PerezBox

Tony Perez On Security, Business, And Life

Installing OSSEC on Linux Distributions

Published in Security on January 3, 2019

The last few posts have been about deploying and configuring OSSEC as an important tool in your security suite. In this article I'll share a script I wrote to help you deploy OSSEC quickly.

The script assumes you are deploying on a Linux distribution (Fedora, Ubuntu, CentOS or Debian). It makes you name the distribution before it runs, so that it installs the dependencies appropriate to that distribution's package manager.

The script uses Daniel's distribution of OSSEC (the Bitbucket fork linked in the script); edit the download URL if you want to go off the main distribution. OSSEC can be compiled and installed without the interactivity of install.sh: when etc/preloaded-vars.conf exists, install.sh reads its answers from that file instead of prompting, which is what the script fills in before running it.

The script deploys an agent install by default; change the install type for local and server deployments. Note also that an agent install needs the OSSEC server's IP, which the script writes into the preloaded config as USER_AGENT_SERVER_IP. Be sure to provide it, or the install will fail.
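The script asks for the distribution name on the command line. As an added example (not part of the original post or of the script that follows), here is a POSIX shell routine that derives that name from /etc/os-release instead, so it can be fed to the script as its first argument; it also maps derivatives to their family through ID_LIKE, so that, for instance, a Rocky Linux host reporting ID_LIKE="rhel centos fedora" is treated as centos. The os-release contents used in the checks are constructed for this example. The file is parsed with sed rather than sourced, because os-release is shell syntax and sourcing it would execute whatever the file contains.

```sh
#!/bin/sh
# Added example, not part of the original post or its script: derive the
# distribution name the install script expects (centos, ubuntu, debian or
# fedora) from an os-release file instead of asking for it.

# distro_from_os_release [FILE]
#   Prints one of centos|ubuntu|debian|fedora and returns 0, or prints a
#   reason on stderr and returns 1. FILE defaults to /etc/os-release.
#   The file is parsed with sed rather than sourced: os-release is shell
#   syntax, and sourcing it would execute whatever it contains.
distro_from_os_release() {
    osr="${1:-/etc/os-release}"
    [ -r "$osr" ] || { echo "cannot read $osr" >&2; return 1; }
    osr_id=$(sed -n 's/^ID=//p' "$osr" | tr -d '"')
    osr_like=$(sed -n 's/^ID_LIKE=//p' "$osr" | tr -d '"')
    # ID first, then each family in ID_LIKE, so Ubuntu (ID_LIKE=debian) stays
    # ubuntu while a RHEL rebuild (ID_LIKE="rhel centos fedora") becomes centos.
    for candidate in $osr_id $osr_like; do
        case "$candidate" in
            centos|rhel) echo centos; return 0 ;;
            ubuntu)      echo ubuntu; return 0 ;;
            debian)      echo debian; return 0 ;;
            fedora)      echo fedora; return 0 ;;
        esac
    done
    echo "unsupported distribution: ID='$osr_id' ID_LIKE='$osr_like'" >&2
    return 1
}

# Demonstration against this host. The install script from the post would
# then be started with "$(distro_from_os_release)" as its first argument.
if detected=$(distro_from_os_release 2>/dev/null); then
    echo "detected: $detected"
else
    echo "detected: none of the four supported distributions"
fi
```

Unknown values (Alpine, SUSE, a missing file) make the function fail rather than guess, which is the behaviour you want in front of a script that is about to run a package manager as root.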

#!/bin/bash
#Author: Tony Perez
#Reviewer: Daniel Cid

#Begin installation of OSSEC: https://dcid.me/texts/my-ossec-setup-manual.html
#Usage: $0 <centos|ubuntu|debian|fedora> [ossec-server-ip]
#The server IP is required for the default agent install and ignored otherwise.

#Abort on the first failed command: a failed download or compile must not be
#followed by an "installed successfully" message.
set -euo pipefail

RED='\033[0;31m'
NC='\033[0m'

#Deployment settings: change INSTALL_TYPE to "local" or "server" as needed.
INSTALL_TYPE="agent"
INSTALL_DIR="/var/ossec"
SERVER_IP="${2:-}"
DOWNLOAD_DIR="/root/Downloads"
TARBALL_URL="https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz"

#install.sh compiles and installs into $INSTALL_DIR as root, so the whole
#script runs as root rather than sprinkling sudo through it.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root."
    exit 1
fi

#An agent that does not know its server cannot be enrolled; fail before
#installing anything.
if [ "$INSTALL_TYPE" = "agent" ] && [ -z "$SERVER_IP" ]; then
    echo -e "Agent install needs the OSSEC server IP: ${RED}$0 <distribution> <server-ip>${NC}"
    exit 1
fi

#Install dependencies first

case "${1:-}" in
    centos)
        echo "You have selected CentOS"
        echo "Installing CentOS dependencies"
        yum -y install gcc make glibc-devel wget
        echo "Done with CentOS dependencies."
        ;;
    ubuntu)
        echo "You have selected Ubuntu"
        echo "Installing Ubuntu dependencies"
        apt-get update
        apt-get -y install make gcc wget libc6-dev
        echo "Done with Ubuntu dependencies."
        ;;
    debian)
        echo "You have selected Debian"
        echo "Installing Debian dependencies"
        apt-get update
        apt-get install -y build-essential inotify-tools ntp wget
        systemctl start ntp
        echo "Installing iptables with persistent rules"
        apt-get install -y iptables-persistent
        systemctl restart netfilter-persistent
        echo "Done with Debian dependencies."
        ;;
    fedora)
        echo "You have selected Fedora"
        echo "Installing Fedora dependencies"
        dnf install -y bind-utils gcc make inotify-tools wget
        echo "Done with Fedora dependencies."
        ;;
    *)
        echo " "
        echo "Please pass one of the following options into the script:"
        echo " "
        echo -e "       Run the following command: ${RED}$0 centos <server-ip>${NC}"
        echo -e "       Run the following command: ${RED}$0 ubuntu <server-ip>${NC}"
        echo -e "       Run the following command: ${RED}$0 debian <server-ip>${NC}"
        echo -e "       Run the following command: ${RED}$0 fedora <server-ip>${NC}"
        exit 1
        ;;
esac

echo "Creating a Downloads directory under /root"

mkdir -p "$DOWNLOAD_DIR"
cd "$DOWNLOAD_DIR"

echo "Downloading the OSSEC source snapshot"

#This is an unpinned snapshot of Daniel's fork fetched over HTTPS; the endpoint
#publishes no checksum or signature, so the TLS connection is the only integrity
#check you get. Pin a release you have verified if your policy requires it.
wget -O tip.tar.gz "$TARBALL_URL"

echo "Extracting the archive into $DOWNLOAD_DIR"

tar -zxvf tip.tar.gz

echo "Switching to the extracted source directory"

cd dcid-ossec-hids-*/

#Setting default OSSEC installation settings. install.sh sources
#etc/preloaded-vars.conf; with USER_NO_STOP set it never prompts.

echo "Writing default OSSEC installation settings"

cat > etc/preloaded-vars.conf <<EOF
# Language
USER_LANGUAGE="en"
# Do not ask for confirmation at each step
USER_NO_STOP="y"
# local, agent or server
USER_INSTALL_TYPE="${INSTALL_TYPE}"
# Installation directory
USER_DIR="${INSTALL_DIR}"
# Active response on, but no firewall-drop response
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_FIREWALL_RESPONSE="n"
# File integrity monitoring and rootkit detection on
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
# No e-mail notifications
USER_ENABLE_EMAIL="n"
EOF

#Only an agent needs to know its server.
if [ "$INSTALL_TYPE" = "agent" ]; then
    echo "USER_AGENT_SERVER_IP=\"${SERVER_IP}\"" >> etc/preloaded-vars.conf
fi

echo "Done adding defaults..."

echo "Begin the OSSEC installation..."

./install.sh

echo "OSSEC installed successfully, begin manual configuration..."

#Cleaning up mess: go back to the download directory first, since the
#extracted tree is the current directory and the pattern would not match
#from inside it.

echo "Cleaning up mess.."

cd "$DOWNLOAD_DIR"
rm -rf tip.tar.gz dcid-ossec-hids-*

echo "Installation is complete.."
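The warning above about USER_AGENT_SERVER_IP is easy to trip over, because install.sh simply sources preloaded-vars.conf and only fails part-way through when the value is a placeholder. As an added example (not part of the original script), the following POSIX shell functions write a preloaded-vars.conf for a local, agent or server install and validate it before install.sh is run: the install type must be one of those three, the install directory must be absolute, and an agent must carry a server IP that is a real dotted quad. The variable names are the ones install.sh reads; the file contents and the throwaway config in the demonstration are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post: write OSSEC's
# etc/preloaded-vars.conf for a given install type and validate it before
# install.sh is run, so a placeholder server IP fails here instead of
# part-way through the install.

# write_preloaded_vars TYPE INSTALL_DIR SERVER_IP OUTFILE
#   TYPE is local, agent or server. SERVER_IP is only written for agents.
#   The values mirror the defaults used by the install script above.
write_preloaded_vars() {
    wp_type="$1"; wp_dir="$2"; wp_ip="$3"; wp_out="$4"
    {
        printf 'USER_LANGUAGE="en"\n'
        printf 'USER_NO_STOP="y"\n'
        printf 'USER_INSTALL_TYPE="%s"\n' "$wp_type"
        printf 'USER_DIR="%s"\n' "$wp_dir"
        if [ "$wp_type" = "agent" ]; then
            printf 'USER_AGENT_SERVER_IP="%s"\n' "$wp_ip"
        fi
        printf 'USER_ENABLE_ACTIVE_RESPONSE="y"\n'
        printf 'USER_ENABLE_FIREWALL_RESPONSE="n"\n'
        printf 'USER_ENABLE_SYSCHECK="y"\n'
        printf 'USER_ENABLE_ROOTCHECK="y"\n'
        printf 'USER_ENABLE_EMAIL="n"\n'
    } > "$wp_out"
}

# is_ipv4 ADDR: true for a dotted quad whose octets are all 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_preloaded_vars FILE: source FILE in a subshell (as install.sh does)
# and check the variables the install depends on. Returns 0 when the file is
# usable, 1 with a reason on stderr otherwise.
check_preloaded_vars() {
    [ -f "$1" ] || { echo "missing $1" >&2; return 1; }
    (
        set -e
        . "$1"
        case "${USER_DIR:-}" in
            /*) ;;
            *) echo "USER_DIR must be an absolute path, got '${USER_DIR:-}'" >&2; exit 1 ;;
        esac
        case "${USER_INSTALL_TYPE:-}" in
            local|server) ;;
            agent)
                if ! is_ipv4 "${USER_AGENT_SERVER_IP:-}"; then
                    echo "agent install needs a valid USER_AGENT_SERVER_IP, got '${USER_AGENT_SERVER_IP:-}'" >&2
                    exit 1
                fi
                ;;
            *) echo "USER_INSTALL_TYPE must be local, agent or server" >&2; exit 1 ;;
        esac
    )
}

# Demonstration on a throwaway file (constructed input): the placeholder
# left in the original script is rejected before any install runs.
demo_conf="$(mktemp)"
write_preloaded_vars agent /var/ossec "[set your server IP]" "$demo_conf"
if check_preloaded_vars "$demo_conf"; then
    echo "demo: preloaded-vars.conf is usable"
else
    echo "demo: preloaded-vars.conf rejected, fix it before ./install.sh"
fi
rm -f "$demo_conf"
```

Because the check sources the file the same way install.sh does, anything that would break the install (an unquoted value with spaces, a stray command) fails in the subshell and is reported before the compile starts.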

In a future release of this script I'll probably add constants that capture the user's input and set it on your behalf. I'm also going to look at adding more variables; I'd love to find a way to set values for the ossec.conf file by default, so that everything is configured at installation.

Let me know what you think. Open to recommendations. What would help you out?

Category: Security Topics: Intrusion Detection System (IDS), OSSEC, Security Tools And Technology, Web And Information Security

About Tony Perez

One of CleanBrowsing and NOC.org Founders. Formerly GoDaddy's General Manager (GM) for the Security Product Group. Responsible for the Sucuri brand, Certificate Authority (CA), Content Distribution Network (CDN), Website Application Firewall (WAF), Website Backups, Monitoring, and Incident Response products and services. The former CEO / Co-Founder of Sucuri and US Marine.

You can follow me on Twitter at @perezbox.
