Automated OSSEC installation using ansible
ossec-server role
Automated OSSEC server installation using Ansible roles can be done with the ossec-server role as follows:
Create roles/ossec-server/{files,handlers,tasks,templates,vars} folders using:
mkdir -p roles/ossec-server/{files,handlers,tasks,templates,vars}
Change directory to roles/ossec-server folder:
cd roles/ossec-server
Create files/add_agent.sh with the following contents:
#!/bin/bash
# Feeds manage_agents the answers needed to add one agent:
#   A             add an agent
#   $1            agent name (hostname)
#   $2            agent IP address
#   (empty line)  accept the agent ID proposed by manage_agents
#   y             confirm
#   Q             quit manage_agents
cat > ossec_agent_input.txt <<EOF
A
$1
$2

y
Q
EOF
/var/ossec/bin/manage_agents < ossec_agent_input.txt
rm -f ossec_agent_input.txt
# Always exits 0, so a refused add (for example a duplicate name or IP)
# does not fail the Ansible task that calls this script.
exit 0
Create files/index.html with the following contents:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
    <meta http-equiv="Refresh" content="0; URL=ossec" />
  </head>
  <body>
  </body>
</html>
Create files/ossec_webui_setup.sh with the following contents:
#!/usr/bin/expect -f
# Answers the prompts of the ossec-wui setup.sh non-interactively.
# The web UI username and password are embedded here in clear text.
spawn ./setup.sh
expect "Username:"
send "saurabh\r"
expect "password:"
send "rekall123\r"
expect "password:"
send "rekall123\r"
expect "user name"
send "apache\r"
expect "directory path"
send "/var/ossec\r"
# This string never appears, so expect waits for its timeout while
# setup.sh finishes, then prints whatever output it produced.
expect "anything that will not be there krati is responsible"
send_user "$expect_out(buffer)"
Create handlers/main.yaml with the following contents:
---
- name: restart ossec
  service: name=ossec state=restarted
Create tasks/main.yaml with the following contents:
---
- name: Install necessary packages - gcc, postgresql-devel, mysql-devel, php and expect
  yum: name="{{item}}" state=present
  with_items:
    - gcc
    - postgresql-devel
    - mysql-devel
    - php
    - expect
    - httpd

- name: Download Ossec server/agent
  get_url: url="{{ossec_url}}" dest="{{ossec_path}}".tar.gz

- name: Extract Ossec server code
  unarchive: copy=no src="{{ossec_path}}".tar.gz dest="{{extract_path}}" creates="{{ossec_path}}"

- name: Copy the Ossec_input file
  template: src=ossec_server_input.j2 dest="{{ossec_path}}/ossec_server_input.txt"

# install.sh reads its answers from the rendered input file; "creates"
# keeps the installer from running again on an already installed server.
- name: Install Ossec server
  shell: ./install.sh < ossec_server_input.txt
  args:
    chdir: "{{ossec_path}}"
    creates: /var/ossec/etc/ossec.conf

- name: Start ossec server
  service: name=ossec state=started

- name: Download Ossec web UI
  get_url: url="{{webui_url}}" dest="{{webui_path}}".tar.gz

- name: Extract Ossec web UI code
  unarchive: copy=no src="{{webui_path}}".tar.gz dest="{{extract_path}}" creates="{{webui_install_path}}"

- name: Move the extracted web UI code to document root
  command: mv "{{webui_path}}" "{{webui_install_path}}"
  args:
    creates: "{{webui_install_path}}"

# This expect script carries the web UI username and password in clear
# text and is placed under the document root, so remove it once setup has run.
- name: Copy the Ossec_webui_input file
  copy: src=ossec_webui_setup.sh dest="{{webui_install_path}}" mode=544

- name: Install Ossec web UI
  shell: ./ossec_webui_setup.sh
  args:
    chdir: /var/www/html/ossec
    creates: /var/www/html/ossec/.htpasswd

- name: Create index.html to automatically redirect to /ossec
  copy: src=index.html dest="{{document_root}}" owner=root group=root mode=644

- name: Ensure that apache service is running
  service: name=httpd state=started

# Tasks related to configuring client keys
- name: Copy add_agent.sh script
  copy: src=add_agent.sh dest=/root/add_agent.sh mode=755 owner=root group=root

# Runs add_agent.sh once per entry of ossec_client_ips on every play; the
# handler restarts OSSEC so the server reads the updated client.keys.
- name: Add agent to the server
  shell: /root/add_agent.sh "{{item.hostname}}" "{{item.ip}}"
  with_items: "{{ ossec_client_ips }}"
  notify:
    - restart ossec

# client.keys (holding every agent's key) lands on the Ansible host at
# fetched/<inventory hostname>/var/ossec/etc/client.keys; the ossec-client
# role expects the server to be in the inventory by IP (ossec_server_ip).
- name: Get all client keys from OSSEC server to ansible server
  fetch: src=/var/ossec/etc/client.keys dest=fetched
Create templates/ossec_server_input.j2 with the following contents:
en

server


{{ admin_email_address }}
{{ smtp_server_address }}


n
y


Do not remove the empty lines from this file. The file is redirected into install.sh, and each empty line answers one prompt by accepting its default (for example the "Press ENTER to continue" prompts), so the empty lines are necessary for the corresponding input confirmation.
Create vars/main.yaml with the following contents:
---
ossec_url: https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz
ossec_path: /root/ossec-hids-2.8
webui_url: http://www.ossec.net/files/ossec-wui-0.8.tar.gz
webui_path: /root/ossec-wui-0.8
webui_install_path: /var/www/html/ossec
extract_path: /root
document_root: /var/www/html
Note that a newer version of OSSEC might be available; it may make sense to set up a newer OSSEC server by replacing the URLs and values above.
Finally, the following additional variables should be defined at a central location (e.g. common_vars), in the vars file of the ossec-server role, or in the playbook.
admin_email_address: logs@example.com
smtp_server_address: smtp.example.com
ossec_client_ips:
  - { hostname: ca.sbarjatiya.com, ip: 10.4.20.150 }
  - { hostname: ns1.sbarjatiya.com, ip: 10.4.20.151 }
The SMTP server must accept mail from the OSSEC server without asking for authentication (Postfix trusted networks, etc.), at least for mail addressed to admin_email_address. The ossec_client_ips list must contain every client that will be monitored by this ossec-server. The OSSEC server itself must not appear in ossec_client_ips: it cannot, and need not, be added as an agent of itself.
ossec-client role
Automated OSSEC client installation using Ansible roles can be done with the ossec-client role as follows:
Create roles/ossec-client/{tasks,templates,vars} folders using:
mkdir -p roles/ossec-client/{tasks,templates,vars}
Change directory to roles/ossec-client folder:
cd roles/ossec-client
Create tasks/main.yaml with the following contents:
---
- name: Install gcc postgres and mysql
  yum: name="{{item}}" state=present
  with_items:
    - gcc
    - postgresql-devel
    - mysql-devel

- name: Download Ossec server/agent
  get_url: url="{{ossec_url}}" dest="{{ossec_path}}".tar.gz

- name: Extract Ossec server code
  unarchive: copy=no src="{{ossec_path}}".tar.gz dest="{{extract_path}}" creates="{{ossec_path}}"

- name: Copy the Ossec_input file
  template: src=ossec_client_input.j2 dest="{{ossec_path}}/ossec_client_input.txt"

- name: Install Ossec-agent
  shell: ./install.sh < ossec_client_input.txt
  args:
    chdir: "{{ossec_path}}"
    creates: /var/ossec/etc/ossec.conf

# The file fetched by the ossec-server role holds the keys of all agents;
# it is copied aside here and reduced to this host's own line below.
- name: Get the client key from server
  copy: src="fetched/{{ossec_server_ip}}/var/ossec/etc/client.keys" dest=/var/ossec/etc/client2.keys

# grep -F -w matches the address as a whole word, so 10.4.20.15 does not
# also select 10.4.20.150, and the dots are not treated as regex wildcards.
- name: Extract only the key for current client
  shell: grep -F -w "{{ansible_default_ipv4.address}}" /var/ossec/etc/client2.keys > /var/ossec/etc/client.keys

- name: Delete other client keys
  file: name=/var/ossec/etc/client2.keys state=absent

- name: Start Ossec agent
  service: name=ossec state=restarted
Create templates/ossec_client_input.j2 with the following contents:
en

agent
/var/ossec
{{ ossec_server_ip }}
y
y
y


Do not remove the empty lines from this file. The file is redirected into install.sh, and each empty line answers one prompt by accepting its default (for example the "Press ENTER to continue" prompts), so the empty lines serve the very important purpose of input confirmation.
Create vars/main.yaml with the following contents:
---
ossec_url: http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
ossec_path: /root/ossec-hids-2.8.2
ossec_manage_agent_input: /root/ossec_manage_agent_input.txt
extract_path: /root
If a newer version of OSSEC is available, then the paths and URLs can be changed accordingly. Note that the input file may also need to change if the installer's prompts have changed. Typically newer clients can connect to an older server (2.8.2 clients to a 2.8 server) without any issue.
The following variable must be defined in common_vars, in the ossec-client role, or in the playbook that applies the ossec-client role:
ossec_server_ip: 10.4.20.153