OSSEC Installation on DEBIAN HARDY 5.0

dychen

Sep 16, 2009, 1:34:31 AM
to ossec-list
This is the step by step I used to install OSSEC on DEBIAN 5

Also created scripts to copy client.keys so it can be processed and separated
for the Windows automated installation

# commented lines - do not try to use on commandline
#DEBIAN - 5 HARDY
#Assumed you have a DEBIAN install running - these are the commands to get it up and running in about 20mins

-----//start install//-----
passwd root
su

cd /
mkdir src
cd src

apt-get install ssh
apt-get install gcc

#now you can log in via putty or a remote ssh client

apt-get install build-essential
apt-get install sleuthkit
apt-get install samba smbfs
apt-get install mysql-server

apt-get install apache2 libapache2-mod-php5
apt-get install php5 libapache2-mod-php5
apt-get install php5-cli
apt-get install php5-cgi
apt-get install php5-mysql


/etc/init.d/apache2 restart

wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
wget http://www.ossec.net/files/ossec-hids-latest_sum.txt
cat ossec-hids-latest_sum.txt
#md5sum ossec-hids-latest.tar.gz
#sha1sum ossec-hids-latest.tar.gz
tar -zxvf ossec-hids-*.tar.gz
#updated to 2.2 through copying to /mnt/remote_logs after all installations have happened
cd ossec-hids-*
./install.sh
#- running ossec setup --- en, server, /var/ossec, y, na...@email.com,
n, mail.server.name, y,y,y,y,n,y, enter

/var/ossec/bin/ossec-control start

cd /var/www
wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
wget http://www.ossec.net/files/ui/ossec-wui-0.3-checksum.txt
md5sum -c ossec-wui-0.3-checksum.txt
sha1sum -c ossec-wui-0.3-checksum.txt

tar -zxvf ossec-wui-0.3.tar.gz
mv ossec-wui-0.3 ossec
#wait 5 sec
cd ossec
./setup.sh

#remember your username and password

usermod -a -G ossec www-data
cat /etc/group |grep ossec

chmod 770 tmp/
chgrp www-data tmp/

apache2ctl restart

/var/ossec/bin/manage_agents

#apt-get install arpwatch <- if you want to watch arp addresses

apt-get install snort
chown -R snort:snort /etc/snort/rules

#install oinkmaster to update snort rules
apt-get install oinkmaster

#license code
#register with snort and get your code <- no hash
vi /etc/oinkmaster.conf under 2.2
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<snort code>/snortrules-snapshot-2.8.tar.gz
#paste at end of file
modifysid * "^alert" | "drop"
#WRITE AND EXIT OINKMASTER.CONF

mkdir /etc/snort/backup
useradd oinkmaster
chown -R oinkmaster /etc/snort/backup
chown -R oinkmaster /etc/snort/rules
chown -R oinkmaster /var/run/oinkmaster
chmod 644 /etc/snort/snort.conf
oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1
ls /etc/snort/backup #to see backup snort rules
crontab -e -u oinkmaster
#insert line (user crontab, so no user field)
30 00 * * * oinkmaster -o /etc/snort/rules -b /etc/snort/backup > /dev/null 2>&1

chmod +w /var/ossec/etc/ossec.conf

vi /var/ossec/etc/ossec.conf

#insert this at the end of file (ossec.conf accepts a second <ossec_config> block, so the
#localfile entry must be wrapped in one rather than placed after the closing tag)
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</ossec_config>

vi /etc/crontab
#insert this at the end of file
00 0 * * * root apt-get -y upgrade
#-y so the job does not stop at the confirmation prompt when run from cron

#I created a share on a windows box for backup reasons and to allow me to run the automated windows install.
#so with smbmount make sure you use your servername and share point

pico /var/ossec/etc/copykeys
#this creates a webpage that has the client keys if required
#add the following lines

#!/bin/sh
smbmount //server/share /mnt/remote_logs -o username=logaccount,password=Password1
echo "<html>" >/var/www/ossec/keys.html
echo "<body>" >>/var/www/ossec/keys.html
echo "<pre>" >>/var/www/ossec/keys.html
cat /var/ossec/etc/client.keys >>/var/www/ossec/keys.html
echo "</pre>" >>/var/www/ossec/keys.html
echo "</body>" >>/var/www/ossec/keys.html
echo "</html>" >>/var/www/ossec/keys.html
#the web server only needs to read the page, so no write bit for group/other
chmod 644 /var/www/ossec/keys.html
rm -f /mnt/remote_logs/ossec/keys/client.keys
#absolute path, since the script is run from an alias and not from /var/ossec/etc
cp /var/ossec/etc/client.keys /mnt/remote_logs/ossec/keys/client.keys

#exit file

chmod 755 /var/ossec/etc/copykeys
#now if you run /var/ossec/etc/copykeys you should be able to open the webpage http://<ossecserver>/ossec/keys.html, which will show you your keys

#set up aliases
pico ~/.profile
#add these lines to the end
alias addagent="/var/ossec/bin/manage_agents"
alias restartossec="/var/ossec/bin/ossec-control restart"
alias restartweb="apache2ctl restart"
alias copykeys="/var/ossec/etc/copykeys"

mkdir /mnt/remote_logs

#create file /var/www/ossec/backuplogs - copy next lines
#!/bin/sh
smbmount //server/share /mnt/remote_logs -o username=logaccount,password=Password1
cp -r -u /var/ossec/logs/* /mnt/remote_logs/ossec
chmod 755 /var/www/ossec/backuplogs
pico /etc/crontab
#insert line
00 1 * * * root /var/www/ossec/backuplogs

----//end config//-----

When you log out and back in the aliases will be set up

addagent will shortcut you to install agents

for the next part of the script you will need to set up all your agents
on the OSSEC server, and the agent names must be the computername
they will be installed on, so the extractkeys script can set them up for
the automated get.

------//end linux side//--------------


Windows Automated install of OSSEC agent

Create a share for your smbmount and create an extractkeys.cmd file and
insert this line in it

for /f "tokens=1-4 delims= " %%a in (client.keys) do echo %%a %%b %%c %%d>%%b.txt

this will rip through the client.keys file that was copied via the
"copykeys" script from the OSSEC server and generate %computername%.txt
files ready for the auto install part

I used the "AutoIT" scripting tool to create a macro that will do an
installation of the OSSEC 2.2 agent - install AutoIT and SciTE so you
can compile this into an .exe

You need to copy the ossec 2.2 agent installer to the server share and
rename it to just ossec.exe

In the following script you need to modify the following 3 lines to
reflect the OSSEC server and the fileshare
ClipPut("<ossecserver FQDN>")
Run('\\server\share\ossec\keys\ossec.exe')
FileCopy("\\server\share\ossec\keys\" & @computername & ".txt", "c:\program files\ossec-agent\client.keys", 8)

----//start ossecinstall.au3//------
Opt("WinWaitDelay",100)
Opt("WinTitleMatchMode",4)
Opt("WinDetectHiddenText",1)
Opt("MouseCoordMode",0)
ClipPut("<ossecserver FQDN>")
Run('\\server\share\ossec\keys\ossec.exe')
WinWait("Ossec HIDS Windows Agent v2.2 Setup","Welcome to the Ossec")
If Not WinActive("Ossec HIDS Windows Agent v2.2 Setup","Welcome to the Ossec") Then WinActivate("Ossec HIDS Windows Agent v2.2 Setup","Welcome to the Ossec")
WinWaitActive("Ossec HIDS Windows Agent v2.2 Setup","Welcome to the Ossec")
Send("{SPACE}")
WinWait("Ossec HIDS Windows Agent v2.2 Setup ","Copyright (C) 2009 T")
If Not WinActive("Ossec HIDS Windows Agent v2.2 Setup ","Copyright (C) 2009 T") Then WinActivate("Ossec HIDS Windows Agent v2.2 Setup ","Copyright (C) 2009 T")
WinWaitActive("Ossec HIDS Windows Agent v2.2 Setup ","Copyright (C) 2009 T")
Send("{ALTDOWN}a{ALTUP}{ALTDOWN}n{ALTUP}{ALTDOWN}i{ALTUP}")
WinWait("OSSEC Agent Manager","Agent: Auth key not ")
If Not WinActive("OSSEC Agent Manager","Agent: Auth key not ") Then WinActivate("OSSEC Agent Manager","Agent: Auth key not ")
WinWaitActive("OSSEC Agent Manager","Agent: Auth key not ")
Send("{CTRLDOWN}v{CTRLUP}")
Sleep(1000)
FileCopy("\\server\share\ossec\keys\" & @computername & ".txt", "c:\program files\ossec-agent\client.keys", 8)
Sleep(1000)
Send("{ALTDOWN}s{ALTUP}{ALTDOWN}me")
WinWait("Ossec HIDS Windows Agent v2.2 Setup ","Completing the Ossec")
If Not WinActive("Ossec HIDS Windows Agent v2.2 Setup ","Completing the Ossec") Then WinActivate("Ossec HIDS Windows Agent v2.2 Setup ","Completing the Ossec")
WinWaitActive("Ossec HIDS Windows Agent v2.2 Setup ","Completing the Ossec")
Send("{ALTDOWN}f{ALTUP}")
Send("{SPACE}")
----//end ossecinstall.au3//----

Once you have modified the .au3, compile it to an .exe and you have an
automated installer

This script will go to \\server\share and grab the key file for
the computername after it has set up the agent

Works for me
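An added example, not part of dychen's post: a small POSIX shell function that checks a downloaded OSSEC tarball against the SHA-1 from the _sum.txt file before extracting it. The post downloads the sum file and prints it for a manual comparison; this makes the comparison explicit and refuses to unpack on a mismatch. The expected hash is passed in by the caller (copied out of the sum file, whose layout the post does not show, so it is not parsed here); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): verify a tarball's SHA-1 before extracting.
# Exit codes: 0 = hash matches, 1 = mismatch, 2 = file missing.

verify_sha1() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # sha1sum prints "<hash>  <file>"; keep only the hash
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    # normalise the expected value so a hash copied from the sum file with
    # uppercase letters or stray whitespace still compares correctly
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# Extract only when the hash matches; the verify exit code is passed through
# so a caller (or a script run with set -e) stops on a bad download.
verified_extract() {
    verify_sha1 "$1" "$2" || return $?
    tar -zxf "$1"
}

# usage: verified_extract ossec-hids-latest.tar.gz <sha1 from ossec-hids-latest_sum.txt>
if [ "$#" -eq 2 ]; then
    verified_extract "$1" "$2"
fi
```

The same shape works for the MD5 line in the sum file by swapping `sha1sum` for `md5sum`; checking the stronger of the two hashes the project publishes is enough.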
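Also added, and not from the post: a server-side shell version of the per-agent split that the extractkeys.cmd batch loop performs on the Windows side. It reads client.keys in the layout the post relies on (one agent per line: id, name, ip, key), validates the agent name before using it as a file name so a name cannot point outside the output directory, and writes each <name>.txt readable by its owner only into a directory the caller chooses rather than under /var/www. The function name, paths and sample keys below are mine.

```shell
#!/bin/sh
# Added example (not from the post): split client.keys into one
# <agentname>.txt per agent, with owner-only permissions and name validation.
# client.keys line layout assumed here: <id> <name> <ip> <key>
# Prints the number of files written.

split_client_keys() {
    keys_file="$1"
    out_dir="$2"
    old_umask=$(umask)
    umask 077                        # new dir 0700, new files 0600
    mkdir -p "$out_dir"
    rm -f "$out_dir"/*.txt           # drop files for agents removed since last run
    count=0
    while IFS=' ' read -r id name ip key; do
        # skip blank lines and commented-out entries
        case "$id" in ''|'#'*) continue ;; esac
        # the name becomes a file name: allow only letters, digits, dot, underscore, dash
        case "$name" in ''|*[!A-Za-z0-9._-]*)
            echo "skipping agent $id: unsafe name '$name'" >&2
            continue ;;
        esac
        if [ -z "$key" ]; then
            echo "skipping agent $id: missing key" >&2
            continue
        fi
        printf '%s %s %s %s\n' "$id" "$name" "$ip" "$key" > "$out_dir/$name.txt"
        count=$((count + 1))
    done < "$keys_file"
    umask "$old_umask"
    echo "$count"
}

# usage: splitkeys.sh /var/ossec/etc/client.keys /srv/ossec-keys   (hypothetical paths)
if [ "$#" -eq 2 ]; then
    split_client_keys "$1" "$2"
fi
```

Run from the copykeys step, the output directory can be copied to the share in place of the whole client.keys file, so each Windows host's installer only ever sees its own key, and nothing needs to be published as a web page.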