Host-based intrusion detection system: OSSEC installation and deployment

【Main configuration files on the agent side】
/var/ossec/monitor.sh    
/etc/audit/audit.rules
/tmp/pid_old.txt
/var/log/audit/audit.log
1. OSSEC server installation
Extract >>>
#tar -zxvf ossec_server.tar.gz
#cd ossec
Install >>>
#./install.sh
Initialise agent.conf >>>
#touch /var/ossec/etc/shared/agent.conf
Start the service >>>
#/var/ossec/bin/ossec-control start
Set up agent authentication (key and certificate for ossec-authd) >>>
# openssl genrsa -out /var/ossec/etc/sslmanager.key
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365

Start the authentication listener >>>
# /var/ossec/bin/ossec-authd &

Notes:
1. The alert e-mail address is entered during the installation dialogue.
2. Active response (聯動) can be enabled at install time; it is normally left disabled.
2. OSSEC client (agent) installation
# /var/ossec/bin/manage_agents 
Import the key that was generated for this agent when it was added on the server.

# /etc/init.d/ossec restart
Check on the server whether the agent was added successfully.
List of all agents that have established a connection:
# /var/ossec/bin/agent_control -lc
All managed agent nodes and the current status of each:
# /var/ossec/bin/agent_control -l
【Script to obtain the Java process id and generate audit rules: monitor.sh】

#!/bin/bash

# Rewrite the auditd rules so that every execve() whose parent is a JBoss
# ("Bootstrap start") Java process is logged under the key "webshell".
update_jboss_pid(){
	if [ ! -e "/tmp/pid_old.txt" ]; then
		touch "/tmp/pid_old.txt"
	fi
	# Update the monitored JBoss parent PIDs
	pidnew=$(ps aux | grep "Bootstrap start" | grep -v grep | awk '{print $2}' | xargs)
	pidold=$(cat /tmp/pid_old.txt)
	if [ "$pidnew" != "$pidold" ]; then
		echo "$pidnew" > /tmp/pid_old.txt
		# Drop the previously generated arch rules before re-adding them
		sed -i "/arch/d" /etc/audit/audit.rules
		ps axu | grep "Bootstrap start" | grep -v grep | awk '{print $2,$11}' | while read -r pid javabin
		do
			# Check whether the JDK is 32-bit (arch=b32) or 64-bit (arch=b64).
			ver=$("$javabin" -version 2>&1)
			if echo "$ver" | grep -q 64-Bit; then
				echo "-a exit,always -F arch=b64 -F ppid=${pid} -S execve -k webshell" >> /etc/audit/audit.rules
			else
				echo "-a exit,always -F arch=b32 -F ppid=${pid} -S execve -k webshell" >> /etc/audit/audit.rules
			fi
		done
		# auditd must be restarted after audit.rules is modified
		/etc/init.d/auditd restart > /dev/null
	fi
}

# Established network connections owned by a shell (port 10050, the Zabbix agent, is excluded)
bash_connection_check(){
	netstat -antlp | grep ESTABLISHED | egrep '/(bash|sh)' | grep -v 10050
}

# Interactive bash processes whose parent is not a normal login path
# (defined here but not invoked by default)
ppid_check(){
	ps -ef | grep bash | grep -v grep | awk '{if($8 ~ "^-?bash"){print $3}}' | while read -r ppid
	do
		ls -al /proc/$ppid/exe | egrep -v "(/bin/login|/usr/sbin/sshd|/bin/su|/usr/bin/tmux|/usr/bin/gnome-terminal)"
	done
}

# Running processes whose executable lives in a world-writable temp location
tmp_process_check(){
	ls /proc/ -tr | grep -v "[a-z]" | while read -r line
	do
		if [ -d "/proc/$line" ]; then
			if file /proc/$line/exe | grep -q "symbolic link to"; then
				ls -al /proc/$line/exe | awk '{print $11}' | egrep '^/(tmp|var/tmp|dev/shm)'
			fi
		fi
	done
}

update_jboss_pid
bash_connection_check
tmp_process_check
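Once monitor.sh has installed the "-S execve -F ppid=<java pid> -k webshell" rule, every command spawned by the JBoss process lands in /var/log/audit/audit.log, which ossec.conf below forwards as a localfile. The following is an added example (not part of the original page or of OSSEC) that summarises those webshell-tagged records; the audit lines it reads are constructed sample data, and the pid/ppid/uid values in them are invented.

```shell
#!/bin/sh
# Constructed sample of auditd output after the "webshell" rule is active
# (NOT a real capture). The second event has no key and must be ignored.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1557045603.101:2001): arch=c000003e syscall=59 success=yes exit=0 a0=1 ppid=2345 pid=6789 auid=4294967295 uid=48 gid=48 euid=48 comm="sh" exe="/bin/sh" key="webshell"
type=EXECVE msg=audit(1557045603.101:2001): argc=3 a0="sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1557045603.210:2002): arch=c000003e syscall=59 success=yes exit=0 a0=1 ppid=1 pid=6790 auid=0 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="(null)"
type=SYSCALL msg=audit(1557045605.001:2003): arch=c000003e syscall=59 success=yes exit=0 a0=1 ppid=2345 pid=6801 auid=4294967295 uid=48 gid=48 euid=48 comm="whoami" exe="/usr/bin/whoami" key="webshell"'

# Read audit log text on stdin and print one summary line per execve that
# carries key="webshell":  <event id> ppid=.. pid=.. uid=.. exe=.. comm=..
# Usable live as:  tail -F /var/log/audit/audit.log | webshell_execs
webshell_execs() {
    awk '
        /^type=SYSCALL / && /key="webshell"/ {
            id = $2; sub(/^msg=audit[(]/, "", id); sub(/[)]:$/, "", id)
            split("", f)                       # reset the key=value map
            for (i = 3; i <= NF; i++) {
                eq = index($i, "=")
                if (eq > 0) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            printf "%s ppid=%s pid=%s uid=%s exe=%s comm=%s\n",
                   id, f["ppid"], f["pid"], f["uid"], f["exe"], f["comm"]
        }'
}

# Run the parser over the constructed sample
sample_webshell_execs() {
    printf '%s\n' "$AUDIT_SAMPLE" | webshell_execs
}

# Number of webshell-tagged execve events in the sample
sample_webshell_count() {
    sample_webshell_execs | wc -l | tr -d ' '
}

sample_webshell_execs
```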

【Contents of the ossec.conf configuration file】
/var/ossec/etc/ossec.conf

<ossec_config>
  <client>
    <server-ip>{serverip248}</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_sha1sum="yes">/usr/bin,/usr/sbin</directories>
    <directories check_sha1sum="yes">/bin,/sbin,/boot</directories>
    <prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>
    <skip_nfs>yes</skip_nfs>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/root/vulnerable.txt</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>/var/ossec/monitor.sh</command>
    <frequency>600</frequency>
  </localfile>

</ossec_config>

【Alternatively, install the client with Salt】
#salt '192.168.192.101' state.sls ossec
Start the client
#/var/ossec/bin/ossec-control start
Restart the server
#/var/ossec/bin/ossec-control restart
Contents of init.sls on the Salt master:

include:
  - mk_Downloads

install_ossec_packages:
  pkg.latest:
    - pkgs:
      - openssl-devel
      - gcc
      - prelink

install_ossec:
  archive.extracted:
    - name: /root/Downloads/ossec
    - source: salt://ossec/ossec.tar.gz
    - archive_format: tar
    - if_missing: /root/Downloads/ossec 
  cmd.run:
    - name: cd ossec && sh install.sh
    - cwd: /root/Downloads
    - unless: test -e /var/ossec/bin/ossec-control

add_ossec_config:
  file.recurse:
    - name: /var/ossec/
    - source: salt://ossec/conf/
    - user: ossec
    - group: ossec
    - dir_mode: 744 
    - template: jinja

agentauth:
  cmd.run:
    - name: /var/ossec/bin/agent-auth -m ${ossec_server_ip} -p 1515 -A $(ifconfig | egrep -o '10\.(59|211|200|223)\.[0-9]{1,3}\.[0-9]{1,3}' | head -n 1)
    - unless: test -s /var/ossec/etc/client.keys

serverstart:
  cmd.run:
    - name: /var/ossec/bin/ossec-control restart
    - onchanges: 
      - file: add_ossec_config

You also need to add the file
/root/Downloads/ossec/preloaded-vars.conf with the following contents:

USER_LANGUAGE="cn"     # Chinese installer prompts; use "en" for English
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_AGENT_SERVER_IP="*.*.*.248"

3. Some commands
# View the currently connected agents (agent liveness check)
# /var/ossec/bin/agent_control -lc   (run on the server)
After a successful start the server opens port 1514/udp (1514 is the communication port) to talk to the agents.
Check with: # netstat -anp|grep 1514
to confirm that the server service has started correctly.
# View the connection status of all agents
# /var/ossec/bin/agent_control -l   (run on the server)
# Register agent 192.168.192.144 with server 192.168.192.239 (run on the agent; 1515 is the authentication port)
# /var/ossec/bin/agent-auth -m 192.168.192.239 -p 1515 -A 192.168.192.144
【Commonly used server-side commands】
# List live agents
# /var/ossec/bin/agent_control -lc
# Check running status
# /var/ossec/bin/ossec-control status
# Manage agents
# /var/ossec/bin/manage_agents
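The liveness checks above are run by hand; for a cron job it helps to reduce the "agent_control -l" listing to only the agents that are not Active. The following is an added example (not part of the original page or of OSSEC): the sample listing reuses the layout shown on this page, and the Disconnected and "Never connected" rows in it are constructed.

```shell
#!/bin/sh
# Constructed sample of "/var/ossec/bin/agent_control -l" output. The first two
# rows mirror the listing on this page; the last two rows are invented.
AGENT_LIST='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: bbs217 (server), IP: 127.0.0.1, Active/Local
   ID: 1024, Name: 192.168.192.101, IP: any, Active
   ID: 1025, Name: web-10_59_1_103, IP: any, Disconnected
   ID: 1026, Name: web200_162, IP: any, Never connected'

# Read agent_control -l output on stdin and print "ID NAME STATUS" for every
# agent whose status does not start with "Active" (Active/Local is the server).
unhealthy_agents() {
    awk -F', ' '
        /^ *ID: / {
            id = $1;   sub(/^ *ID: /, "", id)
            name = $2; sub(/^Name: /, "", name)
            status = $NF
            if (status !~ /^Active/) printf "%s %s %s\n", id, name, status
        }'
}

# Same check over the constructed sample (what the tests exercise)
sample_unhealthy_agents() {
    printf '%s\n' "$AGENT_LIST" | unhealthy_agents
}

# Live wrapper for the server: exits 1 when any agent is not Active, so it can
# drive a cron alert. Falls back to the sample when agent_control is absent.
report_unhealthy_agents() {
    if [ -x /var/ossec/bin/agent_control ]; then
        out=$(/var/ossec/bin/agent_control -l | unhealthy_agents)
    else
        out=$(sample_unhealthy_agents)
    fi
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

sample_unhealthy_agents
```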

【Installing the agent on Windows】

Step 1: download the installer from the official site and click through the installation.
The Authentication key requested in this step is the key exported in step 3.

Step 2: add the agent on the server.

Step 3: export the key for the agent node; it is used in the next step.

Step 4: check whether the agent node has connected:
# /var/ossec/bin/agent_control -lc
If it has not connected, check whether the OSSEC service on the agent has been started, and that mail is enabled.

【Troubleshooting】
On the server:
[root@bbs217 rids]# /var/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: bbs217 (server), IP: 127.0.0.1, Active/Local
   ID: 1024, Name: 192.168.192.101, IP: any, Active
Error on the agent side:
ERROR: Duplicated counter for '192.168.192.101'.
Run the following command on both the agent and the server, then restart the ossec service:
#rm -rf /var/ossec/queue/rids/*

【Log locations】
Server & agent: /var/ossec/logs/ossec.log

【References】
http://ossec.github.io/downloads.html
http://www.ossec.net/

【Errors】
2019/05/05 16:40:03 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:03 rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:03 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:03 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2019/05/05 16:40:08 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:08 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2019/05/05 16:40:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:11 rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:24 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2019/05/05 16:40:24 rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
Checking the logs showed that the errors were caused by a full filesystem.

Another cause of the same errors is the queue directory lacking execute (enter) permission.

On inspection, the permissions on the /var/ossec/ directory were wrong:
[root@web-10_59_1_103 ossec]# ll /var/ossec/ -d
drw-r--r-- 14 root root 4096 Jun  4 02:21 /var/ossec/
The OSSEC agent runs as user ossec, but "other" has no x (enter) permission on this directory, so the agent cannot reach the files under it.

Solution:
Change the directory permissions to:
[root@web200_162 ossec]# ll -d /var/ossec/
dr-xr-x--- 14 root ossec 4096 Feb  5 14:31 /var/ossec/
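Both causes above (a full filesystem and a missing x bit on the path to the queue socket) produce the same "Queue ... not accessible" error, so it is worth checking them together. The following is an added example (not part of the original page or of OSSEC): can_traverse applies the owner/group/other x-bit reasoning to an "ls -ld" line, and it is run here on the two listings from this page; ossec_queue_check is a live wrapper that assumes the default /var/ossec layout and the ossec user and group.

```shell
#!/bin/sh
# Decide whether USER (primary group GROUP) can enter the directory described
# by one "ls -ld" line. Prints "ok" and returns 0, or a diagnosis and returns 1.
can_traverse() {
	user=$1; group=$2; line=$3
	set -- $line                    # split the ls -ld line into its columns
	mode=$1; owner=$3; fgroup=$4
	if [ "$user" = "$owner" ]; then
		pos=4; who=owner
	elif [ "$group" = "$fgroup" ]; then
		pos=7; who=group
	else
		pos=10; who=other
	fi
	bit=$(printf '%s' "$mode" | cut -c "$pos")
	case $bit in
		x|s|t) echo ok; return 0 ;;
		*) echo "no-x: $user matches '$who' (mode $mode, owner $owner, group $fgroup)"; return 1 ;;
	esac
}

# Live check: every directory down to the queue socket must be enterable by
# user ossec, and the filesystem holding it must not be (nearly) full.
ossec_queue_check() {
	dir=${1:-/var/ossec}
	rc=0
	for d in "$dir" "$dir/queue" "$dir/queue/ossec"; do
		[ -d "$d" ] || continue
		if ! can_traverse ossec ossec "$(ls -ld "$d")" >/dev/null; then
			echo "user ossec cannot enter $d"; rc=1
		fi
	done
	used=$(df -P "$dir" 2>/dev/null | awk 'NR==2 {sub(/%/, "", $5); print $5}')
	if [ -n "$used" ] && [ "$used" -ge 95 ]; then
		echo "filesystem holding $dir is ${used}% full"; rc=1
	fi
	return $rc
}

# Worked on the two listings from this page: the bad one, then the fixed one.
can_traverse ossec ossec 'drw-r--r-- 14 root root 4096 Jun  4 02:21 /var/ossec/' || true
can_traverse ossec ossec 'dr-xr-x--- 14 root ossec 4096 Feb  5 14:31 /var/ossec/'
```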

Error: Duplicate Counter Error in OSSEC

On the server:
execute /var/ossec/bin/manage_agents
select "Remove an agent" (R)
select your agent (for example 006)
back in the main menu, select "Add an agent" (A)
give OSSEC the name and IP
back on the main menu, select "Extract key for an agent"
copy the key you're given
quit and restart OSSEC

On the agent:
execute /var/ossec/bin/manage_agents
select "Import key from server" (I)
paste the key
quit and restart OSSEC

【Official sites】
http://www.ossec.net
https://documentation.wazuh.com
