This is a direct derivative of the excellent work done by Terence Kent firstname.lastname@example.org for xetusoss/ossec-server. The primary changes are porting to CentOS 6 and adding support for ossec-wui (Web frontend for viewing ossec-hids data).
An ossec-server image with the ability to separate the ossec configuration/data from the container. This image is designed to be as turnkey as possible, supporting out of the box:
- Automatic enrollment for agents, using ossec-authd
- Syslog forwarding support for the ossec server messages (requires syslog server)
- SMTP notifications (requires no-auth SMTP server)
- Web frontend via Apache and ossec-wui
The following directories are externalized under
/var/ossec/data to allow the container to be replaced without configuration or data loss:
queue. In addition to those directories, the
bin/.process_list file is symlinked to
process_list in the data volume.
To get an up and running ossec server that supports auto-enrollment, has a web frontend, and sends HIDS notifications a SYSLOG server, use.
docker run --name ossec-server -d -p 1514:1514/udp -p 1515:1515 -p 443:443/tcp \ -e SYSLOG_FORWADING_ENABLED=true -e SYSLOG_FORWARDING_SERVER_IP=X.X.X.X \ -e WEB_ENABLED=true -e WEB_USER=admin -e WEB_PASSWORD=supersecure \ -v /somepath/ossec_mnt:/var/ossec/data delder/ossec-server
Once the system starts up, you can execute the standard ossec commands using docker. For example, to list active agents.
docker exec -ti ossec-server /var/ossec/bin/list_agents -a
Available Configuration Parameters
- AUTO_ENROLLMENT_ENABLED: Specifies whether or not to enable auto-enrollment via ossec-authd. Defaults to
- AUTHD_OPTIONS: Options to passed ossec-authd, other than -p and -g. Defaults to empty;
- SMTP_ENABLED: Whether or not to enable SMTP notifications. Defaults to
trueif ALERTS_TO_EMAIL is specified, otherwise
- SMTP_RELAY_HOST: The relay host for SMTP messages, required for SMTP notifications. This host must support non-authenticated SMTP (see this thread). No default.
- ALERTS_FROM_EMAIL: The email address the alerts should come from. Defaults to
- ALERTS_TO_EMAIL: The destination email address for SMTP notifications, required for SMTP notifications. No default.
- SYSLOG_FORWADING_ENABLED: Specify whether syslog forwarding is enabled or not. Defaults to
- SYSLOG_FORWARDING_SERVER_IP: The IP for the syslog server to send messagse to, required for syslog fowarding. No default.
- SYSLOG_FORWARDING_SERVER_PORT: The destination port for syslog messages. Default is
- SYSLOG_FORWARDING_FORMAT: The syslog message format to use. Default is
- WEB_ENABLED: Whether to turn on Apache to enable access to ossec-wui at https://hostname/ossec/
- WEB_USER: Username to set for htaccess to ossec-wui (defaults to admin if not set)
- WEB_PASSWORD: Password to set for WEB_USER access to ossec-wui (defaults to admin if not set)
Please note: All the SMTP, SYSLOG, and WEB configuration variables are only applicable to the first time setup. Once the container's data volume has been initialized, all the configuration options for OSSEC can be changed.
Known Issues / Warnings
A default localhost agent is added
On first launch, the ossec server will not start up properly and bind to port 1514, unless at least one agent to be present in the client.keys file. To avoid that issue, a local agent is setup by default. See this bug with OSSEC.