runs unattended
# instead of in interactive question-and-answer mode
wget http://${SERVER}/preloaded-vars.conf

../install.sh

cd /opt/ossec/etc

# Download the key file generated on the server (it contains every agent's key)
wget -O client.keys.all http://${SERVER}/client.keys

# Address of the interface in use; change eth0 to eth1 to match the host
ip1=$(/sbin/ifconfig eth0 | sed -n '2p' | awk -F: '{print $2}' | awk '{print $1}')
#ip2=$(/sbin/ifconfig eth1 | sed -n '2p' | awk -F: '{print $2}' | awk '{print $1}')

# Keep only this host's entry. client.keys lines are "id name ip key", so the
# third field is compared exactly; an unanchored pattern such as 192.168.1.2
# would also match 192.168.1.21 and 192.168.1.22
awk -v ip="$ip1" '$3 == ip' client.keys.all > client.keys
rm -f client.keys.all
# wget leaves the file world-readable; restrict it to root and the ossec group
chown root:ossec client.keys
chmod 440 client.keys

rm -f ossec.conf
# Download the shared configuration file
wget http://${SERVER}/ossec.conf

# Start the agent
/opt/ossec/bin/ossec-control start

Save this script in /opt and run it. When it finishes the client installation is complete; check the process list to confirm the agent started without errors.

Viewing alerts through the web interface

1. Above we installed the OSSEC server and added clients to it, a very simple environment. It is up and running, but analysing OSSEC alerts in it is cumbersome, so we install a third-party web interface to display them:

shell> wget https://github.com/ECSC/analogi/archive/master.zip
shell> unzip master
shell> mv analogi-master/ /var/www/html/analogi
shell> cd /var/www/html/
shell> chown -R apache.apache analogi/
shell> cd analogi/
shell> cp db_ossec.php.new db_ossec.php

2. Edit the database settings in db_ossec.php:

define ('DB_USER_O', 'ossec');
define ('DB_PASSWORD_O', 'ossec');
define ('DB_HOST_O', '127.0.0.1');
define ('DB_NAME_O', 'ossec');

3. Add the corresponding Apache configuration:

vim /etc/httpd/conf.d/analogi.conf

with the following content:

Alias /analogi /var/www/html/analogi
<Directory /var/www/html/analogi>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/16
</Directory>

4. Restart Apache and open the page:

shell> /etc/init.d/httpd restart
http://192.168.1.19/analogi