Chris Smith edited this page Nov 8, 2013 · 7 revisions

osProtect API Rules Sentinel

Installation

This is a lightweight, fast Sinatra API application that gives the osProtect web interface access to the rules files on sensor servers.

(1) copy it to an apps folder that is not within/under the osProtect folder: this is a standalone app that handles search requests from osProtect, and you don't want it deleted or changed on each deploy of the osProtect rails app.

Note that most sensor servers will not have the osProtect rails app installed, as it is not needed there, but every sensor server on which you want to edit rules does require the rules sentinel software, as it provides the API that allows rules editing.

(2) ensure everything is installed on each sensor server:

note: everything in this step has already been done if you are installing on the same server as the osProtect rails app

sudo aptitude -y install curl wget nmap nbtscan
sudo aptitude -y install autoconf automake bison build-essential flex git-core libapr1-dev libaprutil1-dev libc6-dev libcurl4-openssl-dev libexpat1 libffi-dev libpcap-ruby libpcap0.8-dev libpcre3-dev libreadline6 libreadline6-dev libssl-dev libtool libxml2 libxml2-dev libxslt-dev libxslt1-dev libxslt1.1 libyaml-dev ncurses-dev openssl ssl-cert subversion zlib1g zlib1g-dev
sudo bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
sudo adduser osprotect rvm

... logout then login again

rvm --version
rvmsudo rvm get head
sudo nano /etc/rvmrc
... add: rvm_trust_rvmrcs_flag=1
rvm install ruby-2.0.0
rvm --default use 2.0.0
sudo nano /etc/environment
... add:
RAILS_ENV=production
RACK_ENV=production

... logout then login again

echo $RAILS_ENV
echo $RACK_ENV
ruby -v
gem -v
cd ~/apps ... or whatever the sentinel user's home directory is
gem install bundler --no-ri --no-rdoc
gem install foreman --no-ri --no-rdoc
gem list

(3) ensure the RACK_ENV=production is set in ~/.bashrc and /etc/environment

(4) at this point, the osprotect_sentinel app needs to be copied to the sensor server (via scp, rsync, etc.), probably into the osprotect user's home directory, i.e. /home/osprotect/apps/osprotect_sentinel seems appropriate

(5) ensure .rvmrc is using the correct gemset

cd /home/osprotect/apps/osprotect_sentinel
rvm gemset name ... should be osprotect_sentinel

(6) ensure allow_requests_from_ip is set to the IP address of the osProtect web server

cd /home/osprotect/apps/osprotect_sentinel
nano config/settings.yml

... for the allow_requests_from_ip setting, enter the IP address of the osProtect web server

(7) install the gems for the sentinel app:

bundle install

(8) use Foreman to create the Upstart rulessentinel workers starting with port 8500:

Note that Foreman's "-a" setting may not contain underscores.

cd /home/osprotect/apps/osprotect_sentinel
rvmsudo bundle exec foreman export upstart /etc/init -a rulessentinel -u osprotect -c worker=1 -p 8500

... to start everything when server boots up do:

sudo nano /etc/init/rulessentinel.conf
... add to top of file:
start on runlevel [2345]

... to start the rules sentinel worker:

sudo service rulessentinel start

(9) repeat steps (1) through (8) for each sensor server that's capturing events

Note that in the Administration feature of the osProtect rails web app there is a Rules interface which allows you to manage rules locations and rules files.
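Step (6) is the only thing standing between the rules-editing API and anyone who can reach port 8500, so it is worth seeing what the allow_requests_from_ip check has to do to be effective. The Rack middleware below is an added example written for this page, not code from osprotect_sentinel; the settings key name comes from the wiki, while the class, the inline settings text and the addresses are constructed for the example. It compares the TCP peer address (REMOTE_ADDR) against the configured address and ignores X-Forwarded-For, which a client can set to anything.

```ruby
require 'ipaddr'
require 'yaml'

# Constructed stand-in for config/settings.yml (the real app reads the file
# from disk); the key name is the one the wiki documents.
SETTINGS_YAML = "allow_requests_from_ip: 192.0.2.10\n"

# Hypothetical Rack middleware: refuses every request whose TCP peer is not
# the configured osProtect web server. Plain Ruby, so it runs without gems.
class SentinelIpFilter
  def initialize(app, settings_yaml = SETTINGS_YAML)
    @app = app
    value = YAML.safe_load(settings_yaml).fetch('allow_requests_from_ip')
    # IPAddr accepts a single host or a CIDR range. A malformed value raises
    # here, so a bad setting stops the app at boot instead of allowing everyone.
    @allowed = IPAddr.new(value.to_s)
  end

  def call(env)
    # REMOTE_ADDR is the socket peer. X-Forwarded-For is client-supplied and is
    # deliberately not consulted: only a trusted reverse proxy could make it safe.
    return forbidden unless allowed?(env['REMOTE_ADDR'].to_s)
    @app.call(env)
  end

  def allowed?(peer)
    @allowed.include?(IPAddr.new(peer))
  rescue ArgumentError # IPAddr::InvalidAddressError: empty or garbage peer -> deny
    false
  end

  private

  def forbidden
    [403, { 'Content-Type' => 'text/plain' }, ["forbidden\n"]]
  end
end

# Returns the HTTP status the filter produces for a constructed request.
def demo_status(remote_addr, extra_env = {})
  app = SentinelIpFilter.new(->(_env) { [200, { 'Content-Type' => 'text/plain' }, ["ok\n"]] })
  app.call({ 'REMOTE_ADDR' => remote_addr }.merge(extra_env)).first
end

if __FILE__ == $PROGRAM_NAME
  puts demo_status('192.0.2.10')                                           # 200
  puts demo_status('198.51.100.7')                                         # 403
  puts demo_status('198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.10') # 403, header ignored
end
```

Because the decision rests on REMOTE_ADDR, the check is only as strong as the network path: if a reverse proxy ever sits in front of the sentinel, the peer it sees is the proxy, and the setting would have to name that proxy instead.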
