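#!/usr/bin/env bash
# ossec-configure: interactive generator for an OSSEC HIDS ossec.conf.
# Asks a few questions, backs up the existing configuration and writes a
# new one from the answers plus the templates under $OSSEC_HOME/etc/templates.
# Needs write access to $OSSEC_HOME. Bash is required: a minimal POSIX
# /bin/sh (e.g. dash) does not accept all of the syntax used in this file.

# Global Variables
# No trailing slash here: every path below appends "/etc/...", and the old
# "/var/ossec/" value produced doubled slashes in the generated file.
OSSEC_HOME="/var/ossec"
OSSEC_CONF_FILE="$OSSEC_HOME/etc/ossec.conf"
RULES_TEMPLATE="$OSSEC_HOME/etc/templates/rules.template"
SYSCHECK_TEMPLATE="$OSSEC_HOME/etc/templates/syscheck.template"
HOST_DENY_TEMPLATE="$OSSEC_HOME/etc/templates/ar-host-deny.template"
FIREWALL_DROP_TEMPLATE="$OSSEC_HOME/etc/templates/ar-firewall-drop.template"
DISABLE_ACCOUNT_TEMPLATE="$OSSEC_HOME/etc/templates/ar-disable-account.template"
ROUTENULL_TEMPLATE="$OSSEC_HOME/etc/templates/ar-routenull.template"
SYSLOG_TEMPLATE="$OSSEC_HOME/etc/templates/syslog-logs.template"
SNORT_TEMPLATE="$OSSEC_HOME/etc/templates/snort-logs.template"
APACHE_TEMPLATE="$OSSEC_HOME/etc/templates/apache-logs.template"
PGSQL_TEMPLATE="$OSSEC_HOME/etc/templates/pgsql-logs.template"
ACTIVE_RESPONSE_TEMPLATE="$OSSEC_HOME/etc/templates/active-response.template"

# Used in the <email_from> address of alert mails. Fall back to the shell's
# own $HOSTNAME (or "localhost") instead of an empty name when the hostname
# command is missing or fails.
HOSTNAME=$(hostname 2>/dev/null) || HOSTNAME=${HOSTNAME:-localhost}
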
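# Module specific functions

# Input validation function
# check_input <msg> <valid responses regex> <default>
# if <default> is passed on as null, then there is no default
# Example: check_input  "Some question (yes/no) " "yes|no"  "yes"
#
# Reads one line from the terminal (/dev/tty, so it also works when stdin
# is a pipe) and leaves the accepted answer in the global INPUTTEXT.
# The regex is an ERE matched against the WHOLE answer: "y|n" accepts
# "y" or "n" but no longer "yes", "no" or "any" (the old substring match
# let those through and callers then silently treated them as "no").
# An empty answer selects <default> when one was given.
# Returns 1 once an answer is accepted (kept as-is for compatibility: the
# existing callers only look at INPUTTEXT) and 2 when no input can be
# read (EOF or no controlling terminal) and there is no default, leaving
# INPUTTEXT empty instead of looping forever.
check_input() {
  INPUTTEXT=""
  while :; do
    printf '%s ' "$1"
    # stderr is redirected first so a failed open of /dev/tty stays quiet;
    # the failure is handled here rather than spinning on it. No IFS= on
    # purpose: surrounding whitespace is stripped, as the old read did.
    if ! read -r INPUTTEXT 2>/dev/null < /dev/tty; then
      INPUTTEXT=""
      if [ -n "$3" ]; then
        INPUTTEXT=$3
        return 1
      fi
      printf '\nNo input available for: %s\n' "$1" >&2
      return 2
    fi
    if [ -z "$INPUTTEXT" ] && [ -n "$3" ]; then
      INPUTTEXT=$3
      return 1
    fi
    # Anchor the pattern to the full answer, and feed the answer through
    # printf rather than echo (echo would interpret a leading -n/-e).
    if printf '%s\n' "$INPUTTEXT" | grep -E -q -- "^($2)\$"; then
      return 1
    fi
    echo "Invalid input"
  done
}

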
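# Main

NEW_CONF="${OSSEC_CONF_FILE}.new"
BAK_CONF="${OSSEC_CONF_FILE}.bak"

#######################################
# Append one line to the configuration file being built.
# Globals:   NEW_CONF (read)
# Arguments: $1 - text of the line (written verbatim, newline added)
#######################################
emit() {
  printf '%s\n' "$1" >> "$NEW_CONF"
}

#######################################
# Append a template file to the configuration, padded with blank lines.
# A missing template is reported on stderr instead of silently producing
# a configuration without that section.
# Globals:   NEW_CONF (via emit)
# Arguments: $1 - template path
#######################################
append_template() {
  if [ -f "$1" ]; then
    emit ""
    cat "$1" >> "$NEW_CONF"
    emit ""
  else
    printf 'Warning: template %s not found, section skipped.\n' "$1" >&2
  fi
}

#######################################
# Print the contents of a log-file template, or nothing if it is missing.
# Callers deliberately leave the $(...) unquoted: the templates hold one
# path or shell pattern per line and the patterns are meant to glob.
# Arguments: $1 - template path
#######################################
template_entries() {
  if [ -f "$1" ]; then
    cat "$1"
  fi
}

#######################################
# Emit one <localfile> section and tell the user about it.
# Globals:   NEW_CONF (via emit)
# Arguments: $1 - OSSEC log_format value
#            $2 - path of the log file
#            $3 - label for the console message
#######################################
add_localfile() {
  emit ""
  emit "  <localfile>"
  emit "    <log_format>$1</log_format>"
  emit "    <location>$2</location>"
  emit "  </localfile>"
  printf '    -- %s (%s)\n' "$2" "$3"
}

echo
echo "OSSEC Configuration utility v0.1"
echo

# The new file is assembled next to the live one and only moved into place
# at the very end, so an aborted run leaves the current config untouched.
printf '<ossec_config>\n' > "$NEW_CONF" || {
  printf 'Cannot write %s\n' "$NEW_CONF" >&2
  exit 1
}

# Back up config file (a fresh install may not have one yet)
if [ -f "$OSSEC_CONF_FILE" ]; then
  cp -p "$OSSEC_CONF_FILE" "$BAK_CONF"
fi

# TODO(original): language selection, system/user/host detection, an
# "is OSSEC installed?" check and local SMTP server discovery were planned
# here but are not implemented.

# server/agent/local or help
check_input "1- What kind of installation do you want? (server, agent, local) [Default: server]:" "server|agent|local" "server"
# NOTE(review): OSSEC_TYPE is recorded but not used below; the same file is
# generated for server, agent and local installs — confirm that is intended.
OSSEC_TYPE=$INPUTTEXT
echo

echo "2- Setting up the configuration environment."
echo

# email notification
echo "3- Configuring the OSSEC HIDS."
echo
check_input "  3.1- Do you want e-mail notification? (y/n) [Default: y]:" "y|n" "y"
EMAIL_NOTIFICATION=$INPUTTEXT

emit "  <global>"
if [ "$EMAIL_NOTIFICATION" = "y" ]; then
  # Both answers are written into XML elements unescaped, so only accept
  # values without whitespace or the characters (<, >, &, quotes) that
  # would break or alter the document.
  check_input "   - What's your e-mail address?" "^[^<>&\"'[:space:]]+@[^<>&\"'[:space:]]+\$" ""
  EMAIL_ADDRESS=$INPUTTEXT
  emit "    <email_notification>yes</email_notification>"
  emit "    <email_to>$EMAIL_ADDRESS</email_to>"

  check_input "   - What's your SMTP server ip/host?" "^[A-Za-z0-9._:-]+\$" ""
  SMTP_SERVER=$INPUTTEXT
  emit "    <smtp_server>$SMTP_SERVER</smtp_server>"
  emit "    <email_from>ossecm@$HOSTNAME</email_from>"
else
  emit "    <email_notification>no</email_notification>"
fi
emit "  </global>"
emit ""

# update the rules?
append_template "$RULES_TEMPLATE"
echo

# run integrity check daemon?
check_input "  3.2- Do you want to run the integrity check daemon? (y/n) [y]:" "y|n" "y"
INTEGRITY_CHECK=$INPUTTEXT
if [ "$INTEGRITY_CHECK" = "y" ]; then
  append_template "$SYSCHECK_TEMPLATE"
fi
echo

# run rootkit detection engine?
check_input "  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:" "y|n" "y"
ROOTCHECK=$INPUTTEXT
emit ""
emit "  <rootcheck>"
if [ "$ROOTCHECK" = "y" ]; then
  emit "    <rootkit_files>$OSSEC_HOME/etc/shared/rootkit_files.txt</rootkit_files>"
  emit "    <rootkit_trojans>$OSSEC_HOME/etc/shared/rootkit_trojans.txt</rootkit_trojans>"
  emit "    <system_audit>$OSSEC_HOME/etc/shared/system_audit_rcl.txt</system_audit>"
  emit "    <system_audit>$OSSEC_HOME/etc/shared/cis_rhel_linux_rcl.txt</system_audit>"
  emit "    <system_audit>$OSSEC_HOME/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>"
else
  emit "    <disabled>yes</disabled>"
fi
emit "  </rootcheck>"
emit ""
echo

# enable active response
cat <<'EOF'
  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response

EOF
check_input "   - Do you want to enable active response? (y/n) [y]:" "y|n" "y"
ACTIVE_RESPONSE=$INPUTTEXT
FIREWALL_DROP=n
if [ "$ACTIVE_RESPONSE" = "y" ]; then
  cat <<'EOF'
     - Active response enabled.

   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

EOF
  check_input "   - Do you want to enable the firewall-drop response? (y/n) [y]:" "y|n" "y"
  FIREWALL_DROP=$INPUTTEXT

  if [ "$FIREWALL_DROP" = "y" ]; then
    emit "  <global>"
    emit "    <white_list>127.0.0.1</white_list>"
    emit "    <white_list>^localhost.localdomain\$</white_list>"
    # Whitelist the local resolvers so an active response can never cut the
    # host off from DNS. Only real "nameserver" lines count; the old
    # unanchored match also picked up commented-out ones.
    if [ -r /etc/resolv.conf ]; then
      for ip in $(awk '/^nameserver/ {print $2}' /etc/resolv.conf); do
        emit "    <white_list>$ip</white_list>"
      done
    fi

    check_input "   - Do you want to add more IPs to the white list? (y/n)? [n]:" "y|n" "n"
    if [ "$INPUTTEXT" = "y" ]; then
      printf '%s' "   - IPs (space separated): "
      WHITELIST_IPS=""
      read -r WHITELIST_IPS 2>/dev/null < /dev/tty
      # Split the answer on whitespace with globbing off: a stray '*' must
      # not expand to the current directory's contents.
      set -f
      for ip in $WHITELIST_IPS; do
        # Accept only the characters of an IPv4/IPv6 address or CIDR
        # range; anything else would go straight into the XML.
        case "$ip" in
          *[!0-9A-Fa-f.:/]*)
            printf 'Ignoring invalid white list entry: %s\n' "$ip" >&2 ;;
          *)
            emit "    <white_list>$ip</white_list>" ;;
        esac
      done
      set +f
    fi

    emit "  </global>"
  fi
fi
echo

# enable remote syslog?
check_input "  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:" "y|n" "y"
if [ "$INPUTTEXT" = "y" ]; then
  emit "  <remote>"
  emit "    <connection>syslog</connection>"
  emit "  </remote>"
  emit ""
  emit "  <remote>"
  emit "    <connection>secure</connection>"
  emit "  </remote>"
fi

# Email/log alerts
emit "  <alerts>"
emit "    <log_alert_level>1</log_alert_level>"
if [ "$EMAIL_NOTIFICATION" = "y" ]; then
  emit "    <email_alert_level>7</email_alert_level>"
fi
emit "  </alerts>"

if [ "$ACTIVE_RESPONSE" = "y" ]; then
  # Add commands in here
  append_template "$HOST_DENY_TEMPLATE"
  append_template "$FIREWALL_DROP_TEMPLATE"
  append_template "$DISABLE_ACCOUNT_TEMPLATE"
  append_template "$ROUTENULL_TEMPLATE"

  if [ "$FIREWALL_DROP" = "y" ]; then
    append_template "$ACTIVE_RESPONSE_TEMPLATE"
  fi
fi

# detect log files
emit ""
echo

# Syslog
# shellcheck disable=SC2046  (word-splitting and globbing are intended)
for i in $(template_entries "$SYSLOG_TEMPLATE"); do
  if [ -f "$i" ]; then
    add_localfile syslog "$i" syslog
  fi
done

# Snort: a "full" alert file opens with a "[**] [sid] name [**]" header line
# and carries the Classification on a later line, while the "fast" format
# keeps the whole alert, Classification included, on one line. Only regular
# files are configured (the old "ls" probe also accepted directories).
for i in $(template_entries "$SNORT_TEMPLATE"); do
  if [ -f "$i" ]; then
    if head -n 1 "$i" | grep -F '[**] ' | grep -q -v 'Classification:'; then
      add_localfile snort-full "$i" "snort-full file"
    else
      add_localfile snort-fast "$i" "snort-fast file"
    fi
  fi
done

# Apache
for i in $(template_entries "$APACHE_TEMPLATE"); do
  if [ -f "$i" ]; then
    add_localfile apache "$i" "apache log"
  fi
done

# Postgres
for i in $(template_entries "$PGSQL_TEMPLATE"); do
  if [ -f "$i" ]; then
    add_localfile postgresql_log "$i" "postgresql log"
  fi
done

emit "</ossec_config>"

# Swap the new file in only now that it is complete, and say so if either
# step fails instead of leaving the user with a half-installed config.
if [ -f "$OSSEC_CONF_FILE" ] && ! mv "$OSSEC_CONF_FILE" "$BAK_CONF"; then
  printf 'Cannot back up %s; new configuration left at %s\n' "$OSSEC_CONF_FILE" "$NEW_CONF" >&2
  exit 1
fi
if ! mv "$NEW_CONF" "$OSSEC_CONF_FILE"; then
  printf 'Cannot install %s; previous configuration is at %s\n' "$NEW_CONF" "$BAK_CONF" >&2
  exit 1
fi
# NOTE(review): the new file keeps the mode given by this process's umask
# rather than the owner/mode of the previous ossec.conf — confirm the
# installer fixes that up so OSSEC can read it and nobody else needs to.
echo "Configuration complete."
echo
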