ClearFoundation Forums

TOPIC: Install OSSEC HIDS on ClearOS System
#27698
Install OSSEC HIDS on ClearOS System 3 Years, 6 Months ago  
All,

Here's a script I just wrote that will install OSSEC HIDS onto your ClearOS boxen.

There's a fair amount of notes in the script's comments, but there are 2 things you'll need to edit yourselves:

1) /etc/httpd/conf.d/ossec.conf
- Edit the "Allow from" directives to match your network addressing
- Edit the AuthLDAPURL with the proper "dc=" values to match your server's LDAP config
2) /var/www/apache_auth/ossec_auth.conf
- Note that I chose a default userid in this file, you can use this username to create an account in your LDAP, or edit it to match your desired account name. Either way, you'll need the account in LDAP before you can log into the OSSEC WUI

The OSSEC WUI (web user interface) can be found on your server at https://your.servers.ip.address/ossec/
- Note, you MUST use https: (you don't want to pass a username and password in the clear, do you?)

Please take some time to read through the script (and comments) before you try to use it. There are several questions you should have an answer to BEFORE you run the script.

Here's the script contents, and I'll attach the file to this post.

Code:


#!/bin/bash
# Copyright 2011-?, Robert Stangarone
# www.whataboutbob.org
# Version 0.1

# Version 0.1 - Initial version of this script, released 5.5.2011
#
# This script was tested on a fresh install of ClearOS 5.2 
#  Enterprise with NO additional software modules loaded. 
# Post install, the system was updated via the "yum -y update" 
#  command as root, then the system was rebooted before running 
# this script. 

# This script will install the ossec HIDS server and WUI interface,
# and implement IP address ACLs and authentication via the host's 
# LDAP server.
#
# Documentation related to this software can be found at: 
#
# http://www.ossec.net/main/documentation/

# Software packages related to this software can be found at:
#
# http://www.ossec.net/main/downloads/
#
# OSSEC: http://www.ossec.net/files/ossec-hids-2.5.1.tar.gz
#
# WUI: http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz

# Installation instructions related to this software can be found at:
#
# OSSEC: http://www.ossec.net/main/manual/#install
#
# WUI: http://www.ossec.net/wiki/index.php/OSSECWUI:Install

# You are going to need to tune your rules, here's a starting place to
# learn how:
#
# http://www.ossec.net/wiki/Know_How:Ignore_Rules#Ignoring_syslog_message

# Preconditions:
#
# 1) Needed packages are either installed, or available via the
# standard ClearOS repos.
# 2) You have the LDAP server installed, and configured on the
# target system.
# 3) You have already created the necessary user account(s) in LDAP
# to match the userids included in /var/www/apache_auth/ossec_auth.conf.
# 4) You have the ability to become root on the system you are trying to
# run this script on.
#  5) Have an email account available for the email notifications that
# the OSSEC HIDS will generate.



# Setup the script vars:
YUM=/usr/bin/yum
USERADD=/usr/sbin/useradd
GROUPADD=/usr/sbin/groupadd
USERMOD=/usr/sbin/usermod
MKDIR=/bin/mkdir
TAR=/bin/tar
CHKCONFIG=/sbin/chkconfig
CHGRP=/bin/chgrp
CHMOD=/bin/chmod
WORKING_DIR=$PWD/ossec_downloads
APACHE_OSSEC_CONFIG_FILE=/etc/httpd/conf.d/ossec.conf
OSSEC_USERS="ossec ossecm ossecr"
OSSEC_BASE_GID=16666
ERROR_MSG="Please verify your internet connections and re-run this script."
NEEDED_RPMS="gcc make httpd mod_ssl php openldap-servers openldap-clients app-ldap app-users"
OSSEC_URL="http://www.ossec.net/files/"
OSSEC_SRC="ossec-hids-2.5.1.tar.gz"
OSSEC_SRC_DIR="ossec-hids-2.5.1"
OSSEC_WUI_SRC="ossec-wui-0.3.tar.gz"
OSSEC_WUI_SRC_DIR="ossec-wui-0.3"

# Make sure you are root when you run our script
if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# First, let's install the necessary dependencies:
for RPM in $NEEDED_RPMS
do
$YUM -y install $RPM
done

# Then verify they were installed
for RPM in $NEEDED_RPMS
do
if [[ $( rpm -qa $RPM ) =~ ${RPM} ]]
then
   echo " Required package $RPM is installed."
else
   echo " Required package $RPM not found."
echo " $ERROR_MSG"
exit 1
fi
done

# Create a working directory for our download files
$MKDIR $WORKING_DIR

# Test to see if we made the dir, and if not exit the script with a status of 1
if [ ! -d $WORKING_DIR ]
then
echo " Cannot create working directory, check parent directory permissions and re-run script."
exit 1
fi

# Next, let's retrieve the source files for OSSEC and its WUI
# wget OSSEC HIDS source code
wget $OSSEC_URL/$OSSEC_SRC -O $WORKING_DIR/$OSSEC_SRC

# Test to see if we got the file, and if not exit the script with a status of 1
if [ ! -e "$WORKING_DIR/$OSSEC_SRC" ]
then
echo "OSSEC HIDS source was not downloaded successfully. $ERROR_MSG"
exit 1
fi

# wget OSSEC HIDS WUI source code
wget $OSSEC_URL/ui/$OSSEC_WUI_SRC -O $WORKING_DIR/$OSSEC_WUI_SRC

# Test to see if we got the file, and if not exit the script with a status of 1
if [ ! -e "$WORKING_DIR/$OSSEC_WUI_SRC" ]
then
echo "OSSEC HIDS WUI source was not downloaded successfully. $ERROR_MSG"
exit 1
fi

# Extract the OSSEC HIDS source and WUI code
cd $WORKING_DIR
$TAR -xzf $WORKING_DIR/$OSSEC_SRC
$TAR -xzf $WORKING_DIR/$OSSEC_WUI_SRC

# Next, we need to add regular users for the ossec services
# and add them to the right groups as well. The ossec group has to
# exist before usermod can add anyone to it, so create it first.
$GROUPADD -r ossec
for USER in $OSSEC_USERS
do 
$USERADD -r $USER -s /sbin/nologin
$USERMOD -a -G ossec $USER
# debugging fun on next 2 lines
#cat /etc/passwd | grep $USER
#cat /etc/group | grep $USER
done

# You can comment out this section if you are sure that email notifications
# will work correctly. To comment out, add a "#" to the beginning of each
# line below before the line that says "# --- END potential comment out section"

# -- BEGIN potential comment out section

# Be sure you've already set the hostname before running this script
# if the script finds "system.clearos.lan" as the hostname it will 
# quit
#EXISTING_HOSTNAME="$HOSTNAME"
#DEFAULT_HOSTNAME="system.clearos.lan"
#if [ $EXISTING_HOSTNAME == $DEFAULT_HOSTNAME ]
#then
# echo "You have not set a unique hostname, your hostname is currently set to: $HOSTNAME."
# echo "OSSEC can be configured to send email notifications, which will not work with the"
# echo "existing hostname configuration."
# echo "Please set a unique hostname, hostname and re-run script."
# exit 1
#fi

# -- END potential comment out section

# Questions you should be prepared to answer before installing OSSEC:
#
# 1) What language? en
# 2) Is your hostname setup correctly? yes
# 3) What installation type do you want? local
# 4) Where do you want to install ossec? /var/ossec
#  5) Do you want email notification? yes
#  6) What email address do you want the notifications sent to? my.email@my.domain
# 7) Do you want to run the integrity check daemon? yes
# 8) Do you want to run the rootkit detection engine? yes
# 9) Do you want to enable active response? no

# Now, install the OSSEC HIDS
cd $OSSEC_SRC_DIR
./install.sh

# Check to see if there's an init script for ossec in /etc/init.d.
# If there is, assume the install went through cleanly and use
# chkconfig to set ossec to start at boot
if [ ! -e /etc/init.d/ossec ]
then
echo " OSSEC init script not found in /etc/init.d/ossec."
echo " It appears that the install did not complete successfully."
echo " Please re-run install script, or check system logs for more information."
echo " Exiting script."
exit 1
fi

# If we got this far, the init file is there, use chkconfig to set it to start
# at boot.
$CHKCONFIG ossec on

# Start OSSEC now
/etc/init.d/ossec start

# Show status to user
echo "Current status of ossec daemon:"
/etc/init.d/ossec status
echo "It is normal for the ossec-execd not to be running."

# Now for the WUI install and configuration
cd $WORKING_DIR

echo "Current directory before WUI is:" $PWD
echo "Working directory before WUI is:" $WORKING_DIR
echo "OSSEC WUI SRC DIR before WUI is:" $OSSEC_WUI_SRC_DIR

# Make sure the target directory exists
if [ ! -d /var/www/ossec ]
then
mkdir /var/www/ossec
fi

# Copy the WUI files to /var/www/ossec. We'll be setting up 
# an Apache Alias config and some access control stuff later
# in the script
cp -R $WORKING_DIR/$OSSEC_WUI_SRC_DIR/*  /var/www/ossec/

# Questions you should be prepared to answer before installing OSSEC WUI:
#
# 1) What is the NON-LDAP username and password you want to use to manage
# the OSSEC WUI? ossecadmin/your.1337.password
# 2) What LDAP user accounts on the system do you want to be able to access 
# the OSSEC WUI? ossecadmin


# Run the setup script
cd /var/www/ossec
./setup.sh

# Add Apache to the ossec group (assuming you've not changed the default user
# that ClearOS runs the httpd service as).
$USERMOD -a -G ossec apache

# Fix permissions for tmp directory in OSSEC WUI
$CHMOD 770 /var/www/ossec/tmp/
$CHGRP apache /var/www/ossec/tmp/
/etc/init.d/httpd restart

# Prompt user to consider changing values in php.ini
echo "The OSSEC install manual suggests that you may need"
echo "to modify the following values in your /etc/php.ini file:"
echo "max_execution_time = 180"
echo "max_input_time = 180"
echo "memory_limit = 30M"

echo "Your current values are: "
grep "max_execution_time" /etc/php.ini
grep "max_input_time" /etc/php.ini
grep "memory_limit" /etc/php.ini

# Setup apache Alias and controls on the /var/www/ossec directory

if [ -e $APACHE_OSSEC_CONFIG_FILE ]
then
mv $APACHE_OSSEC_CONFIG_FILE $APACHE_OSSEC_CONFIG_FILE.old
fi 

#echo " " >> $APACHE_OSSEC_CONFIG_FILE

echo "Alias /ossec/ /var/www/ossec/" >> $APACHE_OSSEC_CONFIG_FILE
echo " " >> $APACHE_OSSEC_CONFIG_FILE
# Single quotes here so the inner double quotes reach the config file intact
echo '<Directory "/var/www/ossec/">' >> $APACHE_OSSEC_CONFIG_FILE
# The next line requires users to connect using SSL, we're passing in 
# authentication over the network, and don't want that in the clear.
echo "SSLRequireSSL" >> $APACHE_OSSEC_CONFIG_FILE
echo "Order deny,allow" >> $APACHE_OSSEC_CONFIG_FILE
echo "Deny from all" >> $APACHE_OSSEC_CONFIG_FILE
echo "Allow from 127.0.0.1" >> $APACHE_OSSEC_CONFIG_FILE
# change the IP address range on the next line to match your internal network, if needed
# otherwise comment out or remove line from config file 
echo "Allow from 192.168.1.0/24" >> $APACHE_OSSEC_CONFIG_FILE
echo 'AuthName "OSSEC WUI"' >> $APACHE_OSSEC_CONFIG_FILE
echo "AuthType Basic" >> $APACHE_OSSEC_CONFIG_FILE
echo "AuthBasicProvider ldap" >> $APACHE_OSSEC_CONFIG_FILE
echo "AuthzLDAPAuthoritative off" >> $APACHE_OSSEC_CONFIG_FILE
# change the next line to match whatever your domain configuration is for LDAP
echo 'AuthLDAPURL "ldap://127.0.0.1/dc=mydomain,dc=com?uid"' >> $APACHE_OSSEC_CONFIG_FILE
echo "AuthGroupFile /var/www/apache_auth/ossec_auth.conf" >> $APACHE_OSSEC_CONFIG_FILE
echo "require group OSSEC" >> $APACHE_OSSEC_CONFIG_FILE
echo "</Directory>" >> $APACHE_OSSEC_CONFIG_FILE

# You'll also need to create the /var/www/apache_auth/ossec_auth.conf file
# referenced above
if [ ! -d /var/www/apache_auth ]
then
$MKDIR /var/www/apache_auth
fi


if [ ! -e /var/www/apache_auth/ossec_auth.conf ]
then
echo "OSSEC: ossecadmin" >> /var/www/apache_auth/ossec_auth.conf
else
echo "The file /var/www/apache_auth/ossec_auth.conf exists, and "
echo "contains the following:"
cat /var/www/apache_auth/ossec_auth.conf
echo "Moving current file to backup file."
mv /var/www/apache_auth/ossec_auth.conf /var/www/apache_auth/ossec_auth.conf.backup
echo "OSSEC: ossecadmin" >> /var/www/apache_auth/ossec_auth.conf
fi

# Restart apache for new config to take effect
/etc/init.d/httpd stop
/etc/init.d/httpd start

# We also need LDAP to be set at boot and running, or our auth scheme fails
$CHKCONFIG ldap on
/etc/init.d/ldap start

# We need to be sure apache is set to start on boot, or else the WUI will
# be inaccessible after the next system reboot
$CHKCONFIG httpd on

# Remind user that they'll still need to edit the 2 files created as part of this 
# script to match their configuration
echo "************************************************************************"
echo "************* IMPORTANT ************************************************"
echo "You MUST edit /etc/httpd/conf.d/ossec.conf and"
echo "/var/www/apache_auth/ossec_auth.conf to match your host's configuration. "
echo "Specifically, you'll need to add the appropriate userids to the "
echo "ossec_auth.conf file, and edit the AuthLDAPURL parameters to match your"
echo "LDAP configuration. Once you've completed these steps, you'll need to"
echo "restart the apache server by executing the following commands as root"
echo "on the target system: /etc/init.d/httpd stop;/etc/init.d/httpd start"
echo "************* IMPORTANT ************************************************"
echo "************************************************************************"



Link to script on my site: here
Bob Stangarone
[ Linux User | CC Fan since 2.1 | packet captures and log entries are amazing debugging tools ]
[ www.whataboutbob.org | How To Ask Questions The Smart Way ]
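The script above writes /etc/httpd/conf.d/ossec.conf and /var/www/apache_auth/ossec_auth.conf and then tells you to edit them by hand. The following is an added example, not part of Bob's script or of the OSSEC project: a small bash check that reads those two files and reports anything that would weaken or break the protection the post relies on (SSL required, default deny with an address allow-list, LDAP Basic auth, a real base DN instead of the dc=mydomain,dc=com placeholder, and an OSSEC group line that actually lists a user). The file paths, the dc=example,dc=lan base DN and the sample file contents in the demo are constructed for illustration.

```bash
#!/bin/bash
# Added example (not part of the original script): sanity-check the Apache
# config and AuthGroupFile the install script writes, before restarting httpd.

# check_ossec_httpd_conf CONF_FILE GROUP_FILE
# Prints one line per finding; returns 0 when nothing needs attention, 1 otherwise.
check_ossec_httpd_conf() {
    local conf="$1" groupfile="$2" problems=0 d

    # Every directive the protection depends on, as the script writes them.
    for d in \
        "SSLRequireSSL" \
        "Order deny,allow" \
        "Deny from all" \
        "AuthType Basic" \
        "AuthBasicProvider ldap" \
        "AuthLDAPURL" \
        "AuthGroupFile" \
        "require group OSSEC"
    do
        if ! grep -qF -- "$d" "$conf"; then
            echo "MISSING: $d"
            problems=$((problems + 1))
        fi
    done

    # "Deny from all" with no "Allow from" at all locks out even localhost.
    if ! grep -q '^[[:space:]]*Allow from' "$conf"; then
        echo "LOCKOUT: Deny from all but no Allow from directive"
        problems=$((problems + 1))
    fi

    # "Allow from all" silently undoes the network allow-list.
    if grep -Eiq '^[[:space:]]*Allow from all([[:space:]]|$)' "$conf"; then
        echo "TOO-BROAD: Allow from all defeats the address ACL"
        problems=$((problems + 1))
    fi

    # The script writes a placeholder base DN; it must be edited before use.
    if grep -q 'dc=mydomain,dc=com' "$conf"; then
        echo "PLACEHOLDER: AuthLDAPURL still points at dc=mydomain,dc=com"
        problems=$((problems + 1))
    fi

    # AuthGroupFile format is "GROUP: user1 user2 ..."; an OSSEC line with
    # no members means "require group OSSEC" can never be satisfied.
    if ! grep -Eq '^OSSEC:[[:space:]]*[^[:space:]]+' "$groupfile" 2>/dev/null; then
        echo "GROUPFILE: no members listed for group OSSEC in $groupfile"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# --- demo on constructed files: what the script generates, then an edited copy ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/ossec.conf.generated" <<'EOF'
Alias /ossec/ /var/www/ossec/
<Directory "/var/www/ossec/">
SSLRequireSSL
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.1.0/24
AuthName "OSSEC WUI"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://127.0.0.1/dc=mydomain,dc=com?uid"
AuthGroupFile /var/www/apache_auth/ossec_auth.conf
require group OSSEC
</Directory>
EOF
# Edited copy with a (constructed) base DN for this host instead of the placeholder
sed 's/dc=mydomain,dc=com/dc=example,dc=lan/' \
    "$demo_dir/ossec.conf.generated" > "$demo_dir/ossec.conf.edited"
echo "OSSEC: ossecadmin" > "$demo_dir/ossec_auth.conf"

echo "== as generated by the script =="
check_ossec_httpd_conf "$demo_dir/ossec.conf.generated" "$demo_dir/ossec_auth.conf" \
    || echo "-> edit before use"
echo "== after editing =="
check_ossec_httpd_conf "$demo_dir/ossec.conf.edited" "$demo_dir/ossec_auth.conf" \
    && echo "-> ok"
rm -rf "$demo_dir"
```

Run it as root after the install script and before the final httpd restart, pointing it at the real files: `check_ossec_httpd_conf /etc/httpd/conf.d/ossec.conf /var/www/apache_auth/ossec_auth.conf`. A non-zero exit means one of the two files still needs the edits the post describes.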
 
#28975
Re: Install OSSEC HIDS on ClearOS System 3 Years, 4 Months ago  
works great! thanks for this.

Rico
 
#28976
Re:Install OSSEC HIDS on ClearOS System 3 Years, 4 Months ago  
Rico,

You are welcome. It's nice to hear that it worked for you, thanks for the feedback.

Bob
Bob Stangarone
 
#32606
Re:Install OSSEC HIDS on ClearOS System 3 Years, 1 Month ago  
Nice Bob

will def try this one...
Jimmy
 