Contents
- 1 Cisco Configuration
- 2 RANCID
- 2.1 Install the software
- 2.2 Apply the following patches that address some issues with lock files.
- 2.3 Add the rancid user and group
- 2.4 Prepare the RANCID environment
- 2.5 Set proper permissions and ownership
- 2.6 Initialize the CVS repository
- 2.7 Create the device list
- 2.8 Run rancid
- 2.9 Create additional scripts
- 2.10 Create the cron jobs
- 3 ViewVC
- 4 OSSEC
This post describes the installation and configuration of the following software on FreeBSD.
RANCID is a utility for backing up network device configurations.
ViewVC is a browser interface for CVS.
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
When OSSEC receives a %SYS-5-CONFIG_I syslog message from a Cisco network device, it launches RANCID which fetches the latest version of the device configuration and stores it in a CVS repository that is browsable using ViewVC.
Cisco Configuration
IOS
service timestamps log datetime msec
username rancid secret 5 xxxxxxxxxxxxxxxxxx
logging 192.168.2.2
ASA
logging enable
logging trap notifications
logging host management 192.168.2.2
username rancid password xxxxxxxxxxxxxxxxxx encrypted
RANCID
Install the software
# cd /usr/ports/ports-mgmt/portmaster
# make clean all install
# make clean
# rehash
# portmaster misc/rpl
# rehash
# portmaster -d net-mgmt/rancid
# rpl 'spawn telnet' 'spawn telnet -K' /usr/local/libexec/rancid/clogin
Apply the following patches that address some issues with lock files.
rancid-run.diff
control_rancid.diff
# cd /usr/local/libexec/rancid
# patch < rancid-run.diff
# patch < control_rancid.diff
Add the rancid user and group
# vipw
------------------------------ cut here ------------------------------
rancid:*:805:805::0:0:RANCID Sandbox:/home/rancid:/bin/tcsh
------------------------------ cut here ------------------------------
# vi /etc/group
------------------------------ cut here ------------------------------
rancid:*:805:
------------------------------ cut here ------------------------------
Prepare the RANCID environment
# mkdir /home/rancid
# mkdir /home/rancid/bin
# mkdir /home/rancid/devices
# mkdir /home/rancid/tmp
# vi /home/rancid/.tcshrc
------------------------------ cut here ------------------------------
if ( ${?prompt} ) then
    set path=(${path} /usr/local/libexec/rancid)
endif
------------------------------ cut here ------------------------------
# rpl /tmp /home/rancid/tmp /usr/local/etc/rancid/rancid.conf
# rpl 'BASEDIR=/usr/local/var/rancid' 'BASEDIR=/home/rancid' /usr/local/etc/rancid/rancid.conf
# vi /home/rancid/.cloginrc
------------------------------ cut here ------------------------------
add password * password enable
add user * {rancid}
add method * ssh
add autoenable * 0
------------------------------ cut here ------------------------------
# vi /usr/local/etc/rancid/rancid.conf
------------------------------ cut here ------------------------------
LIST_OF_GROUPS="devices"
------------------------------ cut here ------------------------------
Set proper permissions and ownership
# chmod 440 /home/rancid/.cloginrc
# chown -R rancid:rancid /home/rancid/.
Initialize the CVS repository
# su - rancid
% rancid-cvs
Create the device list
# su - rancid
% vi /home/rancid/devices/router.db
------------------------------ cut here ------------------------------
device:cisco:up
------------------------------ cut here ------------------------------
Run rancid
# su - rancid
% rancid-run
Create additional scripts
% vi /home/rancid/bin/run-rancid
------------------------------ cut here ------------------------------
#!/bin/csh -f
set path=($path /usr/local/bin)
setenv HOME /home/rancid
if ( ! ${?RANCIDHOME} ) then
    setenv RANCIDHOME /usr/local/libexec/rancid
endif
if ( ! ${?HOMERANCID} ) then
    setenv HOMERANCID `dirname $0`
    setenv HOMERANCID $HOMERANCID/..
    setenv HOMERANCID `realpath $HOMERANCID`
endif
set path=(${path} ${HOMERANCID}/bin ${RANCIDHOME})
rancid-run $*
------------------------------ cut here ------------------------------
% chmod 755 /home/rancid/bin/run-rancid
% vi /home/rancid/bin/run-one
------------------------------ cut here ------------------------------
#!/bin/csh -f
set path=($path /usr/local/bin)
setenv HOME /home/rancid
if ( $#argv != 2 ) then
    echo "Wrong number of arguments - usage: run-one router group"
    exit 1
endif
if ( ! ${?RANCIDHOME} ) then
    setenv RANCIDHOME /usr/local/libexec/rancid
endif
if ( ! ${?HOMERANCID} ) then
    setenv HOMERANCID `dirname $0`
    setenv HOMERANCID $HOMERANCID/..
    setenv HOMERANCID `realpath $HOMERANCID`
endif
set path=(${path} ${HOMERANCID}/bin ${RANCIDHOME})
rancid-run -r $1 $2
------------------------------ cut here ------------------------------
% chmod 755 /home/rancid/bin/run-one
Create the cron jobs
% vi /home/rancid/crontab
------------------------------ cut here ------------------------------
1 1,7,13,19 * * * /home/rancid/bin/run-rancid 2>&1 | tee /home/rancid/logs/run-rancid.log >>/dev/null 2>&1
50 23 * * * find /home/rancid/logs -type f -mtime +2 -exec rm {} \;
------------------------------ cut here ------------------------------
% crontab /home/rancid/crontab
ViewVC
Install the software
# portmaster -d devel/viewvc
Modify the ViewVC configuration file
# vi /usr/local/viewvc/viewvc.conf
------------------------------ cut here ------------------------------
cvs_roots = rancid: /home/rancid/CVS
root_parents = /home/rancid : cvs
default_root = rancid
use_localtime = 1
------------------------------ cut here ------------------------------
Read the instructions on how to use ViewVC
# cat /var/db/pkg/viewvc-*/+DISPLAY
*****************************************************************
To use ViewVC, modify the configuration file located at
/usr/local/viewvc/viewvc.conf.

If no webserver was selected during installation, then a rc script for
running ViewVC standalone is installed. To enable the standalone ViewVC
server in rc.conf use parameter viewvc_enable="YES". You can also adjust
the user which runs the ViewVC standalone server with the parameter
"viewvc_user". If you want to run the ViewVC standalone server with
another IP/PORT, use the parameter "viewvc_flags". To see all available
parameters, use the command /usr/local/viewvc/bin/standalone.py --help

To use ViewVC with Apache or lighttpd as a CGI script, see the following
config examples.

Example config lines for Apache
===============================

Alias /viewvc "/usr/local/viewvc/bin/cgi/"
<Directory "/usr/local/viewvc/bin/cgi">
    AddHandler cgi-script .cgi
    Options NONE +ExecCGI
    DirectoryIndex viewvc.cgi
    Order allow,deny
    Allow from all
</Directory>

Example config lines for lighttpd
=================================

server.modules = ( "mod_alias", "mod_access" )
alias.url += ( "/viewvc" => "/usr/local/viewvc/bin/cgi" )
$HTTP["url"] =~ "^/viewvc/" {
    index-file.names = ( "viewvc.cgi" )
    cgi.assign = ( ".cgi" => "/usr/local/bin/python", )
}
*****************************************************************
OSSEC
Install the software
# portmaster -d security/ossec-hids-server
# cp /usr/local/ossec-hids/ossec.conf.sample /usr/local/ossec-hids/ossec.conf
# portmaster -d security/sudo
Create the OSSEC script
# vi /usr/local/ossec-hids/active-response/bin/fire-rancid.sh
------------------------------ cut here ------------------------------
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:~/bin
export PATH

# Arguments as passed by the OSSEC active-response framework
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
HOST=$6

LOCAL=`dirname $0`
cd $LOCAL
cd ../
PWD=`pwd`

# The host (device) argument must be provided
if [ "x${HOST}" = "x" ]; then
    echo "$0: Missing argument (host)"
    exit 1
fi

# Resolve the device name as RANCID knows it (reverse lookup of the sender)
ROUTER=`host ${HOST} | cut -f5 -d' '`

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6 ${ROUTER}" >> ${PWD}/../logs/active-responses.log

# Collect only this device's configuration from the "devices" group
sudo -u rancid /home/rancid/bin/run-one ${ROUTER} devices 2>&1 | tee /home/rancid/logs/run-one-${ROUTER}.log >>/dev/null 2>&1

exit 1
------------------------------ cut here ------------------------------
% chmod 755 /usr/local/ossec-hids/active-response/bin/fire-rancid.sh
Modify the OSSEC configuration file
Adjust the parameters in the global section.
Replace the remote section and adjust the parameters.
Comment out the cisco-ios_rules.xml include line.
# rpl /var/ossec /usr/local/ossec-hids /usr/local/ossec-hids/etc/ossec.conf
# vi /usr/local/ossec-hids/etc/ossec.conf
<!-- <include>cisco-ios_rules.xml</include> -->

<!--
<remote>
  <connection>secure</connection>
</remote>
-->
<remote>
  <connection>syslog</connection>
  <allowed-ips>0.0.0.0/0</allowed-ips>
  <local_ip>192.168.2.2</local_ip>
</remote>

<command>
  <name>fire-rancid</name>
  <executable>fire-rancid.sh</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <!-- %SYS-5-CONFIG_I response. Fire rancid. -->
  <command>fire-rancid</command>
  <location>local</location>
  <!-- <rules_id>4340,100002</rules_id> -->
  <rules_id>104340,100002</rules_id>
</active-response>
Create local rules
# vi /usr/local/ossec-hids/rules/local_rules.xml
<rule id="100002" level="5">
  <match>%SYS-5-CONFIG_I</match>
  <description>Configuration change detected.</description>
</rule>

<rule id="104340" level="8">
  <if_sid>4340</if_sid>
  <options>no_email_alert</options>
</rule>
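The following Python is an added example, not code from this post or from RANCID or OSSEC. It models the chain the OSSEC section wires together: a %SYS-5-CONFIG_I syslog line arrives, local rule 100002 matches it, fire-rancid.sh turns the sender into a device name by reverse lookup, and run-one is called with that router and the "devices" group. The log lines, the router.db contents and the PTR table are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Pattern for the IOS message rule 100002 matches; IOS appends
# "by <user> on <line> (<ip>)" when the change came over a vty.
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\w+)"
    r"(?: by (?P<user>\S+))?(?: on (?P<line>\S+))?(?: \((?P<ip>[\d.]+)\))?"
)

# Constructed sample of /home/rancid/devices/router.db (hostname:type:state).
ROUTER_DB = "core1:cisco:up\nedge2:cisco:down\nfw1:cisco-asa:up\n"

# Constructed reverse-DNS table standing in for `host ${HOST}` in fire-rancid.sh.
PTR = {"192.168.2.10": "core1", "192.168.2.11": "edge2", "192.168.2.12": "fw1"}


def parse_router_db(text: str) -> Dict[str, str]:
    """Return {hostname: state} for every device listed in router.db."""
    devices = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _dtype, state = line.split(":", 2)
            devices[name] = state
    return devices


def parse_config_i(message: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the who/where fields of a CONFIG_I message, or None if it is not one."""
    m = CONFIG_I.search(message)
    return m.groupdict() if m else None


def plan_run_one(log_line: str, router_db: str, group: str = "devices") -> Optional[List[str]]:
    """Return the run-one argument vector a received log line would trigger.

    log_line is "<sender-ip> <syslog message>" as OSSEC sees it on UDP/514.
    None means: not a CONFIG_I message, the sender has no PTR record (so
    fire-rancid.sh would pass an empty router name), or RANCID has the device
    marked down in router.db (rancid-run skips such devices anyway).
    """
    sender, _, message = log_line.partition(" ")
    if parse_config_i(message) is None:
        return None
    router = PTR.get(sender)
    if router is None or parse_router_db(router_db).get(router) != "up":
        return None
    return ["/home/rancid/bin/run-one", router, group]
```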
Modify the syslog configuration
# vi /etc/rc.conf
------------------------------ cut here ------------------------------
syslogd_enable="YES"
syslogd_program="/usr/sbin/syslogd"
syslogd_flags="-b 127.0.0.1"
------------------------------ cut here ------------------------------
Restart syslogd
# sh /etc/rc.d/syslogd restart
Add the ossec user in sudoers
# visudo
------------------------------ cut here ------------------------------
ossec ALL=(rancid) NOPASSWD: ALL
------------------------------ cut here ------------------------------
Start OSSEC
# vi /etc/rc.conf
------------------------------ cut here ------------------------------
ossechids_enable="YES"
ossechids_user="ossec"
ossechids_group="ossec"
------------------------------ cut here ------------------------------
# sh /usr/local/etc/rc.d/ossec-hids start