基于主机的入侵检测系统ossec安装部署

【agent端主要配置文件】
/var/ossec/monitor.sh    
/etc/audit/audit.rules
/tmp/pid_old.txt
/var/log/audit/audit.log
1.ossec服务端安装
解压>>>
#tar -zxvf ossec_server.tar.gz
#cd ossec
安装>>>
#./install.sh
agent.conf初始化>>>
#touch /var/ossec/etc/shared/agent.conf
服务启动>>>
#/var/ossec/bin/ossec-control start
安装授权>>>
# openssl genrsa -out /var/ossec/etc/sslmanager.key
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365

授权监听启动>>>
# /var/ossec/bin/ossec-authd &

ps:
1.警告邮件地址在安装过程当中录入
2.(开启联动),通常不开启。
2.ossec客户端(agent)安装
# /var/ossec/bin/manage_agents 
将服务端添加agent时生成的对应key拷贝过来

# /etc/init.d/ossec restart
服务端检查,是否添加成功
所有已经建立连接的agent列表
# /var/ossec/bin/agent_control -lc
所有受管理的agent节点,及各个节点当前的状态
# /var/ossec/bin/agent_control -l
【获取java进程id脚本monitor.sh】

#!/bin/bash

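#######################################
# Rebuild the auditd execve rules that watch the JBoss/Tomcat java processes
# (those whose command line contains "Bootstrap start"), so that every program
# they spawn is logged under the audit key "webshell".
# Globals:   none read; rewrites /etc/audit/audit.rules and restarts auditd,
#            so this only works with root privileges.
# Arguments: none
# Outputs:   nothing on stdout (OSSEC forwards this script's stdout as log);
#            diagnostics go to stderr
# Returns:   0, or 1 when the state file cannot be used safely
#######################################
update_jboss_pid(){
	local state_file="/tmp/pid_old.txt"
	local pidnew pidold arch
	# The state file lives in a world-writable directory: refuse to follow a
	# symlink there, otherwise another local user could redirect the write.
	if [ -L "$state_file" ]; then
		echo "update_jboss_pid: $state_file is a symlink, refusing to use it" >&2
		return 1
	fi
	[ -e "$state_file" ] || touch "$state_file"
	# Current PIDs of the bootstrap processes, space separated on one line.
	pidnew=$(ps aux | grep "Bootstrap start" | grep -v grep | awk '{print $2}' | xargs)
	pidold=$(cat "$state_file")
	# Only touch the audit rules when the set of PIDs changed; the auditd
	# restart below is the expensive part.
	if [ "$pidnew" != "$pidold" ]; then
		printf '%s\n' "$pidnew" > "$state_file"
		# Drop only the rules this script manages (tagged -k webshell); the
		# previous "/arch/d" also wiped any unrelated rule containing "arch".
		sed -i "/-k webshell/d" /etc/audit/audit.rules
		ps axu | grep "Bootstrap start" | grep -v grep | awk '{print $2,$11}' | while read -r pid javabin
		do
			# audit rules are per architecture: pick b32/b64 from the JVM banner.
			# $javabin is the command column from ps, so it may be a bare
			# "java" resolved through PATH rather than the exact binary.
			if "$javabin" -version 2>&1 | grep -q 64-Bit; then
				arch=b64
			else
				arch=b32
			fi
			echo "-a exit,always -F arch=${arch} -F ppid=${pid} -S execve -k webshell" >> /etc/audit/audit.rules
		done
		# auditd reads its rules at start-up, so a restart is required.
		/etc/init.d/auditd restart > /dev/null
	fi
}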

#######################################
# List established TCP connections that belong to a bash/sh process (a shell
# holding a network socket is a classic reverse-shell indicator). Connections
# involving port 10050 are skipped; that is the author's allowlist — confirm
# which service listens there on these hosts.
# Arguments: none
# Outputs:   matching netstat lines on stdout (nothing when clean)
#######################################
bash_connetion_check(){
	# One awk pass equivalent to:
	#   grep ESTABLISHED | egrep '/(bash|sh)' | grep -v 10050
	netstat -antlp | awk '/ESTABLISHED/ && /\/(bash|sh)/ && !/10050/'
}

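#######################################
# Print the parent executable of every bash process whose parent is not one
# of the expected launchers (login, sshd, su, tmux, gnome-terminal). A line
# on stdout therefore means a shell was started by something unexpected,
# e.g. a service process — worth a look.
# Arguments: none
# Outputs:   one "ls -al /proc/<ppid>/exe" line per unexpected parent
#######################################
ppid_check(){
	local ppid
	# $8 of "ps -ef" is the first word of CMD ("-bash" for a login shell).
	# Filtering in awk alone replaces the earlier "grep bash | grep -v grep",
	# which also discarded any bash whose arguments happened to contain "grep".
	ps -ef | awk '$8 ~ /^-?bash/ {print $3}' | while read -r ppid
	do
		# The exclusion is a substring match: "/bin/su" also covers
		# /bin/sudo and /usr/bin/su*, so keep the list tight.
		ls -al "/proc/$ppid/exe" | egrep -v "(/bin/login|/usr/sbin/sshd|/bin/su|/usr/bin/tmux|/usr/bin/gnome-terminal)"
	done
}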

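#######################################
# Report running processes whose executable lives in a world-writable
# directory (/tmp, /var/tmp, /dev/shm), a common drop point for malware.
# Arguments: none
# Outputs:   the resolved executable path of each such process on stdout,
#            in PID order; a target that was unlinked is reported with the
#            " (deleted)" suffix readlink appends
#######################################
tmp_process_check(){
	local procdir exe
	for procdir in /proc/[0-9]*; do
		[ -d "$procdir" ] || continue
		# readlink fails (non-zero, silenced) when the process is gone or
		# /proc/<pid>/exe is not readable; the old "ls | awk '{print $11}'"
		# printed a truncated path whenever the target contained spaces.
		exe=$(readlink "$procdir/exe" 2>/dev/null) || continue
		case "$exe" in
			/tmp/*|/var/tmp/*|/dev/shm/*) printf '%s\n' "$exe" ;;
		esac
	done
}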
# Entry point: run the checks in order. Everything written to stdout is
# collected by OSSEC through the <localfile> "command" entry for monitor.sh.
# NOTE: ppid_check is defined above but not part of this list — add it here
# if its output is wanted.
for check in update_jboss_pid bash_connetion_check tmp_process_check; do
	"$check"
done

【ossec.conf配置文件内容】
/var/ossec/etc/ossec.conf

<ossec_config>
  <!-- Agent-side configuration. {serverip248} is a placeholder for the manager
       address; the salt state pushes this tree with template: jinja, so confirm
       the placeholder syntax it expects before relying on substitution. -->
  <client>
    <server-ip>{serverip248}</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_sha1sum="yes">/usr/bin,/usr/sbin</directories>
    <directories check_sha1sum="yes">/bin,/sbin,/boot</directories>
    <!-- prelink modifies binaries in place; feeding the un-prelinked content
         (-y) to the hasher avoids false integrity alerts on prelinked hosts
         (the salt state installs the prelink package for this). -->
    <prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>
    <skip_nfs>yes</skip_nfs>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <!-- auditd output: this is where the execve/webshell rules written by
       monitor.sh end up, so keep this entry if that script is used. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <!-- Purpose of this file is not documented in these notes; presumably a
       locally generated report that should raise an alert when it changes —
       confirm with whoever writes it. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/root/vulnerable.txt</location>
  </localfile>

  <!-- monitor.sh is executed every 600 s and each line of its stdout is
       forwarded as a log event. The script rewrites /etc/audit/audit.rules
       and restarts auditd, so it only works when run with root privileges;
       keep it owned by root and not writable by any other user, since
       whatever is in it runs periodically with those rights. -->
  <localfile>
    <log_format>command</log_format>
    <command>/var/ossec/monitor.sh</command>
    <frequency>600</frequency>
  </localfile>

</ossec_config>

【或利用salt作客户端salt安装】
#salt '192.168.192.101' state.sls ossec
客户端启动
#/var/ossec/bin/ossec-control start
服务端重启
#/var/ossec/bin/ossec-control restart
salt的server端init.sls内容

# Salt state for an OSSEC agent: build dependencies, unpack and install,
# push the configuration tree, register with the manager, restart on change.
include:
  - mk_Downloads

install_ossec_packages:
  pkg.latest:
    - pkgs:
      - openssl-devel
      - gcc
      # needed by the <prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>
      # entry in ossec.conf
      - prelink

install_ossec:
  archive.extracted:
    - name: /root/Downloads/ossec
    - source: salt://ossec/ossec.tar.gz
    - archive_format: tar
    - if_missing: /root/Downloads/ossec 
  cmd.run:
    # Unattended install: install.sh takes its answers from the
    # preloaded-vars.conf placed in the extracted tree (listed below).
    # "unless" makes the step idempotent once ossec-control exists.
    - name: cd ossec && sh install.sh
    - cwd: /root/Downloads
    - unless: test -e /var/ossec/bin/ossec-control

add_ossec_config:
  file.recurse:
    - name: /var/ossec/
    - source: salt://ossec/conf/
    - user: ossec
    - group: ossec
    # 744 gives only the owner execute (traverse) on every directory pushed
    # here. If the installer leaves /var/ossec owned by root (the troubleshooting
    # section of these notes shows "drw-r--r-- root root" and "Queue ... not
    # accessible" errors), the ossec user cannot enter it — confirm which
    # ownership wins after both steps have run, and prefer a mode that keeps
    # the ossec group able to traverse (the notes show dr-xr-x--- root:ossec).
    - dir_mode: 744 
    # every file under salt://ossec/conf/ is rendered with jinja
    - template: jinja

agentauth:
  cmd.run:
    # ${ossec_server_ip} is expanded by the shell that runs this command, not by
    # jinja, so it must be set in the minion's environment — confirm.
    # The ifconfig regex picks the first local 10.x address; the "." after the
    # group and between the last octets are unescaped and match any character.
    - name: /var/ossec/bin/agent-auth -m ${ossec_server_ip} -p 1515 -A $(ifconfig | egrep -o '10\.(59|211|200|223).[0-9]{1,3}.[0-9]{1,3}' | head -n 1)
    # skip once a key has been imported (non-empty client.keys)
    - unless: test -s /var/ossec/etc/client.keys

serverstart:
  cmd.run:
    - name: /var/ossec/bin/ossec-control restart
    - onchanges: 
      - file: add_ossec_config

同时需要增加
/root/Downloads/ossec/preloaded-vars.conf文件,内容如下:

# Answers for the OSSEC installer, read by install.sh so the salt cmd.run
# step above can run unattended. Variable names are the installer's own.
USER_LANGUAGE="cn"     # installer language; the inherited "# For english" comment did not match "cn" — confirm the intended value
USER_NO_STOP="y"       # do not pause for confirmation at the end of the install
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_ENABLE_ACTIVE_RESPONSE="y"   # NOTE(review): the notes above say active response (联动) is usually left off — confirm this is intended
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_AGENT_SERVER_IP="*.*.*.248"  # manager address, redacted in these notes — replace with the real IP

3.一些命令
#查看当前连接的agents(agent存活查看)
#/var/ossec/bin/agent_control -lc(服务端执行)
启动成功后,服务端会开启1514/udp端口(1514为交互端口),用来与agent端进行交互。
通过:# netstat -anp|grep 1514
查看服务端服务是否正常启动
#查看所有agents的连接状态
#/var/ossec/bin/agent_control -l(服务端执行)
#将agent192.168.192.144注册到服务端192.168.192.239(agent端执行)(1515为认证端口)
#/var/ossec/bin/agent-auth -m 192.168.192.239 -p 1515 -A 192.168.192.144
【服务端常用命令】
#查看存活节点
# /var/ossec/bin/agent_control -lc
#查看运行状态
# /var/ossec/bin/ossec-control status
#管理节点
# /var/ossec/bin/manage_agents

【windows操作系统安装agent】

step1:官网下载直接点击安装
此步中的Authentication key即为step3中的key.

step2:服务端添加节点:

step3:导出key节点key,下一步使用:

step4:检查agent节点是否已经连接
# /var/ossec/bin/agent_control -lc
如未连接则查看agent端ossec服务是否启动&邮件启动

【异常处理】
服务端:
[root@bbs217 rids]# /var/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: bbs217 (server), IP: 127.0.0.1, Active/Local
   ID: 1024, Name: 192.168.192.101, IP: any, Active
agent端异常:
ERROR: Duplicated counter for '192.168.192.101'.
分别在agent及server执行如下命令,并重启ossec服务:
#rm -rf /var/ossec/queue/rids/*

【日志位置】
服务&agent端:/var/ossec/logs/ossec.log

【参考网站】
http://ossec.github.io/downloads.html
http://www.ossec.net/

【异常】
2019/05/05 16:40:03 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:03 rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:03 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:03 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2019/05/05 16:40:08 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:08 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2019/05/05 16:40:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:11 rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:24 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:24 rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
查看日志:发现是磁盘空间满了导致的。

还有一种情况是因为queue目录没有执行权限,也会抛出上面的异常

检查之后发现 /var/ossec/ 目录的权限存在问题
[root@web-10_59_1_103 ossec]# ll /var/ossec/ -d
drw-r--r-- 14 root root 4096 Jun  4 02:21 /var/ossec/
ossec agent 启动的用户是 ossec ,但是该目录的 other 没有 x(进入)权限,因此无法获取到文件

解决方案:
将目录权限修改为
[root@web200_162 ossec]# ll -d /var/ossec/
dr-xr-x--- 14 root ossec 4096 Feb  5 14:31 /var/ossec/

异常:Duplicate Counter Error in OSSEC

On the server:
execute /var/ossec/bin/manage_agents
select “Remove an agent” (R)
select your agent (for example 006)
back in the main menu, select “Add an agent” (A)
give OSSEC the name and IP
back on the main menu, select “Extract key for an agent”
copy the key you’re given
quit and restart OSSEC

On the agent:
execute /var/ossec/bin/manage_agents
select “Import key from server” (I)
paste the key
quit and restart OSSEC

【官网】
http://www.ossec.net
https://documentation.wazuh.com
