Automated OSSEC installation using ansible
From Notes_Wiki
<yambe:breadcrumb>OSSEC|OSSEC</yambe:breadcrumb>
Automated OSSEC installation using ansible
OSSEC server installation
For server installation following playbook can be used:
--- - name: Ossec server installation hosts: ossec-server remote_user: root vars: ossec_url: https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz ossec_path: /root/ossec-hids-2.8 webui_url: http://www.ossec.net/files/ossec-wui-0.8.tar.gz webui_path: /root/ossec-wui-0.8 webui_install_path: /var/www/html/ossec extract_path: /root document_root: /var/www/html admin_email_address: saurabh@rekallsoftware.com smtp_server_address: smtp.admin.iiit.ac.in tasks: - name: Install necessary packages - gcc, postgresql-devel, mysql-devel, php and expect yum: name="{{item}}" state=present with_items: - gcc - postgresql-devel - mysql-devel - php - expect - httpd - name: Download Ossec server/agent get_url: url="{{ossec_url}}" dest="{{ossec_path}}".tar.gz - name: Extract Ossec server code unarchive: copy=no src="{{ossec_path}}".tar.gz dest="{{extract_path}}" creates="{{ossec_path}}" - name: Copy the Ossec_input file template: src=ossec_server_input.j2 dest="{{ossec_path}}/ossec_server_input.txt" - name: Install Ossec server shell: ./install.sh < ossec_server_input.txt args: chdir: "{{ossec_path}}" creates: /var/ossec/etc/ossec.conf - name: Start ossec server service: name=ossec state=started - name: Download Ossec web UI get_url: url="{{webui_url}}" dest="{{webui_path}}".tar.gz - name: Extract Ossec web UI code unarchive: copy=no src="{{webui_path}}".tar.gz dest="{{extract_path}}" creates="{{webui_install_path}}" - name: Move the extracted web UI code to document root command: mv "{{webui_path}}" "{{webui_install_path}}" args: creates: "{{webui_install_path}}" - name: Copy the Ossec_webui_input file copy: src=ossec_webui_setup.sh dest="{{webui_install_path}}" mode=544 - name: Install Ossec web UI shell: ./ossec_webui_setup.sh args: chdir: /var/www/html/ossec creates: /var/www/html/ossec/.htpasswd - name: Create index.html to automatically redirect to /ossec copy: src=index.html dest="{{document_root}}" owner=root group=root mode=644 - name: Ensure that apache service is running service: name=httpd state=started
The above playbook refers to following files:
- index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-type" content="text/html;charset=UTF-8" /> <meta http-equiv="Refresh" content="0; URL=ossec" /> </head> <body> </body> </html>
- ossec_server_input.j2
en server {{ admin_email_address }} {{ smtp_server_address }} n y
- ossec_webui_setup.sh
#!/usr/bin/expect -f spawn ./setup.sh expect "Username:" send "saurabh\r" expect "password:" send "rekall123\r" expect "password:" send "rekall123\r" expect "user name" send "apache\r" expect "directory path" send "/var/ossec\r" expect "anything that will not be there krati is responsible" send_user "$expect_out(buffer)"
OSSEC client installation
For ossec client installation hosts file should have host-group named ossec-client with names of all clients. Further IP address of all clients should be replaced in client_ips variable. Also remember to configure server_ip in server_ip variable.
--- - name: Ossec agent installation on OSSEC server hosts: ossec-server remote_user: root vars: client_ips: - 192.168.122.103 - 192.168.122.104 tasks: - name: Copy add_agent.sh script copy: src=add_agent.sh dest=/root/add_agent.sh mode=755 owner=root group=root - name: Add agent to the server shell: /root/add_agent.sh "{{item}}" with_items: client_ips notify: - restart ossec - name: Get all client keys from OSSEC server to ansible server fetch: src=/var/ossec/etc/client.keys dest=/root/client.keys flat=yes handlers: - name: restart ossec service: name=ossec state=restarted - name: Ossec agent installation on OSSEC client hosts: ossec-client user: root vars: ossec_url: https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz ossec_path: /root/ossec-hids-2.8 server_ip: 192.168.122.102 ossec_manage_agent_input: /root/ossec_manage_agent_input.txt extract_path: /root tasks: - name: Install gcc postgres and mysql yum: name="{{item}}" state=present with_items: - gcc - postgresql-devel - mysql-devel - name: Download Ossec server/agent get_url: url="{{ossec_url}}" dest="{{ossec_path}}".tar.gz - name: Extract Ossec server code unarchive: copy=no src="{{ossec_path}}".tar.gz dest="{{extract_path}}" creates="{{ossec_path}}" - name: Copy the Ossec_input file template: src=ossec_client_input.j2 dest="{{ossec_path}}/ossec_client_input.txt" - name: Install Ossec-agent shell: ./install.sh < ossec_client_input.txt args: chdir: "{{ossec_path}}" creates: /var/ossec/etc/ossec.conf - name: Get the client key from server copy: src=/root/client.keys dest=/var/ossec/etc/client2.keys - name: Extract only the key for current client shell: grep "{{ansible_default_ipv4.address}}" /var/ossec/etc/client2.keys > /var/ossec/etc/client.keys - name: Delete other client keys file: name=/var/ossec/etc/client2.keys state=absent - name: Start Ossec server service: name=ossec state=started
This playbook requires following files:
- add_agent.sh
#!/bin/bash cat > ossec_agent_input.txt <<EOF A $1 $1 y Q EOF /var/ossec/bin/manage_agents < ossec_agent_input.txt rm -f ossec_agent_input.txt exit 0
- ossec_client_input.j2
en agent /var/ossec {{ server_ip }} y y y
<yambe:breadcrumb>OSSEC|OSSEC</yambe:breadcrumb>