Ansible OSSEC Role


I’ve uploaded OSSEC client and server roles to my github repository. Fully automating OSSEC was a challenge. I hope this play makes installing OSSEC much easier. I will describe the installation steps below.

Installation Steps

Requirements

CentOS operating system. It will work on other flavors of Linux with modification.

Preliminary Steps

You must generate the OSSEC server keys before you run any of these plays. The OSSEC server needs two files: a private key and a public certificate. The play requires that these be placed in the files directory under the ossec-server role. The private key must be named ossec.key and the public certificate ossec.cer.

To generate them on your Ansible workstation (if you do not have a PKI) execute the following commands:

  • cd [play-root]/roles/ossec-server/files
  • openssl genrsa -out ossec.key 2048
  • openssl req -new -x509 -key ossec.key -out ossec.cer -days 365

Steps

Once the key files have been stored in the files directory, the play will run. You must run the ossec-server role first so that it is listening for client registrations.

The client role does not require any preliminary tasks. It can be installed as-is.
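The preliminary key-generation steps above, as an added example that is not part of the original roles: a script that creates ossec.key and ossec.cer in the role's files directory and then checks that the certificate really belongs to that key, has not expired, and is not readable by other users. The subject name and the OSSEC_FILES_DIR variable are my own assumptions, not names used by the play.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or roles). Generates the key pair
# the ossec-server role expects and verifies it before Ansible is run.
set -euo pipefail

# Create ossec.key / ossec.cer in $1 (the role's files directory).
# $2 is the certificate lifetime in days; the post uses 365.
gen_ossec_keys() {
  local dir="$1" days="${2:-365}"
  mkdir -p "$dir"
  # umask 077 so the private key is created mode 0600 regardless of defaults.
  (umask 077; openssl genrsa -out "$dir/ossec.key" 2048 2>/dev/null)
  # Self-signed certificate; -subj makes this non-interactive.
  # The CN is a placeholder, assumed here and not taken from the post.
  openssl req -new -x509 -key "$dir/ossec.key" -out "$dir/ossec.cer" \
    -days "$days" -subj "/CN=ossec-server.example.invalid" 2>/dev/null
}

# Return 0 only if: the public key inside ossec.cer matches ossec.key,
# the certificate is currently valid, and the key has no group/other bits.
check_ossec_keys() {
  local dir="$1" key_pub cert_pub mode
  key_pub=$(openssl pkey -in "$dir/ossec.key" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$dir/ossec.cer" -pubkey -noout 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ] || return 1
  # -checkend 0 exits non-zero if the certificate has already expired.
  openssl x509 -in "$dir/ossec.cer" -checkend 0 -noout >/dev/null 2>&1 || return 1
  # Octal mode, GNU stat first, BSD stat as fallback; must end in "00".
  mode=$(stat -c '%a' "$dir/ossec.key" 2>/dev/null || stat -f '%Lp' "$dir/ossec.key")
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Usage: OSSEC_FILES_DIR=roles/ossec-server/files ./gen-ossec-keys.sh
if [ -n "${OSSEC_FILES_DIR:-}" ]; then
  gen_ossec_keys "$OSSEC_FILES_DIR"
  check_ossec_keys "$OSSEC_FILES_DIR" && echo "ossec.key and ossec.cer ready in $OSSEC_FILES_DIR"
fi
```

Run the check again before every play run: a key that has been copied around with loose permissions, or a certificate regenerated from a different key, fails it before the server role deploys a broken pair.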

Notes

These OSSEC plays are generic and I have added very little to them. There is one major configuration change I’ve added, which you can easily remove if it doesn’t work for you. I’ve configured OSSEC to act as an intermediary between my network devices (switches, routers, etc.) and my central logging server. OSSEC receives these logs, stores them to a file, and then forwards them to the central log server. This way OSSEC can run its log rules engine on device logs.

If you don’t want this behavior then delete the last configuration setting in the ossec-server.conf.j2 file and do not add the syslog-ng-relay role to your OSSEC server.

The OSSEC client authorization daemon ossec-authd does not come (from the Atomic repository) with a default init script. I finally found one by Brad Lhotsky. This was very useful. Brad is also the author of a short OSSEC beginner’s guide called the Instant OSSEC Host-based Intrusion Detection System. I bought it and found it helpful.



Categories: DevOps
