Deploying ossec on 1000+ Servers

by J. Edward Durrett

ossec / hids

Deploying ossec, a host based intrusion detection system, is a multi
step process. Since it is a client/server application, the ossec manager
needs to be able to communicate with the client. Keys are used for
authentication. A key for each host is generated on the manager server
and then that key needs to be imported into the client. That process
takes a few minutes and needs to be repeated on each client. Doing that
manually on each client in a large data center is not a very efficient
use of time. Even in a smaller shop of only a couple of dozen
clients, manual deployment is far too time consuming.

This script, which I developed on FreeBSD, automates the process:

#!/bin/sh
# Run from the ossec install directory so that bin/manage_agents resolves.
cd /usr/local/ossec-hids || exit 1
file=${1:?usage: $0 file_with_ips}

# Strip leading zeros so that sh arithmetic does not read "010" as octal
# (or reject "008" and "009" outright).
strip_zeros() {
    zeros=${1%%[!0]*}
    num=${1#"$zeros"}
    echo "${num:-0}"
}

# Highest agent ID known to the manager; manage_agents -l prints lines of the
# form "ID: 001, Name: ..., IP: ...".
highest_id() {
    bin/manage_agents -l | awk '/ID: / { sub(",", "", $2); print $2 }' | sort -n | tail -n 1
}

last_id=$(strip_zeros "$(highest_id)")
echo "The last id is:" $last_id
bin/manage_agents -f "$file"
/usr/local/etc/rc.d/ossec-hids restart
last_added_id=$(strip_zeros "$(highest_id)")
echo "The last added id is:" $last_added_id
agents_added=$((last_added_id - last_id))
echo "The number of agents added is:" $agents_added
agent=$((last_id + 1))
while [ "$agent" -le "$last_added_id" ]
do
    # Zero-pad the ID back to the form manage_agents expects (001, 002, ...).
    padded=$(printf '%03d' "$agent")
    # The key is the one line of the -e output that carries no colon.
    agent_key=$(bin/manage_agents -e "$padded" | awk 'NF && !/:/ { key=$1 } END { print key }')
    # Match the exact ID field; a bare grep for "5" would also hit 015, 050 and IPs containing 5.
    agent_ip=$(bin/manage_agents -l | grep "ID: $padded," | awk '{print $6}')
    echo "Attempting SSH connection to $agent_ip ...."
    # manage_agents -i asks for confirmation, so feed it a "y".
    printf 'y\n' | ssh "$agent_ip" "/usr/local/ossec-hids/bin/manage_agents -i $agent_key"
    ssh "$agent_ip" '/usr/local/etc/rc.d/ossec-hids restart'
    agent=$((agent + 1))
done

Interestingly, sh arithmetic reads a number with a leading zero, such as
the agent IDs 001, 002 and so on, as octal: 010 evaluates to 8 and 008 is
rejected as invalid[1]. Stripping the leading zeros before doing any
arithmetic fixes that problem:

y=${y#"${y%%[!0]*}"}

With either of these scripts, it is possible to deploy ossec on
thousands of machines at a time. There are some assumptions, namely that
ossec is already installed and ssh is properly set up to allow for
central administration.

To use the scripts, first create a comma separated file with the IPs and
names of all the servers ossec is going to be run on, one server per
line, IP first and then the name. Then run the script as such:

./script file_with_ips

There is a method for running the ssh commands simultaneously on all
hosts, which greatly speeds up the process. The biggest bottleneck is
the key generation on the master server.
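As an added example (not part of the original post and not ossec's own code), the following POSIX sh functions put the two points above together: leading-zero-safe handling of agent IDs, and running the per-host step for several hosts at once. Instead of calling the real binary it parses SAMPLE_LIST, a constructed string laid out like the "ID: 001, Name: ..., IP: ..." lines that manage_agents -l prints (that format is an assumption of the example). run_parallel takes the per-host command as its arguments, so the echo at the bottom stands in for the ssh step; it batches background jobs and waits, which is one way of doing the simultaneous run the post mentions, not necessarily the author's.

```shell
#!/bin/sh
# Added example: leading-zero-safe agent ID handling plus batched parallel
# execution. SAMPLE_LIST is constructed to look like `manage_agents -l`
# output; it is not data from a real manager.
SAMPLE_LIST='Available agents:
   ID: 007, Name: web07, IP: 10.0.0.7
   ID: 008, Name: web08, IP: 10.0.0.8
   ID: 010, Name: db10, IP: 10.0.0.10
   ID: 100, Name: db100, IP: 10.0.0.100'

# Remove leading zeros so $(( )) does not read "010" as octal or reject "008".
# "000" and the empty string both become 0.
strip_zeros() {
    zeros=${1%%[!0]*}
    num=${1#"$zeros"}
    printf '%s\n' "${num:-0}"
}

# Zero-pad back to the three-digit form manage_agents uses. Stripping first
# matters: printf '%03d' 010 on its own would print 008.
pad_id() {
    printf '%03d\n' "$(strip_zeros "$1")"
}

# Highest agent ID in a listing read on stdin, as a plain decimal number.
highest_id() {
    awk '/ID: / { sub(",", "", $2); print $2 }' |
    while read -r id; do strip_zeros "$id"; done |
    sort -n | tail -n 1
}

# IP of exactly one agent ID. Matching "ID: 008," cannot also hit 018, 080
# or an address such as 10.0.0.8, which a bare grep for "8" would.
ip_for_id() {
    awk -v want="ID: $(pad_id "$1")," 'index($0, want) { print $6 }'
}

# Emit "ID IP" for every agent whose ID lies in (old_highest, new_highest].
new_agents() {
    listing=$(cat)
    i=$(( $(strip_zeros "$1") + 1 ))
    last=$(strip_zeros "$2")
    while [ "$i" -le "$last" ]; do
        id=$(pad_id "$i")
        ip=$(printf '%s\n' "$listing" | ip_for_id "$id")
        if [ -n "$ip" ]; then printf '%s %s\n' "$id" "$ip"; fi
        i=$((i + 1))
    done
}

# Run "command ID IP" for each input line, at most $1 jobs at a time, by
# backgrounding a batch and waiting for it before starting the next one.
# stdin is redirected from /dev/null so that a command such as ssh does not
# swallow the rest of the host list.
run_parallel() {
    n=$1; shift
    running=0
    while read -r id ip; do
        "$@" "$id" "$ip" < /dev/null &
        running=$((running + 1))
        if [ "$running" -ge "$n" ]; then wait; running=0; fi
    done
    wait
}

# Demonstration on the constructed listing: assume 007 was the highest ID
# before the bulk import and run a harmless echo in place of the ssh step.
printf '%s\n' "$SAMPLE_LIST" | new_agents 007 "$(printf '%s\n' "$SAMPLE_LIST" | highest_id)" |
    run_parallel 4 echo "would deploy to"
```

In the real deployment the echo would be replaced by a small function that runs the two ssh commands for one ID and IP, and the listing would come from bin/manage_agents -l instead of SAMPLE_LIST; the key extraction on the manager stays serial either way, which is why it remains the bottleneck.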

[1] https://lists.freebsd.org/pipermail/freebsd-stable/2012-September/069630.html

Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.