I’ve uploaded OSSEC client and server roles to my github repository. Fully automating OSSEC was a challenge. I hope this play makes installing OSSEC much easier. I will describe the installation steps below.
Installation Steps
Requirements
CentOS operating system. It will work on other flavors of Linux with modification.
Preliminary Steps
You must generate the OSSEC server keys before you run any of these plays. The OSSEC server needs two keys: one private key and a public certificate. The play requires that these be placed in the files directory under the ossec-server role. The private key must be named ossec.key and the public certificate ossec.cer.
To generate them on your Ansible workstation (if you do not have a PKI), execute the following commands:
cd [play-root]/roles/ossec-server/files
openssl genrsa -out ossec.key 2048
openssl req -new -x509 -key ossec.key -out ossec.cer -days 365
Steps
Once the key files have been stored in the files directory, the play will run. You must run the ossec-server role first so that it is listening for client registrations.
The client role does not require any preliminary tasks. It can be installed as-is.
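As an added example (not from the repository described above), here is a site playbook that wires the two roles together in the required order and turns the preliminary step into a pre-flight check: it verifies on the controller that ossec.key and ossec.cer exist in roles/ossec-server/files and that the certificate was actually issued for that key, then runs the server role before the client role. The inventory group names ossec_servers and ossec_clients and the client role name ossec-client are assumptions.

```yaml
# Added example site.yml, not part of the repository described above.
# Assumptions: inventory groups "ossec_servers" and "ossec_clients", the client
# role is named "ossec-client", and openssl is installed on the Ansible controller.
---
- name: Pre-flight check for the OSSEC server key material
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    key_dir: "{{ playbook_dir }}/roles/ossec-server/files"
  tasks:
    - name: Stat the private key and the public certificate
      stat:
        path: "{{ key_dir }}/{{ item }}"
      loop:
        - ossec.key
        - ossec.cer
      register: key_files

    - name: Fail before touching any host if either file is missing
      assert:
        that:
          - key_files.results[0].stat.exists
          - key_files.results[1].stat.exists
        fail_msg: "Generate ossec.key and ossec.cer in {{ key_dir }} before running this play"

    # Both commands print "Modulus=<hex>", so equal output means a matching pair.
    - name: Read the RSA modulus from the key and from the certificate
      command: "openssl {{ item.cmd }} -noout -modulus -in {{ key_dir }}/{{ item.file }}"
      loop:
        - { cmd: rsa, file: ossec.key }
        - { cmd: x509, file: ossec.cer }
      register: moduli
      changed_when: false

    - name: Refuse to continue if ossec.cer was not issued for ossec.key
      assert:
        that: moduli.results[0].stdout == moduli.results[1].stdout
        fail_msg: "ossec.cer does not match ossec.key; regenerate the pair together"

- name: Install the OSSEC server first so ossec-authd is listening for registrations
  hosts: ossec_servers
  become: true
  roles:
    - ossec-server

- name: Install the agents only after the server accepts registrations
  hosts: ossec_clients
  become: true
  roles:
    - ossec-client
```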
Notes
These OSSEC plays are generic and I have added very little to them. There is one major configuration I’ve added and which you can easily remove if it doesn’t work for you. I’ve configured OSSEC to act as an intermediary between my network devices (switches, routers, etc.) and my central logging server. OSSEC receives these logs, stores them to a file, and then forwards them to the central log server. This way OSSEC can run its log rules engine on device logs.
If you don’t want this behavior, delete the last configuration setting in the ossec-server.conf.j2 file and do not add the syslog-ng-relay role to your OSSEC server.
The OSSEC client authorization daemon, ossec-authd, does not ship with a default init script when installed from the Atomic repository. I finally found one by Brad Lhotsky. This was very useful. Brad is also the author of a short OSSEC beginner’s guide called Instant OSSEC Host-based Intrusion Detection System. I bought it and found it helpful.
Categories: DevOps