ossec -2.8.1 安装:
## 1 ) 安装依赖包:
RedHat / Centos / Fedora / Amazon Linux
yum install -y pcre mysql mysql-server httpd php wget gcc make mysql-devel php-mysql sendmail
yum install zlib-devel pcre2-devel make gcc zlib-devel pcre2-devel sqlite-devel openssl-devel libevent-devel
yum install mysql-devel postgresql-devel
for i in {httpd,mysqld,sendmail}; do service $i restart; done
## 2 )安装Mysql并创建用户和导入sql:
mysql -uroot -p
mysql> create database ossec;
mysql> CREATE USER 'ossec'@'localhost';
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
mysql> set password for ossec@localhost =PASSWORD('ossec');
mysql> flush privileges;
mysql> exit
## 3 ) 下载OSsec-2.8.1 安装包:
wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
tar zxf 2.8.1.tar.gz ; cd ossec-hids-2.8.1
3.1 )让OSSEC支持MySQL:
cd src; make setdb;cd ..
[root@bj-check src]# make setdb;cd ..
Info: Compiled with MySQL support.
Info: Compiled with PostgreSQL support.
3.2 ) 导入sql文件:
cd /data/src/ossec-hids-2.8.1/
mysql -u ossec -p ossec < ./src/os_dbd/mysql.schema
## 4 ) 开始安装ossec:
4.1 ) 安装过程:
执行install.sh
[root@bj-check ossec-hids-2.8.1]# ./install.sh
4.2 ) 安装好服务端之后,还需要配置,执行下面命令启用数据库支持:
/var/ossec/bin/ossec-control enable database
## 5 ) 配置ossec:
cd /var/ossec/etc;
chmod u+w /var/ossec/etc/ossec.conf
5.1) 添加可收集的网段:
由于服务端安装过程中设置了支持接受远程机器的syslog,所以需要对ossec.conf文件中的syslog部分进行配置
修改ossec.conf文件,将需要收集的网段全添加进去。(配置后的ossec.conf)
<remote>
<connection>syslog</connection>
<allowed-ips>192.168.0.0/16</allowed-ips>
<allowed-ips>10.0.0.0/16</allowed-ips>
<allowed-ips>172.0.0.0/16</allowed-ips>
<allowed-ips>192.0.0.0/16</allowed-ips>
</remote>
5.2) 添加支持Mysql配置:
<database_output>
<hostname>localhost</hostname>
<username>ossec</username>
<password>ossec</password>
<database>ossec</database>
<type>mysql</type>
</database_output>
...... 保存退出
## 6 ) 启动ossec :
[root@bj-check html]# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
## 7 ) 添加ossec 客户端并生成key:
在服务端上添加客户端的信息,按照要求来输入:
[root@bj-check ossec]# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use 'q' to return to the main menu).
Please provide the following:
* A name for the new agent: ossec-agent
* The IP Address of the new agent: 192.168.26.252
* An ID for the new agent[001]: 001
Agent information:
ID:001
Name:ossec-agent
IP Address:192.168.26.252
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: ossec-agent, IP: 192.168.26.252
Provide the ID of the agent to extract the key (or 'q' to quit): 001
Agent key information for '001' is:
MDAxIG9zc2VjLWFnZW50IDE5Mi4xNjguMjYuMjUyIDA5YjQyOWZkYzlhOThmOTMyNGZkY2U4MWJmNDY5ZmRhMzU5YzU4Y2E0MDM4ODY4OWZlNWJlNjM4OWU3ZGMyY2Y=
** Press ENTER to return to the main menu.
#### Key的作用是在客户端中导入并使得服务端与客户端达到联动的效果,这里记得把密钥复制一下保存起来。
查看ossec服务端的状态
[root@bj-check ossec]# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: bj-check (server), IP: 127.0.0.1, Active/Local
进入安装步骤,执行install.sh脚本,同时按照下面的信息进行填写,红色部分是我们需要输入的,其余部分按回车继续即可:
一开始装的是目前最稳定的3.6.0版本,但是make不支持mysql,一直报错:make: *** 没有规则可以创建目标“setdb”。 查阅文档发现从3.0.0版本开始,编译方式不一样,也参考过使用make TARGET=server DATABASE=mysql install,但是还是会提示OSSEC not compiled with support for 'mysql',只能用回2.8.1的版本)
安装web界面:
cd /data/src/
wget https://github.com/ossec/ossec-wui/archive/0.9.tar.gz
tar -zxf 0.9.tar.gz;cd ossec-wui-0.9
cd ossec-wui-0.9/;./setup.sh
# 配置httpd 文件:
vim /etc/httpd/conf.d/ossec.conf
Alias ossec/ "/var/www/html/ossec/"
<Directory "/var/www/html/ossec/">
AuthName "OSSEC AUTH"
Require valid-user
AuthType Basic
AuthUserFile /var/www/html/ossec/.htpasswd
</Directory>
# 复制文件到代码目录:
cp -rf ossec-wui-0.9 /var/www/html/ossec
# 重启httpd:
/etc/init.d/httpd restart
# 访问web页面:
http://ip/ossec | admin | 123456
# 问题:
web 页面需要对/var/ossec 安装目录有可读权限, 要不然apache 读不到数据,会出错.
chmod -R 777 /var/ossec/
安装agent(client 端操作):
1 ) 安装ossec agent 程序:
wget https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
tar zxf 2.8.1.tar.gz ; cd ossec-hids-2.8.1
2 ) 开始安装ossec agent:
./install.sh
[root@bj-mt1 ossec-hids-2.8.1]# ./install.sh
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn
OSSEC HIDS v2.8 安装脚本 - http://www.ossec.net
您将开始 OSSEC HIDS 的安装.
请确认在您的机器上已经正确安装了 C 编译器.
如果您有任何疑问或建议,请给 dcid@ossec.net (或 daniel.cid@gmail.com) 发邮件.
- 系统类型: Linux bj-mt1 2.6.32-754.17.1.el6.centos.plus.x86_64
- 用户: root
- 主机: bj-mt1
-- 按 ENTER 继续或 Ctrl-C 退出. --
1- 您希望哪一种安装 (server, agent, local or help)? agent
- 选择了 Agent(client) 类型的安装.
2- 正在初始化安装环境.
- 请选择 OSSEC HIDS 的安装路径 [/var/ossec]:
- OSSEC HIDS 将安装在 /var/ossec .
3- 正在配置 OSSEC HIDS.
3.1- 请输入 OSSEC HIDS 服务器的IP地址或主机名: 10.20.0.197
- 添加服务器IP 10.20.0.197
3.2- 您希望运行系统完整性检测模块吗? (y/n) [y]: y
- 系统完整性检测模块将被部署.
3.3- 您希望运行 rootkit检测吗? (y/n) [y]: y
- rootkit检测将被部署.
3.4 - 您希望开启联动(active response)功能吗? (y/n) [y]: y
5- 正在安装系统
- 正在运行Makefile
INFO: Little endian set.
..........
3 ) 导入服务端生成的KEY:
cd /var/ossec/bin;./manage_agents
[root@bj-mt1 bin]# ./manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or 'q' to quit): MDAzIGJqLW10LTEgMTkyLjE2OC4yNi4yNTIgYTVlYTRhMjc3MGY4OTMwOTBiNjAwZWIyM2RiYThmOTUxMGExOTQ5ZGVmMzVkYmQ4NTkwNmE4Zjg1OGMyNzBkOQ==
Agent information:
ID:003
Name:bj-mt-1
IP Address:192.168.26.252
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..
下一篇 写ossec 邮件告警
** 引用自以下两篇文章,感谢两位作者.