pro tip: automating unix ossec agent installs using capistrano

If you like linux, capistrano, and ossec then you may like these scripts to automate installing ossec agents. I’m assuming you already have decent familiarity with ossec & capistrano.

prerequisites:

  • you can ssh to each of the hosts you want to install the ossec agent on using SSH public-key authentication (e.g. ssh-copy-id -i .ssh/id_rsa.pub alice@xxx.xxx.xxx.xxx)
  • you have nopasswd sudo privileges on each host (check via sudo -l)
  • you have a compiler (+ dependencies) installed on each host (yum -y install gcc glibc-devel)
  • you have capistrano installed
  • you have the ossec source (current ver. = ossec-hids-2.4.1.tar.gz) (just put in your homedir)

steps you need to do:

  • uncompress the ossec source
  • use ossec-batch-manager.pl to quickly add agents to the server (located in the ossec contrib dir) (e.g. [alice@server]$ sudo ./ossec-batch-manager.pl -a -n host1 -p 10.10.10.10)
    note: you need to restart the ossec server after adding agents
  • copy ./contrib/specs/agent/preloaded-vars.conf to your homedir then configure it for how you want your agents to work (make sure you specify your USER_AGENT_SERVER_IP) - mine looks like:
    [alice@server]$ cat preloaded-vars.conf | egrep -v "^#|^$"
    USER_LANGUAGE="en"
    USER_NO_STOP="y"
    USER_INSTALL_TYPE="agent"
    USER_DIR="/var/ossec"
    USER_DELETE_DIR="y"
    USER_ENABLE_ACTIVE_RESPONSE="n"
    USER_ENABLE_SYSCHECK="y"
    USER_ENABLE_ROOTCHECK="y"
    USER_UPDATE="y"
    USER_UPDATE_RULES="y"
    USER_AGENT_SERVER_IP="xxx.xxx.xxx.xxx"
  • create a file titled capfile in your homedir then copy & paste in the following code
    default_run_options[:pty] = true
    default_run_options[:max_hosts] = 25
    
    # VARIABLES
    set :ossec_version,     "2.4.1"
    
    # ROLES
    role :new_agents,
    '10.10.10.10',
    '10.10.10.11',
    '10.10.10.12'
    
    # TASKS
    # ================================================================================
    # Automatically install new UNIX based OSSEC agents
    # ================================================================================
    namespace :new_agents do
    
      # upload the source and preloaded-vars.conf, run the unattended install, then clean up
      task :install_ossec_agent do
        upload("ossec-hids-#{ossec_version}.tar.gz", "/tmp/", :via => :scp)
        run "cd /tmp && tar zxf ossec-hids-#{ossec_version}.tar.gz"
        upload("preloaded-vars.conf", "/tmp/ossec-hids-#{ossec_version}/etc/preloaded-vars.conf", :via => :scp)
        run "cd /tmp/ossec-hids-#{ossec_version} && sudo ./install.sh"
        # \rm bypasses any interactive rm alias; the build tree holds root-owned files, the tarball does not
        sudo "\\rm -rf /tmp/ossec-hids-#{ossec_version}"
        run "\\rm -f /tmp/ossec-hids-#{ossec_version}.tar.gz"
      end
    
      # pull each agent's line out of the server's client.keys and push it to that agent only
      task :install_ossec_agent_keys do
        servers = find_servers_for_task(current_task)
        servers.each do |server|
          # -w stops 10.10.10.1 from also matching the 10.10.10.10 and 10.10.10.11 lines
          key = `sudo grep -w #{server} /var/ossec/etc/client.keys`
          abort "no client.keys entry for #{server}; add it with ossec-batch-manager.pl first" if key.strip.empty?
          logger.info "installing key on #{server}\n"
          put(key, "/tmp/client.keys", :hosts => server)
        end
        sudo "mv /tmp/client.keys /var/ossec/etc"
        sudo "chown root:ossec /var/ossec/etc/client.keys"
        # the key authenticates the agent to the server, so keep it unreadable to other local users
        sudo "chmod 640 /var/ossec/etc/client.keys"
      end
    
      task :start_ossec_agents do
        sudo "/var/ossec/bin/ossec-control start"
      end
    
      task :do_all, :roles => :new_agents do
        install_ossec_agent
        install_ossec_agent_keys
        start_ossec_agents
      end
    
    end

  • modify the above code to match your environment (see below):
    # VARIABLES
    set :ossec_version,     "2.4.1" <---  put the version you downloaded here
    
    # ROLES
    role :new_agents,
    'xxx.xxx.xxx.xxx', <--- list the IPs of the hosts you want the ossec agent installed on
    'xxx.xxx.xxx.xxx',
    'xxx.xxx.xxx.xxx'  <--- no comma after listing the last IP

  • in your homedir (or wherever you have the ossec source, preloaded-vars.conf, & the capfile), execute the following to initiate scripted agent installation:
    [alice@server]$ cap new_agents:do_all
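The key-install task above picks each agent's line out of the server's client.keys with grep, which is a substring match unless it is anchored: grepping for 10.10.10.1 also returns the 10.10.10.10 and 10.10.10.11 lines, and a wrong or multi-line client.keys on the agent means it cannot authenticate, or worse, carries a neighbour's key. The Ruby below is an added example, not code from the post, that does the same selection on the file's fields ("<id> <name> <ip> <key>", one agent per line) and refuses to hand out anything but exactly one entry; the sample entries and the function names are this example's own.

```ruby
# Added example, not code from the original post: select one agent's line from
# the OSSEC server's client.keys by exact IP match instead of a substring grep.
# The function names and the sample entries below are this example's own.

# Constructed sample client.keys (ids, names and keys are made up for illustration).
SAMPLE_CLIENT_KEYS = <<~KEYS
  001 host1 10.10.10.10 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  002 host2 10.10.10.11 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
  003 host3 10.10.10.1 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
KEYS

# Lines matched the way an unanchored `grep <ip>` matches them: the IP is a
# regex (each "." matches any character) and may occur anywhere on the line.
def grep_lines_for(ip, keys_text = SAMPLE_CLIENT_KEYS)
  pattern = Regexp.new(ip)
  keys_text.each_line.map(&:strip).select { |line| line =~ pattern }
end

# Lines whose third field (the agent IP) is exactly ip.
def key_lines_for(ip, keys_text = SAMPLE_CLIENT_KEYS)
  keys_text.each_line.map(&:strip).reject(&:empty?).select do |line|
    fields = line.split
    fields.length == 4 && fields[2] == ip
  end
end

# The single line to push to an agent as its client.keys. Zero matches means the
# agent was never added on the server; several means the server file is
# inconsistent; in both cases stop rather than install an empty or wrong key.
def key_line_for!(ip, keys_text = SAMPLE_CLIENT_KEYS)
  lines = key_lines_for(ip, keys_text)
  raise "no client.keys entry for #{ip}; add it with ossec-batch-manager.pl first" if lines.empty?
  raise "#{lines.length} client.keys entries for #{ip}; clean up the server's client.keys" if lines.length > 1
  "#{lines.first}\n"
end

if __FILE__ == $0
  ip = "10.10.10.1"
  puts "grep-style matches for #{ip}: #{grep_lines_for(ip).length}"   # 3: every sample line contains the substring
  puts "exact matches for #{ip}:      #{key_lines_for(ip).length}"    # 1
  print key_line_for!(ip)
end
```

In the capfile the same check is a one-liner (`grep -w`, plus aborting on empty output); the field-based version is what you want if the key step ever moves into a script that runs on the server.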

You should see lots of output and if the agents installed successfully then the tail end looks something like:

 ** [out :: 10.10.10.10] Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
 ** [out :: 10.10.10.10] Started ossec-execd...
 ** [out :: 10.10.10.10] Started ossec-agentd...
 ** [out :: 10.10.10.10] Started ossec-logcollector...
 ** [out :: 10.10.10.10] Started ossec-syscheckd...
 ** [out :: 10.10.10.11] Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
 ** [out :: 10.10.10.11] Started ossec-execd...
 ** [out :: 10.10.10.11] Started ossec-agentd...
 ** [out :: 10.10.10.11] Started ossec-logcollector...
 ** [out :: 10.10.10.11] Started ossec-syscheckd...
 ** [out :: 10.10.10.10] Completed.
 ** [out :: 10.10.10.11] Completed.
    command finished
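With a couple of dozen hosts per run that output gets long, and a host that started only some of its daemons, or never printed "Completed.", is easy to miss. The Ruby below is an added example, not code from the post: it groups Capistrano's "** [out :: <host>]" lines by host and reports any agent that did not start all four daemons shown above. The sample output reuses the post's two healthy hosts and adds a constructed third host that stalls after ossec-execd; the function names are this example's own.

```ruby
# Added example, not code from the original post: check the per-host output that
# `cap new_agents:do_all` prints against the daemons a healthy agent starts.
# Capistrano prefixes each remote line with "** [out :: <host>]", so the lines
# can be grouped by host. Function names and the third host are this example's own.

EXPECTED_DAEMONS = %w[ossec-execd ossec-agentd ossec-logcollector ossec-syscheckd].freeze

# Constructed sample: the two healthy hosts from the post's output plus
# 10.10.10.12, which (for illustration) only got as far as ossec-execd.
SAMPLE_OUTPUT = <<~OUT
  ** [out :: 10.10.10.10] Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
  ** [out :: 10.10.10.10] Started ossec-execd...
  ** [out :: 10.10.10.10] Started ossec-agentd...
  ** [out :: 10.10.10.10] Started ossec-logcollector...
  ** [out :: 10.10.10.10] Started ossec-syscheckd...
  ** [out :: 10.10.10.11] Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
  ** [out :: 10.10.10.11] Started ossec-execd...
  ** [out :: 10.10.10.12] Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
  ** [out :: 10.10.10.12] Started ossec-execd...
  ** [out :: 10.10.10.11] Started ossec-agentd...
  ** [out :: 10.10.10.11] Started ossec-logcollector...
  ** [out :: 10.10.10.11] Started ossec-syscheckd...
  ** [out :: 10.10.10.10] Completed.
  ** [out :: 10.10.10.11] Completed.
      command finished
OUT

OUTPUT_LINE  = /\A\*\* \[out :: ([^\]]+)\] (.*)\z/
STARTED_LINE = /\AStarted (ossec-[\w-]+)\.\.\.\z/

# Group the output by host: { host => { started: [daemon, ...], completed: true/false } }
def parse_cap_output(text)
  hosts = Hash.new { |h, k| h[k] = { started: [], completed: false } }
  text.each_line do |raw|
    next unless (m = OUTPUT_LINE.match(raw.strip))
    host, message = m[1], m[2]
    if (daemon = message[STARTED_LINE, 1])
      hosts[host][:started] << daemon
    elsif message == "Completed."
      hosts[host][:completed] = true
    end
  end
  hosts
end

# Hosts that lack an expected daemon or never reported "Completed.", mapped to
# the daemons each one is missing; empty when every agent came up cleanly.
def unhealthy_agents(text, expected = EXPECTED_DAEMONS)
  parse_cap_output(text).each_with_object({}) do |(host, status), bad|
    missing = expected - status[:started]
    next if missing.empty? && status[:completed]
    bad[host] = missing
  end
end

if __FILE__ == $0
  unhealthy_agents(SAMPLE_OUTPUT).sort.each do |host, missing|
    puts "#{host}: missing #{missing.empty? ? 'Completed.' : missing.join(', ')}"
  end
end
```

Pipe the cap run through `tee` into a file and feed that file to unhealthy_agents; an empty result is your sign-off that every new agent is up, and anything else names the host to go look at before you assume it is reporting to the server.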

bonus: here is a cap task to install syslog-ng from source minus the syslog-ng.conf file (you need to create that)

# =================================================================================================
# Automatically install syslog-ng from source
# =================================================================================================
# in capistrano, desc goes before the task it describes (inside the task body it only
# labels whatever task is defined next)
desc "Stop and disable the stock syslogd, then build eventlog, libol and syslog-ng 2.1.4 from source"
task :install_syslog_ng, :roles => :new_agents do
  # disable the default syslogd process on startup and stop the running one
  sudo "/etc/init.d/syslog stop"
  sudo "/sbin/chkconfig syslog off"
  sudo "yum -y install gcc libnet"
  # --no-check-certificate skips TLS verification of the download server, so check the
  # tarballs against the checksums published for these releases before building them
  run "wget https://www.balabit.com/downloads/files/syslog-ng/sources/2.1.4/source/syslog-ng_2.1.4.tar.gz --no-check-certificate"
  run "wget https://www.balabit.com/downloads/files/eventlog/0.2/eventlog_0.2.9.tar.gz --no-check-certificate"
  run "wget https://www.balabit.com/downloads/files/libol/0.3/libol-0.3.18.tar.gz --no-check-certificate"
  # eventlog
  run "\\rm -rf ./eventlog-0.2.9/"
  run "tar zxf eventlog_0.2.9.tar.gz"
  run "cd ./eventlog-0.2.9/;./configure"
  run "cd ./eventlog-0.2.9/;make"
  run "cd ./eventlog-0.2.9/;sudo make install"
  # libol
  run "\\rm -rf ./libol-0.3.18/"
  run "tar zxf libol-0.3.18.tar.gz"
  run "cd ./libol-0.3.18/;./configure"
  run "cd ./libol-0.3.18/;make"
  run "cd ./libol-0.3.18/;sudo make install"
  # syslog-ng (the tarball extracts to syslog-ng-2.1.4, with a dash, so that is the directory to clear)
  run "\\rm -rf ./syslog-ng-2.1.4/"
  run "tar zxf syslog-ng_2.1.4.tar.gz"
  run "export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/;cd ./syslog-ng-2.1.4/;./configure"
  run "cd ./syslog-ng-2.1.4/;make"
  run "cd ./syslog-ng-2.1.4/;sudo make install"
  # create the directory that will hold the syslog-ng.conf file
  sudo "mkdir -p /usr/local/etc/syslog-ng"
end

Posted by tate 16/05/2010 at 14h04