The OSSEC service

Debian

Adding the repository

The Atomicorp installer script is fetched over HTTPS and piped straight into a root shell. Before running it this way, download it first, read it, and confirm that the repository it configures is the one you expect.

# wget -q -O - https://updates.atomicorp.com/installers/atomic | bash

# apt install apt-transport-https

# apt update

Installing and starting the server (manager)

lan# apt install ossec-hids-server

# list registered agents (empty right after installation)
lan# /var/ossec/bin/agent_control -l
...

Registering the agent on the server

On this page the OSSEC manager runs on the host `lan` and the agent on the host named `server`. The agent is registered on the manager under ID 001 with the name `server`; the key extracted here is pasted into the agent in the next step.

lan# /var/ossec/bin/manage_agents
...
   (A)dd an agent (A).
...
Agent information:
   ID:001
   Name:server
   IP Address:192.168.X.10
...
   (E)xtract key for an agent (E).
...

# restart the manager so it loads the new client key
lan# /var/ossec/bin/ossec-control restart

# the manager (ossec-remoted) should now be listening on UDP port 1514
lan# ss -panu | grep 1514

Installing, starting and connecting the agent

Windows

Debian

server# apt install ossec-hids-agent

# point the agent at the manager
server# vim /var/ossec/etc/ossec.conf
<ossec_config>
  <client>
    <server-ip>192.168.100+X.10</server-ip>
...
# paste the key extracted on the manager
server# /var/ossec/bin/manage_agents
...
   (I)mport key from the server (I).
...

server# /var/ossec/bin/ossec-control start

Checking the agent connection

On the manager, the agent should be reported as Active:

lan# /var/ossec/bin/agent_control -i 001
...

File integrity monitoring

The syscheck block is configured on the agent host (`server` here); the manager only receives and correlates the results. The frequency below (300 s) is set low for the lab; the default is every 2 hours (7200 s).

server# cat /var/ossec/etc/ossec.conf
...
  <syscheck>
    <!-- Frequency that syscheck is executed (default every 2 hours) -->
    <frequency>300</frequency>
    <auto_ignore>no</auto_ignore> <!-- may not be needed -->
    <directories check_all="yes">/usr/local/sbin</directories>
...
server# /var/ossec/bin/ossec-control restart
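A fuller syscheck block, added here as an example rather than taken from the original page. It extends the fragment above with real-time monitoring, new-file alerts and ignores for files that change constantly; the directory lists and the `/etc/mtab` ignore are assumptions for illustration, not values from the page.

```xml
<ossec_config>
  <syscheck>
    <!-- periodic full scan every 300 s; realtime below catches changes in between -->
    <frequency>300</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- report files that appear in monitored directories (see note on rule 554 below) -->
    <alert_new_files>yes</alert_new_files>

    <!-- check_all = size, permissions, owner, group, md5 and sha1;
         realtime needs an OSSEC build with inotify support on Linux;
         report_changes keeps a copy of text files so the alert carries a diff -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/usr/local/sbin</directories>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>

    <!-- files that legitimately change all the time would otherwise drown the alert log -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore type="sregex">^/etc/resolv.conf</ignore>
  </syscheck>
</ossec_config>
```

Two caveats worth checking in practice: `alert_new_files` only produces visible alerts if rule 554 ("File added to the system."), which is level 0 in the stock ruleset, is raised with an `overwrite="yes"` rule in `/var/ossec/rules/local_rules.xml` on the manager; and `report_changes` stores copies of the monitored text files under `/var/ossec/queue/diff`, so do not enable it on directories holding secrets.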

Viewing reports

Alerts from all agents are collected on the manager:

lan# cat /var/ossec/logs/alerts/alerts.log

# summary of alerts with rule level 7 and above
lan# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f level 7

# alerts from the authentication group, related by user and source IP
lan# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication -r user srcip
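The same kind of filtering that `ossec-reportd -f level N` and `-f group NAME` perform, done with awk over a copy of alerts.log so it can be run anywhere the raw log has been shipped. This is an added example, not code from the page or from the OSSEC project; the three alerts in `sample_alerts` are constructed in the style of the stock ruleset (rules 5716, 550 and 5712) and the IP 10.0.0.5 and file name are made up.

```shell
#!/bin/sh
# Added example: query an OSSEC alerts.log without the OSSEC tools.
# alerts.log records are separated by blank lines; the first line carries the
# groups ("** Alert <ts>: - group1,group2,") and the "Rule:" line the level.

# Constructed sample log, not real data.
sample_alerts() {
cat <<'EOF'
** Alert 1700000000.100: - syslog,sshd,authentication_failed,
2023 Nov 14 22:13:20 (server) 192.168.X.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Nov 14 22:13:20 server sshd[1234]: Failed password for root from 10.0.0.5 port 4444 ssh2

** Alert 1700000060.200: - syscheck,
2023 Nov 14 22:14:20 (server) 192.168.X.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/usr/local/sbin/backup.sh'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '9e107d9d372bb6826bd81d3542a419d6'

** Alert 1700000120.300: - syslog,sshd,authentication_failures,
2023 Nov 14 22:15:20 (server) 192.168.X.10->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 10.0.0.5
User: root
Nov 14 22:15:20 server sshd[1240]: Failed password for root from 10.0.0.5 port 4450 ssh2
EOF
}

# Keep only alerts whose rule level is >= $1 (equivalent of -f level N).
filter_by_level() {
    awk -v min="$1" '
        BEGIN { RS = ""; ORS = "\n\n" }          # paragraph mode: one alert per record
        {
            if (match($0, /\(level [0-9]+\)/)) {
                lvl = substr($0, RSTART + 7, RLENGTH - 8) + 0   # digits inside "(level N)"
                if (lvl >= min) print
            }
        }'
}

# Keep only alerts whose group list on the first line contains $1
# (equivalent of -f group NAME; substring match, so "authentication"
# also matches authentication_failed and authentication_failures).
filter_by_group() {
    awk -v grp="$1" '
        BEGIN { RS = ""; ORS = "\n\n" }
        /^\*\* Alert/ {
            split($0, lines, "\n")
            if (index(lines[1], grp)) print
        }'
}

# Number of alert records on stdin.
count_alerts() {
    awk 'BEGIN { n = 0 } /^\*\* Alert/ { n++ } END { print n }'
}

# "count ip" per Src IP, most frequent first (rough equivalent of -r srcip).
srcip_summary() {
    awk -F': ' '/^Src IP:/ { c[$2]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Stand-alone usage: brute-force sources seen at level 7 and above.
sample_alerts | filter_by_level 7 | filter_by_group authentication | srcip_summary
```

Run against the real log with `filter_by_level 7 < /var/ossec/logs/alerts/alerts.log`; because the filters are plain stdin/stdout stages they chain in any order, which is the quickest way to answer "which source IP generated the high-level authentication alerts" before opening ossec-reportd.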