Trying to automate the initial OSSEC installation steps

I haven't got around to packaging OSSEC for Debian yet - mainly because I haven't decided how to handle the fact that OSSEC uses a server->agent model that depends on the generation/importing of unique keys for communication (not unlike Puppet with SSL certificates), from an automation/Puppet perspective.

To my knowledge, one person, Nicolas Zin, is doing something along these lines over on GitHub, but I haven't had time to look at how he's solving this. Likewise for the 'pkg-ossec-devel' mailing list I saw on Debian's Alioth; perhaps people are already working on bringing this into Debian.

In the meantime, I found early on that the manual task of downloading OSSEC tarballs, checking md5sums, extracting and running the OSSEC install.sh on each agent was painstakingly slow and repetitive. Here is a shell script that at least automates those steps:

#!/bin/bash

# Variables
VERSION=2.7.1
CHECKSUM="ossec-hids-${VERSION}-checksum.txt"
TARBALL="ossec-hids-${VERSION}.tar.gz"

echo "Downloading packages and checksums"
# stop right away if either download fails, rather than checksumming a missing file
wget "http://www.ossec.net/files/${TARBALL}" || exit 1
wget "http://www.ossec.net/files/${CHECKSUM}" || exit 1

echo "These are the checksums from the file"
cat "$CHECKSUM"
OSSEC_MD5=$(md5sum "$TARBALL" | awk '{print $1}')
OSSEC_SHA=$(sha1sum "$TARBALL" | awk '{print $1}')

echo "checking for matching md5/sha sums"
# grep -q exits 0 only on a match; testing "! grep" also catches a missing
# checksum file (grep exit 2), which a test for "exit status 1" would let through
if ! grep -q "$OSSEC_MD5" "$CHECKSUM"; then
  echo "md5sum didn't match!"
  exit 1
fi

if ! grep -q "$OSSEC_SHA" "$CHECKSUM"; then
  echo "sha1sum didn't match!"
  exit 1
fi

# sums matched, extract and run install
tar zxvf "$TARBALL"
cd "ossec-hids-${VERSION}" || exit 1
sudo bash install.sh

Note that it only extracts and kicks off the installer if the md5sum/sha1sums matched.
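The same check, pulled out into a reusable function that fails closed, as an added example that is not part of the original post. It verifies both digests, treats a missing or empty checksum file as a failure instead of a pass, and comes with a constructed tarball and checksum file so it can be exercised offline; the checksum file format used here (plain md5sum/sha1sum output lines) is an assumption, not necessarily OSSEC's own layout. One caveat worth keeping in mind with this scheme: because the checksum file is fetched from the same server, over the same plain-HTTP channel, as the tarball, a matching digest shows the download was not corrupted in transit, not that the copy on the server is genuine.

```shell
#!/bin/bash
# Added example: fail-closed tarball verification (not code from the original post).

# verify_tarball TARBALL CHECKSUMFILE
# Returns 0 only if BOTH the md5 and sha1 of TARBALL appear in CHECKSUMFILE.
# Any missing file, empty checksum file, or mismatch returns 1.
verify_tarball() {
  vt_tarball="$1"
  vt_checksum="$2"
  # a missing or empty checksum file must fail, not silently pass
  [ -s "$vt_checksum" ] || { echo "checksum file missing or empty: $vt_checksum" >&2; return 1; }
  [ -f "$vt_tarball" ]  || { echo "tarball missing: $vt_tarball" >&2; return 1; }
  vt_md5=$(md5sum "$vt_tarball" | awk '{print $1}')
  vt_sha=$(sha1sum "$vt_tarball" | awk '{print $1}')
  # -q: exit status only; -F: treat the digest as a literal string, not a regex
  grep -qF "$vt_md5" "$vt_checksum" || { echo "md5sum did not match" >&2; return 1; }
  grep -qF "$vt_sha" "$vt_checksum" || { echo "sha1sum did not match" >&2; return 1; }
  return 0
}

# make_fixture: build a constructed "tarball" plus a matching checksum file in a
# fresh temp directory and print that directory. The checksum file format is an
# assumption (md5sum and sha1sum output lines), used only to exercise the check.
make_fixture() {
  mf_dir=$(mktemp -d)
  printf 'constructed tarball content\n' > "$mf_dir/ossec-hids-2.7.1.tar.gz"
  ( cd "$mf_dir" && md5sum ossec-hids-2.7.1.tar.gz && sha1sum ossec-hids-2.7.1.tar.gz ) \
    > "$mf_dir/ossec-hids-2.7.1-checksum.txt"
  echo "$mf_dir"
}

# demo: run the check against the good fixture, then against a tampered copy
demo() {
  d=$(make_fixture)
  verify_tarball "$d/ossec-hids-2.7.1.tar.gz" "$d/ossec-hids-2.7.1-checksum.txt" \
    && echo "intact tarball: OK"
  printf 'tampered\n' >> "$d/ossec-hids-2.7.1.tar.gz"
  verify_tarball "$d/ossec-hids-2.7.1.tar.gz" "$d/ossec-hids-2.7.1-checksum.txt" \
    || echo "tampered tarball: rejected"
  rm -rf "$d"
}

case "${1:-}" in
  demo) demo ;;
esac
```

Run it as `bash verify.sh demo` to see both outcomes; in the install script, replace the two grep blocks with `verify_tarball "$TARBALL" "$CHECKSUM" || exit 1` so the extract-and-install step only ever runs after a successful check.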

Next time OSSEC releases a new version, simply edit the VERSION variable and re-run the script. OSSEC's install.sh will ask if you want to upgrade the existing installation.

At the very least, this could be useful to run over CSSHx or similar, to bulk-upgrade a whole heap of agents.

My next step is to try and package OSSEC for Debian based on a compiled 'binary only' version of OSSEC, which contains preseeded settings per the source code's etc/preloaded-vars.conf (see this howto). And then, Puppet!
