aws autoscaling AMI with OSSEC installed
So we've created an Auto Scaling group with an AMI of our own. That AMI has a server and an automated OSSEC service that reports to a Slack channel. The thing is that when a new instance is launched, OSSEC sends a lot of alerts because the file signatures are different, and that is OK because when a new instance is launched it recreates the AMI in new volumes.
Now, how can I have OSSEC installed in those AMIs but, when I launch a new instance, not get all the alerts about changed files?
I tried restarting the OSSEC service when a new instance is launched, but it had the same behavior: OSSEC sends alerts that all the files were changed.
Solution 1:[1]
Since your OSSEC agent is included in your AMI, I don't think it is possible to stop these alerts on the first boot, because, as you said, it is simply what OSSEC does when it recognizes any change. So I would suggest not including the OSSEC agent in the image but instead installing it using user data whenever the Auto Scaling group creates a new instance. This may add extra time to boot the instances, but it may fix your problem.
Solution 2:[2]
I have been working to implement OSSEC in our golden AMIs in AWS over the last few days, and this has been a huge pain due to the alarms about file changes which are generated every time an EC2 instance is created.
There are two big points here:
- An EC2 instance is created using cloud-init. I had to create a new systemd template for the OSSEC service so that it starts after cloud-final.service:
```ini
[Unit]
Description=OSSEC
# Start only after cloud-init's final stage, so the changes it makes on
# first boot are already on disk when syscheck builds its baseline.
After=network.target cloud-final.service
After=multi-user.target

[Service]
# ossec-control daemonizes the OSSEC processes, hence Type=forking
Type=forking
ExecStart=/var/ossec/bin/ossec-control start
ExecStop=/var/ossec/bin/ossec-control stop
ExecReload=/var/ossec/bin/ossec-control restart
Restart=always

[Install]
WantedBy=multi-user.target
```
- OSSEC works using queues. You have to ensure that, at the moment you generate the AMI, the OSSEC service is stopped and the following directories are cleaned:
- /var/ossec/queue/diff/local/*
- /var/ossec/queue/syscheck/*
- /var/ossec/logs/alerts/*
It took a big effort to achieve that, so I hope my answer in this post will be helpful in the future.
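As an added example (not code from either answer), the following script ties the two points of Solution 2 together into a bake-time step: it stops the agent, empties the three state directories listed above while leaving the directories themselves in place, reports how many entries are left so the build can fail if the image is not clean, and installs a systemd drop-in that orders the agent after cloud-final.service instead of replacing the whole unit. It assumes the default OSSEC root /var/ossec and a unit named ossec.service; both are assumptions, not something the answer states.

```shell
#!/bin/sh
# Added example: bake-time cleanup for an OSSEC-equipped golden AMI.
# Assumptions (not from the original post): OSSEC root is /var/ossec and
# the agent's systemd unit is called ossec.service.

# clean_ossec_state ROOT: stop the agent if its control script exists,
# then empty the state directories named in the answer above, keeping
# the directories themselves (and their ownership) intact.
clean_ossec_state() {
    root="${1:-/var/ossec}"
    if [ -x "$root/bin/ossec-control" ]; then
        "$root/bin/ossec-control" stop
    fi
    for d in "$root/queue/diff/local" "$root/queue/syscheck" "$root/logs/alerts"; do
        [ -d "$d" ] || continue
        # -mindepth 1 removes everything below $d but not $d itself
        find "$d" -mindepth 1 -delete
    done
}

# count_ossec_state ROOT: number of entries left under the state
# directories; 0 means the image is clean. Use it as a pre-snapshot check.
count_ossec_state() {
    root="${1:-/var/ossec}"
    n=0
    for d in "$root/queue/diff/local" "$root/queue/syscheck" "$root/logs/alerts"; do
        [ -d "$d" ] || continue
        c=$(find "$d" -mindepth 1 | wc -l)
        n=$((n + c))
    done
    echo "$n"
}

# write_ossec_dropin UNIT_DIR: rather than shipping a replacement unit,
# add a drop-in that orders ossec.service after cloud-final.service,
# the same ordering the answer above achieves with its own unit file.
# Prints the path of the file it wrote.
write_ossec_dropin() {
    unit_dir="${1:-/etc/systemd/system}"
    mkdir -p "$unit_dir/ossec.service.d"
    cat > "$unit_dir/ossec.service.d/10-after-cloud-init.conf" <<'EOF'
[Unit]
After=cloud-final.service
EOF
    echo "$unit_dir/ossec.service.d/10-after-cloud-init.conf"
}

# Usage at the end of the image build (as root), right before snapshotting:
#   sh ossec-bake.sh /var/ossec /etc/systemd/system
if [ $# -ge 1 ]; then
    write_ossec_dropin "${2:-/etc/systemd/system}" >/dev/null
    clean_ossec_state "$1"
    echo "leftover OSSEC state entries: $(count_ossec_state "$1")"
fi
```

After writing the drop-in, run `systemctl daemon-reload` on the build host before snapshotting; the count printed at the end should be 0, and a build pipeline can turn a non-zero value into a failed bake rather than discovering the noise when the first instance joins the Auto Scaling group.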
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Asri Badlah |
| Solution 2 | Daniel Majano |
