Automated OSSEC installation using ansible

From Notes_Wiki
Revision as of 14:08, 14 March 2015 by Saurabh (talk | contribs)

<yambe:breadcrumb>OSSEC|OSSEC</yambe:breadcrumb>

Automated OSSEC installation using ansible

OSSEC server installation

For server installation following playbook can be used:

---
  - name: Ossec server installation
    hosts: ossec-server
    remote_user: root

    vars:
      ossec_url: https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz
      ossec_path: /root/ossec-hids-2.8
      webui_url: http://www.ossec.net/files/ossec-wui-0.8.tar.gz
      webui_path: /root/ossec-wui-0.8
      webui_install_path: /var/www/html/ossec
      extract_path: /root
      document_root: /var/www/html
      admin_email_address: saurabh@rekallsoftware.com
      smtp_server_address: smtp.admin.iiit.ac.in

    tasks:
    - name: Install necessary packages - gcc, postgresql-devel, mysql-devel, php and expect
      yum: name="{{item}}" state=present
      with_items:
        - gcc
        - postgresql-devel
        - mysql-devel
        - php
        - expect
        - httpd

    - name: Download Ossec server/agent 
      get_url: url="{{ossec_url}}" dest="{{ossec_path}}".tar.gz

    - name: Extract Ossec server code
      unarchive: copy=no src="{{ossec_path}}".tar.gz dest="{{extract_path}}" creates="{{ossec_path}}"

    - name: Copy the Ossec_input file
      template: src=ossec_server_input.j2 dest="{{ossec_path}}/ossec_server_input.txt"

    - name: Install Ossec server
      shell: ./install.sh < ossec_server_input.txt
      args:
        chdir: "{{ossec_path}}"
        creates: /var/ossec/etc/ossec.conf

    - name: Start ossec server
      service: name=ossec state=started

    - name: Download Ossec web UI
      get_url: url="{{webui_url}}" dest="{{webui_path}}".tar.gz
   
    - name: Extract Ossec web UI code
      unarchive: copy=no src="{{webui_path}}".tar.gz dest="{{extract_path}}" creates="{{webui_install_path}}" 

    - name: Move the extracted web UI code to document root
      command: mv "{{webui_path}}" "{{webui_install_path}}"
      args:
        creates: "{{webui_install_path}}"

    - name: Copy the Ossec_webui_input file
      copy: src=ossec_webui_setup.sh dest="{{webui_install_path}}" mode=544

    - name: Install Ossec web UI
      shell: ./ossec_webui_setup.sh 
      args:
        chdir: /var/www/html/ossec
        creates: /var/www/html/ossec/.htpasswd

    - name: Create index.html to automatically redirect to /ossec
      copy: src=index.html dest="{{document_root}}" owner=root group=root mode=644
        
    - name: Ensure that apache service is running
      service: name=httpd state=started

The above playbook refers to following files:

  • index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
	<meta http-equiv="Refresh" content="0; URL=ossec" />
</head>
<body>
</body>
</html>
  • ossec_server_input.j2
en

server


{{ admin_email_address }}
{{ smtp_server_address }}


n
y



  • ossec_webui_setup.sh
#!/usr/bin/expect -f
 
spawn ./setup.sh

expect "Username:" 
send "saurabh\r"
expect "password:" 
send "rekall123\r"
expect "password:"
send "rekall123\r"
expect "user name"
send "apache\r"
expect "directory path"
send "/var/ossec\r"

expect "anything that will not be there krati is responsible"
send_user "$expect_out(buffer)"


OSSEC client installation

For ossec client installation hosts file should have host-group named ossec-client with names of all clients. Further IP address of all clients should be replaced in client_ips variable. Also remember to configure server_ip in server_ip variable.

---
  - name: Ossec agent installation on OSSEC server
    hosts: ossec-server
    remote_user: root
  
    vars:
      client_ips: 
        - 192.168.122.103
        - 192.168.122.104

    tasks:
    - name: Copy add_agent.sh script
      copy: src=add_agent.sh dest=/root/add_agent.sh mode=755 owner=root group=root

    - name: Add agent to the server
      shell: /root/add_agent.sh "{{item}}"
      with_items: client_ips
      notify: 
      - restart ossec
    
    - name: Get all client keys from OSSEC server to ansible server
      fetch: src=/var/ossec/etc/client.keys dest=/root/client.keys flat=yes
 
    handlers:
      - name: restart ossec
        service: name=ossec state=restarted


  - name: Ossec agent installation on OSSEC client
    hosts: ossec-client
    user: root

    vars:
      ossec_url: https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz
      ossec_path: /root/ossec-hids-2.8
      server_ip: 192.168.122.102
      ossec_manage_agent_input: /root/ossec_manage_agent_input.txt
      extract_path: /root

    tasks:
    - name: Install gcc postgres and mysql
      yum: name="{{item}}" state=present
      with_items:
        - gcc
        - postgresql-devel
        - mysql-devel
  
    - name: Download Ossec server/agent 
      get_url: url="{{ossec_url}}" dest="{{ossec_path}}".tar.gz
 
    - name: Extract Ossec server code
      unarchive: copy=no src="{{ossec_path}}".tar.gz dest="{{extract_path}}" creates="{{ossec_path}}"
 
    - name: Copy the Ossec_input file
      template: src=ossec_client_input.j2 dest="{{ossec_path}}/ossec_client_input.txt"
 
    - name: Install Ossec-agent
      shell: ./install.sh < ossec_client_input.txt 
      args:
        chdir: "{{ossec_path}}"
        creates: /var/ossec/etc/ossec.conf
 
    - name: Get the client key from server
      copy: src=/root/client.keys dest=/var/ossec/etc/client2.keys  
 
    - name: Extract only the key for current client
      shell: grep "{{ansible_default_ipv4.address}}" /var/ossec/etc/client2.keys > /var/ossec/etc/client.keys
 
    - name: Delete other client keys   
      file: name=/var/ossec/etc/client2.keys state=absent
 
    - name: Start Ossec server
      service: name=ossec state=started
 

This playbook requires following files:

  • add_agent.sh
#!/bin/bash

cat > ossec_agent_input.txt <<EOF
A
$1
$1

y
Q
EOF

/var/ossec/bin/manage_agents < ossec_agent_input.txt

rm -f ossec_agent_input.txt

exit 0
  • ossec_client_input.j2
en

agent
/var/ossec
{{ server_ip }}
y
y
y




<yambe:breadcrumb>OSSEC|OSSEC</yambe:breadcrumb>