* Original author: R00to1. This article is part of the FreeBuf Original Reward Program; reproduction without permission is prohibited.
1. Introduction
OSSIM's HIDS is implemented with OSSEC. OSSEC uses a server/agent model and actively monitors every aspect of a Unix system, mainly through file integrity monitoring, log monitoring, rootcheck and process monitoring. The server side is already installed in OSSIM; you only need to install the agent on the hosts you want to monitor:
ossec http://ossec.github.io/
2. Installation
2.1 Preparation
A build environment is needed before installing.
On Debian, run the following command first:
#apt-get install build-essential
Below, the agent is installed on a Linux host (CentOS 7) at 192.168.31.97 as the example; OSSIM_IP == 192.168.31.111
2.2 Installation
Download the agent on 31.97:
https://github.com/ossec/ossec-hids/releases
# cd /usr/local/src/
# wget http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz  # download the agent
# tar -zxvf ossec-hids-2.8.1.tar.gz  # unpack
# cd ossec-hids-2.8.1
# ./install.sh  # run install.sh
These are the prompts that need input:
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: en  # install in English
What kind of installation do you want (server, agent, local, hybrid or help)? agent  # installation type
Choose where to install the OSSEC HIDS [/var/ossec]:  # install path; the default is fine, just press Enter
What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.31.111  # enter your server's address
Do you want to run the integrity check daemon? (y/n) [y]:  # default, press Enter
Do you want to run the rootkit detection engine? (y/n) [y]:  # rootkit check; default, press Enter
Do you want to enable active response? (y/n) [y]:  # default, press Enter
Then wait for the installation to finish.
Go back to the OSSIM web interface (https://192.168.31.111) and add the agent:
Note: if you are installing a Windows agent, the OS type of the asset you add must be changed to Windows, otherwise the agent cannot be downloaded.
You should see the following result; click the spot marked in the figure and copy the key:
key:
MyBIb3N0LTE5Mi0xNjgtMzEtOTcgMTkyLjE2OC4zMS45NyA5YTBh0OTFlZDQ2ZTUwMmQ1MWQ2MGE3YzA2NDgxZTIzZTIyOGUxZjIzNTJlM2FkM2FkNTkxYjNiY2Fh
On the agent, run manage_agents from the command line and enter the key when prompted:
# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I  # enter I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MyBIb3N0LTE5Mi0xNjgtMzEtOTcgMTkyLjE2OC4zMS45NyA5YTBhODA0OTFlZDQ2ZTUwMmQ1MWQ2MGE3YzA2NDgxZTIzZTIyOGUxZjIzNTJlM2FkM2FkNTk5NYjNiY2Fh  # paste the key
Agent information:
ID:3
Name:Host-192-168-31-97
IP Address:192.168.31.97
Confirm adding it?(y/n): Y  # confirm the information
Added.
** Press ENTER to return to the main menu.
****************************************
* OSSEC HIDS v2.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: Q  # enter Q to quit
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..
At this point the agent installation is complete; after a while the agent's status should show as active.
3. Troubleshooting
The whole installation is simple, but problems do come up from time to time:
Problem 1: how do I view the agent log?
The agent log is at /var/ossec/logs/ossec.log; you can follow it with tail -40f /var/ossec/logs/ossec.log. It plays a very important role in troubleshooting.
Problem 2: why does the OSSIM console keep showing the agent as Disconnected?
First check the agent log: tail -40f /var/ossec/logs/ossec.log
Then restart the agent processes: /var/ossec/bin/ossec-control restart
Check the process status: /var/ossec/bin/ossec-control status
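The install and key-import steps above can also be run without answering prompts, which matters when rolling the agent out to many hosts. The following is an added example, not code from the original article or from the OSSEC project. It assumes OSSEC HIDS 2.8.x, that the source tree is unpacked under the directory given as the first argument (install.sh reads etc/preloaded-vars.conf there and skips every prompt whose variable is set), and that manage_agents accepts "-i <key>" with OSSEC_ACTION_CONFIRMED=y to skip the "Confirm adding it?" prompt. The sample key is constructed with a placeholder secret.

```shell
#!/bin/sh
# Added example (not from the original article or the OSSEC project):
# unattended agent install settings plus key import for OSSEC HIDS 2.8.x.
# Assumptions: source unpacked under the directory passed as $1, and
# manage_agents supports "-i <key>" with OSSEC_ACTION_CONFIRMED=y.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write <src_dir>/etc/preloaded-vars.conf with the same answers given
# interactively above (agent, /var/ossec, syscheck, rootcheck and active
# response enabled). Refuses a malformed server address instead of baking
# it into the install.
write_preloaded_vars() {
    src_dir=$1
    server_ip=$2
    valid_ipv4 "$server_ip" || { echo "bad server IP: $server_ip" >&2; return 1; }
    mkdir -p "$src_dir/etc"
    cat > "$src_dir/etc/preloaded-vars.conf" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_AGENT_SERVER_IP="$server_ip"
EOF
}

# The key copied from the OSSIM console is base64 of
# "<id> <name> <ip> <secret>". Decode it, check that all four fields are
# present and the IP is sane, and print the agent ID so it can be compared
# with the ID shown in the console before importing.
key_agent_id() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    set -- $decoded
    [ $# -eq 4 ] || return 1
    valid_ipv4 "$3" || return 1
    echo "$1"
}

# Import the key into the agent (real call; needs root on the agent host).
# MANAGE_AGENTS can be overridden for testing.
import_agent_key() {
    key_agent_id "$1" >/dev/null || { echo "key does not decode to id/name/ip/secret" >&2; return 1; }
    OSSEC_ACTION_CONFIRMED=y "${MANAGE_AGENTS:-/var/ossec/bin/manage_agents}" -i "$1"
}

# Constructed sample key; the secret is a placeholder, not a real one.
SAMPLE_KEY=$(printf '%s' '3 Host-192-168-31-97 192.168.31.97 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' | base64 | tr -d '\n')

# Demo on a scratch directory. The real sequence on the agent host would be:
#   write_preloaded_vars /usr/local/src/ossec-hids-2.8.1 192.168.31.111
#   (cd /usr/local/src/ossec-hids-2.8.1 && ./install.sh)
#   import_agent_key "$KEY_FROM_CONSOLE" && /var/ossec/bin/ossec-control restart
DEMO_DIR=${TMPDIR:-/tmp}/ossec-preload-demo.$$
write_preloaded_vars "$DEMO_DIR" 192.168.31.111 && cat "$DEMO_DIR/etc/preloaded-vars.conf"
echo "key belongs to agent ID: $(key_agent_id "$SAMPLE_KEY")"
rm -rf "$DEMO_DIR"
```

Checking the decoded agent ID against the one shown in the console catches the common copy-and-paste mistake where the key is truncated or a character is lost, which otherwise only surfaces later as an agent that never connects.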
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
If all of them are running, the service has started successfully; then look at the log output above. If it connects to the server normally, everything is fine.
2017/01/09 12:50:56 ossec-agentd: INFO: Trying to connect to server (192.168.31.111:1514).
2017/01/09 12:50:56 ossec-agentd: INFO: Using IPv4 for: 192.168.31.111 .
2017/01/09 12:50:57 ossec-agentd(4102): INFO: Connected to the server (192.168.31.111:1514).  # connected successfully
2017/01/09 12:51:00 ossec-syscheckd: INFO: Started (pid: 22595).
2017/01/09 12:51:00 ossec-rootcheck: INFO: Started (pid: 22595).
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Monitoring directory: '/opt/cc.txt'.
2017/01/09 12:51:00 ossec-syscheckd: INFO: Directory set for real time monitoring: '/opt/cc.txt'.
You can also check from the OSSIM server's command line which agents have connected:
alienvault:~# /var/ossec/bin/agent_control -lc  # -lc lists the agents that have successfully connected to the server
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: alienvault (server), IP: 127.0.0.1, Active/Local
ID: 2, Name: Host-192-168-31-98, IP: 192.168.31.98, Active
ID: 3, Name: Host-192-168-31-97, IP: 192.168.31.97, Active
You can also look at the traffic on the server's port 1514 to see whether logs are arriving:
ngrep -q -d any port 1514
Problem 3: /var/ossec/bin/agent_control -lc already shows the added agent as Active, but the OSSIM console still says Disconnected. What is going on?
There seems to be some delay here, so check again after a while. You can also use the following method to tell whether the agent is really connected to the server:
1. Run tail -40f /var/ossec/logs/ossec.log
2. In the OSSIM console click: restart agent
You will see the log change. When you click restart agent and the log shows the agent restarting and loading the files you want monitored, it is connected to the server and working normally. What the console shows is its own problem 0.0
2017/01/09 13:00:36 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2017/01/09 13:00:36 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2017/01/09 13:00:36 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2017/01/09 13:00:36 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2017/01/09 13:00:36 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2017/01/09 13:00:37 ossec-execd: INFO: Started (pid: 22890).
2017/01/09 13:00:37 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2017/01/09 13:00:37 ossec-agentd(1410): INFO: Reading authentication keys file.
2017/01/09 13:00:37 ossec-agentd: INFO: Assigning counter for agent Host-192-168-31-97: '2:2760'.
2017/01/09 13:00:37 ossec-agentd: INFO: Assigning sender counter: 54:9664
2017/01/09 13:00:37 ossec-agentd: INFO: Started (pid: 22894).
2017/01/09 13:00:37 ossec-agentd: INFO: Server IP Address: 192.168.31.111
2017/01/09 13:00:37 ossec-agentd: INFO: Trying to connect to server (192.168.31.111:1514).
2017/01/09 13:00:37 ossec-agentd: INFO: Using IPv4 for: 192.168.31.111 .
2017/01/09 13:00:38 ossec-agentd(4102): INFO: Connected to the server (192.168.31.111:1514).
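Problems 2 and 3 both come down to reading ossec.log and the agent_control listing by eye. The following is an added example, not code from the original article or from OSSEC: small shell functions that answer the same questions from the log and listing text. Each function reads stdin, so on a real host you would run agent_link_state < /var/ossec/logs/ossec.log on the agent and /var/ossec/bin/agent_control -lc | agent_is_active 192.168.31.97 on the OSSIM server. The sample input at the bottom is constructed from the lines shown above, plus one "Never connected" entry that is not on the page.

```shell
#!/bin/sh
# Added example, not from the original article: checks over the agent's
# ossec.log and the manager's "agent_control -lc" output. Every function
# reads its input on stdin.

# Print "connected <server:port>" when the latest connection attempt in
# the log was followed by a "Connected to the server" line,
# "unreachable <server:port>" when it was not, or "none" when the log
# holds no attempt at all (wrong server IP in ossec.conf, agent not started).
agent_link_state() {
    awk '
        /ossec-agentd.*Trying to connect to server/ {
            target = $0; sub(/.*\(/, "", target); sub(/\).*/, "", target)
            state = "unreachable"
        }
        /ossec-agentd.*Connected to the server/ { state = "connected" }
        END { if (state == "") print "none"; else print state, target }
    '
}

# Number of times ossec-agentd (re)started. Clicking "restart agent" in
# the OSSIM console must raise this by one; if it does not, the manager is
# not reaching the agent no matter what the console status says.
agent_restarts() {
    grep -c 'ossec-agentd: INFO: Started (pid:' || true
}

# From "agent_control -lc" output, print "ID NAME IP" for each agent whose
# status is exactly Active, skipping the manager itself (Active/Local) and
# entries such as "Never connected" or "Disconnected" that "-l" would show.
active_agents() {
    awk -F', ' '
        /^ *ID: / && $NF == "Active" {
            id = $1;   sub(/^ *ID: /, "", id)
            name = $2; sub(/^Name: /, "", name)
            ip = $3;   sub(/^IP: /, "", ip)
            print id, name, ip
        }
    '
}

# Exit 0 if the agent at IP $1 is listed Active, 1 otherwise.
agent_is_active() {
    active_agents | awk -v ip="$1" '$3 == ip { found = 1 } END { exit !found }'
}

# Constructed sample input, modelled on the log and listing shown above.
SAMPLE_LOG='2017/01/09 12:50:56 ossec-agentd: INFO: Trying to connect to server (192.168.31.111:1514).
2017/01/09 12:50:56 ossec-agentd: INFO: Using IPv4 for: 192.168.31.111 .
2017/01/09 12:50:57 ossec-agentd(4102): INFO: Connected to the server (192.168.31.111:1514).
2017/01/09 13:00:36 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2017/01/09 13:00:37 ossec-agentd: INFO: Started (pid: 22894).
2017/01/09 13:00:37 ossec-agentd: INFO: Trying to connect to server (192.168.31.111:1514).
2017/01/09 13:00:38 ossec-agentd(4102): INFO: Connected to the server (192.168.31.111:1514).'
SAMPLE_AGENTS='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: alienvault (server), IP: 127.0.0.1, Active/Local
   ID: 2, Name: Host-192-168-31-98, IP: 192.168.31.98, Active
   ID: 3, Name: Host-192-168-31-97, IP: 192.168.31.97, Active
   ID: 4, Name: Host-192-168-31-50, IP: 192.168.31.50, Never connected'

printf '%s\n' "$SAMPLE_LOG" | agent_link_state
echo "agentd starts seen: $(printf '%s\n' "$SAMPLE_LOG" | agent_restarts)"
printf '%s\n' "$SAMPLE_AGENTS" | active_agents
```

Run agent_restarts before and after clicking "restart agent" in the console; a count that does not change is the objective version of the "log did not move" check described above.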
4. Server commands
Here is an introduction to some server-side commands:
/var/ossec/bin/agent_control
agent_control options:
-h  show the help message
-l  list all available agents
-lc  list active agents
-i <agent_id>  get information about agent agent_id
-r  run the integrity/rootcheck check on an agent; must be used with -u or -a
-a  apply to all agents
-u <agent_id>  specify the agent ID to act on
1. For example, listing active agents, as shown above:
alienvault:~# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: alienvault (server), IP: 127.0.0.1, Active/Local
ID: 2, Name: Host-192-168-31-98, IP: 192.168.31.98, Active
ID: 3, Name: Host-192-168-31-97, IP: 192.168.31.97, Active
2. Get information about a specific agent:
alienvault:~# /var/ossec/bin/agent_control -i 3
OSSEC HIDS agent_control. Agent information:
Agent ID: 3
Agent Name: Host-192-168-31-97
IP address: 192.168.31.97
Status: Active
Operating system: Linux 2.6.24-16-#1 SMP Thu Apr 10 13..
Client version: OSSEC HIDS v2.8
Last keep alive: Mon Jan 9 13:08:46 2017
Syscheck last started at: Mon Jan 9 12:50:11 2017
Rootcheck last started at: Mon Jan 9 08:35:02 2017
3. View the time and permissions of modified files:
alienvault:~# /var/ossec/bin/syscheck_control -i 3
Integrity changes for agent 'Host-192-168-31-97 (3) - 192.168.31.97':
Changes for 2016 Dec 15:
2016 Dec 15 12:34:30,0 - /etc/ossec-init.conf
2016 Dec 15 12:38:32,0 - /etc/init.d/.depend.stop
2016 Dec 15 12:38:34,0 - /etc/init.d/.depend.start
2016 Dec 15 12:47:56,0 - /etc/ossec-init.conf
2016 Dec 15 12:51:59,0 - /etc/init.d/.depend.stop
2016 Dec 15 12:52:01,0 - /etc/init.d/.depend.start
4. View information about a monitored file:
alienvault:~# /var/ossec/bin/syscheck_control -i 3 -f /etc/ossec-init.conf
Integrity changes for agent 'Host-192-168-31-97 (3) - 192.168.31.97':
Detailed information for entries matching: '/etc/ossec-init.conf'
2016 Dec 15 12:34:30,0 - /etc/ossec-init.conf
File added to the database.
Integrity checking values:
Size: 101
Perm: rw-------
Uid: 0
Gid: 0
Md5: d689f85738933f1a04a8b15ec1528262
Sha1: a9339b82857a253826c234aaf6aaafc8e0876b6c
5. Re-run the integrity/rootcheck check:
alienvault:~# /var/ossec/bin/agent_control -r -u 3
OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 3
After it completes, the re-check messages can also be seen in the agent log.
6. Clear the database:
/var/ossec/bin/syscheck_control -u 3
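The syscheck_control -i listing in items 3 and 4 above grows long on a busy host. The following is an added example, not code from the original article or from OSSEC: a parser for that listing that prints one line per file, "<changes> <last change> <path>", with the most frequently changed files first, so a file that keeps changing stands out from a one-off edit. It reads stdin (/var/ossec/bin/syscheck_control -i 3 | syscheck_summary on the OSSIM server); the sample input is the listing shown above plus one constructed extra change to /etc/ossec-init.conf.

```shell
#!/bin/sh
# Added example, not from the original article: condense the
# "syscheck_control -i <id>" listing into one line per changed file.
# Reads the listing on stdin.
syscheck_summary() {
    awk '
        # Entry lines look like: "2016 Dec 15 12:34:30,0 - /etc/ossec-init.conf".
        # Header lines ("Integrity changes for agent ...", "Changes for ...")
        # do not match and are skipped.
        /^ *[0-9][0-9][0-9][0-9] [A-Z][a-z][a-z] [0-9]+ [0-9:]+,[0-9]+ - / {
            file = $0; sub(/.* - /, "", file)
            when = $1 " " $2 " " $3 " " $4; sub(/,.*/, "", when)
            count[file]++; last[file] = when
        }
        END { for (f in count) print count[f], last[f], f }
    ' | sort -k1,1nr -k6,6
}

# Constructed sample: the listing shown above plus one extra change on Dec 16.
SAMPLE_SYSCHECK="Integrity changes for agent 'Host-192-168-31-97 (3) - 192.168.31.97':
Changes for 2016 Dec 15:
2016 Dec 15 12:34:30,0 - /etc/ossec-init.conf
2016 Dec 15 12:38:32,0 - /etc/init.d/.depend.stop
2016 Dec 15 12:38:34,0 - /etc/init.d/.depend.start
2016 Dec 15 12:47:56,0 - /etc/ossec-init.conf
2016 Dec 15 12:51:59,0 - /etc/init.d/.depend.stop
2016 Dec 15 12:52:01,0 - /etc/init.d/.depend.start
Changes for 2016 Dec 16:
2016 Dec 16 09:12:03,0 - /etc/ossec-init.conf"

printf '%s\n' "$SAMPLE_SYSCHECK" | syscheck_summary
```

A path that tops this list on every run is either a file that legitimately changes often (and should be excluded in the agent's ossec.conf to keep the alerts meaningful) or something to look at with syscheck_control -i <id> -f <path>, as in item 4.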
OSSIM security discussion group (QQ): 46820390