OSSIM-HIDS for Linux

Introduction

The HIDS in OSSIM is implemented with OSSEC. OSSEC uses a server/agent model and actively monitors all aspects of Unix system activity, mainly through file integrity monitoring, log monitoring, rootcheck and process monitoring. The server side is already installed in OSSIM; you only need to install the agent on the hosts you want to monitor:

OSSEC: http://ossec.github.io/

Installation

Preparation

A build environment needs to be prepared before installing.

  • On Debian, run the following command first:
# apt-get install build-essential

The example below installs the agent on the Linux host (CentOS 7) 192.168.31.97.
OSSIM server IP: 192.168.31.111


Installation

  • Download the agent on 31.97:

https://github.com/ossec/ossec-hids/releases

# cd /usr/local/src/
# wget http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz   # download the agent
# tar -zxvf ossec-hids-2.8.1.tar.gz   # extract
# cd ossec-hids-2.8.1
# ./install.sh   # run install.sh

The following prompts require input:

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en  # install in English
What kind of installation do you want (server, agent, local, hybrid or help)? agent  # installation type
Choose where to install the OSSEC HIDS [/var/ossec]:  # install path; the default is fine, just press Enter
What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.31.111  # enter your server's address
Do you want to run the integrity check daemon? (y/n) [y]:  # default, press Enter
Do you want to run the rootkit detection engine? (y/n) [y]:  # rootkit check, default, press Enter
Do you want to enable active response? (y/n) [y]:  # default, press Enter

Then wait for the installation to finish.

  • Go back to the OSSIM console (https://192.168.31.111) and add the agent information:

[image]

Note:
If you are installing a Windows agent, the system type of the added asset must be changed to Windows, otherwise the agent cannot be downloaded.

You will see the following result; click the position marked in the image and copy the key you get:

[image]

key:
MyBIb3N0LTE5Mi0xNjgtMzEtOTcgMTkyLjE2OC4zMS45NyA5YTBh0OTFlZDQ2ZTUwMmQ1MWQ2MGE3YzA2NDgxZTIzZTIyOGUxZjIzNTJlM2FkM2FkNTkxYjNiY2Fh
  • On the agent, run manage_agents from the command line and enter the key when prompted:
# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I  # enter I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MyBIb3N0LTE5Mi0xNjgtMzEtOTcgMTkyLjE2OC4zMS45NyA5YTBhODA0OTFlZDQ2ZTUwMmQ1MWQ2MGE3YzA2NDgxZTIzZTIyOGUxZjIzNTJlM2FkM2FkNTk5NYjNiY2Fh  # paste the key

Agent information:
ID:3
Name:Host-192-168-31-97
IP Address:192.168.31.97

Confirm adding it?(y/n): Y  # confirm the information
Added.
** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: Q  # enter Q to quit

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..

At this point the agent installation is complete; after a while you will see the agent status become Active.
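As an added example (not from the original post): before pasting a key into manage_agents, decode it and confirm it names the agent you are registering. An OSSEC agent key is the base64 encoding of one client.keys line, `<id> <name> <ip> <hex secret>`; the sample key in the script is constructed, and the decode_key/check_key names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an OSSEC agent key copied
# from the OSSIM console before pasting it into /var/ossec/bin/manage_agents.
# The key is base64 of one client.keys line: "<id> <name> <ip> <hex secret>".
# The sample key at the bottom is CONSTRUCTED for this example.

# decode_key KEY -> prints "<id> <name> <ip>" (secret left out); non-zero on bad input
decode_key() {
    key=$1
    case $key in
        *[!A-Za-z0-9+/=]*)
            echo "key contains non-base64 characters (stray spaces or newlines?)" >&2
            return 1 ;;
    esac
    line=$(printf '%s' "$key" | base64 -d 2>/dev/null) || {
        echo "key is not valid base64" >&2; return 1; }
    # only letters, digits, '.', '_', '/', '-' and spaces may appear in the decoded line
    case $line in
        *[!A-Za-z0-9._/\ -]*) echo "decoded key has unexpected characters" >&2; return 1 ;;
    esac
    set -- $line
    [ $# -eq 4 ] || { echo "expected 4 fields in decoded key, got $#" >&2; return 1; }
    case $4 in
        *[!0-9a-f]*) echo "secret is not lowercase hex" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# check_key KEY ID NAME IP -> 0 only if the key binds exactly this agent
check_key() {
    decoded=$(decode_key "$1") || return 1
    [ "$decoded" = "$2 $3 $4" ]
}

# CONSTRUCTED sample: same id/name/ip as the agent in the post, made-up secret
SAMPLE_KEY=$(printf '3 Host-192-168-31-97 192.168.31.97 %s' \
    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef | base64 | tr -d '\n')

if check_key "$SAMPLE_KEY" 3 Host-192-168-31-97 192.168.31.97; then
    echo "key is for agent 3 / Host-192-168-31-97 / 192.168.31.97: safe to import"
else
    echo "key does not match the expected agent: do not import" >&2
fi
```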


Troubleshooting

The whole installation process is simple, but sometimes various problems come up:

Problem 1: How to view the agent log:

The agent log is located at /var/ossec/logs/ossec.log; you can view it with the command tail -40f /var/ossec/logs/ossec.log. It plays a very important role in troubleshooting.


Problem 2: Why does the OSSIM console keep showing the agent as Disconnected:

First check the agent log: tail -40f /var/ossec/logs/ossec.log

Then restart the agent processes: /var/ossec/bin/ossec-control restart

Check the process status: /var/ossec/bin/ossec-control status

ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...

If all of them are running, the service started successfully; then look at the log output again. If it can connect to the server normally, the agent is working.

2017/01/09 12:50:56 ossec-agentd: INFO: Trying to connect to server (192.168.31.111:1514).
2017/01/09 12:50:56 ossec-agentd: INFO: Using IPv4 for: 192.168.31.111 .
2017/01/09 12:50:57 ossec-agentd(4102): INFO: Connected to the server (192.168.31.111:1514). # connected successfully
2017/01/09 12:51:00 ossec-syscheckd: INFO: Started (pid: 22595).
2017/01/09 12:51:00 ossec-rootcheck: INFO: Started (pid: 22595).
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/opt/cc.txt'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Directory set for real time monitoring: '/opt/cc.txt'.

You can also check from the command line on the OSSIM server which agents have connected:

alienvault:~# /var/ossec/bin/agent_control -lc  # -lc lists the agents that have successfully connected to the server

OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: alienvault (server), IP: 127.0.0.1, Active/Local
ID: 2, Name: Host-192-168-31-98, IP: 192.168.31.98, Active
ID: 3, Name: Host-192-168-31-97, IP: 192.168.31.97, Active

You can also look at the traffic on the server's port 1514 to see whether logs are coming in:

ngrep -q -d any port 1514


Problem 3: /var/ossec/bin/agent_control -lc already shows the added agent as Active, but the OSSIM console still shows Disconnected. What is going on?

There seems to be some delay here, so check again after a while. You can also use the following method to determine whether the agent has really connected to the server:

  • 1 Run tail -40f /var/ossec/logs/ossec.log

  • 2 In the OSSIM console click: restart agent

[image]

You will see the log change: after you click restart agent, the log shows the agent restarting and loading the files you want to monitor. That means it is connected to the server and the functionality is working. As for what the console shows, that is its own problem 0.0

2017/01/09 13:00:36 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2017/01/09 13:00:36 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2017/01/09 13:00:36 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2017/01/09 13:00:36 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2017/01/09 13:00:36 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2017/01/09 13:00:37 ossec-execd: INFO: Started (pid: 22890).
2017/01/09 13:00:37 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2017/01/09 13:00:37 ossec-agentd(1410): INFO: Reading authentication keys file.
2017/01/09 13:00:37 ossec-agentd: INFO: Assigning counter for agent Host-192-168-31-97: '2:2760'.
2017/01/09 13:00:37 ossec-agentd: INFO: Assigning sender counter: 54:9664
2017/01/09 13:00:37 ossec-agentd: INFO: Started (pid: 22894).
2017/01/09 13:00:37 ossec-agentd: INFO: Server IP Address: 192.168.31.111
2017/01/09 13:00:37 ossec-agentd: INFO: Trying to connect to server (192.168.31.111:1514).
2017/01/09 13:00:37 ossec-agentd: INFO: Using IPv4 for: 192.168.31.111 .
2017/01/09 13:00:38 ossec-agentd(4102): INFO: Connected to the server (192.168.31.111:1514).
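An added example (not the post's own code) that turns the checks in Problems 2 and 3 into a script: it reads the agent log for the outcome of the latest connection attempt and reads ossec-control status output for daemons that are not running. The log and status samples are constructed from the lines shown above (the "not running" wording is assumed), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: checks the two things the post
# inspects when the OSSIM console shows an agent as Disconnected (Problems 2 and 3):
# the agent log /var/ossec/logs/ossec.log and "ossec-control status" output.
# The sample inputs are CONSTRUCTED from the log lines shown in the post.

# last_connect_state LOGFILE -> "connected" if the latest connection attempt logged
# by ossec-agentd reached "Connected to the server", "pending" if an attempt was
# logged without success, "none" if the log shows no attempt at all.
last_connect_state() {
    awk '
        /ossec-agentd.*Trying to connect to server/ { state = "pending" }
        /ossec-agentd.*Connected to the server/     { state = "connected" }
        END { print (state == "" ? "none" : state) }
    ' "$1"
}

# missing_daemons STATUSFILE -> names of the four agent daemons the post expects
# that are not reported as running; prints nothing when all four are up.
missing_daemons() {
    for d in ossec-logcollector ossec-syscheckd ossec-agentd ossec-execd; do
        grep -q "^$d is running" "$1" || echo "$d"
    done
}

# Constructed samples (the "not running" line is assumed wording, not from the post)
sample_log() {
    cat <<'EOF'
2017/01/09 12:50:56 ossec-agentd: INFO: Trying to connect to server (192.168.31.111:1514).
2017/01/09 12:50:56 ossec-agentd: INFO: Using IPv4 for: 192.168.31.111 .
2017/01/09 12:50:57 ossec-agentd(4102): INFO: Connected to the server (192.168.31.111:1514).
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
EOF
}
sample_status() {
    cat <<'EOF'
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd not running...
ossec-execd is running...
EOF
}

LOG=$(mktemp); STATUS=$(mktemp)
sample_log >"$LOG"; sample_status >"$STATUS"
echo "connection: $(last_connect_state "$LOG")"                  # connected
echo "daemons down: $(missing_daemons "$STATUS" | tr '\n' ' ')"   # ossec-agentd
rm -f "$LOG" "$STATUS"
```

Run it against the real files with `last_connect_state /var/ossec/logs/ossec.log` and `/var/ossec/bin/ossec-control status | missing_daemons /dev/stdin` once the agent is installed.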

Server commands

Here is an introduction to some server-side commands:

/var/ossec/bin/agent_control

agent_control options:
-h              show the help message
-l              list all available agents
-lc             list active agents
-i <agent_id>   get information about the agent agent_id
-r              run the integrity/rootcheck check on the agent; use together with -u or -a
-a              apply to all agents
-u <agent_id>   specify the agent ID

  • 1 For example, listing the active agents, as already mentioned above:
alienvault:~# /var/ossec/bin/agent_control -lc

OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: alienvault (server), IP: 127.0.0.1, Active/Local
ID: 2, Name: Host-192-168-31-98, IP: 192.168.31.98, Active
ID: 3, Name: Host-192-168-31-97, IP: 192.168.31.97, Active
  • 2 Get information about a specific agent:
alienvault:~# /var/ossec/bin/agent_control -i 3

OSSEC HIDS agent_control. Agent information:
Agent ID: 3
Agent Name: Host-192-168-31-97
IP address: 192.168.31.97
Status: Active

Operating system: Linux 2.6.24-16-#1 SMP Thu Apr 10 13..
Client version: OSSEC HIDS v2.8
Last keep alive: Mon Jan 9 13:08:46 2017

Syscheck last started at: Mon Jan 9 12:50:11 2017
Rootcheck last started at: Mon Jan 9 08:35:02 2017
  • 3 View the time and permissions of modified files:
alienvault:# /var/ossec/bin/syscheck_control -i 3 

Integrity changes for agent 'Host-192-168-31-97 (3) - 192.168.31.97':
Changes for 2016 Dec 15:
2016 Dec 15 12:34:30,0 - /etc/ossec-init.conf
2016 Dec 15 12:38:32,0 - /etc/init.d/.depend.stop
2016 Dec 15 12:38:34,0 - /etc/init.d/.depend.start
2016 Dec 15 12:47:56,0 - /etc/ossec-init.conf
2016 Dec 15 12:51:59,0 - /etc/init.d/.depend.stop
2016 Dec 15 12:52:01,0 - /etc/init.d/.depend.start
  • 4 View the information for a monitored file
alienvault:# /var/ossec/bin/syscheck_control -i 3 -f /etc/ossec-init.conf

Integrity changes for agent 'Host-192-168-31-97 (3) - 192.168.31.97':
Detailed information for entries matching: '/etc/ossec-init.conf'

2016 Dec 15 12:34:30,0 - /etc/ossec-init.conf
File added to the database.
Integrity checking values:
Size: 101
Perm: rw-------
Uid: 0
Gid: 0
Md5: d689f85738933f1a04a8b15ec1528262
Sha1: a9339b82857a253826c234aaf6aaafc8e0876b6c
  • 5 Re-run the integrity/rootcheck check
alienvault:~# /var/ossec/bin/agent_control -r -u 3

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 3

After it completes, you can also see the re-check messages in the agent log.

  • 6 Clear the database
/var/ossec/bin/syscheck_control -u 3

OSSIM security discussion group: 46820390
