OSSEC configuration and batch installation

Source: Internet    Editor: 程序博客网    Time: 2024/05/20 02:30

Introduction

A note before starting: there is some material about OSSEC online, not much, but better than nothing, and in real use you still run into plenty of odd problems. This is a write-up of my own deployment, kept as notes. The base environment and the LAMP installation are not covered here.

Environment:

Server:  192.168.1.19
Clients: 192.168.1.21        192.168.1.22        192.168.1.23

Preparation

1. Start MySQL and create the OSSEC database, account and privileges. The password chosen here ('ossec') is only a placeholder; it is later stored in plaintext in ossec.conf and in analogi's db_ossec.php, so use a real one.

shell> mysql -uroot -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
mysql> set password for ossec@localhost=PASSWORD('ossec');
mysql> flush privileges;
mysql> exit

Installation

1. Download the latest OSSEC release and build in database support. Compare the tarball's checksum against the one published with the release before building it; this archive is the same one every agent will later fetch and run as root.

shell> wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
shell> tar zxf ossec-hids-2.8.3.tar.gz
shell> cd ossec-hids-2.8.3
shell> cd src; make setdb; cd ..

When the following message appears, MySQL support has been compiled in:

Info: Compiled with MySQL support.

2. Run the installer and answer the prompts according to your own needs:

root@qs-mysql:/opt/ossec-hids-2.8.3# ./install.sh

  ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします．選択して下さい．[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].

  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en

 OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux qs-mysql 3.13.0-66-generic
  - User: root
  - Host: qs-mysql

  -- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local, hybrid or help)? server
  - Server installation chosen.

2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]: /opt/ossec
    - Installation will be made at  /opt/ossec .

3- Configuring the OSSEC HIDS.
  3.1- Do you want e-mail notification? (y/n) [y]: y
   - What's your e-mail address? yingcaiye@163.com
   - What's your SMTP server ip/host? localhost
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
   - Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
   - Running rootcheck (rootkit detection).
  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response
   - Do you want to enable active response? (y/n) [y]: y
     - Active response enabled.
   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.
   - Do you want to enable the firewall-drop response? (y/n) [y]: y
     - firewall-drop enabled (local) for levels >= 6
   - Default white list for the active response:
      - 8.8.8.8
      - 8.8.4.4
   - Do you want to add more IPs to the white list? (y/n)? [n]: y
   - IPs (space separated): 192.168.1.19
  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
   - Remote syslog enabled.
  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log
    -- /var/log/nginx/access.log (apache log)
    -- /var/log/nginx/error.log (apache log)

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .

Whitelisting the server's own address (192.168.1.19) matters once firewall-drop is enabled: without it, a noisy event attributed to the server itself can make active response insert an iptables rule against the management host.

3. Enable database support

shell> /opt/ossec/bin/ossec-control enable database

4. Import the MySQL table schema

shell> mysql -uossec -p ossec < ./src/os_dbd/mysql.schema

5. Make the configuration file writable so it can be edited (the installer leaves it read-only); restore the original restrictive permissions afterwards, since the file will contain a database password

shell> chmod u+w /opt/ossec/etc/ossec.conf

6. Edit ossec.conf and add the database output section

<ossec_config>
    <database_output>
        <hostname>localhost</hostname>
        <username>ossec</username>
        <password>ossec</password>
        <database>ossec</database>
        <type>mysql</type>
    </database_output>
</ossec_config>

The hostname has to match the account created in the preparation step. That grant was for ossec@localhost, so ossec-dbd must connect as localhost (Unix socket); if it connected to 192.168.1.19 instead, MySQL would see the client as ossec@192.168.1.19, which has no grant, and refuse the login. Either keep localhost here, or add a second grant for that address.

7. Add the allowed network range for remote syslog to ossec.conf

  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.0.0/16</allowed-ips>
  </remote>

This block only governs the plain syslog listener on 514/udp enabled in step 3.5. The agents installed below do not use it: they talk to the <connection>secure</connection> listener (1514/udp) that install.sh already wrote into the server's ossec.conf, and are authenticated by the keys in client.keys rather than by source address. Syslog messages carry no authentication at all, so keep the allowed range as narrow as the real syslog senders permit; every host inside it can inject arbitrary events.

That completes the server side. Next comes the batch installation of the clients and the preparation it needs.

1. In a working directory (I use /tmp) create the IP list and the key generation script.
ip.txt, one "hostname:ip" pair per line:

test1-host:192.168.1.21
test2-host:192.168.1.22
test3-host:192.168.1.23
.......

The key generation script key-gen.py:

#!/usr/bin/python
import os

if __name__ == '__main__':
    save_keys_path = "keys.logs"
    # ip.txt holds one "hostname:ip" entry per line
    with open("ip.txt") as f:
        lines = f.read().splitlines()
    shell_path = "/opt/ossec-hids-2.8.3/contrib/ossec-batch-manager.pl"
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed entries
        host_name, ip = line.split(":", 1)
        # register the agent; ossec-batch-manager.pl writes /var/ossec/etc/client.keys
        cmd = "%s -a --ip %s --name %s" % (shell_path, ip, host_name)
        os.system(cmd)
        # extract the agent's key and append it to keys.logs
        cmd = "%s -e %s >> %s" % (shell_path, ip, save_keys_path)
        os.system(cmd)

By default the generated keys are written to /var/ossec/etc/client.keys. Once generated, copy that file into the etc directory of the actual OSSEC installation (/opt/ossec/etc here).

2. Edit /opt/ossec-hids-2.8.3/etc/preloaded-vars.conf:

# preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net).
#
# Use this file to customize your installations.
# It will make the install.sh script pre-load some
# specific options to make it run automatically
# or with less questions.
#
# PLEASE NOTE:
# When we use "n" or "y" in here, it should be changed
# to "n" or "y" in the language your are doing the
# installation. For example, in portuguese it would
# be "s" or "n".


# USER_LANGUAGE defines to language to be used.
# It can be "en", "br", "tr", "it", "de" or "pl".
# In case of an invalid language, it will default
# to English "en"
USER_LANGUAGE="en"     # For english
#USER_LANGUAGE="br"     # For portuguese


# If USER_NO_STOP is set to anything, the confirmation
# messages are not going to be asked.
USER_NO_STOP="y"


# USER_INSTALL_TYPE defines the installation type to
# be used during install. It can only be "local",
# "agent" or "server".
#USER_INSTALL_TYPE="local"
USER_INSTALL_TYPE="agent"
#USER_INSTALL_TYPE="server"


# USER_DIR defines the location to install ossec
USER_DIR="/opt/ossec"


# If USER_DELETE_DIR is set to "y", the directory
# to install OSSEC will be removed if present.
#USER_DELETE_DIR="y"


# If USER_ENABLE_ACTIVE_RESPONSE is set to "n",
# active response will be disabled.
USER_ENABLE_ACTIVE_RESPONSE="y"


# If USER_ENABLE_SYSCHECK is set to "y",
# syscheck will be enabled. Set to "n" to
# disable it.
USER_ENABLE_SYSCHECK="y"


# If USER_ENABLE_ROOTCHECK is set to "y",
# rootcheck will be enabled. Set to "n" to
# disable it.
USER_ENABLE_ROOTCHECK="y"


# If USER_UPDATE is set to anything, the update
# installation will be done.
USER_UPDATE="y"

# If USER_UPDATE_RULES is set to anything, the
# rules will also be updated.
USER_UPDATE_RULES="y"


# If USER_BINARYINSTALL is set, the installation
# is not going to compile the code, but use the
# binaries from ./bin/
#USER_BINARYINSTALL="x"



### Agent Installation variables. ###

# Specifies the IP address or hostname of the
# ossec server. Only used on agent installations.
# Choose only one, not both.
USER_AGENT_SERVER_IP="192.168.1.19"
# USER_AGENT_SERVER_NAME

# USER_AGENT_CONFIG_PROFILE specifies the agent's config profile
# name. This is used to create agent.conf configuration profiles
# for this particular profile name. Only used on agent installations.
# Can be any string. E.g. LinuxDBServer or WindowsDomainController
#USER_AGENT_CONFIG_PROFILE="generic"



### Server/Local Installation variables. ###

# USER_ENABLE_EMAIL enables or disables email alerting.
#USER_ENABLE_EMAIL="y"

# USER_EMAIL_ADDRESS defines the destination e-mail of the alerts.
#USER_EMAIL_ADDRESS="dcid@test.ossec.net"

# USER_EMAIL_SMTP defines the SMTP server to send the e-mails.
#USER_EMAIL_SMTP="test.ossec.net"

# USER_ENABLE_SYSLOG enables or disables remote syslog.
#USER_ENABLE_SYSLOG="y"

# USER_ENABLE_FIREWALL_RESPONSE enables or disables
# the firewall response.
#USER_ENABLE_FIREWALL_RESPONSE="y"

# Enable PF firewall (OpenBSD, FreeBSD and Darwin only)
#USER_ENABLE_PF="y"

# PF table to use (OpenBSD, FreeBSD and Darwin only).
#USER_PF_TABLE="ossec_fwtable"

# USER_WHITE_LIST is a list of IPs or networks
# that are going to be set to never be blocked.
#USER_WHITE_LIST="192.168.2.1 192.168.1.0/24"

#### exit ? ###

This file is the answer file for the installer: install.sh reads the USER_* variables and skips the interactive prompts, which is what makes an unattended batch installation possible. The values that matter for the agents are USER_INSTALL_TYPE="agent", USER_DIR="/opt/ossec" and USER_AGENT_SERVER_IP, which must point at the OSSEC server (192.168.1.19 in this environment).

3. Put the edited files (ossec.conf, preloaded-vars.conf, client.keys) and the ossec-hids-2.8.3.tar.gz archive in Apache's document root (here /var/www/html) so the clients can fetch them:

ls /var/www/html
client.keys  ossec-hids-2.8.3.tar.gz  ossec.conf  preloaded-vars.conf

Two caveats. client.keys holds the shared key of every agent; anything that can fetch it from this web root can impersonate any agent to the server, so restrict the directory to the client addresses (the same Allow from approach used for analogi below) and delete it from the web root as soon as the rollout is done. The ossec.conf published here must be an agent configuration, i.e. one with a <client><server-ip>192.168.1.19</server-ip></client> block, not a copy of the server's ossec.conf.

4. On each client that needs the agent, create the deployment script ossec_agent_install.sh:

#!/bin/bash
cd /opt
wget http://192.168.1.19/ossec-hids-2.8.3.tar.gz
tar -zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3
cd etc
mv preloaded-vars.conf preloaded-vars.conf.bak
# fetch the answer file from the server: the installer then runs unattended instead of interactively
wget http://192.168.1.19/preloaded-vars.conf
../install.sh
cd /opt/ossec/etc
# fetch the client.keys generated on the server
wget http://192.168.1.19/client.keys
ip1=`/sbin/ifconfig eth0|sed -n '2p' |awk -F: '{print $2}'|awk '{print$1}'`
#ip2=`/sbin/ifconfig eth1|sed -n '2p' |awk -F: '{print $2}'|awk '{print$1}'`
# use eth0 or eth1 according to the interface this host actually has
# keep only the line for this host's IP; all other agents' keys are deleted
sed -i "/$ip1/!d" /opt/ossec/etc/client.keys
# wget leaves the file world-readable; the agent runs as the ossec user and only needs group read (added hardening)
chown root:ossec /opt/ossec/etc/client.keys
chmod 640 /opt/ossec/etc/client.keys
rm -rf ossec.conf
# fetch the unified agent configuration file
wget http://192.168.1.19/ossec.conf
# start the agent
/opt/ossec/bin/ossec-control start

Place the script in /opt and run it. When it finishes, the client installation is complete; check the process list (ossec-agentd, ossec-syscheckd, ossec-logcollector, ossec-execd) to confirm that the agent started. Note that the sed filter above treats the dots in the IP as regex wildcards and matches substrings, so a host such as 192.168.1.2 would also keep the 192.168.1.21 line; an agent with more than one line in client.keys will not register correctly.
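The key handling in steps 1 and 3 above (generate all keys into one client.keys, publish the whole file, let every agent cut out its own line with sed) is the weak point of the rollout: every agent, and anyone who can reach the web root, receives every key. The following is an added example, not code from the original post or from the OSSEC project, that does the split on the server instead: it parses a client.keys file, selects an agent by exact IP match (avoiding the substring problem of the sed filter), and writes one group-readable file per agent that the deployment script could fetch in place of the full file. The sample client.keys content is constructed for the three hosts used in the post with made-up keys, and the output directory and the "<ip>.keys" naming are assumptions, not OSSEC conventions.

```python
#!/usr/bin/env python3
"""Split an OSSEC client.keys file into per-agent key files.

Added example (not from the original post or from OSSEC). The server-side
alternative to publishing the whole client.keys: each host fetches only its
own key. Output directory and file naming are assumptions.
"""
import os
import re

# OSSEC client.keys format: "<id> <name> <ip> <key>", one agent per line, the
# key being 64 hex characters. OSSEC prefixes removed agents with "!"; those
# lines must not be handed out again.
KEY_LINE = re.compile(
    r"^(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<key>[0-9a-f]{64})$"
)

# Constructed sample for the three hosts from the post; the keys are made up
# and the "!003" line stands for an agent that was removed on the server.
SAMPLE_CLIENT_KEYS = (
    "001 test1-host 192.168.1.21 " + "11" * 32 + "\n"
    "002 test2-host 192.168.1.22 " + "22" * 32 + "\n"
    "!003 old-host 192.168.1.2 " + "33" * 32 + "\n"
    "004 test3-host 192.168.1.23 " + "44" * 32 + "\n"
)


def parse_client_keys(text):
    """Return a list of {id, name, ip, key} dicts for the active agents.

    Blank lines, comments and removed ("!...") agents are skipped. Any other
    line that does not match the format raises ValueError, so a truncated or
    corrupted file is rejected instead of silently producing agents without
    a usable key.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError("client.keys line %d is malformed: %r" % (lineno, raw))
        entries.append(m.groupdict())
    return entries


def key_line_for_host(entries, ip):
    """Return the exact client.keys line for one agent IP, or None.

    The comparison is an exact string match on purpose: the sed filter in the
    deployment script (sed -i "/$ip/!d") treats "." as a regex wildcard and
    matches substrings, so an agent at 192.168.1.2 would also keep the
    192.168.1.21 line. Two registrations for one IP are an error here.
    """
    matches = [e for e in entries if e["ip"] == ip]
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError("more than one agent registered for %s" % ip)
    e = matches[0]
    return "%s %s %s %s" % (e["id"], e["name"], e["ip"], e["key"])


def write_per_agent_keys(entries, outdir):
    """Write <outdir>/<ip>.keys for every active agent, mode 0640, and return
    the paths written. The mode is set explicitly so neither the umask nor a
    pre-existing file leaves a key world-readable."""
    os.makedirs(outdir, mode=0o750, exist_ok=True)
    paths = []
    for e in entries:
        path = os.path.join(outdir, e["ip"] + ".keys")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
        with os.fdopen(fd, "w") as f:
            f.write(key_line_for_host(entries, e["ip"]) + "\n")
        os.chmod(path, 0o640)
        paths.append(path)
    return paths


if __name__ == "__main__":
    import tempfile
    agents = parse_client_keys(SAMPLE_CLIENT_KEYS)
    outdir = tempfile.mkdtemp(prefix="agent-keys-")
    for p in write_per_agent_keys(agents, outdir):
        print(p)
```

On the server this would run against /opt/ossec/etc/client.keys after key-gen.py, and the deployment script would then fetch only its own <ip>.keys into /opt/ossec/etc/client.keys (still behind an address restriction on the web server, since the key is the agent's only credential).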

Web interface configuration

1. So far we have installed the OSSEC server and added agents to it, a very simple environment. Reading the alerts from the raw log files and the database is tedious, so we install a third-party web interface (analogi) to display them.

shell> wget https://github.com/ECSC/analogi/archive/master.zip
shell> unzip master.zip
shell> mv analogi-master/ /var/www/html/analogi
shell> cd /var/www/html/
shell> chown -R apache.apache analogi/
shell> cd analogi/
shell> cp db_ossec.php.new db_ossec.php

2. Edit the database settings in db_ossec.php (use the same account and password that were granted to ossec@localhost in the preparation step):

define ('DB_USER_O', 'ossec');
define ('DB_PASSWORD_O', 'ossec');
define ('DB_HOST_O', '127.0.0.1');
define ('DB_NAME_O', 'ossec');

3. Add the corresponding Apache configuration:

vim /etc/httpd/conf.d/analogi.conf

Contents:

Alias /analogi /var/www/html/analogi
<Directory /var/www/html/analogi>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/16
</Directory>

The Order/Deny/Allow directives are Apache 2.2 syntax (mod_access); on Apache 2.4 the equivalent is a single "Require ip 192.168.0.0/16" line inside the Directory block. Either way the restriction is the only access control in front of analogi, so keep the allowed range no wider than the administrators' network.

4. Restart Apache and open the interface

shell> /etc/init.d/httpd restart
http://192.168.1.19/analogi