This article assumes you already have basic working knowledge of Ansible and of OSSEC.
It walks you through automating OSSEC agent installation with an Ansible playbook.
On the Ansible server, create the folder below to hold the playbook, its variables and its templates.
Ansible Server
cd /etc/ansible/roles/
sudo mkdir ossec-client
cd ossec-client
With the main folder of this article in place, we go on step by step. First, create the YAML playbook that Ansible will run:
sudo touch main.yaml
sudo vi main.yaml
In vi, put in the content below as the start of the playbook (YAML is indentation-sensitive, so keep the spacing):
---
- hosts: ossecclient2
  become: yes
  tasks:
    # NOTE: every Ansible module, apt included, needs Python on the target already;
    # if a fresh host has none, bootstrap it with the raw module before these tasks.
    - name: Install development tools
      apt: pkg=build-essential state=present

    - name: Install Python
      apt: pkg=python state=present
Save it for now; we will add the rest with explanations.
At the top, hosts names the machine that will be configured as an OSSEC agent. Here it is ossecclient2; yours will differ,
and you have to define that name in /etc/ansible/hosts like below:
sudo vi /etc/ansible/hosts
This entry is what lets the playbook resolve ossecclient2 to an address and, if you uncomment it, a non-default SSH port. ansible_ssh_host is the pre-2.0 name of ansible_host; both work on Ansible 2.x.
ossecclient2 ansible_ssh_host=192.168.0.2 # ansible_port=22
Save and quit the file.
Before heading back to main.yaml, create a second YAML file, vars.yaml, to hold the variables:
sudo vi vars.yaml
and set your values accordingly:
---
ossec_url: https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
ossec_path: /opt/ossec-hids-2.8.3.tar.gz
ossec_path2: /opt/ossec-hids-2.8.3
extract_path: /opt
ossec_server_ip: 192.168.0.3   # OSSEC server IP address
j2_path: /etc/ansible/roles/ossec-client/templates/ossec_client_input.j2
client_key_path: /etc/ansible/roles/ossec-client/templates/client2.keys
remote_client_key_path: /var/ossec/etc/client2.keys
Save and quit vars.yaml, and change ossec_server_ip to your own OSSEC server address. Bintray, which hosted the tarball, has since shut down, so host ossec-hids-2.8.3.tar.gz somewhere you control, point ossec_url at it, and pin it with the checksum option of get_url so a tampered or swapped tarball fails the download instead of being installed on every agent.
Now back to main.yaml:
sudo vi main.yaml
and append the following tasks under the existing tasks: list, keeping the same indentation:
    - include_vars: /etc/ansible/roles/ossec-client/vars.yaml

    - name: Download OSSEC source
      get_url: url="{{ ossec_url }}" dest="{{ ossec_path }}"

    - name: Extract OSSEC source
      unarchive: copy=no src="{{ ossec_path }}" dest="{{ extract_path }}"

    - name: Copy the install.sh answer file
      template: src="{{ j2_path }}" dest="{{ ossec_path2 }}/ossec_client_input.txt"

    # become: yes already runs this as root, so no sudo inside the command
    - name: Install OSSEC agent (answers fed from the template)
      shell: bash {{ ossec_path2 }}/install.sh < {{ ossec_path2 }}/ossec_client_input.txt

    - name: Copy client key file to the agent
      copy: src="{{ client_key_path }}" dest="{{ remote_client_key_path }}" owner=root group=ossec mode=0440

    # -F -w matches the IP as a whole word; a plain grep for 192.168.0.2 would also hit 192.168.0.20
    - name: Keep only the key line for this agent
      shell: grep -F -w "{{ ansible_default_ipv4.address }}" {{ remote_client_key_path }} > /var/ossec/etc/client.keys

    - name: Restrict permissions on client.keys
      file: path=/var/ossec/etc/client.keys owner=root group=ossec mode=0440

    - name: Delete the temporary key file
      file: name="{{ remote_client_key_path }}" state=absent

    - name: Delete ossec_client_input.txt
      file: name="{{ ossec_path2 }}/ossec_client_input.txt" state=absent

    - name: Start OSSEC agent
      shell: /var/ossec/bin/ossec-control restart
Save and quit the file.
Now create a templates folder inside the role for the files the playbook pushes to the agent:
sudo mkdir /etc/ansible/roles/ossec-client/templates/
and create a Jinja2 (.j2) file that answers the questions install.sh asks, so the agent install needs no interaction:
sudo vi /etc/ansible/roles/ossec-client/templates/ossec_client_input.j2
Put the content below into the .j2 file exactly as shown, one answer per line: language, install type, install directory, server IP, then yes to the integrity check daemon, rootcheck and active response.
en
agent
/var/ossec
{{ ossec_server_ip }}
y
y
y
Save and quit the file.
Next, create the file that will hold the client key used to authenticate the agent to the server. The playbook variables and the helper script below expect it as client2.keys inside the templates folder; it starts empty and gets the key line pasted in later.
sudo touch /etc/ansible/roles/ossec-client/templates/client2.keys
That completes the templates folder. Go back to the role directory:
cd /etc/ansible/roles/ossec-client
Now create a small bash script that opens, one after the other, the two files you have to edit every time you configure a new OSSEC client, so neither is forgotten before the playbook runs:
sudo vi file2edit
Copy and paste the content below into file2edit:
#!/bin/bash
file=main.yaml
vi $file
vim /etc/ansible/roles/ossec-client/templates/client2.keys
Save and quit and make it executable with below command:
sudo chmod 755 file2edit
So every time, before you run main.yaml, run file2edit, make sure hosts points at the right host, and put in the correct key for that agent:
sudo bash file2edit
It first opens main.yaml: change the hosts value to the server you want to turn into an OSSEC agent, save and quit. It then opens client2.keys.
Leave that editor open, open a second terminal and connect to the OSSEC server.
OSSEC SERVER
Run below command on the Ossec server
cd /var/ossec/bin
sudo ./manage_agents
you will see something like below:
****************************************
* OSSEC HIDS v2.8.3 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use 'q' to return to the main menu).
Please provide the following:
* A name for the new agent: ossecclient2
* The IP Address of the new agent: 192.168.0.2
* An ID for the new agent[1]:
Agent information:
ID:1
Name:ossecclient2
IP Address:192.168.0.2
Confirm adding it?(y/n): y
Agent added.
That registers the client on the server; next we read back the raw key line it generated.
cd /var/ossec/etc/
sudo tail -n1 client.keys
1 ossecclient2 192.168.0.2 ca2d6ade89547822d22329d67f87ac1d5c8b3d48e100a746cdaf101ba81010d1
Copy that whole line (ID, name, IP and key): the playbook greps the file by IP, so it needs the complete line, not just the hex key. Treat it as a secret; it is the shared key that authenticates this agent to the server.
and restart ossec server with below command:
service ossec restart
ANSIBLE SERVER
Go back to the terminal on the Ansible server where client2.keys is open, paste that line, save and quit.
That completes the work on the OSSEC server and the per-client input on the Ansible server.
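The playbook keeps only the line for the current agent with a grep on its IP, and the key line pasted into client2.keys is copied to the agent unchecked. Two things a practitioner would want verified before that line reaches an agent: that the IP match is exact (grep "192.168.0.2" is a substring search and also hits 192.168.0.20), and that the line has the <id> <name> <ip> <64-hex-key> shape OSSEC expects. The shell function below does both and writes the single line with restrictive permissions. It is an added example written for this article, not code from the original post, OSSEC or Ansible; the sample client.keys content it builds is constructed for the example and the key values in it are made up.

```shell
#!/bin/sh
# extract_agent_key <keys-file> <agent-ip> <output-file>
# Copies the single client.keys line whose IP column equals <agent-ip> into
# <output-file> (mode 0440). Returns 0 on success, 1 when no line or more
# than one line matches, 2 when the line is not "<id> <name> <ip> <64-hex-key>".
extract_agent_key() {
    keys="$1"; ip="$2"; out="$3"
    # Exact comparison on the third whitespace-separated field, not a substring search.
    match=$(awk -v ip="$ip" '$3 == ip' "$keys")
    if [ -z "$match" ]; then
        echo "no agent registered with IP $ip" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$match" | wc -l)" -ne 1 ]; then
        echo "more than one agent registered with IP $ip" >&2
        return 1
    fi
    # id numeric, name and ip without spaces, key exactly 64 lowercase hex digits
    if ! printf '%s\n' "$match" | grep -Eq '^[0-9]+ [^ ]+ [^ ]+ [0-9a-f]{64}$'; then
        echo "malformed client.keys line for $ip" >&2
        return 2
    fi
    # Recreate the output under a restrictive umask so the key is never briefly readable by others.
    rm -f "$out"
    (umask 077; printf '%s\n' "$match" > "$out") && chmod 0440 "$out"
}

# Constructed sample of a server-side client.keys (key values are made up for the example;
# ossecclient2's line mirrors the one shown earlier in the article).
SAMPLE_KEYS=$(mktemp)
cat > "$SAMPLE_KEYS" <<'EOF'
1 ossecclient1 192.168.0.20 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2 ossecclient2 192.168.0.2 ca2d6ade89547822d22329d67f87ac1d5c8b3d48e100a746cdaf101ba81010d1
3 ossecclient3 192.168.0.3 deadbeef
EOF

# Example run: a plain "grep 192.168.0.2" would have returned lines 1 and 2; this returns only line 2.
DEMO_OUT=$(mktemp)
if extract_agent_key "$SAMPLE_KEYS" 192.168.0.2 "$DEMO_OUT"; then
    echo "wrote $(wc -l < "$DEMO_OUT") line to $DEMO_OUT"
fi
```

Run it on the Ansible server against the line you copied from the OSSEC server (or against the whole client.keys if you fetch it), and ship the resulting one-line file as /var/ossec/etc/client.keys instead of client2.keys. That removes the grep, chown and delete tasks from the playbook, and no agent ever receives another agent's key.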
Now run the playbook from the role directory on the Ansible server:
ansible-playbook main.yaml
and you will see output like the following (only the first tasks are shown):
PLAY [ossecclient2] *****************************************************************
TASK [setup] *******************************************************************
ok: [ossecclient2]
TASK [Installs Developement Tools] *********************************************
ok: [ossecclient2]
TASK [Install Python] **********************************************************
ok: [ossecclient2]
TASK [include_vars] ************************************************************
ok: [ossecclient2]
TASK [Download OssecClient] ****************************************************
changed: [ossecclient2]
TASK [Extract Ossec server code] ***********************************************
changed: [ossecclient2]
TASK [Copy the Ossec_input file] ***********************************************
changed: [ossecclient2]
After Ansible finishes, run the command below on ossecclient2 to verify that the agent connected to the server successfully:
OSSEC CLIENT (ossecclient2)
tail -f /var/ossec/logs/ossec.log
and you will see something like below:
2017/04/20 08:26:11 ossec-agentd(4102): INFO: Connected to the server (192.168.0.3:1514)
If that message never appears, it is almost always a firewall problem: the agent talks to the server on UDP port 1514, so allow inbound UDP 1514 on the server and outbound UDP 1514 from the client. If the log complains about the key instead, compare the line in client.keys on the agent with the one manage_agents generated on the server; the IP in it must be the address the agent connects from.
If you cannot get it working with the tutorial above, the complete role is provided for download as ossec-client.tar.gz; untar it with the command below:
tar xvf ossec-client.tar.gz