This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

OSSEC agent needs to be integrated into NSM scripts #140

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 10 comments

Comments

@GoogleCodeExporter

Update nsm_sensor_ps-*

Upgrade script should:
install the new NSM scripts
kill the running ossec_agent
nsm_sensor_ps-start --only-ossec-agent

Original issue reported on code.google.com by doug.bu...@gmail.com on 2 Nov 2011 at 10:20

@GoogleCodeExporter

Added the following to nsm_sensor_ps-start:

# Bro and OSSEC agent need to exist outside of the for-loop

# process_start <program> <args> <pidfile> <logfile> <display name>
if [ -z "$SKIP_OSSEC_AGENT" ]; then
    echo_msg 0 "Starting: HIDS"
    process_start "/etc/nsm/ossec/ossec_agent.tcl" "-o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf" "$PROCESS_PID_DIR/ossec_agent.pid" "$PROCESS_LOG_DIR/ossec_agent.log" "ossec_agent (sguil)"
fi

# only start Bro when sensortab contains at least one uncommented sensor line
if [ -z "$SKIP_BRO" ] && grep -v "^#" /etc/nsm/sensortab >/dev/null ; then
    echo_msg 0 "Starting: Bro"
    /usr/local/bin/broctl start
fi

Original comment by doug.bu...@gmail.com on 24 Jan 2012 at 1:04

@GoogleCodeExporter

Added the following to nsm_sensor_ps-stop:

# Bro and OSSEC agent need to exist outside of the for-loop

# process_stop <program> <pidfile> <display name>
if [ -z "$SKIP_OSSEC_AGENT" ]; then
    echo_msg 0 "Stopping: HIDS"
    process_stop "/etc/nsm/ossec/ossec_agent.tcl" "$PROCESS_PID_DIR/ossec_agent.pid" "ossec_agent (sguil)"
fi

if [ -z "$SKIP_BRO" ] && grep -v "^#" /etc/nsm/sensortab >/dev/null ; then
    echo_msg 0 "Stopping: Bro"
    /usr/local/bin/broctl stop
fi

Original comment by doug.bu...@gmail.com on 24 Jan 2012 at 1:04

@GoogleCodeExporter

Added the following to the end of nsm_sensor_ps-status:

# Bro and OSSEC agent need to exist outside of the for-loop

# process_status <program> <pidfile> <display name>
if [ -z "$SKIP_OSSEC_AGENT" ]; then
    echo_msg 0 "Status: HIDS"
    process_status "/etc/nsm/ossec/ossec_agent.tcl" "$PROCESS_PID_DIR/ossec_agent.pid" "ossec_agent (sguil)"
fi

if [ -z "$SKIP_BRO" ] && grep -v "^#" /etc/nsm/sensortab >/dev/null ; then
    echo_msg 0 "Status: Bro"
    /usr/local/bin/broctl status
fi

Original comment by doug.bu...@gmail.com on 24 Jan 2012 at 1:05

@GoogleCodeExporter

Added the following to the end of /usr/local/sbin/nsm_sensor_ps-restart:

# Bro and OSSEC agent need to exist outside of the for-loop

# $ACTION is set earlier in the script (e.g. process_restart) and is called
# with the same arguments process_start takes
if [ -z "$SKIP_OSSEC_AGENT" ]; then
    [ "$ACTION" == "process_restart" ] && echo_msg 0 "Restarting: HIDS"
    $ACTION "/etc/nsm/ossec/ossec_agent.tcl" "-o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf" "$PROCESS_PID_DIR/ossec_agent.pid" "$PROCESS_LOG_DIR/ossec_agent.log" "ossec_agent (sguil)"
fi

if [ -z "$SKIP_BRO" ] && [ "$ACTION" == "process_restart" ] && grep -v "^#" /etc/nsm/sensortab >/dev/null ; then
    echo_msg 0 "Restarting: Bro"
    /usr/local/bin/broctl stop
    /usr/local/bin/broctl start
fi

Original comment by doug.bu...@gmail.com on 24 Jan 2012 at 1:05

@GoogleCodeExporter

Removed ossec_agent from /etc/init/securityonion.conf

Original comment by doug.bu...@gmail.com on 24 Jan 2012 at 1:06

@GoogleCodeExporter

Packaged NSM scripts:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-nsmnow-admin-scripts -v 20120124 \
    /etc/init.d/nsm* /usr/share/nsmnow/ /usr/local/sbin/nsm* /usr/local/lib/nsmnow/ \
    /etc/cron.d/sensor-* /etc/cron.d/nsm* /etc/cron.d/bro* /etc/init/securityonion.conf

Original comment by doug.bu...@gmail.com on 24 Jan 2012 at 1:06

@GoogleCodeExporter

Removed ossec_agent from /usr/local/bin/setup and packaged:
/usr/local/lib/ruby/gems/1.9.1/gems/fpm-0.3.11/bin/fpm -s dir -t deb -n securityonion-setup -v 20120124 /usr/local/bin/setup

Original comment by doug.bu...@gmail.com on 24 Jan 2012 at 1:06

@GoogleCodeExporter

Published:
http://securityonion.blogspot.com/2012/01/security-onion-20120124-now-available.html

Original comment by doug.bu...@gmail.com on 24 Jan 2012 at 1:07

  • Changed state: Verified

@GoogleCodeExporter

Added the following to security-onion-upgrade.sh:

# $CONF stores "VERSION <date>"; rewrite it as KEY=VALUE so it can be sourced
sed -i 's| |=|g' $CONF
source $CONF
if [ "$VERSION" = "20120123" ]; then
    NEW="20120124"
    echo "**********************************************"   | $LOGGER
    echo "* Upgrading from $VERSION to $NEW."               | $LOGGER
    echo "**********************************************"   | $LOGGER
    DIR="/nsm/backup/$NEW"
    mkdir -p $DIR                                           | $LOGGER
    cd $DIR

    echo "* Installing new NSM scripts"                     | $LOGGER
    FILE=securityonion-nsmnow-admin-scripts_"$NEW"_i386.deb
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i $FILE                                           | $LOGGER

    echo "* Installing new Setup script"                    | $LOGGER
    FILE=securityonion-setup_"$NEW"_i386.deb
    wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
    dpkg -i $FILE                                           | $LOGGER

    # Kill any running ossec_agent and start it under the new NSM scripts;
    # the [t] in the pattern keeps grep from matching its own command line.
    ps aux | grep "ossec_agen[t]" | awk '{print $2}' | while read PID; do kill $PID; done
    nsm_sensor_ps-start --only-ossec-agent >> $LOG
    sleep 3
    ps aux | grep "ossec_agen[t]" | awk '{print $2}' | while read PID; do kill $PID; done
    nsm_sensor_ps-start --only-ossec-agent >> $LOG

    sed -i "s|VERSION=$VERSION|VERSION=$NEW|g" $CONF        | $LOGGER
    echo "* Upgrade to $NEW complete."                      | $LOGGER
    echo
fi

Original comment by doug.bu...@gmail.com on 24 Jan 2012 at 1:07
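
The stop and upgrade snippets above end the running ossec_agent either through process_stop and its pid file or through a ps | grep | kill loop. As an added example (not Security Onion's own process_stop; stop_by_pidfile and is_running are hypothetical helper names, Linux /proc assumed), here is a pid-file stop that first checks the PID still belongs to the expected program, so a stale pid file or a reused PID cannot end an unrelated process:

```shell
# Hypothetical helpers, not Security Onion code. Linux-only (reads /proc).

# is_running <pid>: true if the PID exists and is not a zombie.
is_running() {
    [ -r "/proc/$1/stat" ] || return 1
    # field 3 of /proc/PID/stat is the state; strip the "(comm)" field first
    # because the command name may itself contain spaces.
    [ "$(sed 's/^[^)]*) //' "/proc/$1/stat" | cut -d' ' -f1)" != "Z" ]
}

# stop_by_pidfile <pidfile> <expected command substring> [timeout seconds]
# Returns 0 when the process was stopped, 1 for a stale pid file (removed),
# 2 for a missing or malformed pid file, 3 when the PID is another program.
stop_by_pidfile() {
    pidfile=$1; expect=$2; timeout=${3:-10}
    [ -r "$pidfile" ] || { echo "no pid file $pidfile" >&2; return 2; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in ''|*[!0-9]*) echo "malformed pid file $pidfile" >&2; return 2;; esac
    if ! is_running "$pid"; then
        echo "stale pid file: pid $pid is not running, removing $pidfile" >&2
        rm -f "$pidfile"; return 1
    fi
    # Only signal the PID if its command line still names the program we
    # started; after a reboot or PID reuse the number may belong to anything.
    cmdline=$(tr '\000' ' ' < "/proc/$pid/cmdline")
    case $cmdline in
        *"$expect"*) ;;
        *) echo "pid $pid is '$cmdline', not '$expect'; refusing to kill it" >&2; return 3;;
    esac
    kill -TERM "$pid"
    i=0
    while is_running "$pid"; do
        i=$((i + 1))
        if [ "$i" -ge "$timeout" ]; then
            echo "pid $pid ignored SIGTERM for ${timeout}s, sending SIGKILL" >&2
            kill -KILL "$pid"
            break
        fi
        sleep 1
    done
    rm -f "$pidfile"
    return 0
}

# Usage matching the nsm_sensor_ps-stop snippet above:
# stop_by_pidfile "$PROCESS_PID_DIR/ossec_agent.pid" ossec_agent.tcl
```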
