"""
|
||
|
|
Command-builder module for managing OSSEC HIDS on a Linux VPS.
|
||
|
|
Each function returns a bash command string. OSSEC installs to /var/ossec.
|
||
|
|
"""
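def status_cmd():
    """Return a command that prints a three-section OSSEC health report.

    Sections: the output of ``ossec-control status``, the installed version
    (``ossec-control info`` where the release supports it, else the contents
    of ``ossec-init.conf``, else a placeholder) and the running ``ossec*``
    processes.

    The status section is terminated with ``;`` rather than ``&&`` on
    purpose: ``ossec-control status`` returns nonzero when a daemon is down,
    and a report chained with ``&&`` would stop right there — exactly when
    the operator most needs the rest of it. The version probes are grouped
    in ``{ ...; }`` so their ``||`` fallbacks apply only to each other and
    cannot swallow a failure elsewhere in the chain.

    Returns:
        The bash command string.
    """
    return (
        "echo '=== OSSEC Status ===' && "
        "/var/ossec/bin/ossec-control status; "
        "echo && echo '=== OSSEC Version ===' && "
        "{ /var/ossec/bin/ossec-control info 2>/dev/null || "
        "cat /var/ossec/etc/ossec-init.conf 2>/dev/null || echo 'Version unknown'; } && "
        "echo && echo '=== Active Processes ===' && "
        "ps aux | grep '[o]ssec'"
    )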
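def install_cmd(version="3.7.0", sha256=None):
    """Return a command that builds OSSEC from the GitHub source tarball and starts it.

    The command installs the build toolchain with apt-get, fetches
    ``ossec-hids/archive/refs/tags/<version>.tar.gz`` into a fresh
    ``mktemp -d`` directory (rather than a fixed, predictable path under the
    world-writable ``/tmp``), optionally verifies its SHA-256, runs the
    unattended ``install.sh`` as a local install with syscheck, rootcheck and
    active response enabled, and starts the daemons.

    Args:
        version: OSSEC release tag to fetch, digits and dots only
            (``X.Y.Z``). Validated so the value cannot smuggle shell syntax
            into the command.
        sha256: optional hex SHA-256 of the tarball. When given, the
            download is checked with ``sha256sum -c`` before extraction.
            When ``None`` the build trusts TLS to GitHub alone — a
            supply-chain gap; pin a digest you have verified against the
            release wherever possible.

    Returns:
        The bash command string.

    Raises:
        ValueError: if ``version`` is not dotted digits or ``sha256`` is not
            64 hex characters.

    Note:
        ``OSSEC_ACTIVE_RESPONSE=y`` turns on automatic blocking, which can
        lock out the address you administer from; review the
        active-response and white-list settings in ossec.conf before relying
        on it. The build directory is not removed afterwards.
    """
    digits = "0123456789"
    parts = version.split(".")
    if not all(p and all(c in digits for c in p) for p in parts):
        raise ValueError(f"invalid OSSEC version: {version!r}")

    tarball = f"ossec-hids-{version}.tar.gz"
    url = f"https://github.com/ossec/ossec-hids/archive/refs/tags/{version}.tar.gz"

    verify = ""
    if sha256 is not None:
        digest = sha256.strip().lower()
        if len(digest) != 64 or any(c not in digits + "abcdef" for c in digest):
            raise ValueError("sha256 must be 64 hexadecimal characters")
        # Two spaces between digest and filename is the sha256sum -c format.
        verify = f"echo '{digest}  {tarball}' | sha256sum -c - && "

    return (
        "apt-get update && "
        "apt-get install -y build-essential make gcc libevent-dev libpcre2-dev libz-dev libssl-dev && "
        "build_dir=$(mktemp -d) && cd \"$build_dir\" && "
        f"wget -O {tarball} {url} && "
        f"{verify}"
        f"tar xzf {tarball} && "
        f"cd ossec-hids-{version} && "
        "OSSEC_LANGUAGE=en OSSEC_TYPE=local OSSEC_NOTIFY=n OSSEC_SYSCHECK=y "
        "OSSEC_ROOTCHECK=y OSSEC_ACTIVE_RESPONSE=y ./install.sh && "
        "/var/ossec/bin/ossec-control start && "
        f"echo 'OSSEC {version} installed and started.'"
    )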
def start_cmd():
    """Return the command that starts the OSSEC daemons via ossec-control."""
    action = "start"
    return f"/var/ossec/bin/ossec-control {action}"
def stop_cmd():
    """Return the command that stops the OSSEC daemons via ossec-control."""
    action = "stop"
    return f"/var/ossec/bin/ossec-control {action}"
def restart_cmd():
    """Return the command that restarts the OSSEC daemons via ossec-control."""
    action = "restart"
    return f"/var/ossec/bin/ossec-control {action}"
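def alerts_cmd(lines=50):
    """Return a command that prints the last ``lines`` lines of alerts.log.

    Args:
        lines: number of trailing lines to show (default 50). Coerced with
            ``int()`` and required to be positive, so the value interpolated
            into the command is always a plain decimal. Without this, a
            value that arrived as a string from a UI or API (for example
            ``"50; rm -rf /"``) would be spliced straight into the shell
            command.

    Returns:
        The bash command string.

    Raises:
        ValueError: if ``lines`` is below 1 or is an unparsable string.
        TypeError: if ``lines`` cannot be converted with ``int()``.
    """
    count = int(lines)
    if count < 1:
        raise ValueError(f"lines must be a positive integer, got {lines!r}")
    return f"tail -n {count} /var/ossec/logs/alerts/alerts.log"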
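def alerts_today_cmd():
    """Return a command that greps alerts.log for lines stamped with today's date.

    The pattern is today's ``YYYY Mon DD`` (``date +'%Y %b %d'``). ``date``
    is run with ``LC_ALL=C`` so its month abbreviation is the English one
    regardless of the host's locale; an unpinned ``date`` on a host with,
    say, a German locale would emit ``Mär`` and match nothing, silently
    reporting "no alerts". Only the timestamp line of each alert matches,
    not the rest of the multi-line alert record.

    Returns:
        The bash command string; prints ``No alerts for today.`` when grep
        finds nothing (or the log is missing).
    """
    return (
        "grep \"$(LC_ALL=C date +'%Y %b %d')\" /var/ossec/logs/alerts/alerts.log || "
        "echo 'No alerts for today.'"
    )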
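def log_cmd(lines=50):
    """Return a command that prints the last ``lines`` lines of the OSSEC daemon log.

    Args:
        lines: number of trailing lines to show (default 50). Coerced with
            ``int()`` and required to be positive, so the value interpolated
            into the command is always a plain decimal and cannot carry
            shell syntax (``"50; rm -rf /"``) into the command.

    Returns:
        The bash command string.

    Raises:
        ValueError: if ``lines`` is below 1 or is an unparsable string.
        TypeError: if ``lines`` cannot be converted with ``int()``.
    """
    count = int(lines)
    if count < 1:
        raise ValueError(f"lines must be a positive integer, got {lines!r}")
    return f"tail -n {count} /var/ossec/logs/ossec.log"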
def syscheck_cmd():
    """Return a command that lists the syscheck queue directory and tails each file in it.

    The second section loops over every entry under the queue directory and
    prints its last 20 lines, so the output is the raw syscheck database
    content rather than a formatted change report.

    NOTE(review): a human-readable integrity report is normally obtained
    from ``/var/ossec/bin/syscheck_control`` — confirm before relying on the
    raw tail here.

    Returns:
        The bash command string.
    """
    queue_dir = "/var/ossec/queue/syscheck/"
    header = "echo '=== Syscheck Results ===' && "
    listing = f"ls -la {queue_dir} && "
    changes_header = "echo && echo '=== Recent Integrity Changes ===' && "
    tail_loop = (
        f"for f in {queue_dir}*; do "
        "echo \"--- $f ---\" && tail -20 \"$f\" 2>/dev/null; done"
    )
    return header + listing + changes_header + tail_loop
def config_cmd():
    """Return a command that prints the main OSSEC configuration file."""
    conf_path = "/var/ossec/etc/ossec.conf"
    return f"cat {conf_path}"
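def config_save_cmd(content):
    """Return a command that backs up ossec.conf, replaces it with ``content`` and restarts OSSEC.

    ``content`` is embedded in the command as one single-quoted shell word,
    so the only character that needs escaping is the single quote itself
    (``'`` becomes ``'\\''``). The file is written with ``printf '%s\\n'``
    instead of ``echo``: which shell runs the command is up to the caller,
    and ``echo`` in dash (Debian/Ubuntu ``/bin/sh``) interprets backslash
    escapes, which would corrupt backslashes in regex-bearing config.

    The backup path is captured in a shell variable so that, if
    ``ossec-control restart`` fails after the write, the previous file is
    copied back and a restart is attempted on it — the host is not left
    without its HIDS because of a bad edit. The command then exits nonzero.

    Args:
        content: full text of the new ossec.conf. Must be non-empty and
            contain no NUL byte (NUL cannot be carried in a shell command).

    Returns:
        The bash command string.

    Raises:
        ValueError: if ``content`` is empty/whitespace or contains NUL.
    """
    if not content or not content.strip():
        raise ValueError("refusing to write an empty ossec.conf")
    if "\x00" in content:
        raise ValueError("ossec.conf content must not contain NUL bytes")
    escaped = content.replace("'", "'\\''")
    conf = "/var/ossec/etc/ossec.conf"
    return (
        f"bak={conf}.bak.$(date +%Y%m%d%H%M%S) && "
        f"cp {conf} \"$bak\" && "
        f"printf '%s\\n' '{escaped}' > {conf} && "
        "if /var/ossec/bin/ossec-control restart; then "
        "echo 'Config saved and OSSEC restarted.'; "
        "else "
        "echo \"Restart failed; restoring $bak\" >&2; "
        f"cp \"$bak\" {conf} && /var/ossec/bin/ossec-control restart; "
        "false; fi"
    )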
def rules_cmd():
    """Return a command that lists the rule XML files (long format, so owner and mode are visible)."""
    rules_glob = "/var/ossec/rules/*.xml"
    return f"ls -la {rules_glob}"
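def active_response_cmd():
    """Return a command that shows the active-response config block and the recent response log.

    Two fixes over a naive ``&&`` chain:

    * ``grep`` exits 1 when ``<active-response>`` is absent, which would
      abort the whole report before the log section; the grep is grouped
      with an explanatory fallback instead.
    * The log is read with ``tail -n 30 FILE`` rather than
      ``cat FILE | tail -30``. In a pipeline the exit status is tail's,
      which is 0 even when ``cat`` could not open the file, so the
      ``|| echo 'No active response log found.'`` fallback could never fire.

    Returns:
        The bash command string.
    """
    return (
        "echo '=== Active Response Config ===' && "
        "{ grep -A5 '<active-response>' /var/ossec/etc/ossec.conf || "
        "echo 'No <active-response> block found in ossec.conf.'; } && "
        "echo && echo '=== Recent Blocks ===' && "
        "{ tail -n 30 /var/ossec/logs/active-responses.log 2>/dev/null || "
        "echo 'No active response log found.'; }"
    )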
def agent_list_cmd():
    """Return a command that lists the agents known to this install via ``agent_control -l``.

    NOTE(review): install_cmd in this module configures ``OSSEC_TYPE=local``;
    on such a host the agent list is presumably empty or local-only — confirm.
    """
    tool = "/var/ossec/bin/agent_control"
    return f"{tool} -l"
def uninstall_cmd():
    """Return a command that stops OSSEC, deletes /var/ossec and removes its service accounts.

    Destructive and irreversible: the whole install tree, including logs,
    alerts and the syscheck database, is removed with ``rm -rf``. The
    ``userdel``/``groupdel`` calls are best-effort (``;`` with stderr
    discarded) so a missing account does not stop the teardown; the
    ``rm -rf`` must succeed for them to run at all.

    Returns:
        The bash command string.
    """
    service_accounts = ("ossec", "ossecm", "ossecr", "ossece")
    drop_users = " ".join(f"userdel {name} 2>/dev/null;" for name in service_accounts)
    return (
        "/var/ossec/bin/ossec-control stop 2>/dev/null; "
        "rm -rf /var/ossec && "
        f"{drop_users} "
        "groupdel ossec 2>/dev/null; "
        "echo 'OSSEC uninstalled.'"
    )