This shows you the differences between two versions of the page.
сервис_ossec [2019/03/15 16:07] val
сервис_ossec [2025/10/16 15:37] (current) val [Installation, startup and connection of the agent]
| Line 2: | Line 2: | ||
| * [[https://ru.wikipedia.org/wiki/OSSEC|OSSEC — Википедия]] | * [[https://ru.wikipedia.org/wiki/OSSEC|OSSEC — Википедия]] | ||
| - | + | * [[https://habr.com/ru/post/262479/|Инструкция: внедряем HIDS OSSEC]] | |
| - | * [[http://forum.lissyara.su/viewtopic.php?t=9588|www.lissyara.su - статья об OSSEC]] | + | |
| - | * [[http://ossec-docs.readthedocs.io/en/latest/manual/agent/agent-management.html|Managing Agents]] | + | |
| - | * [[http://ossec-docs.readthedocs.io/en/latest/faq/syscheck.html|Syscheck: FAQ - How to force an immediate syscheck scan?]] | + | |
| * [[http://www.ossec.net/downloads.html|OSSEC Downloads]] | * [[http://www.ossec.net/downloads.html|OSSEC Downloads]] | ||
| ===== Debian ===== | ===== Debian ===== | ||
| - | ==== Подключение ===== | + | ==== Подключение репозитория ===== |
| <code> | <code> | ||
| # wget -q -O - https://updates.atomicorp.com/installers/atomic | bash | # wget -q -O - https://updates.atomicorp.com/installers/atomic | bash | ||
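Review bot: the repository bootstrap line `# wget -q -O - https://updates.atomicorp.com/installers/atomic | bash`, carried unchanged into the revision under the renamed heading, pipes a remote script directly into a root shell, so the trust placed in every package installed afterwards rests on whatever that URL serves at the moment the command is run. Suggest the page state that the installer is first saved to a file and read (and verified against a checksum or signature where the vendor provides one) before execution, and that the apt source entry and signing key it leaves behind are listed so a reader can check them.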
| Line 21: | Line 17: | ||
| ==== Установка и запуск сервера ==== | ==== Установка и запуск сервера ==== | ||
| <code> | <code> | ||
| - | # apt install ossec-hids-server | + | lan# apt install ossec-hids-server |
| - | # /var/ossec/bin/ossec-control start | + | lan# cat /var/ossec/etc/ossec.conf |
| - | возможно, лучше | + | </code><code> |
| - | # systemctl status ossec.service | + | ... |
| + | <email_notification>yes</email_notification> | ||
| + | <email_to>root@corpX.un</email_to> | ||
| + | <smtp_server>server.corpX.un</smtp_server> | ||
| + | <email_from>ossecm@corpX.un</email_from> | ||
| + | </global> | ||
| + | ... | ||
| + | </code> | ||
| - | # ss -panu | grep 1514 | + | ==== Настройка сервера для подключения агента ==== |
| + | <code> | ||
| + | lan# /var/ossec/bin/manage_agents | ||
| + | ... | ||
| + | (A)dd an agent (A). | ||
| + | ... | ||
| + | Agent information: | ||
| + | ID:001 | ||
| + | Name:server | ||
| + | IP Address:192.168.X.10 | ||
| + | ... | ||
| + | (E)xtract key for an agent (E). | ||
| + | ... | ||
| + | |||
| + | lan# /var/ossec/bin/ossec-control restart | ||
| + | |||
| + | lan# ss -panu | grep 1514 | ||
| </code> | </code> | ||
| - | ==== Установка и запуск агента ==== | + | ==== Установка, запуск и подключение агента ==== |
| + | |||
| + | === Windows === | ||
| + | |||
| + | * [[https://www.ossec.net/docs/docs/manual/installation/installation-windows.html|Windows Agent Installation]] | ||
| - | Похоже, нельзя ставить вместе с сервером. | + | === Debian === |
| <code> | <code> | ||
| - | # apt install ossec-hids-agent | + | server# apt install ossec-hids-agent |
| - | # vim /var/ossec/etc/ossec.conf | + | server# vim /var/ossec/etc/ossec.conf |
| + | </code><code> | ||
| <ossec_config> | <ossec_config> | ||
| <client> | <client> | ||
| - | <server-ip>192.168.155.10</server-ip> | + | <server-ip>192.168.100+X.10</server-ip> |
| ... | ... | ||
| + | </code><code> | ||
| + | server# /var/ossec/bin/manage_agents | ||
| + | ... | ||
| + | (I)mport key from the server (I). | ||
| + | ... | ||
| + | |||
| + | server# /var/ossec/bin/ossec-control start | ||
| + | |||
| + | server# tail -f /var/ossec/logs/ossec.log | ||
| </code> | </code> | ||
| - | ==== Подключение агента ==== | + | ==== Проверка подключения агента ==== |
| - | С двух сторон запускаем: | + | |
| <code> | <code> | ||
| - | # /var/ossec/bin/manage_agents | + | lan# /var/ossec/bin/agent_control -i 001 |
| + | ... | ||
| </code> | </code> | ||
| + | ==== Контроль целостности файлов ==== | ||
| + | <code> | ||
| + | server# cat /var/ossec/etc/ossec.conf | ||
| + | </code><code> | ||
| + | ... | ||
| + | <syscheck> | ||
| + | <!-- Frequency that syscheck is executed (default every 2 hours) --> | ||
| + | <frequency>300</frequency> | ||
| + | <auto_ignore>no</auto_ignore> <!-- may not be needed --> | ||
| + | <directories check_all="yes">/usr/local/sbin</directories> | ||
| + | ... | ||
| + | </code><code> | ||
| + | server# /var/ossec/bin/ossec-control restart | ||
| + | </code> | ||
| + | |||
| ==== Просмотр отчетов ==== | ==== Просмотр отчетов ==== | ||
| - | https://ossec-docs.readthedocs.io/en/latest/programs/ossec-reportd.html | + | * [[https://www.ossec.net/docs/docs/programs/ossec-reportd.html|ossec-reportd]] |
| + | * [[https://www.ossec.net/docs/manual/output/reports-email-output.html|Daily E-Mail Reports]] | ||
| <code> | <code> | ||
| - | # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f level 1 | + | lan# cat /var/ossec/logs/alerts/alerts.log |
| + | |||
| + | lan# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f level 7 | ||
| + | |||
| + | lan# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication -r user srcip | ||
| </code> | </code> | ||
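Review bot: the hand-off between the server-side step `(E)xtract key for an agent (E).` and the agent-side step `(I)mport key from the server (I).` is undocumented: the extracted key is the shared secret that authenticates agent `001`, yet the hunk never says how it travels from `lan` to `server`. Suggest a line stating that it is copied over an administrative channel such as ssh, pasted at the `manage_agents` prompt rather than passed on a command line, and not left in a world-readable file or shell history. Separately, the old revision's remark "Похоже, нельзя ставить вместе с сервером" (it seems the agent cannot be installed alongside the server) is deleted without a replacement; if it was wrong, the new text should say so, otherwise it is documentation the reader of the `server#` section still needs.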