====== OSSEC service ======
* [[https://ru.wikipedia.org/wiki/OSSEC|OSSEC — Wikipedia (ru)]]
* [[https://habr.com/ru/post/262479/|Guide: deploying the OSSEC HIDS (Habr, ru)]]
* [[http://www.ossec.net/downloads.html|OSSEC Downloads]]
===== Debian =====
In this lab the OSSEC server runs on the host ''lan'' (192.168.100+X.10) and the agent on the host ''server'' (192.168.X.10); the prompt in front of each command shows which host it is typed on.
==== Adding the repository ====
The Atomicorp installer script adds the Atomicorp apt repository and its signing key. Piping it from the network straight into bash as root is convenient, but download and read the script first before running it this way.
# wget -q -O - https://updates.atomicorp.com/installers/atomic | bash
# apt install apt-transport-https
# apt update
==== Installing and starting the server ====
lan# apt install ossec-hids-server
lan# /var/ossec/bin/agent_control -l
...
==== Configuring the server to accept an agent ====
lan# /var/ossec/bin/manage_agents
...
(A)dd an agent (A).
...
Agent information:
ID:001
Name:server
IP Address:192.168.X.10
...
(E)xtract key for an agent (E).
...
lan# /var/ossec/bin/ossec-control restart
lan# ss -panu | grep 1514   # ossec-remoted must be listening on 1514/udp for agents to connect
==== Installing, starting and connecting the agent ====
=== Windows ===
* [[https://www.ossec.net/docs/docs/manual/installation/installation-windows.html|Windows Agent Installation]]
=== Debian ===
server# apt install ossec-hids-agent
server# vim /var/ossec/etc/ossec.conf
  <client>
    <server-ip>192.168.100+X.10</server-ip>
  </client>
...
server# /var/ossec/bin/manage_agents
...
(I)mport key from the server (I).
...
server# /var/ossec/bin/ossec-control start
==== Checking the agent connection ====
lan# /var/ossec/bin/agent_control -i 001
...
==== File integrity monitoring ====
server# cat /var/ossec/etc/ossec.conf
...
  <syscheck>
    <frequency>300</frequency>
    no
    <directories>/usr/local/sbin</directories>
  </syscheck>
...
server# /var/ossec/bin/ossec-control restart
==== Viewing reports ====
* [[https://www.ossec.net/docs/docs/programs/ossec-reportd.html|ossec-reportd]]
* [[https://www.ossec.net/docs/manual/output/reports-email-output.html|Daily E-Mail Reports]]
lan# cat /var/ossec/logs/alerts/alerts.log
lan# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f level 7
lan# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication -r user srcip
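The two ossec-reportd invocations above filter alerts by minimum level and group alerts in a group by user and source IP. The script below is an added example, not part of this page or of OSSEC, that does the same two things with awk over the alerts.log record format, so the report logic can be checked offline against a small sample. The alert records in ''SAMPLE'' are constructed for this example (hostnames, IPs and timestamps are made up); the group filter is a plain substring match on the alert's group list.

```sh
#!/bin/sh
# Added example (not from the original page or from OSSEC). Record layout of
# alerts.log as written by ossec-analysisd:
#   ** Alert <epoch>.<id>: - <group1>,<group2>,...
#   <date> (<agent>) <ip>-><location>
#   Rule: <id> (level <n>) -> '<description>'
#   Src IP: <ip>          (only when the decoder extracted one)
#   User: <name>          (only when the decoder extracted one)
#   <original log line(s)>, then a blank line

# Constructed sample alerts; not taken from a real system.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
** Alert 1700000000.1001: - syslog,sshd,authentication_failed,
2023 Nov 14 22:13:20 (server) 192.168.X.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
Nov 14 22:13:19 server sshd[2201]: Failed password for root from 203.0.113.5 port 40112 ssh2

** Alert 1700000060.1002: - syslog,sshd,authentication_failures,
2023 Nov 14 22:14:20 (server) 192.168.X.10->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.5
User: root
Nov 14 22:14:19 server sshd[2201]: Failed password for root from 203.0.113.5 port 40120 ssh2

** Alert 1700000120.1003: - ossec,syscheck,
2023 Nov 14 22:15:20 (server) 192.168.X.10->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/usr/local/sbin/newtool' added to the file system.

** Alert 1700000180.1004: - syslog,sshd,authentication_success,
2023 Nov 14 22:16:20 (server) 192.168.X.10->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 198.51.100.7
User: admin
Nov 14 22:16:19 server sshd[2240]: Accepted publickey for admin from 198.51.100.7 port 50000 ssh2

EOF

# Number of alerts whose rule level is >= $2 (the "-f level N" report).
alerts_min_level() {
    awk -v min="$2" '
        /^Rule: / {
            match($0, /level [0-9]+/)
            lvl = substr($0, RSTART + 6, RLENGTH - 6) + 0
            if (lvl >= min) n++
        }
        END { print n + 0 }
    ' "$1"
}

# For alerts whose group list contains $2, print "user srcip count",
# most frequent first (the "-f group G -r user srcip" report).
group_user_srcip() {
    awk -v grp="$2" '
        function flush() { if (inalert && ip != "-") c[user " " ip]++; inalert = 0 }
        /^\*\* Alert / { flush(); inalert = (index($0, grp) > 0); user = "-"; ip = "-"; next }
        inalert && /^Src IP: / { ip = $3 }
        inalert && /^User: /   { user = $2 }
        END { flush(); for (k in c) print k, c[k] }
    ' "$1" | sort -k3,3nr -k1,1
}

echo "alerts at level >= 7: $(alerts_min_level "$SAMPLE" 7)"
echo "authentication alerts by user and source IP:"
group_user_srcip "$SAMPLE" authentication
```

Point the two functions at the real /var/ossec/logs/alerts/alerts.log on ''lan'' to compare their output with ossec-reportd's; the syscheck alert in the sample carries no Src IP and therefore does not appear in the per-IP report, which is also how ossec-reportd behaves for alerts without that field.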