We are big fans of OSSEC at Trunc. We maintain probably one of the largest active deployments across our many different NOC properties. Below we are going to share a script we use internally to quickly deploy OSSEC across different Linux distributions.
This script assumes you are deploying on a Linux distribution (e.g., Fedora, Ubuntu, CentOS, or Debian). It requires you to pass the target distribution as an argument before it runs, which ensures it installs the appropriate dependencies for that distribution type.
This script uses Daniel's OSSEC build (the dcid/ossec-hids repository). Edit it as you wish if you want to use the main distribution instead.
OSSEC can be compiled and installed without the interactivity of install.sh by using preloaded variables. That is what I'm doing when I echo my settings into the etc/preloaded-vars.conf configuration file, which install.sh reads before it starts. You can download this code directly from Github here.
```bash
#!/bin/bash
# Created by: Tony Perez
# Version 1.0
#####################################################
#####################################################
# Description:
# This script will configure an OSSEC Agent. It is designed to work with an OSSEC manager.
# This script will:
# - Check for dependencies based on OS type
# - Will create appropriate folders, default directory is /root
# - This uses Daniel's OSSEC build
# - This script will install OSSEC using preload variables.
# - Will ask you to define the Manager before doing the install.
# - All variables are created in the install directory ../etc/preloaded-vars.conf
# - This will not start OSSEC, you have to start manually once configured.
#
echo "Hi, this script is going to install the OSSEC product with an Agent configuration.."
echo "Please be sure to watch for the prompt to enter the Manager IP."
echo "All other settings are set in preloaded-vars.conf to streamline the deployment."
#Begin installation of OSSEC: https://dcid.me/texts/my-ossec-setup-manual.html
RED='\033[0;31m'
NC='\033[0m'
bold=$(tput bold)
normal=$(tput sgr0)
# Everything below writes under /root and runs install.sh, so it has to run as root
if [ "$(id -u)" -ne 0 ]; then
    echo "Please run this script as root (e.g. sudo $0 <distribution>)."
    exit 1
fi
#Install dependencies first
if [ "x$1" = "xcentos" ] ; then
    echo "You have selected CentOS"
    echo "Installing CentOS dependencies"
    # glibc-devel is the yum name for the C library headers (libc-dev is the Debian name);
    # unzip is needed to extract the download below
    sudo yum -y install gcc make glibc-devel wget unzip
    echo "Done with CentOS dependencies."
elif [ "x$1" = "xubuntu" ] ; then
    echo "You have selected Ubuntu"
    echo "Installing Ubuntu dependencies"
    sudo apt install -y gcc make libevent-dev zlib1g-dev libssl-dev libpcre2-dev wget unzip tar
    echo "Done with Ubuntu dependencies."
elif [ "x$1" = "xdebian" ] ; then
    echo "You have selected Debian"
    echo "Installing Debian dependencies"
    sudo apt-get update
    sudo apt-get install -y build-essential inotify-tools ntp wget unzip
    sudo systemctl start ntp
    echo "Debian doesn't have IPTables..will install"
    sudo apt-get install -y iptables-persistent
    sudo systemctl restart netfilter-persistent
    echo "Done with Debian dependencies."
elif [ "x$1" = "xfedora" ] ; then
    echo "You have selected Fedora"
    echo "Installing Fedora dependencies"
    sudo yum install -y bind-utils gcc make inotify-tools wget unzip
    echo "Done with Fedora dependencies."
else
    echo " "
    echo "Please pass one of the following options into the script:"
    echo " "
    echo -e " Run the following command: ${RED}$0 centos${NC}"
    echo -e " Run the following command: ${RED}$0 ubuntu${NC}"
    echo -e " Run the following command: ${RED}$0 debian${NC}"
    echo -e " Run the following command: ${RED}$0 fedora${NC}"
    exit 1
fi
echo "Creating new Downloads directory in root"
mkdir -p /root/Downloads
cd /root/Downloads || exit 1
echo "New Downloads directory created and set"
echo "Downloading OSSEC installation"
wget https://github.com/dcid/ossec-hids/archive/refs/heads/master.zip
echo "Extracting installation into Downloads folder"
unzip master.zip
echo "Switching directories to the new extracted installation"
downloaddir="/root/Downloads/ossec-hids-master"
preload="$downloaddir/etc/preloaded-vars.conf"
#Setting Default OSSEC installation settings
echo "Adding default OSSEC configurations values:"
echo "Enter manager IP:"
read -r managerIP
if [ -z "$managerIP" ]; then
    echo "No manager IP entered, aborting."
    exit 1
fi
# preloaded-vars.conf is sourced by install.sh, so every line is a shell assignment
echo "Set language to English..."
echo 'USER_LANGUAGE="en"' > "$preload"
echo "Disabled confirmation messages..."
echo 'USER_NO_STOP="y"' >> "$preload"
echo "User deployment as an AGENT install.."
echo 'USER_INSTALL_TYPE="agent"' >> "$preload"
echo "Set the OSSEC server.."
echo "USER_AGENT_SERVER_IP=\"$managerIP\"" >> "$preload"
echo "Set default location as /var/ossec..."
echo 'USER_DIR="/var/ossec"' >> "$preload"
echo "Enabled Active Response..."
echo 'USER_ENABLE_ACTIVE_RESPONSE="y"' >> "$preload"
echo "Enabled system checks..."
echo 'USER_ENABLE_SYSCHECK="y"' >> "$preload"
echo "Enabled rootcheck..."
echo 'USER_ENABLE_ROOTCHECK="y"' >> "$preload"
echo "Disabled email notifications..."
echo 'USER_ENABLE_EMAIL="n"' >> "$preload"
echo "Enabled Firewall Response... "
echo 'USER_ENABLE_FIREWALL_RESPONSE="y"' >> "$preload"
echo "Done adding defaults..."
echo "Begin the OSSEC installation..."
cd "$downloaddir" || exit 1
if ./install.sh; then
    echo "OSSEC installed successfully, begin manual configuration..."
else
    echo "install.sh failed; check the output above before continuing."
    exit 1
fi
#Cleaning up mess
echo "Cleaning up mess.."
rm /root/Downloads/master.zip
echo "Installation is complete.."
```
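The deployment script deliberately stops before starting the agent, because the agent still needs its key from the manager. The check below is an added example, not part of the Trunc script or the OSSEC project, that verifies what the preloaded variables should have produced before you run ossec-control: it assumes USER_DIR is /var/ossec and that install.sh wrote the manager IP into <server-ip> under <client> in etc/ossec.conf (which an agent install does), and it builds a constructed sample tree so it can be run offline.

```shell
#!/bin/sh
# Added example: post-install check for an agent deployed with preloaded-vars.conf.
# Returns 0 when the agent is ready to start, 1 otherwise.
check_agent_ready() {
    ossecdir="$1"   # USER_DIR from preloaded-vars.conf, normally /var/ossec
    manager="$2"    # the IP entered at the "Enter manager IP:" prompt
    rc=0
    if [ ! -d "$ossecdir" ]; then
        echo "FAIL: $ossecdir does not exist, so install.sh did not complete"
        return 1
    fi
    # install.sh writes the manager into <server-ip> inside <client> in ossec.conf
    configured=$(sed -n 's|.*<server-ip>\([^<]*\)</server-ip>.*|\1|p' \
        "$ossecdir/etc/ossec.conf" 2>/dev/null | head -n 1)
    if [ "$configured" = "$manager" ]; then
        echo "OK: ossec.conf server-ip is $configured"
    else
        echo "FAIL: ossec.conf server-ip is '$configured', expected $manager"
        rc=1
    fi
    # An agent without a key cannot authenticate to the manager; the key is
    # generated by manage_agents on the manager and imported with manage_agents here
    if [ -s "$ossecdir/etc/client.keys" ]; then
        echo "OK: client.keys has $(wc -l < "$ossecdir/etc/client.keys" | tr -d ' ') key(s)"
    else
        echo "FAIL: client.keys is empty; import the key with $ossecdir/bin/manage_agents"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "Ready: start with $ossecdir/bin/ossec-control start"
    return "$rc"
}

# Constructed sample tree (not a real install) so the check can be exercised offline
make_sample_install() {
    mkdir -p "$1/etc" "$1/bin"
    printf '<ossec_config>\n  <client>\n    <server-ip>%s</server-ip>\n  </client>\n</ossec_config>\n' \
        "$2" > "$1/etc/ossec.conf"
    : > "$1/etc/client.keys"   # empty: key not imported yet
}

tmp=$(mktemp -d)
make_sample_install "$tmp" 192.0.2.10
check_agent_ready "$tmp" 192.0.2.10 || echo "(expected: no key imported yet)"
printf '001 web01 any PLACEHOLDER_KEY\n' > "$tmp/etc/client.keys"   # constructed key line
check_agent_ready "$tmp" 192.0.2.10
rm -rf "$tmp"
```

On a real host, call check_agent_ready /var/ossec <manager IP> after importing the key and before starting the agent.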
Direct any questions to support@noc.org.