I’ve uploaded OSSEC client and server roles to my github repository. Fully automating OSSEC was a challenge. I hope this play makes installing OSSEC much easier. I will describe the installation steps below.
These roles were written for the CentOS operating system. They will work on other flavors of Linux with modification.
You must generate the OSSEC server keys before you run any of these plays. The OSSEC server needs two files: a private key and a public certificate. The play requires that these be placed in the files directory under the ossec-server role. The private key must be named ossec.key and the public certificate ossec.cer.
To generate them on your Ansible workstation (if you do not have a PKI) execute the following commands:
openssl genrsa -out ossec.key 2048
openssl req -new -x509 -key ossec.key -out ossec.cer -days 365
Once the key files have been stored in the files directory, the play will run. You must run the ossec-server role first so that it is listening for client registrations.
The client role does not require any preliminary tasks. It can be installed as-is.
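The steps above, as an added example that is not part of the roles in the repository: a small POSIX shell script that generates the server key pair non-interactively, verifies that ossec.cer really belongs to ossec.key and has not expired before Ansible ever sees it, and stages the pair under the ossec-server role. The certificate subject, the roles/ossec-server/files path and the playbook file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original roles. Generates, verifies and
# stages the OSSEC server key pair; paths and subject below are assumptions.
set -eu

# Generate a 2048-bit RSA key and a self-signed certificate valid 365 days.
# -subj avoids the interactive prompt; the CN is a constructed placeholder.
gen_ossec_keys() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ossec.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ossec.key" -out "$dir/ossec.cer" \
        -days 365 -subj "/CN=ossec-server.example.invalid" 2>/dev/null
    chmod 600 "$dir/ossec.key"
}

# Return 0 when ossec.cer carries the public key of ossec.key and has not
# expired; return 1 otherwise. Catches a copy-paste of the wrong key or an
# old certificate before the play ships it to the server.
verify_ossec_keys() {
    dir="$1"
    [ -r "$dir/ossec.key" ] && [ -r "$dir/ossec.cer" ] || return 1
    key_pub=$(openssl pkey -in "$dir/ossec.key" -pubout -outform PEM 2>/dev/null)
    cer_pub=$(openssl x509 -in "$dir/ossec.cer" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cer_pub" ] || return 1
    openssl x509 -in "$dir/ossec.cer" -noout -checkend 0 >/dev/null 2>&1
}

# Copy a verified pair into the role's files directory (assumed layout
# roles/ossec-server/files). Refuses to stage a pair that fails verification.
stage_ossec_keys() {
    src="$1"
    role_files="$2"
    verify_ossec_keys "$src" || return 1
    mkdir -p "$role_files"
    cp "$src/ossec.key" "$src/ossec.cer" "$role_files/"
    chmod 600 "$role_files/ossec.key"
}

# Usage (assumed playbook names): stage the keys, then run the server role
# before the client role so ossec-authd is listening for registrations.
#   gen_ossec_keys /tmp/ossec-keys
#   stage_ossec_keys /tmp/ossec-keys roles/ossec-server/files
#   ansible-playbook -i hosts ossec-server.yml
#   ansible-playbook -i hosts ossec-client.yml
```

The private key is kept at mode 600 both where it is generated and where it is staged, since the files directory of a role is often committed to version control by accident; keep ossec.key out of the repository.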
These OSSEC plays are generic and I have added very little to them. There is one major configuration I’ve added, which you can easily remove if it doesn’t work for you. I’ve configured OSSEC to act as an intermediary between my network devices (switches, routers, etc.) and my central logging server. OSSEC receives these logs, stores them to a file, and then forwards them to the central log server. This way OSSEC can run its log rules engine on device logs.
If you don’t want this behavior then delete the last configuration setting in the ossec-server.conf.j2 file and do not add the syslog-ng-relay role to your OSSEC server.
The OSSEC client authorization daemon ossec-authd does not come (from the Atomic repository) with a default init script. I finally found one by Brad Lhotsky. This was very useful. Brad is also the author of a short OSSEC beginner’s guide called the Instant OSSEC Host-based Intrusion Detection System. I bought it and found it helpful.