Difference between revisions of "Automated OSSEC installation using ansible"

From Notes_Wiki
Revision as of 05:50, 27 August 2015


Automated OSSEC installation using ansible

ossec-server role

Automated OSSEC installation using ansible roles can be done using ossec-server role as follows:

Create roles/ossec-server/{files,handlers,tasks,templates,vars} folders using:

mkdir -p roles/ossec-server/{files,handlers,tasks,templates,vars}

Change directory to roles/ossec-server folder:

cd roles/ossec-server

Create files/add_agent.sh with the following contents:

#!/bin/bash
# Usage: add_agent.sh <agent-name> <agent-ip>
# Drives /var/ossec/bin/manage_agents non-interactively. The answers are:
# A = add an agent, then its name and IP, an empty line to accept the
# default agent ID, y to confirm, and Q to quit.

cat > ossec_agent_input.txt <<EOF
A
$1
$2

y
Q
EOF

/var/ossec/bin/manage_agents < ossec_agent_input.txt

rm -f ossec_agent_input.txt

exit 0



Create files/index.html with the following contents:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
	<meta http-equiv="Refresh" content="0; URL=ossec" />
</head>
<body>
</body>
</html>


Create files/ossec_webui_setup.sh with the following contents:

#!/usr/bin/expect -f
# Answers the prompts of the OSSEC web UI setup.sh non-interactively:
# the web UI login name and password (entered twice), the web server
# user and the OSSEC installation directory.

spawn ./setup.sh

expect "Username:"
send "saurabh\r"
expect "password:"
send "rekall123\r"
expect "password:"
send "rekall123\r"
expect "user name"
send "apache\r"
expect "directory path"
send "/var/ossec\r"

# This pattern never matches, so expect waits until setup.sh exits
# (or the timeout is reached); the remaining output is then shown.
expect "anything that will not be there krati is responsible"
send_user "$expect_out(buffer)"




Create handlers/main.yaml with the following contents:

---
- name: restart ossec
  service: name=ossec state=restarted


Create tasks/main.yaml with the following contents:

---
- name: Install necessary packages - gcc, postgresql-devel, mysql-devel, php and expect
  yum: name="{{item}}" state=present
  with_items:
    - gcc
    - postgresql-devel
    - mysql-devel
    - php
    - expect
    - httpd

- name: Download Ossec server/agent 
  get_url: url="{{ossec_url}}" dest="{{ossec_path}}".tar.gz

- name: Extract Ossec server code
  unarchive: copy=no src="{{ossec_path}}".tar.gz dest="{{extract_path}}" creates="{{ossec_path}}"

- name: Copy the Ossec_input file
  template: src=ossec_server_input.j2 dest="{{ossec_path}}/ossec_server_input.txt"

- name: Install Ossec server
  shell: ./install.sh < ossec_server_input.txt
  args:
    chdir: "{{ossec_path}}"
    creates: /var/ossec/etc/ossec.conf

- name: Start ossec server
  service: name=ossec state=started

- name: Download Ossec web UI
  get_url: url="{{webui_url}}" dest="{{webui_path}}".tar.gz

- name: Extract Ossec web UI code
  unarchive: copy=no src="{{webui_path}}".tar.gz dest="{{extract_path}}" creates="{{webui_install_path}}" 

- name: Move the extracted web UI code to document root
  command: mv "{{webui_path}}" "{{webui_install_path}}"
  args:
    creates: "{{webui_install_path}}"

- name: Copy the Ossec_webui_input file
  copy: src=ossec_webui_setup.sh dest="{{webui_install_path}}" mode=544

- name: Install Ossec web UI
  shell: ./ossec_webui_setup.sh 
  args:
    chdir: /var/www/html/ossec
    creates: /var/www/html/ossec/.htpasswd

- name: Create index.html to automatically redirect to /ossec
  copy: src=index.html dest="{{document_root}}" owner=root group=root mode=644
    
- name: Ensure that apache service is running
  service: name=httpd state=started

#Tasks related to configuring client keys
- name: Copy add_agent.sh script
  copy: src=add_agent.sh dest=/root/add_agent.sh mode=755 owner=root group=root

- name: Add agent to the server
  shell: /root/add_agent.sh "{{item.hostname}}" "{{item.ip}}"
  with_items: ossec_client_ips
  notify: 
  - restart ossec

- name: Get all client keys from OSSEC server to ansible server
  fetch: src=/var/ossec/etc/client.keys dest=fetched


Create templates/ossec_server_input.j2 with the following contents:

en

server


{{ admin_email_address }}
{{ smtp_server_address }}


n
y





Do not remove the empty lines from this file. It is redirected into install.sh as its answers, and each empty line is the confirmation (Enter) that the corresponding prompt expects.


Create vars/main.yaml with the following contents:

---
ossec_url: https://github.com/ossec/ossec-hids/releases/download/v2.8.0/ossec-hids-2.8.tar.gz
ossec_path: /root/ossec-hids-2.8
webui_url: http://www.ossec.net/files/ossec-wui-0.8.tar.gz
webui_path: /root/ossec-wui-0.8
webui_install_path: /var/www/html/ossec
extract_path: /root
document_root: /var/www/html

Note that a newer version of OSSEC might be available. It may make sense to set up a newer OSSEC server by replacing the above URLs and values.


Finally, the following additional variables should be defined at a central location (e.g. common_vars), in the vars file of the ossec-server role, or in the playbook.

admin_email_address: logs@sbarjatiya.com
smtp_server_address: smtp.sbarjatiya.com

ossec_client_ips:
  - { hostname: ca.sbarjatiya.com, ip: 10.4.20.150 }
  - { hostname: ns1.sbarjatiya.com, ip: 10.4.20.151 }

The SMTP server must accept emails from the OSSEC server without asking for authentication (postfix trusted_network, etc.), at least for admin_email_address. The ossec_client_ips list must be populated with all clients that will be monitored by the current ossec-server. The OSSEC server cannot, and need not, monitor itself through the ossec_client_ips list.


ossec-client role

Automated OSSEC client installation using ansible roles can be done using ossec-client role as follows:

Create roles/ossec-client/{tasks,templates,vars} folders using:

mkdir -p roles/ossec-client/{tasks,templates,vars}

Change directory to roles/ossec-client folder:

cd roles/ossec-client

Create tasks/main.yaml with the following contents:

---
- name: Install gcc postgres and mysql
  yum: name="{{item}}" state=present
  with_items:
    - gcc
    - postgresql-devel
    - mysql-devel

- name: Download Ossec server/agent 
  get_url: url="{{ossec_url}}" dest="{{ossec_path}}".tar.gz

- name: Extract Ossec server code
  unarchive: copy=no src="{{ossec_path}}".tar.gz dest="{{extract_path}}" creates="{{ossec_path}}"

- name: Copy the Ossec_input file
  template: src=ossec_client_input.j2 dest="{{ossec_path}}/ossec_client_input.txt"

- name: Install Ossec-agent
  shell: ./install.sh < ossec_client_input.txt 
  args:
    chdir: "{{ossec_path}}"
    creates: /var/ossec/etc/ossec.conf

- name: Get the client key from server
  copy: src="fetched/{{ossec_server_ip}}/var/ossec/etc/client.keys" dest=/var/ossec/etc/client2.keys  

- name: Extract only the key for current client
  shell: grep "{{ansible_default_ipv4.address}}" /var/ossec/etc/client2.keys > /var/ossec/etc/client.keys

- name: Delete other client keys   
  file: name=/var/ossec/etc/client2.keys state=absent

- name: Start Ossec agent
  service: name=ossec state=restarted
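As an added example (not part of the wiki page or of OSSEC itself), the following POSIX shell function selects the current agent's line from the fetched client.keys by an exact match on the IP or agent name, instead of the unanchored grep used in the task above, and fails when the match is missing or ambiguous. The sample client.keys, hostnames and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki page: pick exactly one agent entry out of
# a fetched OSSEC client.keys file. Each line has the form
#   <id> <name> <ip> <key>
# The role's 'grep "<ip>" client2.keys' is an unanchored regex match, so an
# address such as 10.4.20.15 also selects 10.4.20.150 and 10.4.20.151 (and
# the dots match any character), and an empty result is not an error.

# Usage: extract_client_key ALL_KEYS_FILE AGENT_IP_OR_NAME OUT_FILE
# Returns 0 when exactly one entry matched, 1 on no match, 2 when ambiguous,
# so a play using it fails instead of starting an agent with a bad key file.
extract_client_key() {
    all="$1"; want="$2"; out="$3"
    # exact comparison of the name (field 2) or IP (field 3) column
    matches=$(awk -v w="$want" '$2 == w || $3 == w' "$all")
    count=$(printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "no client.keys entry for $want" >&2
        return 1
    elif [ "$count" -gt 1 ]; then
        echo "ambiguous: $count client.keys entries match $want" >&2
        return 2
    fi
    # key material: write it without world-read permission
    ( umask 027; printf '%s\n' "$matches" > "$out" )
}

# How many lines the role's unanchored grep would hand to the agent
grep_match_count() {
    grep -c "$2" "$1"
}

# Constructed sample client.keys (placeholder keys, not real OSSEC keys).
# 10.4.20.15 appears twice, e.g. a stale entry left from re-adding an agent.
sample_keys_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
001 agent1.example.com 10.4.20.150 PLACEHOLDER_KEY_001
002 agent2.example.com 10.4.20.151 PLACEHOLDER_KEY_002
003 agent3.example.com 10.4.20.15 PLACEHOLDER_KEY_003
004 agent4.example.com 10.4.20.15 PLACEHOLDER_KEY_004
EOF
    echo "$f"
}
```

Running the selection on the control node and copying only the resulting single line avoids distributing every agent's key to every client, which the client2.keys step above does.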
 


Create templates/ossec_client_input.j2 with the following contents:

en

agent
/var/ossec
{{ ossec_server_ip }}
y
y
y






Do not remove the empty lines from this file. It is redirected into install.sh as its answers, and each empty line is the confirmation (Enter) that the corresponding prompt expects.


Create vars/main.yaml with the following contents:

---
ossec_url: http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz 
ossec_path: /root/ossec-hids-2.8.2
ossec_manage_agent_input: /root/ossec_manage_agent_input.txt
extract_path: /root

If a newer version of OSSEC is available, the paths and URLs can be changed accordingly. Note that the input file may also need to change if the installer's prompts have changed. Typically newer clients can connect to an older server (2.8.2 clients to a 2.8 server) without any issue.


The following variable must be defined in common_vars, in the ossec-client role, or in the playbook which applies the ossec-client role. Because the server role fetches client.keys to fetched/<inventory hostname>/var/ossec/etc/client.keys and the client role copies it from fetched/{{ossec_server_ip}}/..., the OSSEC server must be listed in the inventory under this same IP:

ossec_server_ip: 10.4.20.153


