PerezBox

Tony Perez On Security, Business, And Life

standard post icon

Installing OSSEC on Linux Distributions

Published in Security on

The last few posts have been about deploying and configuring OSSEC as an important tool in your security suite. In this article I will provide you a script I wrote to help you quickly deploy OSSEC.

This script assumes you are deploying on a Linux distribution (e.g., Fedora, Ubuntu, CentOS, or Debian). It will force you to choose a distribution OS before it runs, this ensures it installs the appropriate dependencies based on the distribution type.

This script uses Daniel’s distribution. Edit as you wish if you want to go off the main distribution. OSSEC has the capability to be compiled and installed without the interactivity of install.sh. That is what I’m using when I echo my outputs into the etc/preloaded-vars.conf configuration file.

This install script deploys an Agent install by default, you can edit the variable accordingly for local and server deployments. Also note that the script will set the server IP using the USER_AGENT_SERVER_IP= variable in the preloaded config file. Be sure to set that or it’ll fail.

#!/bin/bash
#Author: Tony Perez
#Reviewer: Daniel Cid

#Begin installation of OSSEC: https://dcid.me/texts/my-ossec-setup-manual.html
RED='\033[0;31m'
NC='\033[0m'
bold=$(tput bold)
normal=$(tput sgr0)

#Install dependencies first

if [ "x$1" = "xcentos" ] ; then
    echo "You have selected CentOS"
    echo "Installing CentOS dependencies"
    sudo yum -y install gcc make libc-dev wget
    echo "Done with CentOS dependencies."

elif [ "x$1" = "xubuntu" ] ; then
    echo "You have selected Ubuntu"
    echo "Intalling Ubuntu dependencies"
    sudo apt-get -y install make gcc wget libc-dev
    echo "Done with Ubuntu dependencies."
elif [ "x$1" = "xdebian" ] ; then
    echo "You have selected Debian"
    echo "Installing Debian dependencies"
    sudo apt-get update
    sudo apt-get install -y build-essential inotify-tools ntp
    sudo systemctl start ntp
    echo "Debian doesn't have IPTables..will install"
    sudo apt-get install -y iptables-persistent
    sudo systemctl restart netfilter-persistent
    echo "Done with Debian dependencies."
elif [ "x$1" = "xfedora" ] ; then
    echo "You have selected Fedora"
    echo "Installing Fedora dependencies"
    sudo yum install -y bind-utils gcc make inotify-tools
    echo "Done with Fedora dependencies."
else 
    echo " "
    echo "Please pass one of the following options into the script:" 
    echo " "
    echo -e "       Run the following command: ${RED}$0 centos${NC}"
    echo -e "       Run the following command: ${RED}$0 ubuntu${NC}"
    echo -e "       Run the following command: ${RED}$0 debian${NC}"
    echo -e "       Run the following command: ${RED}$0 fedora${NC}"
    exit 1
fi

echo "Creating new Downloads directory in root"

cd /root/
mkdir Downloads
cd Downloads

echo "New Downloads directory created and set"

echo "Downloading OSSEC installation"

wget https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz

echo "Decrypting installation into Downloads folder"

tar -zxvf tip.tar.gz

echo "Switching directories to the new decrypted installation"

cd dcid-ossec-hids-*

#Setting Default OSSEC installation settings

echo "Adding default OSSEC configurations"

echo "Set language to English..."
echo USER_LANGUAGE="en" > etc/preloaded-vars.conf
echo "Confirmation messages are disabled.."
echo USER_NO_STOP="y" >> etc/preloaded-vars.conf
echo "User deployment as an AGENT install.."
echo USER_INSTALL_TYPE="agent" >> etc/preloaded-vars.conf
echo "Set the OSSEC server.."
echo USER_AGENT_SERVER_IP="[set your server IP]" >> etc/preloaded-vars.conf
echo "Set default location as /var/ossec..."
echo USER_DIR="/var/ossec" >> etc/preloaded-vars.conf
echo "Enabled Active Response..."
echo USER_ENABLE_ACTIVE_RESPONSE="y" >> etc/preloaded-vars.conf
echo "Enabled system checks..."
echo USER_ENABLE_SYSCHECK="y" >> etc/preloaded-vars.conf
echo "Enabled rootcheck..."
echo USER_ENABLE_ROOTCHECK="y" >> etc/preloaded-vars.conf
echo "Disabled email notifications..."
echo USER_ENABLE_EMAIL="n" >> etc/preloaded-vars.conf
echo "Disabled Firewall Response... "
echo USER_ENABLE_FIREWALL_RESPONSE="n" >> etc/preloaded-vars.conf

echo "Done adding defaults..."

echo "Begin the OSSEC installation..."

./install.sh

echo "OSSEC installed successfully, begin manual configuration..."

#Cleaning up mess

echo "Cleaning up mess.."

rm -rf tip.tar.gz dcid-ossec-hids-*

echo "Installation is complete.."

In future release of this script I’ll probably create constants to capture the users input to help set it on your behalf. I’m also going to see about adding more variables, I’d love to see if there is a way to set variables for the ossec.conf file by default so that everything is set at installation.

Let me know what you think. Open to recommendations. What would help you out?

About Tony Perez

One of CleanBrowsing and NOC.org Founders. Formerly GoDaddy's General Manager (GM) for the Security Product Group. Responsible for the Sucuri brand, Certificate Authority (CA), Content Distribution Network (CDN), Website Application Firewall (WAF), Website Backups, Monitoring, and Incident Response products and services. The former CEO / Co-Founder of Sucuri and US Marine.

You can follow me on Twitter at @perezbox.