├── Dockerfile
├── README.md
├── data_dirs.env
├── default_agent
├── init.sh
├── ossec-server.sh
└── ossec.conf


/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM centos:latest
 2 | MAINTAINER Support <support@atomicorp.com>
 3 | 
 4 | 
 5 | ADD default_agent /var/ossec/default_agent
 6 | # copy base config
 7 | ADD ossec.conf /var/ossec/etc/
 8 | # Initialize the data volume configuration
 9 | ADD data_dirs.env /data_dirs.env
10 | ADD init.sh /init.sh
11 | 
12 | 
13 | 
14 | #
15 | # Add the bootstrap script
16 | #
17 | ADD ossec-server.sh /ossec-server.sh
18 | 
19 | RUN \
20 | 	yum -y update && \
21 | 	yum -y install wget useradd postfix && \
22 | 	yum clean all && \
23 | 	cd /root; NON_INT=1 wget -q -O - https://updates.atomicorp.com/installers/atomic |sh && \
24 | 	yum -y install ossec-hids-server && \
25 | 	chmod 755 /ossec-server.sh && \
26 | 	chmod 755 /init.sh && \
27 |   	sync && /init.sh &&\
28 |   	sync && rm /init.sh
29 | 
30 | #
31 | # Specify the data volume 
32 | #
33 | VOLUME ["/var/ossec/data"]
34 | 
35 | # Expose ports for sharing
36 | EXPOSE 1514/udp 1515/tcp
37 | 
38 | #
39 | # Define default command.
40 | #
41 | ENTRYPOINT ["/ossec-server.sh"]
42 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | **Description**
 2 | 
 3 | OSSEC HIDS Server v2.9.4
 4 | 
 5 | Based on Centos 7, this is the official OSSEC project docker container. Note: this can be easily adapted for RHEL 7 for FIPS-140-2 compliance. 
 6 | 
 7 | By default this container will create a volume to store configuration, log and agent key data 
 8 | under /var/ossec/data.  Additionally it is configured with a local instance of postfix to 
 9 | send alert notifications.
10 | 
11 | 
12 | 
13 |   
14 | **Launch:**
15 | 
16 |         docker run -d -p 1514:1514/udp -p 1515:1515/tcp --name ossec-server <image>
17 | 
18 | 
19 | **Launch with a specified Volume:**
20 | 
21 | 
22 | 	docker volume create ossec-data
23 | 
24 | 
25 |         docker run -d -p 1514:1514/udp -p 1515:1515/tcp -v ossec-data:/var/ossec/data --name ossec-server atomicorp/ossec-docker
26 | 
27 | 
28 | **Stopping:**
29 | 
30 |        docker stop ossec-server
31 | 
32 | **Re-start:**
33 | 
34 |        docker start ossec-server
35 | 
36 | 
37 | **Attach to running:**
38 | 
39 |         docker exec -it ossec-server  bash
40 | 
41 | **About**
42 | 
43 | Atomicorp is your OSSEC expert which developed a set of tools and rules for managing and securing the OSSEC host intrusion detection system. Our Atomic Secured OSSEC secures your entire system and its applications and includes a cognitive self healing system that will automatically fix vulnerabilities and problems on the system before damage and intrusions can occur.
44 | 
45 | We provide comprehensive services and support for OSSEC… We can Plan your Enterprise Monitoring Strategy for deployment, configuration, optimization, and even training your team to work with the open source software. 
46 | Atomicorp is your comprehensive support team and we provide Threat Intelligence feeds for the OSSEC engine. For assistance with your OSSEC deployment contact us at OSSEC Help. 
47 | 
48 | 
49 | **Thanks:**
50 | 
51 |         Dan Parriott, too many things to list!
52 | 
53 |         Xetus OSS for the original OSSEC Docker project: https://github.com/xetus-oss/docker-ossec-server
54 | 
55 | 
56 | 


--------------------------------------------------------------------------------
/data_dirs.env:
--------------------------------------------------------------------------------
1 | i=0
2 | DATA_DIRS[((i++))]="etc"
3 | DATA_DIRS[((i++))]="rules"
4 | DATA_DIRS[((i++))]="logs"
5 | DATA_DIRS[((i++))]="stats"
6 | DATA_DIRS[((i++))]="queue"
7 | export DATA_DIRS
8 | 


--------------------------------------------------------------------------------
/default_agent:
--------------------------------------------------------------------------------
1 | 127.0.0.1,DEFAULT_LOCAL_AGENT
2 | 


--------------------------------------------------------------------------------
/init.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | #
 4 | # Initialize the custom data directory layout
 5 | #
 6 | source /data_dirs.env
 7 | 
 8 | cd /var/ossec
 9 | for ossecdir in "${DATA_DIRS[@]}"; do
10 |   mv ${ossecdir} ${ossecdir}-template
11 |   ln -s $(realpath --relative-to=$(dirname ${ossecdir}) data)/${ossecdir} ${ossecdir}
12 | done
13 | 


--------------------------------------------------------------------------------
/ossec-server.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | #
 4 | # OSSEC container bootstrap. See the README for information of the environment
 5 | # variables expected by this script.
 6 | #
 7 | FIRST_TIME_INSTALLATION=false
 8 | DATA_PATH=/var/ossec/data
 9 | 
10 | DATA_DIRS="etc rules logs stats queue"
11 | for ossecdir in $DATA_DIRS; do
12 | 	if [ ! -e "${DATA_PATH}/${ossecdir}" ]; then
13 |     		echo "Installing ${ossecdir}"
14 | 		mkdir -p ${DATA_PATH}/${ossecdir}
15 |     		cp -a /var/ossec/${ossecdir}-template/* ${DATA_PATH}/${ossecdir}/ 2>/dev/null
16 |     		FIRST_TIME_INSTALLATION=true
17 |   	fi
18 | done
19 | 
20 | 
21 | if [ ! -f ${DATA_PATH}/etc/sslmanager.key ]; then
22 | 	openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096
23 | 	openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/
24 | fi
25 | 
26 | #
27 | # Check for the process_list file. If this file is missing, it doesn't
28 | # count as a first time installation
29 | #
30 | touch ${DATA_PATH}/process_list
31 | chgrp ossec ${DATA_PATH}/process_list
32 | chmod g+rw ${DATA_PATH}/process_list
33 | 
34 | #
35 | # If this is a first time installation, then do the  
36 | # special configuration steps.
37 | #
38 | AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
39 | 
40 | 
41 | function ossec_shutdown(){
42 |   /var/ossec/bin/ossec-control stop;
43 |   if [ $AUTO_ENROLLMENT_ENABLED == true ]
44 |   then
45 |      kill $AUTHD_PID
46 |   fi
47 | }
48 | 
49 | # Trap exit signals and do a proper shutdown
50 | trap "ossec_shutdown; exit" SIGINT SIGTERM
51 | 
52 | #
53 | # Startup the services
54 | #
55 | chmod -R g+rw ${DATA_PATH}/logs/ ${DATA_PATH}/stats/ ${DATA_PATH}/queue/ 
56 | 
57 | if [ $AUTO_ENROLLMENT_ENABLED == true ]; then
58 |   echo "Starting ossec-authd..."
59 |   /var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 &
60 |   AUTHD_PID=$!
61 | fi
62 | sleep 15 # give ossec a reasonable amount of time to start before checking status
63 | LAST_OK_DATE=`date +%s`
64 | 
65 | # Add a dummy agent so remoted can start
66 | if [ ! -s /var/ossec/etc/client.keys ] ; then
67 | 	/var/ossec/bin/manage_agents -f /var/ossec/default_agent
68 | fi
69 | 
70 | # Start services
71 | /usr/sbin/postfix start
72 | /var/ossec/bin/ossec-control start
73 | 
74 | # Return startup events to console
75 | tail -f /var/ossec/logs/ossec.log
76 | 


--------------------------------------------------------------------------------
/ossec.conf:
--------------------------------------------------------------------------------
  1 | <ossec_config>
  2 | 
  3 |   	<global>
  4 | 		<email_notification>yes</email_notification>
  5 | 		<email_to>root@localhost</email_to>
  6 | 		<smtp_server>127.0.0.1</smtp_server>
  7 | 		<helo_server>localhost</helo_server>
  8 | 		<email_from>ossec@localhost</email_from>
  9 | 		<email_maxperhour>1</email_maxperhour>
 10 | 		<!--
 11 | 		<jsonout_output>yes</jsonout_output> 
 12 | 		-->
 13 | 	</global>
 14 | 
 15 | 
 16 | 	<rules>
 17 | 	    <include>rules_config.xml</include>
 18 | 	    <include>pam_rules.xml</include>
 19 | 	    <include>sshd_rules.xml</include>
 20 | 	    <include>telnetd_rules.xml</include>
 21 | 	    <include>syslog_rules.xml</include>
 22 | 	    <include>arpwatch_rules.xml</include>
 23 | 	    <include>symantec-av_rules.xml</include>
 24 | 	    <include>symantec-ws_rules.xml</include>
 25 | 	    <include>pix_rules.xml</include>
 26 | 	    <include>named_rules.xml</include>
 27 | 	    <include>smbd_rules.xml</include>
 28 | 	    <include>vsftpd_rules.xml</include>
 29 | 	    <include>pure-ftpd_rules.xml</include>
 30 | 	    <include>proftpd_rules.xml</include>
 31 | 	    <include>ms_ftpd_rules.xml</include>
 32 | 	    <include>ftpd_rules.xml</include>
 33 | 	    <include>hordeimp_rules.xml</include>
 34 | 	    <include>roundcube_rules.xml</include>
 35 | 	    <include>wordpress_rules.xml</include>
 36 | 	    <include>cimserver_rules.xml</include>
 37 | 	    <include>vpopmail_rules.xml</include>
 38 | 	    <include>vmpop3d_rules.xml</include>
 39 | 	    <include>courier_rules.xml</include>
 40 | 	    <include>web_rules.xml</include>
 41 | 	    <include>web_appsec_rules.xml</include>
 42 | 	    <include>apache_rules.xml</include>
 43 | 	    <include>nginx_rules.xml</include>
 44 | 	    <include>php_rules.xml</include>
 45 | 	    <include>mysql_rules.xml</include>
 46 | 	    <include>postgresql_rules.xml</include>
 47 | 	    <include>ids_rules.xml</include>
 48 | 	    <include>squid_rules.xml</include>
 49 | 	    <include>firewall_rules.xml</include>
 50 | 	    <include>apparmor_rules.xml</include>
 51 | 	    <include>cisco-ios_rules.xml</include>
 52 | 	    <include>netscreenfw_rules.xml</include>
 53 | 	    <include>sonicwall_rules.xml</include>
 54 | 	    <include>postfix_rules.xml</include>
 55 | 	    <include>sendmail_rules.xml</include>
 56 | 	    <include>imapd_rules.xml</include>
 57 | 	    <include>mailscanner_rules.xml</include>
 58 | 	    <include>dovecot_rules.xml</include>
 59 | 	    <include>ms-exchange_rules.xml</include>
 60 | 	    <include>racoon_rules.xml</include>
 61 | 	    <include>vpn_concentrator_rules.xml</include>
 62 | 	    <include>spamd_rules.xml</include>
 63 | 	    <include>msauth_rules.xml</include>
 64 | 	    <include>mcafee_av_rules.xml</include>
 65 | 	    <include>trend-osce_rules.xml</include>
 66 | 	    <include>ms-se_rules.xml</include>
 67 | 	    <!-- <include>policy_rules.xml</include> -->
 68 | 	    <include>zeus_rules.xml</include>
 69 | 	    <include>solaris_bsm_rules.xml</include>
 70 | 	    <include>vmware_rules.xml</include>
 71 | 	    <include>ms_dhcp_rules.xml</include>
 72 | 	    <include>asterisk_rules.xml</include>
 73 | 	    <include>ossec_rules.xml</include>
 74 | 	    <include>attack_rules.xml</include>
 75 | 	    <include>openbsd_rules.xml</include>
 76 | 	    <include>clam_av_rules.xml</include>
 77 | 	    <include>dropbear_rules.xml</include>
 78 | 	    <include>sysmon_rules.xml</include>
 79 | 	    <include>opensmtpd_rules.xml</include>
 80 | 	    <include>local_rules.xml</include>
 81 | 	</rules>
 82 | 
 83 | 	  
 84 | 	<syscheck>
 85 | 		<auto_ignore>no</auto_ignore>
 86 | 		<alert_new_files>yes</alert_new_files>
 87 | 
 88 | 		<!-- Internal Directory monitoring -->
 89 | 		<directories realtime="yes" check_all="yes" report_changes="yes">/etc</directories>
 90 | 		<directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/active-response</directories>
 91 | 		<directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/etc</directories>
 92 | 		<directories realtime="yes" check_all="yes" report_changes="yes">/var/ossec/agentless</directories>
 93 | 		<directories realtime="yes" check_all="yes">/bin</directories>
 94 | 		<directories realtime="yes" check_all="yes">/lib64</directories>
 95 | 		<directories realtime="yes" check_all="yes">/sbin</directories>
 96 | 		<directories realtime="yes" check_all="yes">/usr/bin</directories>
 97 | 		<ignore>/etc/mtab</ignore>
 98 | 		<ignore>/var/tmp</ignore>
 99 | 		<ignore>/var/ossec/queue</ignore>
100 | 		<ignore>/var/ossec/logs</ignore>
101 | 		<ignore>/var/ossec/stats</ignore>
102 | 		<ignore>/var/ossec/var</ignore>
103 | 		<ignore>/var/ossec/etc/rules.d</ignore>
104 | 		<ignore>/etc/mnttab</ignore>
105 | 		<ignore>/etc/grsec/learning.logs</ignore>
106 | 		<ignore>/etc/hosts.deny</ignore>
107 | 		<ignore>/etc/mail/statistics</ignore>
108 | 		<ignore>/etc/random-seed</ignore>
109 | 		<ignore>/etc/adjtime</ignore>
110 | 		<ignore>/etc/httpd/logs</ignore>
111 | 		<ignore>/etc/utmpx</ignore>
112 | 		<ignore>/etc/wtmpx</ignore>
113 | 		<ignore>/etc/cups/certs</ignore>
114 | 		<ignore>/etc/httpd/modsecurity.d/</ignore>
115 | 		<ignore>/etc/httpd/logs/</ignore>
116 | 		<ignore>/etc/httpd/domlogs/</ignore>
117 | 		<ignore>/etc/vfilters/</ignore>
118 | 		<ignore>/var/ossec/bin/.process_list</ignore>
119 | 		<ignore>/etc/prelink.cache</ignore>
120 | 		<ignore>/etc/prelink.cache</ignore>
121 | 		<ignore>/var/ossec/active-response/ossec-hids-responses.log</ignore>
122 | 		<frequency>86400</frequency>
123 | 	</syscheck>
124 | 
125 | 
126 |   	<rootcheck>
127 |     		<frequency>86400</frequency>
128 |     		<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
129 |     		<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
130 |     		<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
131 |     		<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
132 |     		<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
133 |  		<skip_nfs>yes</skip_nfs>
134 |   	</rootcheck>
135 | 
136 |   	<remote>
137 |     		<connection>secure</connection>
138 |     		<port>1514</port>
139 |     		<protocol>udp</protocol>
140 |   	</remote> 
141 | 
142 |   	<alerts>
143 |     		<log_alert_level>3</log_alert_level>
144 |     		<email_alert_level>7</email_alert_level>
145 |    	</alerts>
146 | 
147 | 	<global>
148 |     		<white_list>127.0.0.1</white_list>
149 |     		<white_list>^localhost.localdomain$</white_list>
150 | 	</global>
151 | 
152 |   
153 | 
154 | <!-- Active Response Config -->
155 |   <command>
156 | 	<name>disable-account</name>
157 | 	<executable>disable-account.sh</executable>
158 | 	<expect>user</expect>
159 | 	<timeout_allowed>yes</timeout_allowed>
160 |   </command>
161 | 
162 |   <command>
163 |     <name>restart-ossec</name>
164 |     <executable>restart-ossec.sh</executable>
165 |     <expect></expect>
166 |   </command>
167 | 
168 |   <command>
169 |     <name>firewall-drop</name>
170 |     <executable>firewall-drop.sh</executable>
171 |     <expect>srcip</expect>
172 |     <timeout_allowed>yes</timeout_allowed>
173 |   </command>
174 |   <command>
175 |     <name>host-deny</name>
176 |     <executable>host-deny.sh</executable>
177 |     <expect>srcip</expect>
178 |     <timeout_allowed>yes</timeout_allowed>
179 |   </command>
180 | 
181 |   <command>
182 |     <name>route-null</name>
183 |     <executable>route-null.sh</executable>
184 |     <expect>srcip</expect>
185 |     <timeout_allowed>yes</timeout_allowed>
186 |   </command>
187 | 
188 |   <command>
189 |     <name>win_route-null</name>
190 |     <executable>route-null.cmd</executable>
191 |     <expect>srcip</expect>
192 |     <timeout_allowed>yes</timeout_allowed>
193 |   </command>
194 | 
195 | 
196 | 
197 | </ossec_config>
198 | 


--------------------------------------------------------------------------------