install_osProtect_on_Ubuntu_10.04LTS
sudo adduser osprotect
... you will be asked to enter a password
sudo usermod -a -G sudo osprotect
... makes the osprotect user a sudo user
Note: for security reasons, the user "osprotect" should be removed from the sudo group after installation by editing /etc/group:
sudo nano /etc/group ... find this line: "sudo:x:27:osprotect", delete it (ctrl+k in nano), then save (ctrl+x)
Ensure the osprotect user is set up properly:
root@somebox:~# exit
Log back in using osprotect user:
ssh osprotect@CHANGE_ME
Ensure you're a sudo user:
sudo find / -name "auth.log"
/var/log/auth.log ... should be displayed
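The note above asks for the osprotect account to be taken out of the sudo group once the installation is finished. The following is an added example, not part of this wiki page: a small POSIX shell check that parses text in /etc/group format and reports whether a user is still a member of a group, so the post-installation state can be verified from a script rather than by eye. The sample group lines are constructed for the example; the live check reads the real /etc/group. Editing /etc/group by hand risks deleting the whole "sudo" line instead of just the osprotect member, whereas gpasswd -d (or deluser osprotect sudo) removes only that one membership.

```shell
#!/bin/sh
# Added example (not part of the osProtect wiki): verify that the osprotect
# account no longer belongs to the sudo group once installation is finished.
# user_in_group parses text in /etc/group format (group:passwd:gid:member,member)
# read from stdin, so it works on the live file or on a saved copy.

# Usage: user_in_group USER GROUP < group-file ; prints "yes" or "no"
user_in_group() {
    awk -F: -v user="$1" -v group="$2" '
        $1 == group {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == user) { found = 1 }
        }
        END { print (found ? "yes" : "no") }'
}

# Constructed sample in /etc/group format, as it looks right after
# "sudo usermod -a -G sudo osprotect" (gid 27 taken from the guide).
SAMPLE_GROUP_BEFORE='root:x:0:
adm:x:4:syslog
sudo:x:27:osprotect
rvm:x:1001:osprotect'

# Same constructed sample after the membership has been removed. On the live
# system this is what
#   sudo gpasswd -d osprotect sudo
# (or: sudo deluser osprotect sudo) produces: only the membership goes, the
# sudo group line itself stays intact.
SAMPLE_GROUP_AFTER='root:x:0:
adm:x:4:syslog
sudo:x:27:
rvm:x:1001:osprotect'

# Runs the check over both constructed samples and reports the two results.
check_sample() {
    before=$(printf '%s\n' "$SAMPLE_GROUP_BEFORE" | user_in_group osprotect sudo)
    after=$(printf '%s\n' "$SAMPLE_GROUP_AFTER" | user_in_group osprotect sudo)
    printf 'before=%s after=%s\n' "$before" "$after"
}

# Live check against /etc/group; returns 1 if the sudo membership is still there.
check_live() {
    if [ "$(user_in_group osprotect sudo < /etc/group)" = "yes" ]; then
        echo "WARNING: osprotect is still in the sudo group" >&2
        return 1
    fi
    echo "ok: osprotect is not a sudo user"
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run the script with --live after the installation is complete; a non-zero exit means the cleanup step was skipped.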
Logged in as root or a sudo user, do:
sudo aptitude -y install curl wget nmap nbtscan
sudo aptitude -y install autoconf automake bison build-essential flex git-core libapr1-dev libaprutil1-dev libc6-dev libcurl4-openssl-dev libexpat1 libffi-dev libpcap-ruby libpcap0.8-dev libpcre3-dev libreadline6 libreadline6-dev libssl-dev libtool libxml2 libxml2-dev libxslt-dev libxslt1-dev libxslt1.1 libyaml-dev ncurses-dev openssl ssl-cert subversion zlib1g zlib1g-dev
sudo aptitude -y install mysql mysql-server libmysqlclient16-dev libmysqlclient16
mysql_secure_installation
Note: you will be prompted to enter a password for the mysql root user, which will be needed later when using the mysql client.
mysql -u root -p
create user 'osprotect'@'%' IDENTIFIED BY 'CHANGE_ME';
grant all on snort.* to 'osprotect' identified by 'CHANGE_ME';
flush privileges;
Find the unix socket (usually it's /var/run/mysqld/mysqld.sock), or make other configuration changes:
sudo nano /etc/mysql/my.cnf
The unix socket is used in the rails app config/database.yml file to connect to MySQL, instead of using a slower TCP/IP connection.
Consult a system administrator, or the wiki installation instructions for more information.
sudo bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
Note that using sudo will install RVM/Ruby system-wide, i.e. for all users/apps, which is usually desired.
sudo adduser osprotect rvm
rvmsudo rvm get head
A global setting is needed to trust all .rvmrc files in the rails apps, so edit the /etc/rvmrc file:
sudo nano /etc/rvmrc
... then add the following line:
rvm_trust_rvmrcs_flag=1
... then save.
Without this change, processes such as Passenger and cron jobs will silently hang, which is difficult to diagnose.
rvm install ruby-2.0.0
rvm --default use 2.0.0
sudo nano /etc/environment ... add:
RAILS_ENV=production
... then save, then:
source /etc/environment
ruby -v
gem -v
rvm gemset use global
rvm gemset name <-- to verify the gemset name is set to global
gem install bundler --no-ri --no-rdoc
gem install foreman --no-ri --no-rdoc
gem install passenger --no-ri --no-rdoc
gem list
Sometimes the rails app may need a JavaScript runtime, and a simple way is to install Node.js:
sudo aptitude install python-software-properties
sudo add-apt-repository ppa:chris-lea/node.js
sudo aptitude update
sudo aptitude install nodejs
Ensure that node is on the PATH; it is usually installed as /usr/local/bin/node or /usr/bin/node:
echo $PATH
node --version
sudo aptitude install apache2 apache2.2-common apache2-mpm-prefork apache2-utils apache2-prefork-dev
Passenger is a gem that was installed during the Ruby installation done previously.
rvmsudo passenger-install-apache2-module
sudo nano /etc/apache2/apache2.conf
then add these lines (a guideline only; the exact paths vary with your environment, so use the ones printed at the end of passenger-install-apache2-module):
LoadModule passenger_module /usr/local/rvm/gems/ruby-2.0.0@global/gems/passenger-3.0.11/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/rvm/gems/ruby-2.0.0@global/gems/passenger-3.0.11
PassengerRuby /usr/local/rvm/wrappers/ruby-2.0.0-p125@global/ruby
Create a new sites file:
sudo nano /etc/apache2/sites-available/osprotect
then enter the following and save:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /home/osprotect/app/public
    RailsEnv production
    RailsBaseURI /
    <Directory /home/osprotect/app/public>
        AllowOverride all
        Options -MultiViews
    </Directory>
</VirtualHost>
sudo a2ensite osprotect
sudo a2dissite default
sudo mv /etc/apache2/sites-available/default /etc/apache2/sites-available/zzzz_default
sudo mv /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/zzzz_default-ssl
... this just makes osprotect first alphabetically.
sudo aptitude install telnet postfix
... when prompted, choose "Internet Site" and leave the "system mail name" at the default.
To ensure Postfix and its sendmail interface are working, do:
/usr/sbin/sendmail your_email_account@gmail.com
FROM: me
SUBJECT: hi
this is only a test
. <press Enter twice>
... then check your inbox for the email.
cd
mkdir ~/src
cd ~/src
wget http://redis.googlecode.com/files/redis-2.4.6.tar.gz
tar -xvzf redis-2.4.6.tar.gz
cd redis-2.4.6
sudo make
sudo make install
sudo mkdir /etc/redis
sudo mkdir /var/redis
sudo cp redis.conf /etc/redis/
sudo mkdir /var/log/redis
sudo nano /etc/init/redis-server.conf
... then enter the following:
description "redis server"
start on runlevel [2345]
stop on shutdown
exec /usr/local/bin/redis-server /etc/redis/redis.conf
respawn
... then save. The above will automatically start Redis when the server is rebooted, and will restart Redis if it is killed or dies.
sudo service redis-server start
redis-cli ping
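The steps above copy the redis.conf from the tarball to /etc/redis/ unchanged. In the 2.4 release that file ships with both the "bind" and the "requirepass" directives commented out, so the Resque queue listens on every interface with no authentication. The following is an added example, not from this wiki page: a POSIX shell check that reads a redis.conf and reports its exposure, shown against a constructed copy of the stock settings and a constructed hardened version. It assumes, as this guide does, that the rails app and its resque workers run on the same host as Redis, so loopback-only is sufficient; if you also set requirepass, config/resque.yml would need the matching password (an assumption about the app's configuration, not something this page states).

```shell
#!/bin/sh
# Added example (not from the osProtect wiki): inspect a redis.conf for the two
# directives that decide who can reach the Resque queue. With "bind" commented
# out Redis listens on all interfaces; with "requirepass" commented out there
# is no password.

# redis_exposure < redis.conf  -> prints e.g. "bind=loopback auth=none"
redis_exposure() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        $1 == "bind"        { bind = $2 }
        $1 == "requirepass" { auth = "set" }
        END {
            if (bind == "")               b = "all-interfaces"
            else if (bind == "127.0.0.1") b = "loopback"
            else                          b = bind
            printf "bind=%s auth=%s\n", b, (auth == "" ? "none" : auth)
        }'
}

# Constructed sample mirroring the stock file: both directives commented out.
STOCK_CONF='daemonize no
port 6379
# bind 127.0.0.1
# requirepass foobared
timeout 0'

# Constructed hardened version: loopback only, plus a password placeholder.
HARDENED_CONF='daemonize no
port 6379
bind 127.0.0.1
requirepass CHANGE_ME
timeout 0'

# Reports both constructed samples side by side.
audit_samples() {
    printf 'stock:    %s\n' "$(printf '%s\n' "$STOCK_CONF" | redis_exposure)"
    printf 'hardened: %s\n' "$(printf '%s\n' "$HARDENED_CONF" | redis_exposure)"
}

# Live check; returns 1 if /etc/redis/redis.conf still listens on all interfaces.
check_live() {
    result=$(redis_exposure < /etc/redis/redis.conf)
    echo "$result"
    case "$result" in
        *all-interfaces*) return 1 ;;
    esac
    return 0
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    audit_samples
fi
```

After editing /etc/redis/redis.conf, restart the service (sudo service redis-server restart) and confirm with redis-cli ping that the local workers can still reach it.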
ssh osprotect@CHANGE_ME
... note: this is the user that the rails app will use when executing.
git clone git://github.com/clonesec/osProtect.git app
cd app
As a safeguard for any PDF documents created by users, ensure that the shared folder is located outside of the app folder, so any future releases/deployments will not delete any existing PDF documents:
pwd ... should display /home/osprotect/app, i.e. you are in the rails app folder (your installation directory)
mkdir -p /home/osprotect/apps/osProtect/shared/reports ... this is outside of the rails app folder
... if you are deploying using Capistrano, the above mkdir still applies.
edit config/app_config.yml to set the reports folder:
reports_path: /home/osprotect/apps/osProtect/shared/reports
The best practice is to use a deployment tool such as Capistrano, and the osProtect repository on Github includes both a Capfile and config/deploy.rb files to help you get started.
bundle install --deployment --without assets development test
nano Procfile
... this should be correct already, but ensure it contains these 2 lines:
worker: bundle exec rake resque:work QUEUE=*
scheduler: bundle exec rake resque:scheduler
rvmsudo bundle exec foreman export upstart /etc/init -a osprotect -d /home/osprotect/app -u osprotect -c worker=3,scheduler=1
... now view the results in the /etc/init folder:
ls /etc/init
... the output should be similar to:
osprotect.conf
osprotect-scheduler.conf
osprotect-scheduler-1.conf
osprotect-worker.conf
osprotect-worker-1.conf
osprotect-worker-2.conf
osprotect-worker-3.conf
sudo nano /etc/init/osprotect.conf
... then add the following line to the top of the file:
start on runlevel [2345]
... then save, and now anytime the server is rebooted the osprotect services will start.
This is a lightweight and fast Sinatra API application that provides the osProtect web interface with access to the rules files on a sensor server.
(1) copy it to an apps folder that is not within/under the osProtect folder: this is a standalone app that handles search requests from osProtect, and you don't want it deleted or changed on each deploy of the osProtect rails app.
Note that most sensor servers will not have the osProtect rails app installed, as it is not needed there; however, each sensor server on which you want to edit rules does require the rules sentinel software, as this provides the API that allows rules editing.
(2) ensure everything is installed on each sensor server:
note: everything in this step has already been done if you are installing on the same server as the osProtect rails app
sudo aptitude -y install curl wget nmap nbtscan
sudo aptitude -y install autoconf automake bison build-essential flex git-core libapr1-dev libaprutil1-dev libc6-dev libcurl4-openssl-dev libexpat1 libffi-dev libpcap-ruby libpcap0.8-dev libpcre3-dev libreadline6 libreadline6-dev libssl-dev libtool libxml2 libxml2-dev libxslt-dev libxslt1-dev libxslt1.1 libyaml-dev ncurses-dev openssl ssl-cert subversion zlib1g zlib1g-dev
sudo bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
sudo adduser osprotect rvm
... logout then login again
rvm --version
rvmsudo rvm get head
sudo nano /etc/rvmrc
... add: rvm_trust_rvmrcs_flag=1
rvm install ruby-2.0.0
rvm --default use 2.0.0
sudo nano /etc/environment
... add:
RAILS_ENV=production
RACK_ENV=production
... logout then login again
echo $RAILS_ENV
echo $RACK_ENV
ruby -v
gem -v
cd ~/apps ... or whatever the sentinel user's home directory is
gem install bundler --no-ri --no-rdoc
gem install foreman --no-ri --no-rdoc
gem list
(3) ensure the RACK_ENV=production is set in ~/.bashrc and /etc/environment
(4) at this point, the osprotect_sentinel app needs to be copied to the sensor server (via scp, rsync, etc.), and probably to the osprotect user's home directory ... i.e. /home/osprotect/apps/osprotect_sentinel seems appropriate
(5) ensure .rvmrc is using the correct gemset
cd /home/osprotect/apps/osprotect_sentinel
rvm gemset name ... should be osprotect_sentinel
(6) ensure allow_requests_from_ip is set to the IP address of the osProtect web server
cd /home/osprotect/apps/osprotect_sentinel
nano config/settings.yml
... for the allow_requests_from_ip setting, enter the IP address of the osProtect web server
(7) install the gems for the sentinel app:
bundle install
(8) use Foreman to create the Upstart rulessentinel workers starting with port 8500:
Note that Foreman's "-a" setting may not contain underscores.
cd /home/osprotect/apps/osprotect_sentinel
rvmsudo bundle exec foreman export upstart /etc/init -a rulessentinel -u osprotect -c worker=1 -p 8500
... to start everything when server boots up do:
sudo nano /etc/init/rulessentinel.conf
... add to top of file:
start on runlevel [2345]
... to start the rules sentinel worker:
sudo service rulessentinel start
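Both here and in the osprotect export earlier, the one manual edit after "foreman export upstart" is adding "start on runlevel [2345]" to the top of the generated master job file, and the edit has to be repeated whenever the export is re-run. The following is an added example, not part of this wiki page: a POSIX shell function that prepends the stanza only if it is not already present, so it can be run after every export without duplicating the line. The sample job file it is demonstrated on is constructed for the example and is not the real output of foreman; on a live system the function must run as root or under sudo because it rewrites files in /etc/init.

```shell
#!/bin/sh
# Added example (not part of the osProtect wiki): scriptable, idempotent version
# of the "add start on runlevel [2345] to the top of the file" step used for
# /etc/init/osprotect.conf and /etc/init/rulessentinel.conf.

START_STANZA='start on runlevel [2345]'

# ensure_start_on FILE: prepend the stanza unless an identical line exists.
# Prints "added" or "present".
ensure_start_on() {
    conf="$1"
    if grep -qxF "$START_STANZA" "$conf"; then
        echo present
        return 0
    fi
    tmp="$conf.tmp.$$"
    { printf '%s\n' "$START_STANZA"; cat "$conf"; } > "$tmp"
    # Keep the original file mode when replacing (GNU chmod option; best effort).
    chmod --reference="$conf" "$tmp" 2>/dev/null || true
    mv "$tmp" "$conf"
    echo added
}

# Constructed sample standing in for an exported master job; not foreman's
# actual output.
make_sample_conf() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
pre-start script

bash << "EOF2"
  mkdir -p /var/log/osprotect
  chown -R osprotect /var/log/osprotect
EOF2

end script
EOF
    echo "$sample"
}

# Applies the edit twice to the sample and reports what happened:
#   "added present count=1 first_line_ok=yes"
demo() {
    f=$(make_sample_conf)
    first=$(ensure_start_on "$f")
    second=$(ensure_start_on "$f")
    count=$(grep -cxF "$START_STANZA" "$f")
    head1=$(head -n 1 "$f")
    rm -f "$f"
    if [ "$head1" = "$START_STANZA" ]; then ok=yes; else ok=no; fi
    printf '%s %s count=%s first_line_ok=%s\n' "$first" "$second" "$count" "$ok"
}

# Usage on a live system:
#   sudo sh this_script.sh /etc/init/osprotect.conf /etc/init/rulessentinel.conf
if [ "$#" -gt 0 ]; then
    for conf in "$@"; do
        printf '%s: %s\n' "$conf" "$(ensure_start_on "$conf")"
    done
fi
```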
(9) repeat steps (1) through (8) for each sensor server that's capturing events
Note that in the Administration feature of the osProtect rails web app there is a Rules interface which allows you to manage rules locations and rules files.
mysql -u root -p
create user 'osprotect'@'%' IDENTIFIED BY 'CHANGE_ME';
grant all on snort.* to 'osprotect' identified by 'CHANGE_ME';
flush privileges;
exit
nano config/database.yml
... ensure settings are correct:
production:
  adapter: mysql2
  encoding: utf8
  reconnect: false
  pool: 5
  database: snort
  username: osprotect
  password: CHANGE_ME <-- *** the password you set in the previous step
  socket: /var/run/mysqld/mysqld.sock
bundle exec rake db:migrate
nano db/seeds.rb
... be sure to replace CHANGE_ME with a password of your choice
bundle exec rake db:seed
nano config/resque.yml
... usually no changes are required.
nano config/app_config.yml
... edit as appropriate for your installation ... details here.
nano config/schedule.yml
... edit to match the settings in config/app_config.yml.
nano config/environments/production.rb
... add or change the following lines:
config.action_mailer.delivery_method = :sendmail
config.action_mailer.default_url_options = { :host => "CHANGE_ME" }
bundle exec rake assets:precompile
... note: this usually runs for a while (1 or 2 minutes).
sudo service osprotect start
... wait a few seconds for these to start up; to verify:
ps aux | grep osprotect
sudo service apache2 restart
touch tmp/restart.txt
visit http://CHANGE_ME/ in a web browser