基于主机的入侵检测系统ossec安装部署-CentOS6.5

1.ossec服务端安装
解压>>>
#tar -zxvf ossec_server.tar.gz
#cd ossec
安装>>>
#./install.sh
agent.conf初始化>>>
#touch /var/ossec/etc/shared/agent.conf
服务启动>>>
#/var/ossec/bin/ossec-control start
安装授权>>>
# openssl genrsa -out /var/ossec/etc/sslmanager.key
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365

授权监听启动>>>
# /var/ossec/bin/ossec-authd &

2.利用salt做客户端安装
#salt '192.168.190.101' state.sls ossec
客户端启动
#/var/ossec/bin/ossec-control start
服务端重启
#/var/ossec/bin/ossec-control restart

salt模板init.sls

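# Salt state (init.sls) for the OSSEC agent: stage the tarball, build it,
# push the configuration and register the agent with the manager.
# NOTE(review): the manager IP (192.168.190.217) and the interface regex in
# agentauth are site-specific; adjust them for your network.
/root/Downloads:
  file.directory:
    - user: root
    - group: root
    - file_mode: 644
    # a directory needs the execute bit to be traversable; 644 made it
    # unusable for everyone except root
    - dir_mode: 755
    - makedirs: True
    - include_empty: True
    - template: jinja
    - backup: minion

install_packages:
  pkg.latest:
    - pkgs:
      - openssl-devel
      - gcc
      - prelink

install_ossec:
  cmd.run:
    - name: tar zxf ossec.tar.gz && cd ossec && sh install.sh
    - cwd: /root/Downloads
    # idempotent: skip the build once the control script exists
    - unless: test -e /var/ossec/bin/ossec-control
    - require:
      - file: /root/Downloads/ossec.tar.gz

/var/ossec/etc/ossec.conf:
  file.managed:
    - source: salt://ossec/conf/etc/ossec.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - require:
      - cmd: install_ossec

/var/ossec/etc/shared/agent.conf:
  file.managed:
    - source: salt://ossec/conf/etc/shared/agent.conf
    - user: root
    - group: root
    - mode: 644
    - template: jinja
    - require:
      - cmd: install_ossec

/var/ossec/monitor.sh:
  file.managed:
    - source: salt://ossec/conf/monitor.sh
    - user: root
    - group: root
    - mode: 755
    - template: jinja
    - require:
      - cmd: install_ossec

/root/Downloads/ossec.tar.gz:
  file.managed:
    - source: salt://ossec/ossec.tar.gz
    - user: root
    - group: root
    # an archive is data, not a program
    - mode: 644
    # no "template: jinja" here: rendering a gzip archive as a Jinja template
    # fails or corrupts the file, so the state could never converge
    - require:
      - file: /root/Downloads

agentauth:
  cmd.run:
    # Register with the manager's ossec-authd, using the first 192.168.x.x
    # address as the agent name. Dots in the regex are escaped so "." cannot
    # match arbitrary characters. NOTE(review): no verification of the
    # manager certificate is configured here.
    - name: /var/ossec/bin/agent-auth -m 192.168.190.217 -p 1515 -A $(ifconfig | egrep -o '192\.168\.[0-9]{1,3}\.[0-9]{1,3}' | head -n 1)
    # register only once; client.keys is non-empty after a successful run
    - unless: test -s /var/ossec/etc/client.keys
    - require:
      - cmd: install_ossec

serverstart:
  cmd.run:
    - name: /var/ossec/bin/ossec-control restart
    # restart the agent only when its configuration actually changed
    - onchanges:
      - file: /var/ossec/etc/ossec.conf
    - require:
      - cmd: install_ossec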

3.rules调整

3.1添加白名单修改pam_rules.xml

   
       5500
       192.168.190.62|192.168.190.58
       OpenVas WhiteList
    

3.2修改sshd_rules.xml

   
       5500
       192.168.190.62|192.168.190.58
       OpenVas WhiteList
    

  #120秒内发生5次则触发规则,120秒-180秒如果还触发则忽略
  

3.3修改syslog_rules.xml

#过滤掉大数据服务器在部署flume操作
  
    5901
    name=flume
    New group Ignore
  

  
    5902
    name=flume
    New user Ignore
  

3.4修改ossec_rules.xml

  #忽略/proc目录下的执行
  
     510
     hidden from /proc
     Ignored process hidden entries.
     rootcheck,
  
 #属于root用户,其他用户可以有写权限的忽略
  
     510
     /var/log/glusterfs|/usr/local/fms|/var/lib/docker|/var/tmp/ntopng|/tmp/gsyncd
     Ignored some files which owned by root and has write permissions.
     rootcheck,
  
  #监控定时执行/var/ossec/monitor.sh返回内容,有则将内容邮件通知报警
  
    530
    ossec: output: '/var/ossec/monitor.sh
    bash_connetion_check ppid_check tmp_process_check
  

3.5修改local_rules.xml

#有regex的bash执行,属于项目自有调用,则不报警。

  
    auditd
    AUDITD messages grouped.
  
  
    110000
    suoha|convert2mp4|ffmpeg|accessibility|"env"|data4g12e|646174613467313265|getvideoscale|646f6332737766347a79676a|video_mediainfo
    Java execution white list
  
  
    110000
    EXECVE
    Java execution command
  



#疑似脚本执行,则报警

  
      Vulnerable
      Suspect webshell files.
  

4.agent端配置文件ossec.conf


  
    192.168.190.217
  

  
    
    79200
    
    /usr/bin,/usr/sbin
    /bin,/sbin,/boot
    /usr/sbin/prelink -y
    yes
  

  
    /var/ossec/etc/shared/rootkit_files.txt
    /var/ossec/etc/shared/rootkit_trojans.txt
  
  

  
    syslog
    /var/log/secure
  

  
    syslog
    /var/log/audit/audit.log
  

  
    syslog
    /root/vulnerable.txt
  

  
    command
    /var/ossec/monitor.sh
    600
  


 

5.agent端启动python脚本

#!/usr/bin/env python
# encoding:utf-8

import sys
import pyinotify
import os
import subprocess
import time
import yara

# Extensions that are inspected; anything else is dropped by suffix_filter()
# before a detector runs. The comparison is case-sensitive (".JSP" is skipped).
SUFFIXES = [".jsp", ".jspx"]


def suffix_filter(filename):
    """Return True when *filename* should be skipped (its extension is not in SUFFIXES)."""
    _, ext = os.path.splitext(filename)
    return ext not in SUFFIXES

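def detect_ssdeep(pathname, log_path='/root/vulnerable.txt',
                  hash_path='/var/ossec/hash.txt', ssdeep_bin='/usr/bin/ssdeep'):
    """Log a file change and flag *pathname* when ssdeep matches a known-bad hash.

    Appends a "FileChange" line on every call and a "Vulnerable(ssdeep)" line
    when ssdeep reports a match against *hash_path*. Errors are printed, not
    raised, so the inotify loop keeps running.

    :param pathname: path of the newly created file
    :param log_path: append-only log read by the OSSEC agent (localfile)
    :param hash_path: ssdeep hash list compared against the file
    :param ssdeep_bin: ssdeep executable
    """
    try:
        changetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
        # the with-statement replaces the old try/finally, which raised a
        # NameError when open() itself failed
        with open(log_path, 'a') as f:
            f.write(changetime + " FileChange " + pathname + "\n")
            # Pass the path as its own argv element instead of interpolating it
            # into a shell string: the filename comes from an upload directory,
            # so it must never be parsed by a shell.
            proc = subprocess.Popen(
                [ssdeep_bin, "-t", "60", "-bm", hash_path, pathname],
                stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
            out, _ = proc.communicate()
            # ssdeep prints "... matches ..." on a hit; b"" keeps this working
            # on both Python 2 (str) and Python 3 (bytes) output
            if b"matches" in out:
                f.write(changetime + " Vulnerable(ssdeep) " + pathname + "\n")
    except Exception as e:
        print("[-] %s" % (str(e)))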

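def detect_yara(pathname, rules_path='/var/ossec/Rules', log_path='/root/vulnerable.txt'):
    """Scan *pathname* with the YARA rule set and log "Vulnerable(yara)" on any match.

    The rules are compiled on every call; with a large rule set that is the
    slow part and could be hoisted out of the event path. Errors (missing yara
    module, unreadable rules, scan timeout) are printed, not raised.

    :param pathname: file to scan
    :param rules_path: YARA rule file handed to yara.compile(filepath=...)
    :param log_path: append-only log read by the OSSEC agent (localfile)
    """
    try:
        rules = yara.compile(filepath=rules_path)
        matches = rules.match(pathname, timeout=60)
        if matches:
            changetime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
            # with-statement guarantees the log is closed even if write() fails
            with open(log_path, 'a') as f:
                f.write(changetime + " Vulnerable(yara) " + pathname + "\n")
    except Exception as e:
        print("[-] %s" % (str(e)))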

class EventHandler(pyinotify.ProcessEvent):
    """Dispatch inotify events, but only for files whose extension is in SUFFIXES."""

    def __call__(self, event):
        # Drop everything suffix_filter() rejects before pyinotify dispatches
        # to the process_* methods.
        if suffix_filter(event.name):
            return
        super(EventHandler, self).__call__(event)

    def process_IN_CREATE(self, event):
        """Run both detectors on a newly created file (ssdeep first, then yara)."""
        detect_ssdeep(event.pathname)
        detect_yara(event.pathname)

def main(path, exclude_dir):
    """Watch *path* recursively for file creation and run the detectors.

    :param path: directory tree to monitor
    :param exclude_dir: list of subtree patterns excluded from the watch
    """
    manager = pyinotify.WatchManager()
    # Only IN_CREATE is watched. NOTE(review): a file moved into the tree
    # (rename) raises IN_MOVED_TO, not IN_CREATE, and is not seen by this mask.
    manager.add_watch(
        path,
        pyinotify.IN_CREATE,
        exclude_filter=pyinotify.ExcludeFilter(exclude_dir),
        rec=True,
        auto_add=True,
    )
    # blocks forever, dispatching each event to EventHandler
    pyinotify.Notifier(manager, EventHandler()).loop()

if __name__ == "__main__":
    # Root of the web application tree to watch.
    path = '/web/project/'
    # Subtrees excluded from the watch; presumably network mounts — the list is
    # passed to pyinotify.ExcludeFilter in main().
    exclude_dir = ['/web/project/cdel_jxjy_upfiles', '/web/project/huabeisai_files'] # mount dir
    main(path, exclude_dir)

6.monitor.sh

#!/bin/bash

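update_jboss_pid(){
	# Keep one auditd execve rule per running JBoss ("Bootstrap start") JVM so
	# that every command the app server spawns is logged under key "webshell".
	# Rules are rewritten only when the set of JBoss PIDs changed since the
	# previous run. The PID list is kept under /var/ossec rather than /tmp:
	# /tmp is world-writable and this function runs as root, so a planted
	# symlink there would be followed by the redirect below.
	state_file="/var/ossec/jboss_pid_old.txt"
	[ -e "$state_file" ] || touch "$state_file"
	pidnew=`ps aux | grep "Bootstrap start" | grep -v grep | awk '{print $2} ' | xargs`
	pidold=`cat "$state_file"`
	if [ "$pidnew" != "$pidold" ]; then
		echo "$pidnew" > "$state_file"
		# Remove only the rules this script manages (key "webshell"); the
		# earlier /arch/d pattern also wiped unrelated rules mentioning "arch".
		sed -i "/-k webshell/d" /etc/audit/audit.rules
		ps axu | grep "Bootstrap start" | grep -v grep | awk '{print $2,$11}' | while read pid javabin
		do
			# $javabin is taken from the process table, i.e. from whoever
			# started a process with "Bootstrap start" in its argv. Since we
			# run as root, only execute root-owned absolute paths.
			case "$javabin" in
				/*) ;;
				*) continue ;;
			esac
			if [ "`stat -c %u "$javabin" 2>/dev/null`" != "0" ]; then
				continue
			fi
			# 32-bit JDK needs arch=b32, 64-bit needs arch=b64
			if "$javabin" -version 2>&1 | grep -q 64-Bit; then
				arch=b64
			else
				arch=b32
			fi
			echo "-a exit,always -F arch=$arch -F ppid=${pid} -S execve -k webshell" >> /etc/audit/audit.rules
		done
		# auditd reads audit.rules only at start, so restart after editing it
		/etc/init.d/auditd restart > /dev/null
	fi
}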

bash_connetion_check(){
	# List established TCP connections owned by a shell (bash/sh), excluding
	# port 10050 (presumably a monitoring agent — confirm). Any output is a
	# candidate reverse shell and reaches the manager via the command localfile.
	netstat -antlp \
		| grep ESTABLISHED \
		| grep -E '/(bash|sh)' \
		| grep -v 10050
}

ppid_check(){
	# For every bash process, print the parent's executable unless the parent
	# is an expected launcher (login, sshd, su, tmux, gnome-terminal). Any line
	# printed is a shell spawned by an unexpected program.
	ps -ef | grep bash | grep -v grep | awk '{if($8 ~ "^-?bash"){print $3}}' |
	while read ppid; do
		ls -al "/proc/$ppid/exe" | grep -E -v "(/bin/login|/usr/sbin/sshd|/bin/su|/usr/bin/tmux|/usr/bin/gnome-terminal)"
	done
}

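tmp_process_check(){
	# Report running processes whose executable lives in a world-writable
	# location (/tmp, /var/tmp, /dev/shm). readlink keeps the " (deleted)"
	# suffix, so a binary unlinked after launch is still reported.
	ls /proc/ -tr | grep -v "[a-z]" | while read line
	do
		[ -d "/proc/$line" ] || continue
		# readlink fails for kernel threads and for PIDs we may not inspect
		target=`readlink "/proc/$line/exe" 2>/dev/null` || continue
		echo "$target" | grep -E '^/(tmp|var/tmp|dev/shm)'
	done
}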
# Entry point: everything printed by these checks is what OSSEC sees for this
# command. ppid_check is defined above but not invoked here; add it if its
# output should reach the manager as well.
update_jboss_pid
bash_connetion_check
tmp_process_check

【官方文档】

http://ossec-docs.readthedocs.io/en/latest/index.html
