├── Dockerfile
├── README.md
├── data_dirs.env
├── default_agent
├── init.bash
└── run.bash

/Dockerfile:
--------------------------------------------------------------------------------
FROM phusion/baseimage:0.9.18
MAINTAINER Terence Kent

#
# Follow the server installation parameters specified on the OSSEC website for
# ubuntu installations (the ossec-hids package is pinned to one version)
#
RUN curl https://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key -o ossec-key.gpg.key &&\
    apt-key add ossec-key.gpg.key && rm -v ossec-key.gpg.key &&\
    echo "deb http://ossec.wazuh.com/repos/apt/ubuntu trusty main" >> /etc/apt/sources.list &&\
    apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -yf install expect \
    ossec-hids=2.8.3-4trusty

#
# Add a default agent due to this bug
# https://groups.google.com/forum/#!topic/ossec-list/qeC_h3EZCxQ
#
# manage_agents runs chrooted in /var/ossec, so the bulk file is passed as
# /default_agent. The log written while adding the agent is truncated afterwards.
#
ADD default_agent /var/ossec/default_agent
RUN service ossec restart &&\
    /var/ossec/bin/manage_agents -f /default_agent &&\
    rm /var/ossec/default_agent &&\
    service ossec stop &&\
    echo -n "" > /var/ossec/logs/ossec.log

#
# Initialize the data volume configuration
#
ADD data_dirs.env /data_dirs.env
ADD init.bash /init.bash
# Sync calls are due to https://github.com/docker/docker/issues/9547
RUN chmod 755 /init.bash &&\
    sync && /init.bash &&\
    sync && rm /init.bash

#
# Add the bootstrap script
#
ADD run.bash /run.bash
RUN chmod 755 /run.bash

#
# Specify the data volume
#
VOLUME ["/var/ossec/data"]

# Expose ports for sharing
EXPOSE 1514/udp 1515/tcp

#
# Define default command.
#
ENTRYPOINT ["/run.bash"]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ossec-server

An ossec-server image with the ability to separate the ossec configuration/data from the container, which makes replacing the container easy. This image is designed to be as turn key as possible, supporting out of the box:

1. Automatic enrollment for agents, using ossec-authd
2. Remote syslog forwarding for the ossec server messages
3. SMTP notifications _(requires no-auth SMTP server)_

The following directories are externalized under `/var/ossec/data`, which allows the container to be replaced without configuration or data loss: `logs`, `etc`, `stats`, `rules`, and `queue`. In addition to those directories, the `bin/.process_list` file is symlinked to `process_list` in the data volume.

## Quick Start

To get an up and running ossec server that supports auto-enrollment and sends HIDS notifications to a syslog server, use:

```
docker run --name ossec-server -d -p 1514:1514/udp -p 1515:1515\
  -e SYSLOG_FORWADING_ENABLED=true -e SYSLOG_FORWARDING_SERVER_IP=X.X.X.X\
  -v /somepath/ossec_mnt:/var/ossec/data xetusoss/ossec-server
```

Once the system starts up, you can execute the standard ossec commands using docker. For example, to list active agents:

```
docker exec -ti ossec-server /var/ossec/bin/list_agents -a
```

## Available Configuration Parameters

* __AUTO_ENROLLMENT_ENABLED__: Specifies whether or not to enable auto-enrollment via ossec-authd. Defaults to `true`.
* __AUTHD_OPTIONS__: Options to pass to ossec-authd, other than -p and -g. Defaults to empty.
* __SMTP_ENABLED__: Whether or not to enable SMTP notifications. Defaults to `true` if ALERTS_TO_EMAIL is specified, otherwise `false`.
* __SMTP_RELAY_HOST__: The relay host for SMTP messages, required for SMTP notifications. This host must support non-authenticated SMTP ([see this thread](https://ossec.uservoice.com/forums/18254-general/suggestions/803659-allow-full-confirguration-of-smtp-service-in-ossec)). No default.
* __ALERTS_FROM_EMAIL__: The email address the alerts should come from. Defaults to `ossec@$HOSTNAME`.
* __ALERTS_TO_EMAIL__: The destination email address for SMTP notifications, required for SMTP notifications. No default.
* __SYSLOG_FORWADING_ENABLED__: Specifies whether syslog forwarding is enabled or not. Defaults to `false`.
* __SYSLOG_FORWARDING_SERVER_IP__: The IP of the syslog server to send messages to, required for syslog forwarding. No default.
* __SYSLOG_FORWARDING_SERVER_PORT__: The destination port for syslog messages. Default is `514`.
* __SYSLOG_FORWARDING_FORMAT__: The syslog message format to use. Default is `default`.

**Please note**: All the SMTP and SYSLOG configuration variables are only applicable to the first time setup. Once the container's data volume has been initialized, all the configuration options for OSSEC can be changed.

## Known Issues / Warnings

#### ossec-execd is not enabled

Since this is a docker container, ossec-execd really isn't a great idea anyway. Having a log server, such as graylog, react based on log entries is the recommended approach.

#### A default localhost agent is added

On first launch, the ossec server will not start up properly and bind to port 1514 unless at least one agent is present in the client.keys file. To avoid that issue, a local agent is set up by default. See [this bug](https://groups.google.com/forum/#!topic/ossec-list/qeC_h3EZCxQ) with OSSEC.

#### Running on OS X using Docker For Mac

The [osxfs integration](https://docs.docker.com/docker-for-mac/osxfs/) used for volume binding on Mac OS X causes an issue resolving symlinks in the container. To work around this issue, just don't bind `/var/ossec/data` to a host directory. Instead, use a regular docker volume and execute a shell in the container to inspect the data. All the typical docker volume management tricks apply, of course.

```
# To start the container on OS X
docker run --name ossec-server -d -p 1514:1514/udp -p 1515:1515\
  -e SYSLOG_FORWADING_ENABLED=true -e SYSLOG_FORWARDING_SERVER_IP=X.X.X.X\
  -v /var/ossec/data xetusoss/ossec-server
```

## Issues / Pull Requests

Since this image has become the de-facto standard for OSSEC on docker hub, I wanted to be very clear that we intend to maintain this image with the interest of the community in mind. If you have issues, please file them. If you have made changes you'd like to see included, pull requests are welcome!
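The syslog forwarding parameters above are written into `ossec.conf` only during first-time setup, so any later re-run of that step has to avoid leaving a second `<syslog_output>` block behind. The following is an added example, not part of this project's scripts, that does the insertion idempotently; the `<syslog_output>` element layout is OSSEC's client-syslog configuration, the config path in the usage comment is the image's, and the server address is a placeholder.

```shell
#!/bin/sh
# Add OSSEC's client-syslog <syslog_output> block to an ossec.conf exactly
# once. It refuses to edit a config that already has a block, so re-running
# a setup step cannot end up with two forwarding targets.
syslog_block() {
  # $1 = syslog server, $2 = port, $3 = format (e.g. OSSEC's "default")
  printf '  <syslog_output>\n    <server>%s</server>\n    <port>%s</port>\n    <format>%s</format>\n  </syslog_output>\n' \
    "$1" "$2" "$3"
}

add_syslog_output() {
  # $1 = path to ossec.conf, $2 = server, $3 = port, $4 = format
  conf="$1"
  if grep -q '<syslog_output>' "$conf"; then
    echo "syslog_output already configured in $conf, not adding another" >&2
    return 1
  fi
  if ! grep -q '</ossec_config>' "$conf"; then
    echo "no </ossec_config> in $conf, refusing to edit" >&2
    return 1
  fi
  inserted=0
  # Copy line by line, emitting the block just before the first closing tag.
  # The "|| [ -n "$line" ]" keeps a final line that has no trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *'</ossec_config>'*)
        if [ "$inserted" -eq 0 ]; then
          syslog_block "$2" "$3" "$4"
          inserted=1
        fi ;;
    esac
    printf '%s\n' "$line"
  done < "$conf" > "$conf.new" || return 1
  mv -f "$conf.new" "$conf"
}

# Usage (192.0.2.10 is a placeholder address):
#   add_syslog_output /var/ossec/etc/ossec.conf 192.0.2.10 514 default
```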
--------------------------------------------------------------------------------
/data_dirs.env:
--------------------------------------------------------------------------------
# Directories moved into the data volume; sourced by init.bash and run.bash
i=0
DATA_DIRS[((i++))]="etc"
DATA_DIRS[((i++))]="rules"
DATA_DIRS[((i++))]="logs"
DATA_DIRS[((i++))]="stats"
DATA_DIRS[((i++))]="queue"
export DATA_DIRS
--------------------------------------------------------------------------------
/default_agent:
--------------------------------------------------------------------------------
127.0.0.1,DEFAULT_LOCAL_AGENT
--------------------------------------------------------------------------------
/init.bash:
--------------------------------------------------------------------------------
#!/bin/bash

#
# Initialize the custom data directory layout: each data directory is kept as
# a *-template copy and replaced by a symlink into the data volume.
#
source /data_dirs.env

cd /var/ossec
for ossecdir in "${DATA_DIRS[@]}"; do
  mv "${ossecdir}" "${ossecdir}-template"
  ln -s "data/${ossecdir}" "${ossecdir}"
done

cd bin && ln -s ../data/process_list .process_list && cd ..
--------------------------------------------------------------------------------
/run.bash:
--------------------------------------------------------------------------------
#!/bin/bash

#
# OSSEC container bootstrap. See the README for information on the environment
# variables expected by this script.
#
source /data_dirs.env
FIRST_TIME_INSTALLATION=false
DATA_PATH=/var/ossec/data

for ossecdir in "${DATA_DIRS[@]}"; do
  if [ ! -e "${DATA_PATH}/${ossecdir}" ]
  then
    echo "Installing ${ossecdir}"
    cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}
    FIRST_TIME_INSTALLATION=true
  fi
done

#
# Check for the process_list file. If this file is missing, it doesn't
# count as a first time installation
#
touch ${DATA_PATH}/process_list
chgrp ossec ${DATA_PATH}/process_list
chmod g+rw ${DATA_PATH}/process_list

#
# If this is a first time installation, then do the
# special configuration steps.
#
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}

#
# Support SMTP, if configured
#
SMTP_ENABLED_DEFAULT=false
if [ -n "$ALERTS_TO_EMAIL" ]
then
  SMTP_ENABLED_DEFAULT=true
fi
SMTP_ENABLED=${SMTP_ENABLED:-$SMTP_ENABLED_DEFAULT}

if [ $FIRST_TIME_INSTALLATION == true ]
then

  #
  # Support auto-enrollment if configured
  #
  if [ $AUTO_ENROLLMENT_ENABLED == true ]
  then
    if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
    then
      echo "Creating ossec-authd key and cert"
      openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096
      openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key\
        -out ${DATA_PATH}/etc/sslmanager.cert -days 3650\
        -subj /CN=${HOSTNAME}/
    fi
  fi

  if [ $SMTP_ENABLED == true ]
  then
    if [[ -z "$SMTP_RELAY_HOST" || -z "$ALERTS_TO_EMAIL" ]]
    then
      echo "Unable to configure SMTP, SMTP_RELAY_HOST or ALERTS_TO_EMAIL not defined"
      SMTP_ENABLED=false
    else
      ALERTS_FROM_EMAIL=${ALERTS_FROM_EMAIL:-ossec_alerts@$HOSTNAME}
      echo "d-i ossec-hids/email_notification boolean yes" >> /tmp/debconf.selections
      echo "d-i ossec-hids/email_from string $ALERTS_FROM_EMAIL" >> /tmp/debconf.selections
      echo "d-i ossec-hids/email_to string $ALERTS_TO_EMAIL" >> /tmp/debconf.selections
      echo "d-i ossec-hids/smtp_server string $SMTP_RELAY_HOST" >> /tmp/debconf.selections
    fi
  fi

  if [ $SMTP_ENABLED == false ]
  then
    echo "d-i ossec-hids/email_notification boolean no" >> /tmp/debconf.selections
  fi

  if [ -e /tmp/debconf.selections ]
  then
    debconf-set-selections /tmp/debconf.selections
    dpkg-reconfigure -f noninteractive ossec-hids
    rm /tmp/debconf.selections
    /var/ossec/bin/ossec-control stop
  fi

  #
  # Support SYSLOG forwarding, if configured
  #
  SYSLOG_FORWADING_ENABLED=${SYSLOG_FORWADING_ENABLED:-false}
  if [ $SYSLOG_FORWADING_ENABLED == true ]
  then
    if [ -z "$SYSLOG_FORWARDING_SERVER_IP" ]
    then
      echo "Cannot setup syslog forwarding because SYSLOG_FORWARDING_SERVER_IP is not defined"
    else
      SYSLOG_FORWARDING_SERVER_PORT=${SYSLOG_FORWARDING_SERVER_PORT:-514}
      SYSLOG_FORWARDING_FORMAT=${SYSLOG_FORWARDING_FORMAT:-default}
      # OSSEC client-syslog output block; the literal \n sequences are
      # turned into newlines by perl when the block is inserted below.
      SYSLOG_XML_SNIPPET="\
<syslog_output>\n\
<server>${SYSLOG_FORWARDING_SERVER_IP}</server>\n\
<port>${SYSLOG_FORWARDING_SERVER_PORT}</port>\n\
<format>${SYSLOG_FORWARDING_FORMAT}</format>\n\
</syslog_output>";

      # Insert the block right after the opening <ossec_config> tag
      cat /var/ossec/etc/ossec.conf |\
        perl -pe "s,<ossec_config>,<ossec_config>\n${SYSLOG_XML_SNIPPET}\n," \
        > /var/ossec/etc/ossec.conf-new
      mv -f /var/ossec/etc/ossec.conf-new /var/ossec/etc/ossec.conf
      chgrp ossec /var/ossec/etc/ossec.conf
      /var/ossec/bin/ossec-control enable client-syslog
    fi
  fi
fi

function ossec_shutdown(){
  /var/ossec/bin/ossec-control stop;
  if [ $AUTO_ENROLLMENT_ENABLED == true ]
  then
    kill $AUTHD_PID
  fi
}

# Trap exit signals and do a proper shutdown
trap "ossec_shutdown; exit" SIGINT SIGTERM

#
# Startup the services
#
chmod -R g+rw ${DATA_PATH}/logs/ ${DATA_PATH}/stats/ ${DATA_PATH}/queue/ ${DATA_PATH}/etc/client.keys
chown -R ossec:ossec /var/ossec/
/var/ossec/bin/ossec-control start
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
  echo "Starting ossec-authd..."
  /var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 &
  AUTHD_PID=$!
fi
sleep 15 # give ossec a reasonable amount of time to start before checking status
LAST_OK_DATE=$(date +%s)

#
# Watch the service in a while loop, exit if the service exits
#
# Note that ossec-execd is never expected to run here, and ossec-maild only
# runs when SMTP is enabled, so those daemons are dropped before checking.
# The command exits 0 only when no remaining daemon reports " not running"
# (grep -q exits 0 on a match, hence the leading "!").
#
STATUS_CMD="! service ossec status | sed '/ossec-maild/d' | sed '/ossec-execd/d' | grep -q ' not running'"
if [ $SMTP_ENABLED == true ]
then
  STATUS_CMD="! /var/ossec/bin/ossec-control status | sed '/ossec-execd/d' | grep -q ' not running'"
fi

while true
do
  eval "$STATUS_CMD" > /dev/null
  if (( $? != 0 ))
  then
    CUR_TIME=$(date +%s)
    # Allow ossec to not return an ok status for up to 15 seconds
    # before worrying.
    if (( (CUR_TIME - LAST_OK_DATE) > 15 ))
    then
      echo "ossec not properly running! exiting..."
      ossec_shutdown
      exit 1
    fi
  else
    LAST_OK_DATE=$(date +%s)
  fi
  sleep 1
done
--------------------------------------------------------------------------------
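The watchdog loop in run.bash decides whether the server is healthy by looking for " not running" lines in the status output while ignoring daemons that are intentionally not started. The following is an added example, not part of the project's run.bash, that factors that decision into testable functions; the status lines are constructed samples in the "is running..." / "not running..." format ossec-control prints, and the 15 second grace period mirrors the script.

```shell
#!/bin/sh
# Health decision for a watchdog like the loop in run.bash. The status text
# ("ossec-control status" or "service ossec status") is read on stdin, so
# the logic can be exercised with constructed input and no running server.
# Returns 0 when every daemon that is supposed to run is running.
# $1 = "true" when SMTP is enabled; otherwise ossec-maild is expected to be
# stopped and is ignored. ossec-execd is always ignored (never started here).
ossec_status_ok() {
  if [ "$1" = true ]; then
    relevant=$(grep -v 'ossec-execd')
  else
    relevant=$(grep -v -e 'ossec-execd' -e 'ossec-maild')
  fi
  # grep -q exits 0 on a match, so negate it: any remaining " not running"
  # line means the server is unhealthy.
  ! printf '%s\n' "$relevant" | grep -q ' not running'
}

# Grace window: the watchdog only gives up after the status has been bad for
# more than $3 seconds (15 in run.bash). $1 = now, $2 = last good timestamp.
watchdog_should_exit() {
  [ $(( $1 - $2 )) -gt "$3" ]
}

# Constructed sample of status output (not captured from a real server):
# everything is up except maild and execd, which is normal without SMTP.
SAMPLE_STATUS='ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd not running...'

# Evaluate the sample with SMTP disabled ($1=false) or enabled ($1=true).
check_sample() {
  printf '%s\n' "$SAMPLE_STATUS" | ossec_status_ok "$1"
}

if [ "${1:-}" = demo ]; then
  check_sample false && echo "healthy without SMTP"
  check_sample true || echo "unhealthy with SMTP: ossec-maild is down"
fi
```

Run with the argument `demo` to see both verdicts on the sample.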