1.ossec服务端安装
解压>>>
#tar -zxvf ossec_server.tar.gz
#cd ossec
安装>>>
#./install.sh
agent.conf初始化>>>
#touch /var/ossec/etc/shared/agent.conf
服务启动>>>
#/var/ossec/bin/ossec-control start
安装授权>>>
# openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
（显式指定 2048 位：旧版 openssl 的 genrsa 默认密钥长度只有 512/1024 位。该证书为自签名，agent 端默认不校验服务器身份；若 agent-auth 支持 -v 选项，可把 sslmanager.cert 分发到客户端用于校验。）
授权监听启动>>>
# /var/ossec/bin/ossec-authd &
（注意：不带口令启动的 ossec-authd 会给任何能连到 TCP 1515 的主机签发 agent key。生产环境建议：用 -P 启用共享口令（具体参数以 ossec-authd -h 为准），在防火墙上把 1515 限制到 Salt 管理的网段，批量注册完成后停止 ossec-authd；另外用 `&` 拉起的进程在服务器重启后不会自动恢复。）
2. 利用 Salt 安装客户端（agent）
#salt '192.168.190.101' state.sls ossec
客户端启动
#/var/ossec/bin/ossec-control start
服务端重启
#/var/ossec/bin/ossec-control restart
salt模板init.sls
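# Salt state: install the OSSEC agent from a tarball shipped by the master,
# drop the managed configs, enrol with the manager and (re)start the agent.
# NOTE(review): every cmd.run below executes as root on the minion.

# Staging directory for the tarball.  A directory needs the execute bit to be
# traversed, so the original dir_mode 644 was wrong; 755 is the conventional
# value.  `template`, `include_empty` and `backup` are not arguments of
# file.directory (they belong to file.managed / file.recurse) and are dropped.
/root/Downloads:
  file.directory:
    - user: root
    - group: root
    - file_mode: 644
    - dir_mode: 755
    - makedirs: True

# Build/runtime dependencies of install.sh.  prelink is used by syscheck's
# prefilter_cmd on the agent; it no longer exists on recent distributions, so
# confirm the package is available before depending on it.
install_packages:
  pkg.latest:
    - pkgs:
      - openssl-devel
      - gcc
      - prelink

# Binary artefact: no jinja rendering (Salt would try to render the gzip
# stream as a template and fail or corrupt it) and no execute bit on data.
/root/Downloads/ossec.tar.gz:
  file.managed:
    - source: salt://ossec/ossec.tar.gz
    - user: root
    - group: root
    - mode: 644
    - require:
      - file: /root/Downloads

# Unpack and run the vendor installer once; `unless` keeps the state
# idempotent by checking for the control script the installer creates.
# The compiler/openssl headers must be present before install.sh runs, so
# the package state is an explicit requirement rather than relying on
# file order.
install_ossec:
  cmd.run:
    - name: tar zxf ossec.tar.gz && cd ossec && sh install.sh
    - cwd: /root/Downloads
    - unless: test -e /var/ossec/bin/ossec-control
    - require:
      - pkg: install_packages
      - file: /root/Downloads/ossec.tar.gz

# Agent configuration (section 4 of this document).
/var/ossec/etc/ossec.conf:
  file.managed:
    - source: salt://ossec/conf/etc/ossec.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - require:
      - cmd: install_ossec

# Shared agent.conf; normally pushed by the manager, managed here as well.
/var/ossec/etc/shared/agent.conf:
  file.managed:
    - source: salt://ossec/conf/etc/shared/agent.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - require:
      - cmd: install_ossec

# Host checks executed by ossec-logcollector (section 6); runs as root.
/var/ossec/monitor.sh:
  file.managed:
    - source: salt://ossec/conf/monitor.sh
    - user: root
    - group: root
    - mode: 755
    - template: jinja
    - require:
      - cmd: install_ossec

# Enrol with the manager over ossec-authd (TCP 1515), naming the agent after
# the minion's first 192.168.x.x address.  `-m` alone does not verify the
# manager's certificate, so the key exchange trusts whatever answers on
# 1515; distribute sslmanager.cert and add `-v <cert>` if your agent-auth
# build supports it.  `ip` replaces the deprecated `ifconfig` (absent on
# minimal installs) and the dots in the pattern are escaped.
agentauth:
  cmd.run:
    - name: /var/ossec/bin/agent-auth -m 192.168.190.217 -p 1515 -A "$(ip -4 -o addr | grep -oE '192\.168\.[0-9]{1,3}\.[0-9]{1,3}' | head -n 1)"
    - unless: test -s /var/ossec/etc/client.keys
    - require:
      - cmd: install_ossec

# Restart the agent whenever its configuration changed or a key was just
# enrolled (client.keys is only read at start-up, so a fresh enrolment
# without a restart leaves the agent disconnected).
serverstart:
  cmd.run:
    - name: /var/ossec/bin/ossec-control restart
    - onchanges:
      - file: /var/ossec/etc/ossec.conf
      - file: /var/ossec/etc/shared/agent.conf
      - cmd: agentauth
    - require:
      - cmd: install_ossec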
3.rules调整
3.1添加白名单修改pam_rules.xml
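<!-- OpenVAS scanner whitelist for PAM events.  Keep this in local_rules.xml
     with a local ID (100000-119999) rather than editing pam_rules.xml:
     stock rule files are replaced on upgrade, and 5503 is itself a stock
     rule ("User login failed"), so reusing the number either overrides that
     rule or is rejected as a duplicate ID.  This level-0 child of the PAM
     parent (5500) mutes every pam_unix event carrying one of these
     addresses; <match> treats "." literally so no escaping is needed.
     <srcip> would be the cleaner field once you confirm the pam decoder
     fills it for these lines. -->
<rule id="100100" level="0">
  <if_sid>5500</if_sid>
  <match>192.168.190.62|192.168.190.58</match>
  <description>OpenVas WhiteList</description>
</rule>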
3.2修改sshd_rules.xml
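<!-- Same whitelist for sshd-decoded events.  Those hang under 5700 ("SSHD
     messages grouped" in the stock sshd_rules.xml), not under the PAM parent
     5500 the original copy referenced, so a rule with if_sid 5500 placed in
     sshd_rules.xml never matched an sshd log line.  Local ID and
     local_rules.xml for the same upgrade/duplicate-ID reasons as the PAM
     rule; verify the parent ID against your installed ruleset. -->
<rule id="100101" level="0">
  <if_sid>5700</if_sid>
  <match>192.168.190.62|192.168.190.58</match>
  <description>OpenVas WhiteList</description>
</rule>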
#frequency=5 / timeframe=120：120 秒内累计 5 次匹配即触发；ignore=60：触发后 60 秒内的再次匹配不重复告警（只压制告警，不影响计数窗口）。
<rule id="5720" level="10" frequency="5" timeframe="120" ignore="60">
3.3修改syslog_rules.xml
#过滤掉大数据服务器在部署flume操作
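<!-- Suppress the "new group/user added" alerts for the account the Flume
     deployment creates on the big-data hosts.  Local IDs in local_rules.xml:
     5905/5906 sit in the stock range of syslog_rules.xml and would be lost
     on upgrade or collide with a stock rule.  The match is "name=flume,"
     (useradd/groupadd log the fields comma-separated), so an account that
     merely starts with "flume" — a convenient persistence trick — is still
     reported; confirm the comma against your shadow-utils log lines. -->
<rule id="100200" level="0">
  <if_sid>5901</if_sid>
  <match>name=flume,</match>
  <description>New group Ignore</description>
</rule>
<rule id="100201" level="0">
  <if_sid>5902</if_sid>
  <match>name=flume,</match>
  <description>New user Ignore</description>
</rule>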
3.4修改ossec_rules.xml
#忽略 rootcheck 的 "Process ... hidden from /proc" 告警（注意：这是进程隐藏型 rootkit 的核心指标，全量静默前请先确认误报来源）
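<!-- Mutes rootcheck's "Process ... hidden from /proc" finding on every
     agent.  NOTE(review): that finding is one of the few host-level
     indicators of a process-hiding rootkit; the noise usually comes from
     short-lived processes racing the scan.  Prefer muting a known-noisy host
     with <hostname>, or a low but non-zero level, over a fleet-wide level 0.
     Moved to a local ID in local_rules.xml so an upgrade of ossec_rules.xml
     does not silently drop (or collide with) it. -->
<rule id="100300" level="0">
  <if_sid>510</if_sid>
  <match>hidden from /proc</match>
  <description>Ignored process hidden entries.</description>
  <group>rootcheck,</group>
</rule>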
#属于root用户,其他用户可以有写权限的忽略
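<!-- Mutes any rootcheck message mentioning one of these path prefixes
     (intended for "root-owned file writable by others", but the regex is
     not restricted to that message).  In <regex> "." matches any character,
     which is harmless for these literals.  Keep the list short: every
     prefix is a blind spot for world-writable root-owned files, and
     /var/lib/docker in particular is a large tree.  Local ID and
     local_rules.xml so upgrades of ossec_rules.xml do not drop it. -->
<rule id="100301" level="0">
  <if_sid>510</if_sid>
  <regex>/var/log/glusterfs|/usr/local/fms|/var/lib/docker|/var/tmp/ntopng|/tmp/gsyncd</regex>
  <description>Ignored some files which owned by root and has write permissions.</description>
  <group>rootcheck,</group>
</rule>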
#监控定时执行/var/ossec/monitor.sh返回内容,有则将内容邮件通知报警
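<!-- Any stdout line from /var/ossec/monitor.sh (a `command` localfile run
     every 10 minutes, see section 4) becomes a level-7 alert; the
     description names the checks that can produce output.  Local ID in
     local_rules.xml: 536 is in the stock ossec_rules.xml range. -->
<rule id="100302" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: '/var/ossec/monitor.sh</match>
  <description>bash_connetion_check ppid_check tmp_process_check</description>
</rule>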
3.5修改local_rules.xml
#有regex的bash执行,属于项目自有调用,则不报警。
<!-- auditd EXECVE records from the application server's children (audit key
     "webshell", rules written by monitor.sh).  110000 is a silent parent so
     the two children below can hang off it.
     NOTE(review): 110001 is a level-0 whitelist evaluated as a bare substring
     regex against the whole audit record (the hex strings are auditd's
     encoding of the same names when an argument contains special
     characters).  Any execve whose argv contains one of these tokens —
     "env" or "ffmpeg" passed as a mere argument, for instance — is silenced,
     so a shell spawned through the webshell can hide by appending one of
     them.  Anchor on the a0=/exe= field or enumerate the wrapper scripts by
     full path before relying on 110010 for detection. -->
<group name="syslog,auditd,">
<rule id="110000" level="0" noalert="1">
<decoded_as>auditd</decoded_as>
<description>AUDITD messages grouped.</description>
</rule>
<!-- Whitelist: project-owned helpers invoked from Java (level 0 = no alert). -->
<rule id="110001" level="0">
<if_sid>110000</if_sid>
<regex>suoha|convert2mp4|ffmpeg|accessibility|"env"|data4g12e|646174613467313265|getvideoscale|646f6332737766347a79676a|video_mediainfo</regex>
<description>Java execution white list</description>
</rule>
<!-- Everything else the application server process tree executes. -->
<rule id="110010" level="10">
<if_sid>110000</if_sid>
<match>EXECVE</match>
<description>Java execution command</description>
</rule>
</group>
#疑似脚本执行,则报警
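<!-- Alert on the inotify scanner's verdict lines ("... Vulnerable(ssdeep)
     <path>" / "... Vulnerable(yara) <path>") written to /root/vulnerable.txt.
     <match> is a case-insensitive substring test and the original rule had
     no other constraint, so any log from any source containing the word
     "vulnerable" (an auditd argv, a package-manager message) raised a
     level-10 webshell alert.  <location> pins the rule to the scanner's
     file; it is a documented OSSEC 2.x rule option, but confirm it is
     honoured by your release before deploying. -->
<group name="webshell">
<rule id="120000" level="10">
  <location>/root/vulnerable.txt</location>
  <match>Vulnerable</match>
  <description>Suspect webshell files.</description>
</rule>
</group>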
4.agent端配置文件ossec.conf
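<ossec_config>
  <client>
    <!-- Manager address.  The per-host key written by agent-auth lives in
         /var/ossec/etc/client.keys; the agent must be restarted after
         enrolment before it connects. -->
    <server-ip>192.168.190.217</server-ip>
  </client>

  <syscheck>
    <!-- Full integrity scan interval in seconds (22 hours). -->
    <frequency>79200</frequency>

    <!-- System binaries.  check_all records owner, group, permissions and
         size in addition to the hashes; the original check_sha1sum-only
         setting would not report a setuid bit added to an otherwise
         unchanged binary. -->
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Undo prelink before hashing so prelinked binaries do not churn the
         baseline.  prelink is absent on recent distributions; remove this
         line if /usr/sbin/prelink does not exist on the host. -->
    <prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>
    <skip_nfs>yes</skip_nfs>

    <!-- NOTE(review): the web root (/web/project) is not in syscheck; new
         files there are only seen by the inotify scanner in section 5,
         which ignores every extension other than .jsp/.jspx. -->
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <!-- auditd records, including the execve events keyed "webshell" that
       monitor.sh installs for the application server's process tree
       (rules 1100xx). -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <!-- Hand-off file appended by the inotify scanner (section 5): one
       "FileChange" line per new JSP file, plus "Vulnerable(...)" lines that
       rule 120000 alerts on. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/root/vulnerable.txt</location>
  </localfile>

  <!-- monitor.sh is executed by the log collector (as root) every 10
       minutes; each stdout line is submitted as a separate log entry and
       matched by rule 536. -->
  <localfile>
    <log_format>command</log_format>
    <command>/var/ossec/monitor.sh</command>
    <frequency>600</frequency>
  </localfile>
</ossec_config>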
5.agent端启动python脚本
#!/usr/bin/env python
# encoding:utf-8
import sys
import pyinotify
import os
import subprocess
import time
import yara
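SUFFIXES = [".jsp", ".jspx"]


def suffix_filter(filename):
    """Return True when ``filename`` should be IGNORED by the scanner.

    Only JSP/JSPX files are scanned (the executable content a Java webshell
    needs).  The comparison is case-insensitive so ``Shell.JSP`` is scanned
    as well; scanning a few extra files is cheap, missing one is not.
    """
    ext = os.path.splitext(filename)[1].lower()
    return ext not in SUFFIXES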
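def detect_ssdeep(pathname, log_path='/root/vulnerable.txt',
                  hash_file='/var/ossec/hash.txt', ssdeep_bin='/usr/bin/ssdeep'):
    """Log the new file and fuzzy-match it against known webshell hashes.

    Appends a ``FileChange`` line for ``pathname`` to ``log_path`` (tailed by
    OSSEC) and, when ssdeep reports a match against ``hash_file``, a
    ``Vulnerable(ssdeep)`` line that rule 120000 alerts on.

    ``pathname`` is handed to ssdeep as one argv element, never through a
    shell.  This daemon runs as root and the file name is attacker-controlled
    (an uploader can name a file ``x.jsp;id``), so the original
    ``shell=True`` string concatenation was a root command injection.
    Any error is printed and swallowed so the inotify loop keeps running;
    the log file is closed by the ``with`` block on every path.
    """
    changetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
    try:
        with open(log_path, 'a') as f:
            f.write(changetime + " FileChange " + pathname + "\n")
            # -t 60: report matches scoring 60 or more; -b: bare file names;
            # -m: match against the hash list.
            cmd = [ssdeep_bin, "-t", "60", "-bm", hash_file, pathname]
            proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                    stderr=subprocess.STDOUT)
            out, _ = proc.communicate()
            if not isinstance(out, str):  # bytes on Python 3
                out = out.decode('utf-8', 'replace')
            if "matches" in out:
                f.write(changetime + " Vulnerable(ssdeep) " + pathname + "\n")
    except Exception as e:
        print("[-] %s" % (str(e)))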
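def detect_yara(pathname, rules_path='/var/ossec/Rules',
                log_path='/root/vulnerable.txt'):
    """Scan ``pathname`` with the YARA rules in ``rules_path``.

    On any match a ``Vulnerable(yara)`` line is appended to ``log_path``
    (tailed by OSSEC, rule 120000).  The rules are recompiled on every call;
    that is wasteful but means rule edits take effect without a restart.
    The 60 s timeout bounds the cost of a pathological file.  Errors
    (unreadable file, bad rules, scanning a directory named ``*.jsp``) are
    printed and swallowed so the inotify loop keeps running; the log file
    is closed by the ``with`` block even if the write fails.
    """
    try:
        rules = yara.compile(filepath=rules_path)
        matches = rules.match(pathname, timeout=60)
        if matches:
            changetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
            with open(log_path, 'a') as f:
                f.write(changetime + " Vulnerable(yara) " + pathname + "\n")
    except Exception as e:
        print("[-] %s" % (str(e)))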
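class EventHandler(pyinotify.ProcessEvent):
    """Route inotify events for JSP/JSPX files to the two scanners.

    ``__call__`` is pyinotify's entry point for every event; names rejected
    by ``suffix_filter`` are dropped before the ``process_*`` dispatch.
    A directory named ``*.jsp`` slips through; the scanners catch and print
    the resulting error.
    """

    def __call__(self, event):
        if not suffix_filter(event.name):
            super(EventHandler, self).__call__(event)

    def _scan(self, pathname):
        # Both scanners append their verdict to /root/vulnerable.txt.
        detect_ssdeep(pathname)
        detect_yara(pathname)

    def process_IN_CREATE(self, event):
        # IN_CREATE fires before any content has been written, so the
        # scanners usually see an empty file here; kept so the FileChange
        # log line is emitted as early as possible.
        self._scan(event.pathname)

    def process_IN_CLOSE_WRITE(self, event):
        # The file is complete once the writer closes it: this is the scan
        # that can actually see a webshell's body.  Only fires when the
        # watch mask set in main() includes IN_CLOSE_WRITE.
        self._scan(event.pathname)

    def process_IN_MOVED_TO(self, event):
        # Upload handlers commonly write to a temporary name and rename into
        # place; the rename is the first time the final name exists.  Only
        # fires when the watch mask set in main() includes IN_MOVED_TO.
        self._scan(event.pathname)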
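def main(path, exclude_dir):
    """Watch ``path`` recursively and scan new JSP/JSPX files forever.

    Args:
        path: web root to watch; directories created later are picked up
            via ``auto_add``.
        exclude_dir: absolute directory paths to leave unwatched.

    Never returns: blocks in the notifier loop.
    """
    wm = pyinotify.WatchManager()
    # IN_CREATE alone reports a file before its content is written, so a
    # webshell uploaded by write-then-close or by rename-into-place was
    # scanned empty.  Close-after-write and moved-to are the points where
    # the final bytes are on disk; EventHandler handles all three.
    mask = pyinotify.IN_CREATE | pyinotify.IN_CLOSE_WRITE | pyinotify.IN_MOVED_TO
    #mask = pyinotify.ALL_EVENTS
    wm.add_watch(path, mask, exclude_filter=pyinotify.ExcludeFilter(exclude_dir),
                 rec=True, auto_add=True)
    eh = EventHandler()
    notifier = pyinotify.Notifier(wm, eh)
    notifier.loop()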
if __name__ == "__main__":
    # Web root that receives deployments; the two excluded directories are
    # mount points (per the original note) and are not watched.
    watch_root = '/web/project/'
    unwatched = ['/web/project/cdel_jxjy_upfiles', '/web/project/huabeisai_files']  # mount dir
    main(watch_root, unwatched)
6.monitor.sh
#!/bin/bash
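#######################################
# Keep an auditd execve rule keyed "webshell" pointed at every running
# application-server JVM (matched on "Bootstrap start" — the Catalina/Tomcat
# launcher string, despite the function's name).
# Globals:   MONITOR_STATE_FILE - optional override of the pid cache path
# Outputs:   nothing on stdout (stdout is the OSSEC alert channel)
# Notes:
#   * The pid cache used to live in /tmp.  This script runs as root from the
#     OSSEC log collector while the application user can write /tmp, so a
#     compromised app account could pre-seed or symlink that file and keep
#     the audit rule from ever being (re)installed.  It now lives under the
#     root-owned /var/ossec tree, mode 600.
#   * The JDK word size is read from the ELF header of /proc/<pid>/exe
#     instead of executing the path shown by `ps`.  That path is whatever
#     argv[0] the process owner chose, so running it as root was a local
#     privilege escalation for anyone able to start a process whose command
#     line contains "Bootstrap start".
#   * Only the rules this script owns (-k webshell) are removed; the old
#     `sed /arch/d` deleted every rule carrying an arch filter, including
#     unrelated hardening rules in the same file.
#   * /etc/init.d/auditd and a flat /etc/audit/audit.rules are the
#     SysV/auditd-2.x layout this page targets; on augenrules/systemd hosts
#     the rule belongs in /etc/audit/rules.d/ and is loaded with
#     `augenrules --load`.
#   * ppid= only covers direct children of the JVM; grandchildren
#     (sh -c "…" spawning a second command) are not matched by this rule.
#######################################
update_jboss_pid() {
  local state_file="${MONITOR_STATE_FILE:-/var/ossec/monitor_jboss_pids.txt}"
  local rules_file="/etc/audit/audit.rules"
  local pidnew pidold pid arch

  if [[ ! -e "$state_file" ]]; then
    touch "$state_file" && chmod 600 "$state_file"
  fi
  pidnew=$(pgrep -f "Bootstrap start" | xargs)
  pidold=$(cat "$state_file")
  [[ "$pidnew" == "$pidold" ]] && return 0

  printf '%s\n' "$pidnew" > "$state_file"
  sed -i '/-k webshell$/d' "$rules_file"
  for pid in $pidnew; do
    # ELF class of the running binary, read without executing anything.
    if file -bL "/proc/$pid/exe" 2>/dev/null | grep -q 'ELF 64-bit'; then
      arch=b64
    else
      arch=b32
    fi
    echo "-a exit,always -F arch=${arch} -F ppid=${pid} -S execve -k webshell" >> "$rules_file"
  done
  # Rules in audit.rules are only loaded on restart (or auditctl -R).
  /etc/init.d/auditd restart > /dev/null
}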
#######################################
# Established TCP connections owned by a bash or sh process — the footprint
# of a reverse or bind shell.  One netstat line per hit on stdout; OSSEC
# turns any output into an alert (rule 536).  Lines containing 10050 are
# dropped (the original excluded that port — presumably a local agent on
# 10050; confirm).  Only "bash" and "sh" program names are covered; dash,
# zsh and ksh are not.
#######################################
bash_connetion_check() {
  local shell_names='/(bash|sh)'
  netstat -antlp \
    | grep ESTABLISHED \
    | grep -E "$shell_names" \
    | grep -v 10050
}
#######################################
# Parent executable of every interactive-looking bash (CMD "bash"/"-bash",
# e.g. `bash -i` spawned by a webshell).  Parents that are a normal login
# path (login, sshd, su, tmux, gnome-terminal) are filtered out; anything
# else — a java process, netcat, init after the parent died — is printed
# as the `ls -al` line of /proc/<ppid>/exe.  A parent that has already
# exited only produces an ls error on stderr.
#######################################
ppid_check() {
  local login_paths='(/bin/login|/usr/sbin/sshd|/bin/su|/usr/bin/tmux|/usr/bin/gnome-terminal)'
  local parent_pid
  ps -ef | grep bash | grep -v grep | awk '{if($8 ~ "^-?bash"){print $3}}' \
    | while read -r parent_pid; do
        ls -al "/proc/$parent_pid/exe" | grep -E -v "$login_paths"
      done
}
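#######################################
# Print the executable of every process running out of a scratch directory
# (/tmp, /var/tmp, /dev/shm) — a common drop point for payloads.
# Arguments: $1 - proc mount to inspect (default /proc; overridable so the
#                 function can be exercised against a fake tree)
# Outputs:   one link target per hit, e.g. "/tmp/x" or "/tmp/x (deleted)"
# readlink replaces the `ls -al | awk '{print $11}'` parsing of the
# original, so targets containing spaces survive and the " (deleted)" marker
# the kernel appends is kept.  Kernel threads and processes that exit
# mid-scan have no readable exe link and are skipped silently.
#######################################
tmp_process_check() {
  local proc_root="${1:-/proc}"
  local entry target
  for entry in "$proc_root"/[0-9]*; do
    [[ -d "$entry" ]] || continue
    target=$(readlink "$entry/exe" 2>/dev/null) || continue
    printf '%s\n' "$target" | grep -E '^/(tmp|var/tmp|dev/shm)'
  done
}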
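# Entry point: run every check.  Each check's stdout lines become OSSEC
# alerts via rule 536, whose description names all three checks; the
# original invocation list omitted ppid_check, so that detection never ran.
update_jboss_pid
bash_connetion_check
ppid_check
tmp_process_check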
【官方文档】