在Linux发行版上配置OSSEC
发布日期:2025年8月12日
我们在Trunc是OSSEC的忠实粉丝。我们在多个不同的NOC资产中维护着可能是最大规模的活跃部署之一。下面我们将分享一个内部使用的脚本,用于在不同Linux发行版上快速部署OSSEC。
该脚本假设您在Linux发行版(如Fedora、Ubuntu、CentOS或Debian)上进行部署。在运行前会强制您选择发行版操作系统,这确保了根据发行版类型安装适当的依赖项。
此脚本使用的是Daniel维护的OSSEC构建版本(而非官方主线)。如果您想改用主线版本,请根据需要编辑脚本。
OSSEC可以通过预加载变量进行编译和安装,而无需install.sh的交互过程。下面的脚本正是采用这种方法:将各项设置回显写入etc/preloaded-vars.conf配置文件。您也可以直接从GitHub下载此代码。
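#!/bin/bash
# Created by: Tony Perez
# Version 1.0
#####################################################
#####################################################
# Description:
# This script will configure an OSSEC Agent. It is designed to work with an OSSEC manager.
# This script will:
# - Check for dependencies based on OS type
# - Will create appropriate folders, default directory is /root
# - This uses the Daniel's OSSEC build
# - This script will install OSSEC using preload variables.
# - Will ask you to define the Manager before doing the install.
# - All variables are created in the install directory ../etc/preloaded-vars.conf
# - This will not start OSSEC, you have to start manually once configured.
#
# Usage: $0 <centos|ubuntu|debian|fedora>
#   ('federoa' is still accepted for compatibility with the original misspelled option)
#
# Every stage (dependency install, download, unzip, install.sh) is a hard
# prerequisite of the next one, so stop at the first failure instead of
# reporting "installed successfully" after a broken step.
set -euo pipefail

echo "Hi, this script is going to install the OSSEC product with an Agent configuration.."
echo "Please be sure to watch for the prompt to enter the Manager IP."
echo "All other settings are set in preloaded-vars.conf to streamline the deployment."
#Begin installation of OSSEC: https://dcid.me/texts/my-ossec-setup-manual.html
RED='\033[0;31m'
NC='\033[0m'

# Working locations; the extracted tree name comes from the master.zip archive below.
readonly downloads="/root/Downloads"
readonly downloaddir="${downloads}/ossec-hids-master"
readonly preload="${downloaddir}/etc/preloaded-vars.conf"

#######################################
# Print the accepted distribution options to stdout (colour escapes use RED/NC).
#######################################
usage() {
  echo " "
  echo "Please pass one of the following options into the script:"
  echo " "
  echo -e " Run the following command: ${RED}$0 centos${NC}"
  echo -e " Run the following command: ${RED}$0 ubuntu${NC}"
  echo -e " Run the following command: ${RED}$0 debian${NC}"
  echo -e " Run the following command: ${RED}$0 fedora${NC}"
}

#######################################
# Install the build/runtime dependencies for the selected distribution.
# Arguments: $1 - distribution name (centos|ubuntu|debian|fedora)
# Returns:   exits 1 when the name is not recognised
#######################################
install_deps() {
  local distro="${1:-}"
  case "$distro" in
    centos)
      echo "You have selected CentOS"
      echo "Installing CentOS dependencies"
      sudo yum -y install gcc make libc-dev wget
      echo "Done with CentOS dependencies."
      ;;
    ubuntu)
      echo "You have selected Ubuntu"
      echo "Intalling Ubuntu dependencies"
      sudo apt install -y gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget unzip tar
      echo "Done with Ubuntu dependencies."
      ;;
    debian)
      echo "You have selected Debian"
      echo "Installing Debian dependencies"
      sudo apt-get update
      sudo apt-get install -y build-essential inotify-tools ntp
      sudo systemctl start ntp
      echo "Debian doesn't have IPTables..will install"
      sudo apt-get install -y iptables-persistent
      sudo systemctl restart netfilter-persistent
      echo "Done with Debian dependencies."
      ;;
    # The usage text advertises "fedora"; the original only matched the typo "federoa",
    # so both spellings are accepted here.
    fedora|federoa)
      echo "You have selected Fedora"
      echo "Installing Fedora dependencies"
      sudo yum install -y bind-utils gcc make inotify-tools
      echo "Done with Fedora dependencies."
      ;;
    *)
      usage
      exit 1
      ;;
  esac
}

#######################################
# Append one KEY="VALUE" line to the preloaded-vars file read by install.sh.
# Arguments: $1 - variable name, $2 - value
#######################################
set_preload() {
  printf '%s="%s"\n' "$1" "$2" >> "$preload"
}

#Install dependencies first
install_deps "${1:-}"

echo "Creating new Downloads directory in root"
# -p: re-running the script must not abort because the directory already exists.
mkdir -p -- "$downloads"
cd -- "$downloads"
echo "New Downloads directory created and set"
echo "Downloading OSSEC installation"
# NOTE(review): this fetches an unpinned branch snapshot and performs no integrity
# check on the archive; pin a release/commit and verify a checksum for production use.
wget https://github.com/dcid/ossec-hids/archive/refs/heads/master.zip
echo "Extracting installation into Downloads folder"
# -o: overwrite a previous extraction instead of prompting interactively.
unzip -o master.zip
echo "Switching directories to the new decrypted installation"
[[ -d "$downloaddir" ]] || { echo "Expected ${downloaddir} after unzip, aborting." >&2; exit 1; }

#Setting Default OSSEC installation settings
echo "Adding default OSSEC configurations values:"
echo "Enter manager IP:"
read -r managerIP
# The preload file is read by install.sh as shell assignments, so only a plain
# IPv4/IPv6 address or hostname is accepted; anything else is rejected rather
# than written into a file the installer evaluates.
if [[ -z "$managerIP" || ! "$managerIP" =~ ^[A-Za-z0-9.:-]+$ ]]; then
  echo "Invalid manager IP/hostname, aborting." >&2
  exit 1
fi

# Start from an empty file; every setting below is appended.
: > "$preload"
echo "Set language to English..."
set_preload USER_LANGUAGE "en"
echo "Disabled confirmation messages..."
set_preload USER_NO_STOP "y"
echo "User deployment as an AGENT install.."
set_preload USER_INSTALL_TYPE "agent"
echo "Set the OSSEC server.."
set_preload USER_AGENT_SERVER_IP "$managerIP"
echo "Set default location as /var/log/ossec..."
set_preload USER_DIR "/var/ossec"
echo "Enabled Active Response..."
set_preload USER_ENABLE_ACTIVE_RESPONSE "y"
echo "Enabled system checks..."
set_preload USER_ENABLE_SYSCHECK "y"
echo "Enabled rootcheck..."
set_preload USER_ENABLE_ROOTCHECK "y"
echo "Disabled email notifications..."
set_preload USER_ENABLE_EMAIL "n"
echo "Enabled Firewall Response... "
# Written to the same preload file as the other settings; the original used a
# relative "etc/" path that did not resolve from the Downloads directory.
set_preload USER_ENABLE_FIREWALL_RESPONSE "y"
echo "Done adding defaults..."

echo "Begin the OSSEC installation..."
cd -- "$downloaddir"
# set -e stops here if install.sh fails, so the success message below is only
# printed after a successful install.
./install.sh
echo "OSSEC installed successfully, begin manual configuration..."

#Cleaning up mess
echo "Cleaning up mess.."
rm -f -- "${downloads}/master.zip"
echo "Installation is complete.."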
如有任何问题,请发送至support@noc.org。
发布分类: ossec, ossec-configurations