This post describes the installation and configuration of the following software on FreeBSD.

RANCID is a utility for backing-up network devices configuration.

ViewVC is a browser interface for CVS.

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

When OSSEC receives a %SYS-5-CONFIG_I syslog message from a Cisco network device, it launches RANCID which fetches the latest version of the device configuration and stores it in a CVS repository that is browsable using ViewVC.

Cisco Configuration

IOS

service timestamps log datetime msec
username rancid secret 5 xxxxxxxxxxxxxxxxxx
logging 192.168.2.2

ASA

logging enable
logging trap notifications
logging host management 192.168.2.2
username rancid password xxxxxxxxxxxxxxxxxx encrypted

RANCID

Install the software

# cd /usr/ports/ports-mgmt/portmaster
# make clean all install
# make clean
# rehash
# portmaster misc/rpl
# rehash
# portmaster -d net-mgmt/rancid
# rpl 'spawn telnet' 'spawn telnet -K' /usr/local/libexec/rancid/clogin

Apply the following patches that address some issues with lock files.

rancid-run.diff
control_rancid.diff
# cd /usr/local/libexec/rancid
# patch < rancid-run.diff
# patch < control_rancid.diff

Add the rancid user and group

# vipw
------------------------------ cut here ------------------------------
rancid:*:805:805::0:0:RANCID Sandbox:/home/rancid:/bin/tcsh
------------------------------ cut here ------------------------------

# vi /etc/group
------------------------------ cut here ------------------------------
rancid:*:805:
------------------------------ cut here ------------------------------

Prepare the RANCID environment

# mkdir /home/rancid
# mkdir /home/rancid/bin
# mkdir /home/rancid/devices
# mkdir /home/rancid/tmp

# vi /home/rancid/.tcshrc
------------------------------ cut here ------------------------------
if ( ${?prompt} ) then
   set path=(${path} /usr/local/libexec/rancid)
endif
------------------------------ cut here ------------------------------

# rpl /tmp /home/rancid/tmp /usr/local/etc/rancid/rancid.conf
# rpl 'BASEDIR=/usr/local/var/rancid' 'BASEDIR=/home/rancid' /usr/local/etc/rancid/rancid.conf

# vi /home/rancid/.cloginrc
------------------------------ cut here ------------------------------
add password   * password enable
add user       * {rancid}
add method     * ssh
add autoenable * 0
------------------------------ cut here ------------------------------

# vi /usr/local/etc/rancid/rancid.conf
------------------------------ cut here ------------------------------
LIST_OF_GROUPS="devices"
------------------------------ cut here ------------------------------

Set proper permissions and ownership

# chmod 440 /home/rancid/.cloginrc
# chown -R rancid:rancid /home/rancid/.

Initialize the CVS repository

# su - rancid
% rancid-cvs

Create the device list

# su - rancid
% vi /home/rancid/devices/router.db
------------------------------ cut here ------------------------------
device:cisco:up
------------------------------ cut here ------------------------------

Run rancid

# su - rancid
% rancid-run

Create additional scripts

% vi /home/rancid/bin/run-rancid
------------------------------ cut here ------------------------------
#!/bin/csh -f

set path=($path /usr/local/bin)

setenv HOME /home/rancid

if ( ! ${?RANCIDHOME} ) then
 setenv RANCIDHOME /usr/local/libexec/rancid
endif

if ( ! ${?HOMERANCID} ) then
 setenv HOMERANCID `dirname $0`
 setenv HOMERANCID $HOMERANCID/..
 setenv HOMERANCID `realpath $HOMERANCID`
endif

set path=(${path} ${HOMERANCID}/bin ${RANCIDHOME})
rancid-run $*
------------------------------ cut here ------------------------------

% chmod 755 /home/rancid/bin/run-rancid

% vi /home/rancid/bin/run-one
------------------------------ cut here ------------------------------
#!/bin/csh -f

set path=($path /usr/local/bin)

setenv HOME /home/rancid

if ( $#argv != 2 ) then
echo "Wrong number of arguments - usage: run-one router group"
exit 1
endif

if ( ! ${?RANCIDHOME} ) then
 setenv RANCIDHOME /usr/local/libexec/rancid
endif

if ( ! ${?HOMERANCID} ) then
 setenv HOMERANCID `dirname $0`
 setenv HOMERANCID $HOMERANCID/..
 setenv HOMERANCID `realpath $HOMERANCID`
endif

set path=(${path} ${HOMERANCID}/bin ${RANCIDHOME})
rancid-run -r $1 $2
------------------------------ cut here ------------------------------

% chmod 755 /home/rancid/bin/run-one

Create the cron jobs

%vi /home/rancid/crontab
------------------------------ cut here ------------------------------
1 1,7,13,19 * * * /home/rancid/bin/run-rancid 2>&1 | tee /home/rancid/logs/run-rancid.log >>/dev/null 2>&1
50 23 * * * find /home/rancid/logs -type f -mtime +2 -exec rm {} \;
------------------------------ cut here ------------------------------

% crontab /home/rancid/crontab

ViewVC

Install the software

# portmaster -d devel/viewvc

Modify the ViewVC configuration file

# vi /usr/local/viewvc/viewvc.conf
------------------------------ cut here ------------------------------
cvs_roots = rancid: /home/rancid/CVS
root_parents = /home/rancid : cvs
default_root = rancid
use_localtime = 1
------------------------------ cut here ------------------------------

Read the instructions on how to use ViewVC

# cat /var/db/pkg/viewvc-*/+DISPLAY
*****************************************************************
 To use ViewVC, modify the configuration file located at
 /usr/local/viewvc/viewvc.conf.

 If no webserver was selected during installation, then
 a rc script for running ViewVC standalone is installed.
 To enable the standalone ViewVC server in rc.conf use
 parameter viewvc_enable="YES".

 You can also adjust the user which runs the ViewVC standalone 
 server with the parameter "viewvc_user".

 If you want to run the ViewVC standalone server with another 
 IP/PORT, use the parameter "viewvc_flags".

 To see all available parameters, use the command
 /usr/local/viewvc/bin/standalone.py --help

 To use ViewVC with Apache or lighttpd as a CGI script,
 see the following config examples.

 Example config lines for Apache
 ===============================
 Alias /viewvc "/usr/local/viewvc/bin/cgi/"
 <Directory "/usr/local/viewvc/bin/cgi">
    AddHandler cgi-script .cgi
    Options NONE +ExecCGI
    DirectoryIndex viewvc.cgi
    Order allow,deny
    Allow from all
 </Directory>

 Example config lines for lighttpd
 =================================
 server.modules = (
   "mod_alias",
   "mod_access"
 )

 alias.url += ( "/viewvc" => "/usr/local/viewvc/bin/cgi" )

 $HTTP["url"] =~ "^/viewvc/" {
   index-file.names  = ( "viewvc.cgi" )
     cgi.assign = (
       ".cgi" => "/usr/local/bin/python",
     )
 }
*****************************************************************

OSSEC

Install the software

# portmaster -d security/ossec-hids-server
# cp /usr/local/ossec-hids/ossec.conf.sample /usr/local/ossec-hids/ossec.conf
# portmaster -d security/sudo

Create the OSSEC script

# vi /usr/local/ossec-hids/active-response/bin/fire-rancid.sh
------------------------------ cut here ------------------------------
#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:~/bin
export PATH

ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5
HOST=$6

LOCAL=`dirname $0`;
cd $LOCAL
cd ../
PWD=`pwd`

# IP Address must be provided
if [ "x${HOST}" = "x" ]; then
   echo "$0: Missing argument      (host)"
   exit 1;
fi

ROUTER=`host ${HOST} | cut -f5 -d' '`

# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6 ${ROUTER}" >> ${PWD}/../logs/active-responses.log

sudo -u rancid /home/rancid/bin/run-one ${ROUTER} devices 2>&1 | tee /home/rancid/logs/run-one-${ROUTER}.log >>/dev/null 2>&1

exit 1;
------------------------------ cut here ------------------------------

% chmod 755 /usr/local/ossec-hids/active-response/bin/fire-rancid.sh
  • Modify the OSSEC configuration file

Adjust the parameters in the global section.

Replace the remote section and adjust the parameters.

Comment out the cisco-ios-rules.xml line.

# rpl /var/ossec /usr/local/ossec-hids /usr/local/ossec-hids/etc/ossec.conf
# vi /usr/local/ossec-hids/etc/ossec.conf
  <!-- <include>cisco-ios_rules.xml</include> -->

  <!-- <remote>
    <connection>secure</connection>
  </remote> -->

  <remote>
    <connection>syslog</connection>
    <allowed-ips>0.0.0.0/0</allowed-ips>
    <local_ip>192.168.2.2</local_ip>
  </remote>

  <command>
    <name>fire-rancid</name>
    <executable>fire-rancid.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <!-- %SYS-5-CONFIG_I response. Fire rancid.
      -->
    <command>fire-rancid</command>
    <location>local</location>
    <!--
    <rules_id>4340,100002</rules_id>
      -->
    <rules_id>104340,100002</rules_id>
  </active-response>

Create local rules

# vi /home/ossec-hids/rules/local_rules.xml
  <rule id=”100002” level=”5”>
    <match>%SYS-5-CONFIG_I</match>
    <description>Configuration change detected.</description>
  </rule>

  <rule id=”104340” level=”8”>
    <if_sid>4340</if_sid>
    <options>no_email_alert</options>
  </rule>

Modify the syslog configuration

# vi /etc/rc.conf
------------------------------ cut here ------------------------------
syslogd_enable="YES"
syslogd_program="/usr/sbin/syslogd"
syslogd_flags="-b 127.0.0.1"
------------------------------ cut here ------------------------------

Restart syslogd

# sh /etc/rc.d/syslogd restart

Add the ossec user in sudoers

# visudo
------------------------------ cut here ------------------------------
ossec  ALL=(rancid) NOPASSWD: ALL
------------------------------ cut here ------------------------------

Start OSSEC

# vi /etc/rc.conf
------------------------------ cut here ------------------------------
ossechids_enable=”YES”
ossechids_user=”ossec”
ossechids_group=”ossec”
------------------------------ cut here ------------------------------

# sh /usr/local/etc/rc.d/ossec-hids start

Leave a reply

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> 

required