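# Installation root and the template fragments that get spliced into the
# generated ossec.conf.
#
# OSSEC_HOME carries no trailing slash: every use below appends "/...", and
# the original trailing slash produced a "//" in every derived path (and
# "///" in SYSLOG_TEMPLATE). Those doubled separators were also written
# verbatim into the <rootcheck> paths of the generated configuration.
OSSEC_HOME="/var/ossec"
OSSEC_CONF_FILE="$OSSEC_HOME/etc/ossec.conf"
# All templates live in one directory; name it once so the paths below
# cannot drift apart.
TEMPLATE_DIR="$OSSEC_HOME/etc/templates"
RULES_TEMPLATE="$TEMPLATE_DIR/rules.template"
SYSCHECK_TEMPLATE="$TEMPLATE_DIR/syscheck.template"
HOST_DENY_TEMPLATE="$TEMPLATE_DIR/ar-host-deny.template"
FIREWALL_DROP_TEMPLATE="$TEMPLATE_DIR/ar-firewall-drop.template"
DISABLE_ACCOUNT_TEMPLATE="$TEMPLATE_DIR/ar-disable-account.template"
ROUTENULL_TEMPLATE="$TEMPLATE_DIR/ar-routenull.template"
SYSLOG_TEMPLATE="$TEMPLATE_DIR/syslog-logs.template"
SNORT_TEMPLATE="$TEMPLATE_DIR/snort-logs.template"
APACHE_TEMPLATE="$TEMPLATE_DIR/apache-logs.template"
PGSQL_TEMPLATE="$TEMPLATE_DIR/pgsql-logs.template"
ACTIVE_RESPONSE_TEMPLATE="$TEMPLATE_DIR/active-response.template"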
20 # Module specific functions
22 # Input validation function
23 # check_input <msg> <valid responses regex> <default>
24 # if <default> is passed as an empty string, there is no default
25 # Example: check_input "Some question (yes/no) " "yes|no" "yes"
# check_input: prompt on the controlling terminal until the reply matches
# <valid responses regex>, or is empty and a <default> was given; the
# accepted reply is handed back to the caller in the global INPUTTEXT.
# Original lines 27-30, 32, 35-37 and the closing brace are not part of
# this listing.
26 function check_input {
# Loops on $? — the status of whatever ran last — and the only visible way
# out is the "return 1" on an accepted reply below.
31 while [ $? -ne 1 ]; do
# No -r: a backslash typed by the user is interpreted rather than kept.
33 read INPUTTEXT < /dev/tty
# Empty reply with a non-empty default: presumably the default is taken
# (the branch body, lines 35-37, is hidden). "-a" inside [ ] is ambiguous;
# [[ ... && ... ]] is the robust spelling.
34 if [ "$INPUTTEXT" == "" -a "$default" != "" ]; then
# NOTE(review): the validation is a substring match on an unquoted,
# unanchored value. With validate="y|n" any reply containing a y or an n
# ("nope", "yes please") is accepted, and because the callers compare the
# result against the literal "y", such a reply silently takes the "n"
# path. The unquoted $INPUTTEXT is also glob-expanded by the shell. An
# exact match — printf '%s\n' "$INPUTTEXT" | grep -Eqx -- "$validate" —
# would reject those replies and re-prompt instead.
38 echo $INPUTTEXT | egrep -q "$validate" && return 1
# Main flow, part 1: start a fresh config in ${OSSEC_CONF_FILE}.new, back up
# the current one, ask for the installation type and build the <global>
# block (e-mail notification). Several original lines (47-48, 50-51, 53-55,
# 57-59, 62-64, 66-68, 70, 73, 81, 83, 89, 91) are not in this listing.
46 echo "OSSEC Configuration utility v0.1"
# The .new file is created with whatever mode the current umask yields; it
# is later moved over the real ossec.conf (line 304), so the mode of the
# file being replaced is not carried over. Confirm the umask this utility
# is run under matches what the daemons expect for their config.
49 echo "<ossec_config>" > ${OSSEC_CONF_FILE}.new
# First backup; line 303 makes another one (mv) just before the swap.
# Paths are unquoted throughout — harmless for the constant values above,
# but a quoted "${OSSEC_CONF_FILE}" form would survive a changed OSSEC_HOME.
52 cp ${OSSEC_CONF_FILE} ${OSSEC_CONF_FILE}.bak
56 # grabs System/User/Host
60 # server/agent/local or help
# The answer lands in INPUTTEXT; where it is consumed (lines 62-64) is not
# shown here.
61 check_input "1- What kind of installation do you want? (server, agent, local) [Default: server]:" "server|agent|local" "server"
65 echo "2- Setting up the configuration environment."
69 echo "3- Configuring the OSSEC HIDS."
71 check_input " 3.1- Do you want e-mail notification? (y/n) [Default: y]:" "y|n" "y"
72 EMAIL_NOTIFICATION=$INPUTTEXT
74 echo " <global>" >> ${OSSEC_CONF_FILE}.new
75 if [ "$EMAIL_NOTIFICATION" == "y" ]; then
76 # Get default email address
# "echo -n" is not portable across /bin/sh implementations; printf '%s' is.
77 echo -n " - What's your e-mail address? "
78 read EMAIL_ADDRESS < /dev/tty
79 echo " <email_notification>yes</email_notification>" >> ${OSSEC_CONF_FILE}.new
# NOTE(review): the typed value goes into the XML verbatim — no check that
# it looks like an address and no escaping of "<" or "&", so a stray
# character yields a configuration the daemons cannot parse. The same
# applies to SMTP_SERVER below.
80 echo " <email_to>$EMAIL_ADDRESS</email_to>" >> ${OSSEC_CONF_FILE}.new
82 # find local smtp server, use it?
84 # else enter it manually
85 echo -n " - What's your SMTP server ip/host? "
86 read SMTP_SERVER < /dev/tty
87 echo " <smtp_server>$SMTP_SERVER</smtp_server>" >> ${OSSEC_CONF_FILE}.new
# Sender is derived from the shell's HOSTNAME, which may be empty or a short
# name under some shells/environments — check what the SMTP server accepts.
88 echo " <email_from>ossecm@$HOSTNAME</email_from>" >> ${OSSEC_CONF_FILE}.new
# "no" branch (its else line, 89, is hidden).
90 echo " <email_notification>no</email_notification>" >> ${OSSEC_CONF_FILE}.new
92 echo " </global>" >> ${OSSEC_CONF_FILE}.new
93 echo "" >> ${OSSEC_CONF_FILE}.new
# Main flow, part 2: rules, syscheck (integrity checking) and rootcheck
# sections. Original lines 100-105, 113-115, 118 and 129 are not shown.
98 cat $RULES_TEMPLATE >> ${OSSEC_CONF_FILE}.new
99 echo "" >> ${OSSEC_CONF_FILE}.new
106 # run integrity check daemon?
107 check_input " 3.2- Do you want to run the integrity check daemon? (y/n) [y]:" "y|n" "y"
108 INTEGRITY_CHECK=$INPUTTEXT
109 if [ "$INTEGRITY_CHECK" == "y" ]; then
110 echo "" >> ${OSSEC_CONF_FILE}.new
# The whole syscheck section comes from the template; there is no
# "disabled" fallback written when the answer is "n" (unlike rootcheck).
111 cat $SYSCHECK_TEMPLATE >> ${OSSEC_CONF_FILE}.new
112 echo "" >> ${OSSEC_CONF_FILE}.new
116 # run rootkit detection engine?
117 check_input " 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:" "y|n" "y"
# ROOTCHECK is presumably assigned from INPUTTEXT on hidden line 118.
119 if [ "$ROOTCHECK" == "y" ]; then
120 echo "" >> ${OSSEC_CONF_FILE}.new
121 echo " <rootcheck>" >> ${OSSEC_CONF_FILE}.new
# These paths are written into the config as-is, so the value of
# OSSEC_HOME (trailing slash included, as set on line 4) ends up in them.
122 echo " <rootkit_files>$OSSEC_HOME/etc/shared/rootkit_files.txt</rootkit_files>" >> ${OSSEC_CONF_FILE}.new
123 echo " <rootkit_trojans>$OSSEC_HOME/etc/shared/rootkit_trojans.txt</rootkit_trojans>" >> ${OSSEC_CONF_FILE}.new
124 echo " <system_audit>$OSSEC_HOME/etc/shared/system_audit_rcl.txt</system_audit>" >> ${OSSEC_CONF_FILE}.new
125 echo " <system_audit>$OSSEC_HOME/etc/shared/cis_rhel_linux_rcl.txt</system_audit>" >> ${OSSEC_CONF_FILE}.new
126 echo " <system_audit>$OSSEC_HOME/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>" >> ${OSSEC_CONF_FILE}.new
127 echo " </rootcheck>" >> ${OSSEC_CONF_FILE}.new
128 echo "" >> ${OSSEC_CONF_FILE}.new
# Explicitly disabled rootcheck when the answer was "n" (else on hidden
# line 129).
130 echo "" >> ${OSSEC_CONF_FILE}.new
131 echo " <rootcheck>" >> ${OSSEC_CONF_FILE}.new
132 echo " <disabled>yes</disabled>" >> ${OSSEC_CONF_FILE}.new
133 echo " </rootcheck>" >> ${OSSEC_CONF_FILE}.new
# Main flow, part 3: active response opt-in and the white list that exempts
# addresses from it. Original lines 142-143, 145-146, 151, 160-161, 164,
# 172-173, 178, 181-183 and 185-191 are not shown. The two echo commands
# at 139 and 150 span several lines of one quoted string, so nothing may be
# inserted between their lines.
138 # enable active response
139 echo " 3.4- Active response allows you to execute a specific
140 command based on the events received. For example,
141 you can block an IP address or disable access for
144 http://www.ossec.net/en/manual.html#active-response
147 check_input " - Do you want to enable active response? (y/n) [y]:" "y|n" "y"
148 ACTIVE_RESPONSE=$INPUTTEXT
149 if [ "$ACTIVE_RESPONSE" == "y" ]; then
150 echo " - Active response enabled.
152 - By default, we can enable the host-deny and the
153 firewall-drop responses. The first one will add
154 a host to the /etc/hosts.deny and the second one
155 will block the host on iptables (if linux) or on
156 ipfilter (if Solaris, FreeBSD or NetBSD).
157 - They can be used to stop SSHD brute force scans,
158 portscans and some other forms of attacks. You can
159 also add them to block on snort events, for example.
# FIREWALL_DROP is only assigned inside this branch; when active response
# was declined it stays unset for the later test on line 224.
162 check_input " - Do you want to enable the firewall-drop response? (y/n) [y]:" "y|n" "y"
163 FIREWALL_DROP=$INPUTTEXT
165 if [ "$FIREWALL_DROP" == "y" ]; then
# A second <global> block is opened here for the white list (the first one
# was closed on line 92).
166 echo " <global>" >> ${OSSEC_CONF_FILE}.new
167 echo " <white_list>127.0.0.1</white_list>" >> ${OSSEC_CONF_FILE}.new
168 echo " <white_list>^localhost.localdomain$</white_list>" >> ${OSSEC_CONF_FILE}.new
169 # Add stuff to whitelist, default w/ local IP
# Every resolver listed in /etc/resolv.conf is white-listed so the blocking
# responses cannot cut this host off from DNS. The values are taken as
# found, with no address check; that is acceptable only because
# resolv.conf is a local, root-owned file. Backticks and the unquoted
# substitution word-split the output, which is fine for plain addresses.
170 for ip in `awk '/nameserver/ {print $2}' /etc/resolv.conf`; do
171 echo " <white_list>$ip</white_list>" >> ${OSSEC_CONF_FILE}.new
174 check_input " - Do you want to add more IPs to the white list? (y/n)? [n]:" "y|n" "n"
175 if [ "$INPUTTEXT" == "y" ]; then
176 echo -n " - IPs (space separated): "
177 read WHITELIST_IPS < /dev/tty
# NOTE(review): operator-typed entries are split on whitespace and written
# verbatim: nothing checks they are addresses, and "<" or "&" would corrupt
# the XML. Presumably a white-listed entry is exempt from every response,
# so an over-broad entry silently disables blocking for it — worth a
# format check here. Line 180 also lacks the leading space its siblings
# carry (cosmetic).
179 for ip in $WHITELIST_IPS; do
180 echo "<white_list>$ip</white_list>" >> ${OSSEC_CONF_FILE}.new
184 echo " </global>" >> ${OSSEC_CONF_FILE}.new
# Main flow, part 4: <remote> listener choice and <alerts> thresholds.
# Original lines 198, 202-204, 209 and 211 are not shown.
192 # enable remote syslog?
193 check_input " 3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:" "y|n" "y"
194 if [ "$INPUTTEXT" == "y" ]; then
# Per the prompt, this makes the server accept plain syslog over UDP 514.
# Nothing written here restricts the sending addresses, so any host that can
# reach the port can inject log lines — presumably the allowed sources are
# meant to be configured in this <remote> block afterwards; confirm that is
# part of the deployment procedure.
195 echo " <remote>" >> ${OSSEC_CONF_FILE}.new
196 echo " <connection>syslog</connection>" >> ${OSSEC_CONF_FILE}.new
197 echo " </remote>" >> ${OSSEC_CONF_FILE}.new
# Otherwise only the authenticated agent channel is configured (else on
# hidden line 198).
199 echo " <remote>" >> ${OSSEC_CONF_FILE}.new
200 echo " <connection>secure</connection>" >> ${OSSEC_CONF_FILE}.new
201 echo " </remote>" >> ${OSSEC_CONF_FILE}.new
205 echo " <alerts>" >> ${OSSEC_CONF_FILE}.new
# Log everything from level 1 up; e-mail only from level 7 and only when
# notification was enabled in part 1.
206 echo " <log_alert_level>1</log_alert_level>" >>${OSSEC_CONF_FILE}.new
207 if [ "$EMAIL_NOTIFICATION" == "y" ]; then
208 echo " <email_alert_level>7</email_alert_level>" >> ${OSSEC_CONF_FILE}.new
210 echo " </alerts>" >> ${OSSEC_CONF_FILE}.new
# Main flow, part 5: splice the active-response command/response templates
# in when active response was enabled. Original lines 223 and 228-232 are
# not shown, so whether line 224 sits inside or after this branch cannot
# be told from the listing.
212 if [ "$ACTIVE_RESPONSE" == "y" ]; then
213 # Add commands in here
214 echo "" >> ${OSSEC_CONF_FILE}.new
# Four command definitions are always appended together; only the
# firewall-drop response itself (line 226) is conditional.
215 cat ${HOST_DENY_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
216 echo "" >> ${OSSEC_CONF_FILE}.new
217 cat ${FIREWALL_DROP_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
218 echo "" >> ${OSSEC_CONF_FILE}.new
219 cat ${DISABLE_ACCOUNT_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
220 echo "" >> ${OSSEC_CONF_FILE}.new
221 cat ${ROUTENULL_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
222 echo "" >> ${OSSEC_CONF_FILE}.new
# Single "=" here while every other comparison in the file uses "=="; both
# work in bash, but one spelling should be used throughout. FIREWALL_DROP
# is only ever set inside the ACTIVE_RESPONSE branch (line 163).
224 if [ "$FIREWALL_DROP" = "y" ]; then
225 echo "" >> ${OSSEC_CONF_FILE}.new
226 cat ${ACTIVE_RESPONSE_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
227 echo "" >> ${OSSEC_CONF_FILE}.new
233 echo "" >> ${OSSEC_CONF_FILE}.new
# Main flow, part 6: emit one <localfile> per log path from each template,
# for snort/apache/pgsql only when the path exists. Original lines 238,
# 245-249, 253, 256, 258, 261, 264, 267-270, 274, 280, 282-285, 289,
# 295 and 297-301 (the if/else/fi and done lines) are not shown.
# Every template is read with an unquoted `cat`, so entries are split on
# whitespace and glob-expanded; a path containing a space becomes two
# entries. If the templates are meant to carry wildcards this is relied
# on, otherwise a "while IFS= read -r" loop is the safe form.
237 for i in `cat $SYSLOG_TEMPLATE`; do
239 echo " -- $i (syslog)"
240 echo "" >> ${OSSEC_CONF_FILE}.new
241 echo " <localfile>" >> ${OSSEC_CONF_FILE}.new
242 echo " <log_format>syslog</log_format>" >> ${OSSEC_CONF_FILE}.new
243 echo " <location>$i</location>" >> ${OSSEC_CONF_FILE}.new
244 echo " </localfile>" >> ${OSSEC_CONF_FILE}.new
250 SNORT_FILES=`cat ${SNORT_TEMPLATE}`
251 for i in ${SNORT_FILES}; do
# Existence probe via ls; the status check itself (line 253) is hidden.
# [ -e "$i" ] would avoid the fork and the unquoted expansion.
252 ls $i > /dev/null 2>&1
254 echo "" >> ${OSSEC_CONF_FILE}.new
255 echo " <localfile>" >> ${OSSEC_CONF_FILE}.new
# Decides snort-full vs snort-fast from the first line of the log. In BRE
# "\[*" means zero or more "[", so the pattern appears to reduce to any
# line containing "] " that is not a Classification line; if the literal
# "[**] " header is what is intended, `grep -F -- '[**] '` states that
# unambiguously — verify against real snort output before changing it.
257 head -n 1 $i|grep "\[**\] "|grep -v "Classification:" > /dev/null
259 echo " <log_format>snort-full</log_format>" >> ${OSSEC_CONF_FILE}.new
260 echo " -- $i (snort-full file)"
262 echo " <log_format>snort-fast</log_format>" >> ${OSSEC_CONF_FILE}.new
263 echo " -- $i (snort-fast file)"
265 echo " <location>$i</location>" >>${OSSEC_CONF_FILE}.new
266 echo " </localfile>" >> ${OSSEC_CONF_FILE}.new
271 APACHE_FILES=`cat ${APACHE_TEMPLATE}`
272 for i in ${APACHE_FILES}; do
273 ls $i > /dev/null 2>&1
275 echo "" >> ${OSSEC_CONF_FILE}.new
276 echo " <localfile>" >> ${OSSEC_CONF_FILE}.new
277 echo " <log_format>apache</log_format>" >> ${OSSEC_CONF_FILE}.new
278 echo " <location>$i</location>" >>${OSSEC_CONF_FILE}.new
279 echo " </localfile>" >> ${OSSEC_CONF_FILE}.new
281 echo " -- $i (apache log)"
286 PGSQL_FILES=`cat ${PGSQL_TEMPLATE}`
287 for i in ${PGSQL_FILES}; do
288 ls $i > /dev/null 2>&1
290 echo "" >> ${OSSEC_CONF_FILE}.new
291 echo " <localfile>" >> ${OSSEC_CONF_FILE}.new
292 echo " <log_format>postgresql_log</log_format>" >> ${OSSEC_CONF_FILE}.new
293 echo " <location>$i</location>" >>${OSSEC_CONF_FILE}.new
294 echo " </localfile>" >> ${OSSEC_CONF_FILE}.new
296 echo " -- $i (postgresql log)"
# Main flow, part 7: close the document and swap the new file into place.
302 echo "</ossec_config>" >> ${OSSEC_CONF_FILE}.new
# Second backup (the first was a cp on line 52); this one overwrites it.
# Neither mv is checked, so a failure here (missing file, permissions)
# still prints "Configuration complete." — `mv ... || exit 1` would stop
# instead. The installed file keeps the mode the .new file got at
# creation (line 49), not the mode of the ossec.conf it replaces.
303 mv ${OSSEC_CONF_FILE} ${OSSEC_CONF_FILE}.bak
304 mv ${OSSEC_CONF_FILE}.new ${OSSEC_CONF_FILE}
305 echo "Configuration complete."