• Centos 6 下安装 OSSEC-2.8.1 (一)

    ossec -2.8.1 安装:

    ## 1 ) 安装依赖包:
	RedHat / Centos / Fedora / Amazon Linux
	yum install -y pcre mysql mysql-server httpd php wget gcc make mysql-devel php-mysql sendmail
	
	yum install zlib-devel pcre2-devel make gcc zlib-devel pcre2-devel sqlite-devel openssl-devel libevent-devel
	yum install mysql-devel postgresql-devel


	for i in {httpd,mysqld,sendmail}; do service $i restart; done


## 2 )安装Mysql并创建用户和导入sql:
	mysql -uroot -p
	mysql> create database ossec;
	mysql> CREATE USER 'ossec'@'localhost';
	mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
	mysql> set password for ossec@localhost =PASSWORD('ossec');
	mysql> flush privileges;
	mysql> exit

## 3 ) 下载OSsec-2.8.1 安装包: 
	wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz 
	tar zxf 2.8.1.tar.gz ; cd ossec-hids-2.8.1
 
   3.1 )让OSSEC支持MySQL:
	cd src; make setdb;cd ..

	[root@bj-check src]# make setdb;cd ..
	Info: Compiled with MySQL support.
	Info: Compiled with PostgreSQL support.

    avatar

       3.2 )  导入sql文件:
   cd /data/src/ossec-hids-2.8.1/
   mysql -u ossec -p ossec < ./src/os_dbd/mysql.schema

## 4 ) 开始安装ossec:

   4.1 ) 安装过程:
	执行install.sh
	[root@bj-check ossec-hids-2.8.1]# ./install.sh

    avatar
    avatar
    avatar
    avatar

      4.2 ) 安装好服务端之后,还需要配置,执行下面命令启用数据库支持:
         /var/ossec/bin/ossec-control enable database


## 5 ) 配置ossec:
	cd /var/ossec/etc;
	chmod u+w /var/ossec/etc/ossec.conf

	 5.1)  添加可收集的网段:
	  由于服务端安装过程中设置了支持接受远程机器的syslog,所以需要对ossec.conf文件中的syslog部分进行配置
	  修改ossec.conf文件,将需要收集的网段全添加进去。(配置后的ossec.conf)

	  <remote>
		<connection>syslog</connection>
		<allowed-ips>192.168.0.0/16</allowed-ips>
		<allowed-ips>10.0.0.0/16</allowed-ips>
		<allowed-ips>172.0.0.0/16</allowed-ips>
		<allowed-ips>192.0.0.0/16</allowed-ips>
	  </remote>
	  
	  
	  5.2) 添加支持Mysql配置:
		<database_output>
		<hostname>localhost</hostname>
		<username>ossec</username>
		<password>ossec</password>
		<database>ossec</database>
		<type>mysql</type>
	  </database_output>
	  
	  ...... 保存退出

    avatar

    ## 6 )  启动ossec :

	[root@bj-check html]# /var/ossec/bin/ossec-control start
	Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
	Started ossec-maild...
	Started ossec-execd...
	Started ossec-analysisd...
	Started ossec-logcollector...
	Started ossec-remoted...
	Started ossec-syscheckd...
	Started ossec-monitord...
	Completed.

    avatar

    ## 7 ) 添加ossec 客户端并生成key:
在服务端上添加客户端的信息,按照要求来输入:

[root@bj-check ossec]# /var/ossec/bin/manage_agents


****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use 'q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: ossec-agent
   * The IP Address of the new agent: 192.168.26.252
   * An ID for the new agent[001]: 001
Agent information:
   ID:001
   Name:ossec-agent
   IP Address:192.168.26.252

Confirm adding it?(y/n): y
Agent added.


****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents: 
   ID: 001, Name: ossec-agent, IP: 192.168.26.252
Provide the ID of the agent to extract the key (or 'q' to quit): 001

Agent key information for '001' is: 
MDAxIG9zc2VjLWFnZW50IDE5Mi4xNjguMjYuMjUyIDA5YjQyOWZkYzlhOThmOTMyNGZkY2U4MWJmNDY5ZmRhMzU5YzU4Y2E0MDM4ODY4OWZlNWJlNjM4OWU3ZGMyY2Y=

** Press ENTER to return to the main menu.


#### Key的作用是在客户端中导入并使得服务端与客户端达到联动的效果,这里记得把密钥复制一下保存起来。

查看ossec服务端的状态
[root@bj-check ossec]# /var/ossec/bin/agent_control -lc

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: bj-check (server), IP: 127.0.0.1, Active/Local

    进入安装步骤,执行install.sh脚本,同时按照下面的信息进行填写,红色部分是我们需要输入的,其余部分按回车继续即可:
    avatar

    一开始装的是目前最稳定的3.6.0版本,但是make不支持mysql,一直报错:make: *** 没有规则可以创建目标“setdb”。 查阅文档发现从3.0.0版本开始,编译方式不一样,也参考过使用make TARGET=server DATABASE=mysql install,但是还是会提示OSSEC not compiled with support for 'mysql',只能用回2.8.1的版本)

    安装web界面:

     cd /data/src/
 wget https://github.com/ossec/ossec-wui/archive/0.9.tar.gz
 tar -zxf 0.9.tar.gz;cd ossec-wui-0.9
 cd ossec-wui-0.9/;./setup.sh

    avatar

    # 配置httpd 文件:
vim /etc/httpd/conf.d/ossec.conf

Alias ossec/ "/var/www/html/ossec/"
<Directory "/var/www/html/ossec/">
AuthName "OSSEC AUTH"
Require valid-user
AuthType Basic
AuthUserFile /var/www/html/ossec/.htpasswd
</Directory>

# 复制文件到代码目录:
cp -rf ossec-wui-0.9 /var/www/html/ossec

# 重启httpd:
/etc/init.d/httpd restart

# 访问web页面:
http://ip/ossec   |  admin  |  123456 

# 问题:
web 页面需要对/var/ossec 安装目录有可读权限, 要不然apache 读不到数据,会出错.
chmod -R 777 /var/ossec/

    avatar

    安装agent(client 端操作):

    1 ) 安装ossec agent 程序:
	wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz 
	tar zxf 2.8.1.tar.gz ; cd ossec-hids-2.8.1
	
2 ) 开始安装ossec agent:	
    ./install.sh

     [root@bj-mt1 ossec-hids-2.8.1]#  ./install.sh
  ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español , eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします.選択して下さい.[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском ,введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn
 OSSEC HIDS v2.8 安装脚本 - http://www.ossec.net
 
 您将开始 OSSEC HIDS 的安装.
 请确认在您的机器上已经正确安装了 C 编译器.
 如果您有任何疑问或建议,请给 dcid@ossec.net (或 daniel.cid@gmail.com) 发邮件.
 
  - 系统类型: Linux bj-mt1 2.6.32-754.17.1.el6.centos.plus.x86_64
  - 用户: root
  - 主机: bj-mt1


  -- 按 ENTER 继续或 Ctrl-C 退出. --


1- 您希望哪一种安装 (server, agent, local or help)? agent

  - 选择了 Agent(client) 类型的安装.

2- 正在初始化安装环境.

 - 请选择 OSSEC HIDS 的安装路径 [/var/ossec]: 

    - OSSEC HIDS 将安装在  /var/ossec .

3- 正在配置 OSSEC HIDS.

  3.1- 请输入 OSSEC HIDS 服务器的IP地址或主机名: 10.20.0.197

   - 添加服务器IP  10.20.0.197

  3.2- 您希望运行系统完整性检测模块吗? (y/n) [y]: y

   - 系统完整性检测模块将被部署.

  3.3- 您希望运行 rootkit检测吗? (y/n) [y]: y

   - rootkit检测将被部署.

  3.4 - 您希望开启联动(active response)功能吗? (y/n) [y]: y

5- 正在安装系统
 - 正在运行Makefile
INFO: Little endian set.
..........

    avatar

    3 ) 导入服务端生成的KEY:
cd /var/ossec/bin;./manage_agents


[root@bj-mt1 bin]# ./manage_agents


****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or 'q' to quit): MDAzIGJqLW10LTEgMTkyLjE2OC4yNi4yNTIgYTVlYTRhMjc3MGY4OTMwOTBiNjAwZWIyM2RiYThmOTUxMGExOTQ5ZGVmMzVkYmQ4NTkwNmE4Zjg1OGMyNzBkOQ==

Agent information:
   ID:003
   Name:bj-mt-1
   IP Address:192.168.26.252

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.



****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..

    avatar
    下一篇 写ossec 邮件告警

    ** 引用自以下两篇文章,感谢两位作者.

    https://www.cnblogs.com/quanbisen/p/13613940.html

    https://www.freesion.com/article/2406252665/
  • 相关阅读:
    SecureCRT 迁移到新环境,配置导出
    Git 常用操作
    Java 性能分析工具 Asyncprofiler
    冒号语法
    后台乱码转中文
    js讲解视频
    下载指定版本的loader.调整文件夹结构
    react大型数据渲染列表
    git拉取报错
    记录一个排序表格的插件
  • 原文地址:https://www.cnblogs.com/zhenxing06/p/13650873.html
Copyright © 2020-2023  润新知