The last few posts have been about deploying and configuring OSSEC as an important tool in your security suite. In this article I will provide a script I wrote to help you deploy OSSEC quickly.
This script assumes you are deploying on a Linux distribution (e.g., Fedora, Ubuntu, CentOS, or Debian). It forces you to choose a distribution before it runs, which ensures it installs the appropriate dependencies for that distribution.
This script uses Daniel's distribution of OSSEC. Edit it as you wish if you want to go off the main distribution. OSSEC can be compiled and installed without the interactivity of install.sh; that is what I am using when I echo my settings into the etc/preloaded-vars.conf configuration file.
This install script deploys an agent install by default; you can edit the variable accordingly for local and server deployments. Also note that the script sets the server IP using the USER_AGENT_SERVER_IP= variable in the preloaded config file. Be sure to set that or it'll fail.
```bash
#!/bin/bash
#Author: Tony Perez
#Reviewer: Daniel Cid
#Begin installation of OSSEC: https://dcid.me/texts/my-ossec-setup-manual.html

RED='\033[0;31m'
NC='\033[0m'
bold=$(tput bold 2>/dev/null || true)
normal=$(tput sgr0 2>/dev/null || true)

# Abort on the first failed command so a bad download or extraction
# does not continue into install.sh.
set -e

# install.sh and the /root working directory both require root.
if [ "$(id -u)" -ne 0 ] ; then
  echo "This script must be run as root."
  exit 1
fi

#Install dependencies first
if [ "x$1" = "xcentos" ] ; then
  echo "You have selected CentOS"
  echo "Installing CentOS dependencies"
  sudo yum -y install gcc make libc-dev wget
  echo "Done with CentOS dependencies."
elif [ "x$1" = "xubuntu" ] ; then
  echo "You have selected Ubuntu"
  echo "Installing Ubuntu dependencies"
  sudo apt-get -y install make gcc wget libc-dev
  echo "Done with Ubuntu dependencies."
elif [ "x$1" = "xdebian" ] ; then
  echo "You have selected Debian"
  echo "Installing Debian dependencies"
  sudo apt-get update
  sudo apt-get install -y build-essential inotify-tools ntp
  sudo systemctl start ntp
  echo "Debian doesn't have IPTables..will install"
  sudo apt-get install -y iptables-persistent
  sudo systemctl restart netfilter-persistent
  echo "Done with Debian dependencies."
elif [ "x$1" = "xfedora" ] ; then
  echo "You have selected Fedora"
  echo "Installing Fedora dependencies"
  # wget is needed for the download step below
  sudo yum install -y bind-utils gcc make inotify-tools wget
  echo "Done with Fedora dependencies."
else
  echo " "
  echo "Please pass one of the following options into the script:"
  echo " "
  echo -e " Run the following command: ${RED}$0 centos${NC}"
  echo -e " Run the following command: ${RED}$0 ubuntu${NC}"
  echo -e " Run the following command: ${RED}$0 debian${NC}"
  echo -e " Run the following command: ${RED}$0 fedora${NC}"
  exit 1
fi

echo "Creating new Downloads directory in root"
cd /root/
mkdir -p Downloads
cd Downloads
echo "New Downloads directory created and set"

echo "Downloading OSSEC installation"
wget https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz
echo "Extracting installation into Downloads folder"
tar -zxvf tip.tar.gz
echo "Switching directories to the new extracted installation"
cd dcid-ossec-hids-*

#Setting Default OSSEC installation settings
# Single quotes keep the double quotes in the written file, which is the
# format install.sh expects when it sources etc/preloaded-vars.conf.
echo "Adding default OSSEC configurations"
echo "Set language to English..."
echo 'USER_LANGUAGE="en"' > etc/preloaded-vars.conf
echo "Confirmation messages are disabled.."
echo 'USER_NO_STOP="y"' >> etc/preloaded-vars.conf
echo "User deployment as an AGENT install.."
echo 'USER_INSTALL_TYPE="agent"' >> etc/preloaded-vars.conf
echo "Set the OSSEC server.."
# Replace the placeholder with your OSSEC server IP; install.sh fails without it.
echo 'USER_AGENT_SERVER_IP="[set your server IP]"' >> etc/preloaded-vars.conf
echo "Set default location as /var/ossec..."
echo 'USER_DIR="/var/ossec"' >> etc/preloaded-vars.conf
echo "Enabled Active Response..."
echo 'USER_ENABLE_ACTIVE_RESPONSE="y"' >> etc/preloaded-vars.conf
echo "Enabled system checks..."
echo 'USER_ENABLE_SYSCHECK="y"' >> etc/preloaded-vars.conf
echo "Enabled rootcheck..."
echo 'USER_ENABLE_ROOTCHECK="y"' >> etc/preloaded-vars.conf
echo "Disabled email notifications..."
echo 'USER_ENABLE_EMAIL="n"' >> etc/preloaded-vars.conf
echo "Disabled Firewall Response... "
echo 'USER_ENABLE_FIREWALL_RESPONSE="n"' >> etc/preloaded-vars.conf
echo "Done adding defaults..."

echo "Begin the OSSEC installation..."
./install.sh
echo "OSSEC installed successfully, begin manual configuration..."

#Cleaning up mess
# Step back out of the extracted tree first, otherwise the globs below
# would not match and nothing would be removed.
echo "Cleaning up mess.."
cd /root/Downloads
rm -rf tip.tar.gz dcid-ossec-hids-*
echo "Installation is complete.."
```
In a future release of this script I'll probably create constants to capture the user's input and set it on your behalf. I'm also going to see about adding more variables; I'd love to see if there is a way to set variables for the ossec.conf file by default so that everything is set at installation.
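As an added example of the input capture described above (my own code, not the post's script), the functions below build etc/preloaded-vars.conf from arguments instead of a hard-coded placeholder, refuse to write an agent config unless USER_AGENT_SERVER_IP is a valid IPv4 address, and re-read the file the way install.sh does so it can be checked before installing. The function names and the install-type/IP arguments are my own choices.

```bash
#!/bin/bash
# Added example, not the post's script: generate OSSEC's etc/preloaded-vars.conf
# non-interactively and refuse an agent config without a usable manager address,
# the failure the post warns about. Function and option names are my own.

valid_ipv4() {
  # Dotted-quad syntax first, then each octet within 0..255.
  local ip="$1" octet
  printf '%s' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
  for octet in $(printf '%s' "$ip" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# write_preloaded_vars TYPE SERVER_IP OUTFILE
#   TYPE is agent, local or server; SERVER_IP is required for agent installs.
# Values are written quoted, so install.sh can source the file as-is.
write_preloaded_vars() {
  local install_type="$1" server_ip="$2" out="$3"
  case "$install_type" in
    agent|local|server) ;;
    *) echo "unsupported install type '$install_type'" >&2; return 1 ;;
  esac
  if [ "$install_type" = "agent" ] && ! valid_ipv4 "$server_ip"; then
    echo "agent install needs a valid USER_AGENT_SERVER_IP, got '$server_ip'" >&2
    return 2
  fi
  {
    printf 'USER_LANGUAGE="en"\n'
    printf 'USER_NO_STOP="y"\n'
    printf 'USER_INSTALL_TYPE="%s"\n' "$install_type"
    if [ "$install_type" = "agent" ]; then
      printf 'USER_AGENT_SERVER_IP="%s"\n' "$server_ip"
    fi
    printf 'USER_DIR="/var/ossec"\n'
    printf 'USER_ENABLE_ACTIVE_RESPONSE="y"\n'
    printf 'USER_ENABLE_SYSCHECK="y"\n'
    printf 'USER_ENABLE_ROOTCHECK="y"\n'
    printf 'USER_ENABLE_EMAIL="n"\n'
    printf 'USER_ENABLE_FIREWALL_RESPONSE="n"\n'
  } > "$out"
}

# read_preloaded_var FILE NAME: source FILE in a subshell, the way install.sh
# does, and print NAME, so the generated file can be checked before installing.
read_preloaded_var() {
  ( . "$1" && eval "printf '%s\\n' \"\$$2\"" )
}
```

Call it as `write_preloaded_vars agent 10.0.0.5 /root/Downloads/dcid-ossec-hids-*/etc/preloaded-vars.conf` from the deployment script, and verify with `read_preloaded_var <file> USER_AGENT_SERVER_IP` before running ./install.sh.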
Let me know what you think. Open to recommendations. What would help you out?