
OSSEC and AWS (part 1)

2020-05-21 01:22:00



Create new EC2 instance

  • Create new key pair

    • ossec.pem
    • copy the new .pem key into ~/.ssh
    • chmod 400 ~/.ssh/ossec.pem
  • Launch new EC2 instance

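AWSTemplateFormatVersion: 2010-09-09

# Single EC2 instance for the OSSEC manager plus a security group that admits
# SSH from exactly one source address. Everything else (egress, other ports)
# is left at the VPC/security-group defaults.

Parameters:
  VPC:
    Description: VPC
    Type: 'AWS::EC2::VPC::Id'
  PublicSubnetA:
    Description: Public Subnet A
    Type: 'AWS::EC2::Subnet::Id'
  InstanceKeyName:
    Description: The EC2 Key Pair to allow SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
    Default: 'ossec'
  SshSourceCidr:
    # Replaces the former in-template placeholder for the operator's address.
    # The pattern accepts only a single IPv4 host (/32), so a wide range such
    # as 0.0.0.0/0 is rejected at stack validation instead of opening port 22
    # to the internet by mistake. No default on purpose: the value must be
    # supplied explicitly.
    Description: Source IPv4 address allowed to reach port 22, as a /32 (e.g. 203.0.113.10/32)
    Type: String
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/32$'
    ConstraintDescription: must be an IPv4 address followed by /32

Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      KeyName: !Ref InstanceKeyName
      # AMI IDs are region-specific; this one only resolves in the region the
      # author used. Looks like an Amazon Linux image (yum, ec2-user) - confirm.
      ImageId: 'ami-062f7200baf2fa504'
      InstanceType: 'm5.large'
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}
      NetworkInterfaces:
        - AssociatePublicIpAddress: True
          DeviceIndex: "0"
          GroupSet:
            - !Ref InstanceSecurityGroup
          SubnetId:
            !Ref PublicSubnetA
      # First-boot script: only patches the base image. OSSEC itself is
      # installed by hand afterwards (see the shell steps below).
      UserData:
        Fn::Base64:
          !Sub |
          #!/bin/bash -x
          yum update -y

  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Instance access
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}
      # Inbound: SSH from the one address given in SshSourceCidr.
      # No SecurityGroupEgress is declared, so the group keeps the default
      # allow-all outbound rule.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SshSourceCidr
          Description: 'Home IP'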

Configure ssh and connect to EC2

vim ~/.ssh/config

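# Alias so that `ssh ossec` reaches the instance with the dedicated key.
# Replace PUBLIC_EC2_IP with the instance's public address.
Host ossec
    HostName PUBLIC_EC2_IP
    User ec2-user
    IdentityFile ~/.ssh/ossec.pem
    # Offer only the key above. Without this, every key loaded in ssh-agent is
    # tried first, which both reveals those key fingerprints to the server and
    # can exhaust the server's authentication attempt limit.
    IdentitiesOnly yes
    Port 22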

Connect to the EC2 instance:

ssh ossec

Install OSSEC manually

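#!/usr/bin/env bash
# Build and install OSSEC HIDS 3.6.0 from source as a "local" install under
# /var/ossec. Runs as ec2-user; sudo is used only for package installation
# and for install.sh. Every step is checked - a failed download or build step
# aborts instead of continuing with a half-configured tree.
set -euo pipefail

WORKSPACE=/home/ec2-user
WORKSPACE_OSSEC=${WORKSPACE}/ossec
PRELOADED_VARS=${WORKSPACE_OSSEC}/etc/preloaded-vars.conf
OSSEC_VERSION=3.6.0
PCRE2_VERSION=10.32

# Optional SHA-256 pins (hex) for the two downloaded tarballs. When a pin is
# set, the download is rejected if it does not match; when empty the check is
# skipped. Fill the values in from a trusted source before relying on this
# script - HTTPS alone does not tell you the archive is the one you reviewed.
OSSEC_SHA256=${OSSEC_SHA256:-}
PCRE2_SHA256=${PCRE2_SHA256:-}

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Download a URL to a file, optionally verifying its SHA-256.
# Arguments: $1 - URL
#            $2 - destination path
#            $3 - expected sha256 hex digest, or "" to skip verification
# Returns:   0 on success; exits the script on download or checksum failure
#######################################
fetch() {
  local url=$1 dest=$2 expected=$3
  wget -O "$dest" -- "$url" || die "download failed: $url"
  if [[ -n "$expected" ]]; then
    printf '%s  %s\n' "$expected" "$dest" | sha256sum -c - >/dev/null \
      || die "checksum mismatch for $dest"
  fi
}

#######################################
# Uncomment one setting in preloaded-vars.conf and set its value, turning
# the example line '#NAME="example"' into 'NAME="value"'.
# Arguments: $1 - variable name
#            $2 - value as it appears on the commented example line
#            $3 - value to install
# Note: $2 and $3 are spliced into a sed expression delimited by '^', so
#       neither may contain that character.
#######################################
set_preloaded_var() {
  local name=$1 example=$2 value=$3
  sed -i -e "s^#${name}=\"${example}\"^${name}=\"${value}\"^" -- "$PRELOADED_VARS"
}

printf '%s\n' 'Setup OSSEC'

printf '%s\n' 'Install tools'
sudo yum install -y zlib-devel pcre2-devel make gcc sqlite-devel openssl-devel libevent-devel

printf '%s\n' 'Download OSSEC'
fetch "https://github.com/ossec/ossec-hids/archive/${OSSEC_VERSION}.tar.gz" \
  "${WORKSPACE}/ossec.tar.gz" "$OSSEC_SHA256"

printf '%s\n' 'Extract OSSEC package'
mkdir -p -- "$WORKSPACE_OSSEC"
tar -vxzf "${WORKSPACE}/ossec.tar.gz" -C "$WORKSPACE_OSSEC" --strip-components 1

printf '%s\n' 'Configure install process'
# The answers below drive install.sh from the preloaded file; see
# etc/preloaded-vars.conf.example in the source tree for each key's meaning.
cp -f -- "${WORKSPACE_OSSEC}/etc/preloaded-vars.conf.example" "$PRELOADED_VARS"
set_preloaded_var USER_LANGUAGE en en
set_preloaded_var USER_NO_STOP y y
set_preloaded_var USER_INSTALL_TYPE local local
set_preloaded_var USER_DIR /var/ossec /var/ossec
set_preloaded_var USER_DELETE_DIR y y
set_preloaded_var USER_ENABLE_ACTIVE_RESPONSE y y
set_preloaded_var USER_ENABLE_SYSCHECK y y
set_preloaded_var USER_ENABLE_ROOTCHECK y y
set_preloaded_var USER_UPDATE y y
set_preloaded_var USER_UPDATE_RULES y y
# Email alerting and the firewall-drop response are switched off here;
# the example file has both enabled.
set_preloaded_var USER_ENABLE_EMAIL y n
set_preloaded_var USER_ENABLE_SYSLOG y y
set_preloaded_var USER_ENABLE_FIREWALL_RESPONSE y n
# Only loopback is exempt from active response; the example's private-LAN
# ranges would not apply on an EC2 host.
set_preloaded_var USER_WHITE_LIST '192.168.2.1 192.168.1.0/24' 127.0.0.1

printf '%s\n' 'Install PCRE2'
# The tarball is only unpacked; install.sh builds it itself because the
# bundled copy is selected with PCRE2_SYSTEM=no below.
fetch "https://ftp.pcre.org/pub/pcre/pcre2-${PCRE2_VERSION}.tar.gz" \
  "${WORKSPACE_OSSEC}/pcre2-${PCRE2_VERSION}.tar.gz" "$PCRE2_SHA256"
tar xzf "${WORKSPACE_OSSEC}/pcre2-${PCRE2_VERSION}.tar.gz" -C "${WORKSPACE_OSSEC}/src/external"

printf '%s\n' 'Install OSSEC'
cd "$WORKSPACE_OSSEC" || die "cannot cd to $WORKSPACE_OSSEC"
sudo PCRE2_SYSTEM=no ZLIB_SYSTEM=no ./install.sh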

To start OSSEC HIDS:

sudo /var/ossec/bin/ossec-control start

To stop OSSEC HIDS:

sudo /var/ossec/bin/ossec-control stop