OSSEC 是一个可扩展、多平台、开源的基于主机的入侵检测系统 (HIDS)
OSSEC 拥有强大的关联和分析引擎,集成了日志分析、文件完整性监控、Windows 注册表监控、集中策略执行、rootkit 检测、实时警报和主动响应。它可以在大多数操作系统上运行,包括 Linux、OpenBSD、FreeBSD、MacOS、Solaris 和 Windows。
一、OSSEC Server服务端搭建
1、CentOS7操作系统基础环境配置
hostnamectl set-hostname ossecserver systemctl restart rsyslog sed -i 's/enable/disabled/g' /etc/selinux/config setenforce 0
2、安装mariadb
yum install mariadb-server systemctl start mariadb systemctl enable mariadb mysql_secure_installation netstat -anp | grep 3306
mysql -uroot -pMySQL_2022 create database ossec; grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost; set password for ossec@localhost=PASSWORD('password'); flush privileges;
3、安装OSSEC-Server并导入MySQL schema
yum localinstall *.rpm
cd /usr/share/ossec/contrib/ mysql -uroot -p ossec < mysql.schema
/var/ossec/bin/ossec-control enable database cd /var/ossec/bin ./ossec-configure
4、配置文件中添加output数据库配置
cd /var/ossec/etc/ vim ossec-server.conf <database_output> <hostname>127.0.0.1</hostname> <username>ossec</username> <password>password</password> <database>ossec</database> <type>mysql</type> </database_output>
cd /var/ossec/bin ./ossec-control restart
5、添加客户端并生成Key
./manage_agents
二、OSSEC Agent客户端安装及配置
1、安装OSSEC-Agent
yum localinstall *.rpm
2、修改配置文件并启动客户端
cd /var/ossec/etc/ vim ossec-agent.conf vim internal_options.conf cd /var/ossec/bin touch /var/ossec/queue/rids/sender ./manage_agent ./ossec-control restart
3、服务端确认Agent是否上线
/var/ossec/bin ./agent_control -lc
三、OSSEC-WUI Web服务启动
vi /etc/php.ini systemctl restart httpd systemctl enable httpd
四、配置CEF日志转发到Graylog
1、参考文章
https://github.com/Graylog2/graylog-guide-ossec
2、OSSEC-Server服务端添加syslog_output
vim /var/ossec/etc/ossec.conf 添加如下行 <syslog_output> <server>192.168.31.232</server> <port>12000</port> <format>cef</format> </syslog_output>
/var/ossec/bin/ossec-control enable client-syslog /var/ossec/bin/ossec-control restart
五、HIDS功能测试
1、例如暴力破解攻击测试
可以看到已经自动进行了封堵
2、系统完整性测试
六、Tips
1、验证MariaDB数据库是否正常对接
SELECT id,server_id,rule_id,level,timestamp,location_id,src_ip,dst_ip,src_port,dst_port,alerti
2、配置文件排错时参考如下链接
https://ossec-list.narkive.com/bJiYSQh2/errors-in-ossec-clients https://www.ossec.net/docs/