1.ossec服务端安装
解压>>>
#tar -zxvf ossec_server.tar.gz
#cd ossec
安装>>>
#./install.sh
agent.conf初始化>>>
#touch /var/ossec/etc/shared/agent.conf
服务启动>>>
#/var/ossec/bin/ossec-control start
安装授权>>>
# openssl genrsa -out /var/ossec/etc/sslmanager.key
# openssl req -new -x509 -key
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
授权监听启动>>>
# /var/ossec/bin/ossec-authd &
2.利用salt做客户端salt安装
#salt '192.168.190.101' state.sls ossec
客户端启动
#/var/ossec/bin/ossec-control start
服务端重启
#/var/ossec/bin/ossec-control restart
salt模板init.sls
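# Salt state: stage the OSSEC agent tarball, build/install it, push its
# configuration and register the agent with the manager.
/root/Downloads:
  file.directory:
    - user: root
    - group: root
    - file_mode: 644
    # A directory needs the execute bit to be traversable; 644 on a directory
    # only appeared to work because every step here runs as root.
    - dir_mode: 755
    - makedirs: True
    # NOTE(review): include_empty/template/backup are file.recurse options;
    # confirm file.directory honours them before relying on them.
    - include_empty: True
    - template: jinja
    - backup: minion

install_packages:
  pkg.latest:
    - pkgs:
      - openssl-devel
      - gcc
      - prelink

install_ossec:
  cmd.run:
    # Unattended build from the unpacked tarball; skipped once the agent
    # control script exists.
    - name: tar zxf ossec.tar.gz && cd ossec && sh install.sh
    - cwd: /root/Downloads
    - unless: test -e /var/ossec/bin/ossec-control
    - require:
      - file: /root/Downloads/ossec.tar.gz

/var/ossec/etc/ossec.conf:
  file.managed:
    - source: salt://ossec/conf/etc/ossec.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - require:
      - cmd: install_ossec

/var/ossec/etc/shared/agent.conf:
  file.managed:
    - source: salt://ossec/conf/etc/shared/agent.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - require:
      - cmd: install_ossec

/var/ossec/monitor.sh:
  file.managed:
    - source: salt://ossec/conf/monitor.sh
    - user: root
    - group: root
    # Executed by the OSSEC command monitor, so it keeps the exec bit.
    - mode: 755
    - template: jinja
    - require:
      - cmd: install_ossec

/root/Downloads/ossec.tar.gz:
  file.managed:
    - source: salt://ossec/ossec.tar.gz
    - user: root
    - group: root
    # An archive, not a program: no exec bit, and no Jinja rendering
    # (passing a gzip stream through the template engine corrupts it
    # or fails outright).
    - mode: 644
    - require:
      - file: /root/Downloads

agentauth:
  cmd.run:
    # Register with the manager once; the agent name (-A) is the first
    # 192.168.x.y address found. Dots are escaped so the pattern matches
    # the literal address rather than any character.
    - name: /var/ossec/bin/agent-auth -m 192.168.190.217 -p 1515 -A $(ifconfig | egrep -o '192\.168\.[0-9]{1,3}\.[0-9]{1,3}' | head -n 1)
    # client.keys is non-empty once registration succeeded.
    - unless: test -s /var/ossec/etc/client.keys
    - require:
      - cmd: install_ossec

serverstart:
  cmd.run:
    # Restart the agent only when its main configuration was changed.
    - name: /var/ossec/bin/ossec-control restart
    - onchanges:
      - file: /var/ossec/etc/ossec.conf
    - require:
      - cmd: install_ossec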
3.rules调整
3.1添加白名单修改pam_rules.xml
5500
192.168.190.62|192.168.190.58
OpenVas WhiteList
3.2修改sshd_rules.xml
5500
192.168.190.62|192.168.190.58
OpenVas WhiteList
#120秒内发生5次则触发规则,120秒-180秒如果还触发则忽略
3.3修改syslog_rules.xml
#过滤掉大数据服务器在部署flume操作
5901
name=flume
New group Ignore
5902
name=flume
New user Ignore
3.4修改ossec_rules.xml
#忽略/proc目录下的执行
510
hidden from /proc
Ignored process hidden entries.
rootcheck,
#属于root用户,其他用户可以有写权限的忽略
510
/var/log/glusterfs|/usr/local/fms|/var/lib/docker|/var/tmp/ntopng|/tmp/gsyncd
Ignored some files which owned by root and has write permissions.
rootcheck,
#监控定时执行/var/ossec/monitor.sh返回内容,有则将内容邮件通知报警
530
ossec: output: '/var/ossec/monitor.sh
bash_connetion_check ppid_check tmp_process_check
3.5修改local_rules.xml
#有regex的bash执行,属于项目自有调用,则不报警。
auditd
AUDITD messages grouped.
110000
suoha|convert2mp4|ffmpeg|accessibility|"env"|data4g12e|646174613467313265|getvideoscale|646f6332737766347a79676a|video_mediainfo
Java execution white list
110000
EXECVE
Java execution command
#疑似脚本执行,则报警
Vulnerable
Suspect webshell files.
4.agent端配置文件ossec.conf
192.168.190.217
79200
/usr/bin,/usr/sbin
/bin,/sbin,/boot
/usr/sbin/prelink -y
yes
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/rootkit_trojans.txt
syslog
/var/log/secure
syslog
/var/log/audit/audit.log
syslog
/root/vulnerable.txt
command
/var/ossec/monitor.sh
600
5.agent端启动python脚本
#!/usr/bin/env python
# encoding:utf-8
import sys
import pyinotify
import os
import subprocess
import time
import yara
# File extensions (with the leading dot) that the watcher scans; any other
# created file is ignored by suffix_filter.
SUFFIXES = [".jsp", ".jspx"]
def suffix_filter(filename):
    """Return True when filename should be skipped (extension not in SUFFIXES).

    Args:
        filename: file name or path; only its extension is examined.

    Returns:
        True for files that are NOT of interest, False for .jsp/.jspx files.
    """
    _, extension = os.path.splitext(filename)
    return extension not in SUFFIXES
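def detect_ssdeep(pathname):
    """Record a file change and compare the file against known hashes with ssdeep.

    Appends a "FileChange" line for pathname to /root/vulnerable.txt, runs
    /usr/bin/ssdeep in match mode against /var/ossec/hash.txt and, when ssdeep
    reports a match, appends a "Vulnerable(ssdeep)" line as well.

    Args:
        pathname: absolute path of the file that was created.

    Any exception is reported on stderr and swallowed so that the inotify
    loop keeps running.
    """
    try:
        changetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
        # argv list, no shell: the name comes from a watched upload directory
        # and may contain spaces or shell metacharacters, so it must never be
        # spliced into a shell command line.
        cmd = ["/usr/bin/ssdeep", "-t", "60", "-bm", "/var/ossec/hash.txt", pathname]
        with open('/root/vulnerable.txt', 'a') as f:
            f.write(changetime + " FileChange " + pathname + "\n")
            proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
            out, _ = proc.communicate()
            # communicate() yields str on Python 2 and bytes on Python 3;
            # a bytes literal compares correctly in both.
            if b"matches" in out:
                f.write(changetime + " Vulnerable(ssdeep) " + pathname + "\n")
    except Exception as e:
        sys.stderr.write("[-] %s\n" % (str(e),))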
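def detect_yara(pathname):
    """Scan pathname with the YARA rules in /var/ossec/Rules.

    Appends a "Vulnerable(yara)" line to /root/vulnerable.txt when any rule
    matches. The rule file is compiled on every call.

    Args:
        pathname: absolute path of the file to scan.

    Any exception (unreadable file, bad rules, scan timeout) is reported on
    stderr and swallowed so that the inotify loop keeps running.
    """
    try:
        rules = yara.compile(filepath='/var/ossec/Rules')
        matches = rules.match(pathname, timeout=60)
        if matches:
            changetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
            # Context manager: the handle is closed even if the write fails.
            with open('/root/vulnerable.txt', 'a') as f:
                f.write(changetime + " Vulnerable(yara) " + pathname + "\n")
    except Exception as e:
        sys.stderr.write("[-] %s\n" % (str(e),))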
class EventHandler(pyinotify.ProcessEvent):
    """inotify handler that runs the detectors on newly created JSP/JSPX files."""

    def __call__(self, event):
        # Discard events for files whose extension is not in SUFFIXES before
        # they reach the process_* dispatch.
        if suffix_filter(event.name):
            return
        super(EventHandler, self).__call__(event)

    def process_IN_CREATE(self, event):
        # Both detectors run on every created file of interest.
        for detector in (detect_ssdeep, detect_yara):
            detector(event.pathname)
def main(path, exclude_dir):
    """Watch path recursively for IN_CREATE events and dispatch them forever.

    Args:
        path: root directory to watch; auto_add=True also watches directories
            created later underneath it.
        exclude_dir: directory paths handed to pyinotify.ExcludeFilter and
            left out of the watch.
    """
    watch_manager = pyinotify.WatchManager()
    excluded = pyinotify.ExcludeFilter(exclude_dir)
    # NOTE(review): IN_CREATE is delivered when the file is created, which is
    # usually before its content is written; if the detectors must see the
    # final bytes, IN_CLOSE_WRITE / IN_MOVED_TO are the events to confirm.
    watch_manager.add_watch(path, pyinotify.IN_CREATE,
                            exclude_filter=excluded, rec=True, auto_add=True)
    pyinotify.Notifier(watch_manager, EventHandler()).loop()
if __name__ == "__main__":
path = '/web/project/'
exclude_dir = ['/web/project/cdel_jxjy_upfiles', '/web/project/huabeisai_files'] # mount dir
main(path, exclude_dir)
6.monitor.sh
#!/bin/bash
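#######################################
# Keep the auditd execve rules in sync with the running JBoss PIDs.
# Globals:   MONITOR_STATE_FILE (read, optional) - file holding the last PID
#            list; defaults to /tmp/pid_old.txt, the path used so far.
# Outputs:   rewrites the arch= rules in /etc/audit/audit.rules and restarts
#            auditd when the PID list changed; nothing on stdout.
#######################################
update_jboss_pid(){
  local state_file=${MONITOR_STATE_FILE:-/tmp/pid_old.txt}
  local pidnew pidold pid javabin ver arch
  # NOTE(review): a predictable path in world-writable /tmp is a weak place for
  # root-owned state (it can be pre-created or swapped by any local user);
  # point MONITOR_STATE_FILE at a root-only directory.
  [ -e "$state_file" ] || touch "$state_file"
  # Current JBoss PIDs, space separated.
  pidnew=$(ps aux | grep "Bootstrap start" | grep -v grep | awk '{print $2}' | xargs)
  pidold=$(cat "$state_file")
  if [ "$pidnew" != "$pidold" ]; then
    printf '%s\n' "$pidnew" > "$state_file"
    # Drops every rule line containing "arch" (not only the ones added here)
    # before re-adding one execve rule per JBoss PID.
    sed -i "/arch/d" /etc/audit/audit.rules
    ps axu | grep "Bootstrap start" | grep -v grep | awk '{print $2,$11}' | while read -r pid javabin; do
      # The audit rule's arch field must match the JDK: b64 for a 64-bit JVM.
      ver=$("$javabin" -version 2>&1)
      case "$ver" in
        *64-Bit*) arch=b64 ;;
        *) arch=b32 ;;
      esac
      echo "-a exit,always -F arch=${arch} -F ppid=${pid} -S execve -k webshell" >> /etc/audit/audit.rules
    done
    # auditd only reloads audit.rules on restart.
    /etc/init.d/auditd restart > /dev/null
  fi
}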
#######################################
# List established TCP connections whose owning program is bash or sh.
# Lines containing 10050 are dropped (kept from the original; presumably a
# monitoring agent port).
# Outputs:   matching netstat lines on stdout, nothing when there are none.
#######################################
bash_connetion_check(){
  netstat -antlp \
    | grep ESTABLISHED \
    | grep -E '/(bash|sh)' \
    | grep -Fv -- 10050
}
#######################################
# For every bash process, show its parent's executable unless the parent is
# one of the expected launchers (login, sshd, su, tmux, gnome-terminal).
# Outputs:   "ls -al /proc/<ppid>/exe" lines for unexpected parents.
#######################################
ppid_check(){
  local ppid
  ps -ef | grep bash | grep -v grep | awk '$8 ~ /^-?bash/ {print $3}' | while read -r ppid; do
    ls -al "/proc/$ppid/exe" \
      | grep -E -v "(/bin/login|/usr/sbin/sshd|/bin/su|/usr/bin/tmux|/usr/bin/gnome-terminal)"
  done
}
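#######################################
# Report running processes whose executable lives in a temp directory.
# Walks the numeric entries of /proc (oldest first, as before) and prints the
# exe link target when it is under /tmp, /var/tmp or /dev/shm.
# Outputs:   one target path per matching process on stdout (readlink keeps
#            the " (deleted)" suffix for unlinked binaries).
#######################################
tmp_process_check(){
  local pid exe
  ls /proc/ -tr | grep -E '^[0-9]+$' | while read -r pid; do
    [ -d "/proc/$pid" ] || continue
    # readlink reads the link itself instead of parsing `file` and `ls -al`
    # output, keeps targets with spaces intact, and fails (so the entry is
    # skipped) for kernel threads or processes that already exited.
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
    printf '%s\n' "$exe" | grep -E '^/(tmp|var/tmp|dev/shm)'
  done
}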
# Entry point: everything printed by the checks below is what OSSEC collects
# from this script. ppid_check is defined above but not invoked here.
update_jboss_pid
bash_connetion_check
tmp_process_check
【官方文档】
http://ossec-docs.readthedocs.io/en/latest/index.html