An ossec-server image with the ability to separate the ossec configuration/data from the container, meaning easy container replacements. This image is designed to be as turn key as possible, supporting out of the box:
- Automatic enrollment for agents, using ossec-authd
- Remote syslog forwarding for the ossec server messages
- SMTP notifications (requires no-auth SMTP server)
The following directories are externalized under /var/ossec/data which allow the container to be replaced without configuration or data loss: logs, etc, stats,rules, and queue. In addition to those directories, the bin/.process_list file is symlink'ed to process_list in the data volume.
To get an up and running ossec server that supports auto-enrollment and sends HIDS notifications a syslog server, use.
docker run --name ossec-server -d -p 1514:1514/udp -p 1515:1515\
-e SYSLOG_FORWADING_ENABLED=true -e SYSLOG_FORWARDING_SERVER_IP=X.X.X.X\
-v /somepath/ossec_mnt:/var/ossec/data xetusoss/ossec-server
Once the system starts up, you can execute the standard ossec commands using docker. For example, to list active agents.
docker exec -ti ossec-server /var/ossec/bin/list_agents -a
- AUTO_ENROLLMENT_ENABLED: Specifies whether or not to enable auto-enrollment via ossec-authd. Defaults to
true; - AUTHD_OPTIONS: Options to passed ossec-authd, other than -p and -g. Defaults to empty;
- SMTP_ENABLED: Whether or not to enable SMTP notifications. Defaults to
trueif ALERTS_TO_EMAIL is specified, otherwisefalse - SMTP_RELAY_HOST: The relay host for SMTP messages, required for SMTP notifications. This host must support non-authenticated SMTP (see this thread). No default.
- ALERTS_FROM_EMAIL: The email address the alerts should come from. Defaults to
ossec@$HOSTNAME. - ALERTS_TO_EMAIL: The destination email address for SMTP notifications, required for SMTP notifications. No default.
- SYSLOG_FORWADING_ENABLED: Specify whether syslog forwarding is enabled or not. Defaults to
false. - SYSLOG_FORWARDING_SERVER_IP: The IP for the syslog server to send messagse to, required for syslog fowarding. No default.
- SYSLOG_FORWARDING_SERVER_PORT: The destination port for syslog messages. Default is
514. - SYSLOG_FORWARDING_FORMAT: The syslog message format to use. Default is
default.
Please note: All the SMTP and SYSLOG configuration variables are only applicable to the first time setup. Once the container's data volume has been initialized, all the configuration options for OSSEC can be changed.
Since this is a docker container, ossec-execd really isn't a great idea anyway. Having a log server, such as graylog, react based on log entries is the recommended approach.
On first launch, the ossec server will not start up properly and bind to port 1514, unless at least one agent to be present in the client.keys file. To avoid that issue, a local agent is setup by default. See this bug with OSSEC.
The osxfs integration used for volume binding on Mac OS X causes an issue resolving symlinks in the container. To work around this issue, just don't bind /var/ossec/data to a host directory. Instead, use a regular docker volume and execute a shell in the container to inspect the data. All the typical docker volume management tricks apply, of course.
# To start the container on OS X
docker run --name ossec-server -d -p 1514:1514/udp -p 1515:1515\
-e SYSLOG_FORWADING_ENABLED=true -e SYSLOG_FORWARDING_SERVER_IP=X.X.X.X\
-v /var/ossec/data xetusoss/ossec-server
Since this image has become the de-facto standard for OSSEC on docker hub, I wanted to be very clear that we intend to maintain this image with the interest of the community in mind. If you have issues, please file them. If you have made changes you'd like to see included, pull requests are welcome!