Automated OSSEC installation using ansible
From Notes_Wiki
OSSEC server installation
For the server installation the following playbook can be used. It installs OSSEC 2.8 as a server plus the OSSEC web UI 0.8 under Apache on the hosts in the ossec-server group (a yum based system such as CentOS is assumed). The web UI login is created by the expect script ossec_webui_setup.sh listed further down, so change the username and password in that script before running the playbook:
---
- name: Ossec server installation
  hosts: ossec-server
  remote_user: root
  vars:
    ossec_url: https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz
    ossec_path: /root/ossec-hids-2.8
    webui_url: http://www.ossec.net/files/ossec-wui-0.8.tar.gz
    webui_path: /root/ossec-wui-0.8
    webui_install_path: /var/www/html/ossec
    extract_path: /root
    document_root: /var/www/html
    admin_email_address: saurabh@rekallsoftware.com
    smtp_server_address: smtp.admin.iiit.ac.in
  tasks:
    - name: Install necessary packages - gcc, postgresql-devel, mysql-devel, php, expect and httpd
      yum: name="{{item}}" state=present
      with_items:
        - gcc
        - postgresql-devel
        - mysql-devel
        - php
        - expect
        - httpd
    - name: Download Ossec server/agent
      get_url: url="{{ossec_url}}" dest="{{ossec_path}}.tar.gz"
    - name: Extract Ossec server code
      unarchive: copy=no src="{{ossec_path}}.tar.gz" dest="{{extract_path}}" creates="{{ossec_path}}"
    # The template holds the answers to the install.sh prompts, one per line
    - name: Copy the Ossec_input file
      template: src=ossec_server_input.j2 dest="{{ossec_path}}/ossec_server_input.txt"
    - name: Install Ossec server
      shell: ./install.sh < ossec_server_input.txt
      args:
        chdir: "{{ossec_path}}"
        creates: /var/ossec/etc/ossec.conf
    - name: Start ossec server
      service: name=ossec state=started
    - name: Download Ossec web UI
      get_url: url="{{webui_url}}" dest="{{webui_path}}.tar.gz"
    - name: Extract Ossec web UI code
      unarchive: copy=no src="{{webui_path}}.tar.gz" dest="{{extract_path}}" creates="{{webui_install_path}}"
    - name: Move the extracted web UI code to document root
      command: mv "{{webui_path}}" "{{webui_install_path}}"
      args:
        creates: "{{webui_install_path}}"
    # Expect script that answers the web UI setup.sh prompts (contains the web UI login)
    - name: Copy the Ossec_webui_input file
      copy: src=ossec_webui_setup.sh dest="{{webui_install_path}}" mode=544
    - name: Install Ossec web UI
      shell: ./ossec_webui_setup.sh
      args:
        chdir: "{{webui_install_path}}"
        creates: "{{webui_install_path}}/.htpasswd"
    - name: Create index.html to automatically redirect to /ossec
      copy: src=index.html dest="{{document_root}}" owner=root group=root mode=644
    - name: Ensure that apache service is running
      service: name=httpd state=started
The above playbook refers to the following files, which must be placed next to the playbook on the Ansible control machine (index.html and ossec_webui_setup.sh where the copy module finds them, ossec_server_input.j2 where the template module finds them):
- index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
<meta http-equiv="Refresh" content="0; URL=ossec" />
</head>
<body>
</body>
</html>
- ossec_server_input.j2
en
server
{{ admin_email_address }}
{{ smtp_server_address }}
n
y
- ossec_webui_setup.sh
#!/usr/bin/expect -f
# Answers the prompts of the OSSEC web UI setup.sh non-interactively.
spawn ./setup.sh
# Web UI login that setup.sh writes to .htpasswd: change these before use
expect "Username:"
send "saurabh\r"
expect "password:"
send "rekall123\r"
expect "password:"
send "rekall123\r"
# User that the web server runs as (added to the ossec group)
expect "user name"
send "apache\r"
# OSSEC installation directory
expect "directory path"
send "/var/ossec\r"
# Wait for setup.sh to finish instead of timing out on a string that never appears
expect eof
OSSEC client installation
For the OSSEC client installation the inventory (hosts) file should have a host group named ossec-client listing all clients. The IP addresses of all clients should be put in the client_ips variable, and the IP address of the OSSEC server in the server_ip variable. The playbook has two plays: the first registers every client on the OSSEC server with manage_agents and fetches the resulting /var/ossec/etc/client.keys to the Ansible control machine; the second installs the agent on each client, copies the complete client.keys over and keeps only the line for the client's own IP address. Note that every agent therefore briefly receives every other agent's key (the temporary copy is deleted straight after trimming), so this is only appropriate when all clients are equally trusted.
---
- name: Ossec agent installation on OSSEC server
  hosts: ossec-server
  remote_user: root
  vars:
    client_ips:
      - 192.168.122.103
      - 192.168.122.104
  tasks:
    - name: Copy add_agent.sh script
      copy: src=add_agent.sh dest=/root/add_agent.sh mode=755 owner=root group=root
    - name: Add agent to the server
      shell: /root/add_agent.sh "{{item}}"
      with_items: "{{ client_ips }}"
      notify:
        - restart ossec
    - name: Get all client keys from OSSEC server to ansible server
      fetch: src=/var/ossec/etc/client.keys dest=/root/client.keys flat=yes
  handlers:
    - name: restart ossec
      service: name=ossec state=restarted

- name: Ossec agent installation on OSSEC client
  hosts: ossec-client
  remote_user: root
  vars:
    ossec_url: https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz
    ossec_path: /root/ossec-hids-2.8
    server_ip: 192.168.122.102
    ossec_manage_agent_input: /root/ossec_manage_agent_input.txt
    extract_path: /root
  tasks:
    - name: Install gcc, postgresql-devel and mysql-devel
      yum: name="{{item}}" state=present
      with_items:
        - gcc
        - postgresql-devel
        - mysql-devel
    - name: Download Ossec server/agent
      get_url: url="{{ossec_url}}" dest="{{ossec_path}}.tar.gz"
    - name: Extract Ossec agent code
      unarchive: copy=no src="{{ossec_path}}.tar.gz" dest="{{extract_path}}" creates="{{ossec_path}}"
    # The template holds the answers to the install.sh prompts, one per line
    - name: Copy the Ossec_input file
      template: src=ossec_client_input.j2 dest="{{ossec_path}}/ossec_client_input.txt"
    - name: Install Ossec-agent
      shell: ./install.sh < ossec_client_input.txt
      args:
        chdir: "{{ossec_path}}"
        creates: /var/ossec/etc/ossec.conf
    # The fetched file contains every agent's key, so keep it unreadable to other users
    - name: Get the client key file from the ansible server
      copy: src=/root/client.keys dest=/var/ossec/etc/client2.keys owner=root mode=0640
    # Match the IP field (third column of "ID NAME IP KEY") exactly: a plain
    # grep for 192.168.122.10 would also match 192.168.122.103 and .104
    - name: Extract only the key for current client
      shell: awk -v ip="{{ ansible_default_ipv4.address }}" '$3 == ip' /var/ossec/etc/client2.keys > /var/ossec/etc/client.keys
    - name: Delete other client keys
      file: name=/var/ossec/etc/client2.keys state=absent
    - name: Start Ossec agent
      service: name=ossec state=started
This playbook requires the following files, placed next to it on the Ansible control machine:
- add_agent.sh
#!/bin/bash
# Registers one agent on the OSSEC server. $1 is the agent IP address and is
# used both as the agent name and as its IP; the lines below are the answers
# to the manage_agents prompts (A = add agent, Q = quit).
cat > ossec_agent_input.txt <<EOF
A
$1
$1
y
Q
EOF
/var/ossec/bin/manage_agents < ossec_agent_input.txt
rm -f ossec_agent_input.txt
exit 0
- ossec_client_input.j2
en
agent
/var/ossec
{{ server_ip }}
y
y
y
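The second play above ships the complete client.keys file to every agent and then trims it with a pattern match on the agent's IP. The following POSIX shell helpers are an added example, not code from this wiki page or from the OSSEC project: they do the trimming on the Ansible control machine instead (so a client only ever receives its own key line), compare the IP field exactly rather than as a substring, and only register an agent with manage_agents when it has no key yet, which makes add_agent.sh safe to re-run. The "ID NAME IP KEY" line format of client.keys is assumed, the sample file is constructed with fake IDs and keys, and the manage_agents answer sequence is the one add_agent.sh already uses.

```shell
#!/bin/sh
# Added example, not part of the wiki page's playbooks: handle the fetched
# /var/ossec/etc/client.keys on the Ansible controller so that each agent is
# given only its own key line instead of the whole file.
# Assumed line format (as written by manage_agents): "ID NAME IP KEY".

# Constructed sample client.keys (fake IDs and keys, not real agents).
SAMPLE_KEYS='001 192.168.122.10 192.168.122.10 0123456789abcdef0123456789abcdef
002 192.168.122.103 192.168.122.103 fedcba9876543210fedcba9876543210
003 192.168.122.104 192.168.122.104 00112233445566778899aabbccddeeff'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_KEYS" > "$SAMPLE_FILE"

# Print the key line(s) whose IP field (3rd column) equals $1 exactly.
# A substring search such as `grep 192.168.122.10` also matches
# 192.168.122.103 and 192.168.122.104, so compare the whole field.
agent_key_lines() {
    # $1 = agent IP, $2 = path to client.keys
    awk -v ip="$1" '$3 == ip { print }' "$2"
}

# Print how many key lines exist for the IP (0 when not registered).
count_agent_keys() {
    awk -v ip="$1" '$3 == ip { n++ } END { print n + 0 }' "$2"
}

# Write only the matching line to $3 with restrictive permissions.
# Returns 1 unless exactly one key matches, so a missing or duplicated
# registration is caught on the controller rather than on the agent.
extract_agent_key() {
    # $1 = agent IP, $2 = client.keys on the controller, $3 = output file
    n=$(count_agent_keys "$1" "$2")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one key for $1, found $n" >&2
        return 1
    fi
    agent_key_lines "$1" "$2" > "$3"
    chmod 640 "$3"
}

# Re-runnable replacement for add_agent.sh: only call manage_agents when the
# IP has no key yet. MANAGE_AGENTS can be overridden for a dry run.
MANAGE_AGENTS=${MANAGE_AGENTS:-/var/ossec/bin/manage_agents}
register_agent_if_missing() {
    # $1 = agent IP, $2 = client.keys on the OSSEC server
    if [ "$(count_agent_keys "$1" "$2")" -gt 0 ]; then
        echo "agent $1 already registered" >&2
        return 0
    fi
    # Same answer sequence as add_agent.sh: A (add), name, IP, y, Q (quit)
    printf 'A\n%s\n%s\ny\nQ\n' "$1" "$1" | "$MANAGE_AGENTS"
}

# Usage: one per-agent key file for each client IP, ready for a copy task
# that ships client.keys.<ip> to /var/ossec/etc/client.keys on that client.
OUT_DIR=$(mktemp -d)
for ip in 192.168.122.103 192.168.122.104; do
    extract_agent_key "$ip" "$SAMPLE_FILE" "$OUT_DIR/client.keys.$ip"
done
```

With the per-agent files produced this way the client play no longer needs the client2.keys copy, the grep and the delete task: a single copy task with src=/root/client.keys.{{ ansible_default_ipv4.address }} and mode=0640 is enough, and an agent whose IP was never registered fails at extraction time instead of starting with an empty client.keys.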