Project

General

Profile

Support #559

Updated by Daniel Curtis almost 10 years ago

{{>toc}} 

 This is an adaptation from a guide on raymii.org for installing OSSEC on Ubuntu (he/she does great work) adjusted to install on FreeBSD.  

 OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. It also includes agentless monitoring for use with for example Cisco, HP or Juniper hardware. 

 This tutorial covers the installation of the OSSEC 2.8.0 server, the standard OSSEC Web UI and the Analogi dashboard on FreeBSD 9.2-RELEASE. It also covers OSSEC setup with MySQL support. Last but not least it shows you how to install the OSSEC agent on a *NIX system. 

 h1. Pre-requisites 

 * Update the system and ports tree: 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 * Install portupgrade 
 <pre> 
 pkg install portupgrade 
 </pre> 

 h1. Install OSSEC  

 * Install ossec-hids-server from ports: 
 <pre> 
 portupgrade -Np ossec-hids-server 
 </pre> 
 *NOTE*: Make sure to enable @[X]MYSQL@ 

 h2. Configure OSSEC 

 * Enable OSSEC service to start at boot: 
 <pre> 
 echo 'ossechids_enable="YES"' >> /etc/rc.conf 
 </pre> 

 h3. Configure mail settings 
 * Now let’s configure the server the configuration. I modified the file to contain the following: 
 <pre> 
   <global> 
     <email_notification>yes</email_notification> 
     <email_to>admin@example.com</email_to> <email_to>elatov@moxz.local.com</email_to> 
     <smtp_server>smtp.example.com</smtp_server> <smtp_server>127.0.0.1</smtp_server> 
     <email_from>ossec@example.com</email_from> <email_from>ossecm@local.com</email_from> 
   </global> 

  <rootcheck> 
     <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files> 
     <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans> 
   </rootcheck> 
 </pre> 

 h3. Configure syscheck 

 * Edit I also cleaned up the OSSEC config file: 
 <pre> 
 vi /usr/local/ossec-hids/etc/ossec.conf 
 </pre> 

 * Adjust the syscheck Interval - syscheck is OSSEC's integrity checking process and we can tell syscheck how often to scan and checksum the filesystem for evidence of unauthorized changes: 
 <pre> 
 <syscheck> 
     <!-- Frequency that syscheck is executed -- default every 20 hours --> 
     <frequency>17200</frequency> 
 </pre> 

 h3. Specify Directories to Monitor 

 * Add/modify the directories to be monitored by OSSEC: 
 <pre> 
 <!-- Directories to check    (perform all possible verifications) --> 
     <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories> 
     <directories report_changes="yes" check_all="yes">/bin,/sbin</directories> 
     <directories report_changes="yes" check_all="yes">/usr/local/etc,/usr/local/bin,/usr/local/sbin</directories> 
     <directories report_changes="yes" check_all="yes">/home/,/usr/local/home,/usr/local/www</directories> 
 </pre> 

 h3. Specify Files or Directories to be Ignored 

 * Add/modify the directories to be ignored by OSSEC: 
 <pre> 
 <!-- Files/directories to ignore --> 
     <ignore>/etc/mtab</ignore> 
     <ignore>/etc/hosts.deny</ignore> 
     <ignore>/etc/mail/statistics</ignore> 
     <ignore>/etc/random-seed</ignore> 
     <ignore>/etc/adjtime</ignore> 
     <ignore>/etc/httpd/logs</ignore> 
     <ignore>/etc/dumpdates</ignore> 
     <ignore>/usr/local/ossec-hids/logs</ignore> 
     <ignore>/usr/local/ossec-hids/queue</ignore> 
     <ignore>/usr/local/ossec-hids/var</ignore> 
     <ignore>/usr/local/ossec-hids/tmp</ignore> 
     <ignore>/usr/local/ossec-hids/stats</ignore> 
 </pre> 

 h3. Configure Rootcheck 

 * The next stop in ossec.conf is the rootcheck section. Rootcheck is a component of OSSEC which scans the system for rootkits. Modify the localfile section to match the following: 
 <> 
 <rootcheck> 
     <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files> 
     <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans> 
 </rootcheck> 
 That is all you need to change in ossec.conf - for now. Save and close it; we'll come back to it later. To make sure everything was set correctly, try restarting OSSEC. 

 sudo /usr/local/ossec-hids/bin/ossec-control restart 
 The restart should be successful. If it returns a configuration error, double check your entries for Steps 4 and 5. 

 Step 6 - Specify Log Files to be Monitored 
 A default installation of OSSEC is configured to monitor removed any log files whose locations are specific to a Linux system. On FreeBSD 10.1, some of those files have a slightly different name though they are still located in the same /var/log directory. 

 If you look in OSSEC's log file (/var/log/ossec-hids/logs/ossec.log), you'll see entries like these: 

 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages' 
 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/authlog' 
 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/secure' 
 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/xferlog' 
 An entry that contains ERROR: Unable to open file indicates a file that OSSEC could not find because it does not exist, or possibly the permissions are wrong. Verify which is the case didn’t exist on your system before drawing a conclusion. 

 Here is how can you determine the location of system. I ended up just having the log files OSSEC should monitor on FreeBSD 10.1. We'll use lsof to list open files which the system is using during runtime. lsof is not installed by default, so first install it: 

 sudo pkg install lsof following: 
 Then to run the log file check, use the following command: 

 lsof | grep log | grep -v ".so" | egrep -v "ossec|proc|dev|run" 
 All that command is doing is fishing for all open files, keeping log files that are of interest to us and jettisoning the rest. We definitely don't want to monitor files in OSSEC's installation directory, or in /proc, /dev or /var/run. You should get an output that contains a listing of log files. The following code block shows part of the output on the test system used for this tutorial: 

 syslogd    ...    root    ...    /var/log/messages 
 syslogd    ...    root    ...    /var/log/security 
 syslogd    ...    root    ...    /var/log/auth.log 
 syslogd    ...    root    ...    /var/log/maillog 
 syslogd    ...    root    ...    /var/log/lpd-errs 
 If you compare the names in that output with those in the output of OSSEC's log file, it's easy to see that /var/log/auth.log is the same as /var/log/authlog and /var/log/security is FreeBSD's equivalent of /var/log/secure. 

 Now open ossec.conf again and modify the names of the log files to match the names used in FreeBSD 10.1. 

 sudo nano /usr/local/ossec-hids/etc/ossec.conf 
 The code block below shows an example of what the modified lines should be. You will want to add log locations for the specific services you've installed and are running on the server; services like Nginx, Apache, etc. 

 <!-- Files to monitor (localfiles) --> 

 <pre> 
   <localfile> 

   
     <log_format>syslog</log_format> 
     <location>/var/log/auth.log</location> 
   </localfile> 

   <localfile> 
     <log_format>syslog</log_format> 
     <location>/var/log/security</location> <location>/var/log/xferlog</location> 
   </localfile> 
 Adding Log File Entries with util.sh 
 If long after you've installed OSSEC you have a log file in a custom directory that you wish to monitor, you can use OSSEC's util.sh command to add it or open ossec.conf with nano and add it manually. 

 For example, if you installed Nginx and its access and error log files are in the /var/log/nginx directory, you may add them to ossec.conf by using util.sh like so: 

 /usr/local/ossec-hids/bin/util.sh addfile /var/log/nginx/access.log 
 /usr/local/ossec-hids/bin/util.sh addfile /var/log/nginx/error.log 
 Note: If you run those two commands as they're presented and you don't have Nginx installed, you'll get an error saying the log files don't exist. 

 At this point, we have one last change to make in ossec.conf, so leave the file open as you move on the next step. 

 Step 7 - Alert on New Files 
 By default, OSSEC does not alert when new files are created in the system so we will change that behavior. There are two components to this change. 

 Set syscheck 
 Scroll back up to the syscheck area os of ossec.conf and add an alertnewfiles line just under the frequency check interval. 

 The result should read: 

 <syscheck> 

   <localfile> 
     <!-- Frequency that syscheck is executed -- default every 20 hours --> <log_format>syslog</log_format> 
     <frequency>17200</frequency> 

     <alert_new_files>yes</alert_new_files> <location>/var/log/maillog</location> 
   </localfile> 
 Now you can save and close ossec.conf. We're finished with it. </pre> 

 Modify * Started the Rule's Classification Level 
 Although we've told syscheck to watch for newly created files, OSSEC won't actually notify us about them yet. For that we need to modify a default OSSEC rule. 

 Open ossec_rules.xml in nano. 

 sudo nano /usr/local/ossec-hids/rules/ossec_rules.xml service: 
 The rule that fires when a file is added to a monitored directory is rule 554. Here's what it looks like: 

 <rule id="554" level="0"> <pre> 
 <category>ossec</category> service ossec-hids start 
 <decoded_as>syscheck_new_entry</decoded_as> 
 <description>File added to the system.</description> 
 <group>syscheck,</group> 
 </rule> 
 OSSEC does not send an alert if a rule has a level set to 0, so you have to copy that rule to local_rules.xml and modify it so that it will trigger an alert. You can use a mouse or touchpad to highlight the rule in nano, copy and temporarily paste it into a text editor on your host machine. </pre> 

 Now open local_rules.xml This is where all user-modified OSSEC rules should go; you should not make changes to ossec_rules.xml. 

 sudo nano /usr/local/ossec-hids/rules/local_rules.xml 
 Use CONTROL+SHIFT+V to paste the rule from your host machine's text editor into nano. Make sure you paste it within the group tags. We'll change the notification level to 7 and tell OSSEC that this rule overwrites rule 554 from ossec_rules.xml. 

 When done, the end of your local_rules.xml file should look like below. The first line is all that was changed from the original rule. 

 <rule id="554" level="7" overwrite="yes"> 
     <category>ossec</category> 
     <decoded_as>syscheck_new_entry</decoded_as> 
     <description>File added to the system.</description> 
     <group>syscheck,</group> 
 </rule> 


 </group> <!-- SYSLOG,LOCAL --> 


 <!-- EOF --> 
 When all is done, save and close the file, then restart OSSEC by typing: 

 sudo /usr/local/ossec-hids/bin/ossec-control restart 

 --- 

 h1. Nginx – Installation and Configuration 

 * Install Nginx 
 <pre> 
 pkg install nginx 
 </pre> 

 * Start and enable nginx to start at boot: 
 <pre> 
 echo 'nginx_enable="YES"' >> /etc/rc.conf 
 service nginx start 
 </pre> 

 h2. PHP – Installation and Configuration 

 * Install PHP5 and other required packages: 
 <pre> 
 portupgrade -Np php5 
 portupgrade -Np php5-mysql 
 portupgrade -Np php5-curl 
 portupgrade -Np php5-gd 
 portupgrade -Np pecl-intl 
 portupgrade -Np pear 
 portupgrade -Np pecl-imagick 
 portupgrade -Np php5-imap 
 portupgrade -Np php5-mcrypt 
 portupgrade -Np pecl-memcached 
 portupgrade -Np ming 
 portupgrade -Np pecl-ps 
 portupgrade -Np php5-pspell 
 portupgrade -Np php5-recode 
 portupgrade -Np php5-snmp 
 portupgrade -Np php5-sqlite3 
 portupgrade -Np php5-tidy 
 portupgrade -Np php5-xmlrpc 
 portupgrade -Np php5-xsl 
 </pre> 

 * Configure the default PHP settings 
 <pre> 
 cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini 
 </pre> 

 h3. Configure PHP-FPM 

 * Edit @/usr/local/etc/php-fpm.conf@: 
 <pre> 
 vi /usr/local/etc/php-fpm.conf 
 </pre> 
 #* Make the following changes: 
 <pre> 
 events.mechanism = kqueue 
 listen = /var/run/php-fpm.sock 
 listen.owner = www 
 listen.group = www 
 listen.mode = 0666 
 </pre> 

 * Enable PHP-FPM to start at boot: 
 <pre> 
 echo 'php_fpm_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Start PHP-FPM: 
 <pre> 
 service php-fpm start 
 </pre> 

 h3. Configure Nginx to use PHP-FPM: 

 * Create a directory for a OSSEC Web UI: 
 <pre> 
 mkdir /usr/local/www/ossec.example.com 
 </pre> 

 * Edit @/usr/local/etc/nginx/nginx.conf@: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* Add the following inside the @server{ }@ block: 
 <pre> 
 http { 
 ... 
   server { 
     listen         80; 
     server_name    localhost; 
     root           /usr/local/www/ossec.example.com; 
     access_log     /var/log/ossec.example.com-access.log; 
     error_log      /var/log/ossec.example.com-error.log 

     location / { 
         index    index.php index.html index.htm; 
     } 

     # For all PHP requests, pass them on to PHP-FPM via FastCGI 
     location ~ \.php$ { 
        fastcgi_pass unix:/var/run/php-fpm.sock; 
        fastcgi_param SCRIPT_FILENAME /usr/local/www/ossec.example.com$fastcgi_script_name; 
        fastcgi_param PATH_INFO $fastcgi_script_name; 
        include fastcgi_params; # include extra FCGI params 
     } 
   ... 
   } 
 ... 
 } 
 </pre> 

 The PHP support in FreeBSD is extremely modular so the base install is very limited. It is very easy to add support using the _lang/php5-extensions_ port. This port provides a menu driven interface to PHP extension installation. Alternatively, individual extensions can be installed using the appropriate port. 

 * Restart nginx: 
 <pre> 
 service nginx restart 
 </pre> 

 --- 

 h1. MariaDB – Installation and Configuration 

 * Install MariaDB 5.5 server and client 
 <pre> 
 pkg install mariadb55-{server,client} 
 </pre> 

 h2. Configure MariaDB server 

 * Configure the MariaDB server 
 <pre> 
 cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf 
 </pre> 

 * Enable MariaDB to start at boot: 
 <pre> 
 echo 'mysql_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Start MariaDB 
 <pre> 
 service mysql-server start 
 </pre> 

 * Set password for mysql using the following command 
 <pre> 
 mysqladmin -uroot password 
 </pre>  

 * Restart mysql using the following commands: 
 <pre> 
 service mysql-server restart 
 </pre> 

 h2. Install and configure phpMyAdmin 

 * Install phpmyadmin: 
 <pre> 
 pkg install phpmyadmin 
 </pre> 

 * Setup phpMyAdmin for nginx by adding the following to the @server{ }@ block in @nginx.conf@: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And add/modify the following: 
 <pre> 
 ## phpMyAdmin 
 location ^~ /phpmyadmin { 
   access_log    off; 
   rewrite ^    /phpMyAdmin/ permanent; 
 } 
 
 location /phpMyAdmin { 
   root /usr/local/www/phpMyAdmin; 
   index index.php index.html; 

   ## Only Allow connections from localhost 
   allow 127.0.0.1; 
   deny all; 

   location ~ ^/phpMyAdmin/(.*\.php)$ { 
     root /usr/local/www/phpMyAdmin; 
     fastcgi_pass unix:/var/run/php-fpm.sock; 
     fastcgi_param SCRIPT_FILENAME /usr/local/www/phpMyAdmin$fastcgi_script_name; 
     fastcgi_param PATH_INFO $fastcgi_script_name; 
     include fastcgi_params; # include extra FCGI params 
   } 
 } 
 </pre> 

 Now its time to configure phpMyAdmin. Do this by creating the file @/usr/local/www/phpMyAdmin/config.inc.php@, the basic configuration file for phpMyAdmin. Traditionally, users have manually created or modified @/usr/local/www/phpMyAdmin/config.inc.php@, but now phpMyAdmin includes a nice setup script, making it much easier to create this file with the settings you want.  

 * Start by creating the directory /usr/local/www/phpMyAdmin/config and make it writable by the phpMyAdmin setup script: 
 <pre> 
 mkdir /usr/local/www/phpMyAdmin/config 
 chmod o+w /usr/local/www/phpMyAdmin/config 
 </pre> 

 * Then make @/usr/local/www/phpMyAdmin/config.inc.php@ readable by the phpMyAdmin setup script: 
 <pre> 
 chmod o+r /usr/local/www/phpMyAdmin/config.inc.php 
 </pre> 

 * Now open your web browser and navigate to http://ossec.example.com/phpmyadmin/setup where you will see the phpMyAdmin setup _Overview_ page.  

 * Select *New Server* and then select the *Authentication* tab.  
 *# Under the *Authentication type* choose +http+ from the drop-down list (using HTTP-Auth to sign-in into phpMyAdmin will avoid storing login/password credentials directly in config.inc.php) 
 *# And remove +root+ from the *User for config auth*. 

 * Now select *Apply* and you will be returned you to the Overview page where you should see a new server listed.  

 * Select *Save* again in the Overview page to save your configuration as @/usr/local/www/phpMyAdmin/config/config.inc.php@.  

 * Now let’s move that file up one directory to @/usr/local/www/phpMyAdmin@ where phpMyAdmin can make use of it. 
 <pre> 
 mv /usr/local/www/phpMyAdmin/config/config.inc.php /usr/local/www/phpMyAdmin   
 </pre>  

 * Now let’s try out phpMyAdmin to make sure it works. Point your web browser to http://www.example.com/phpmyadmin where you will be presented with a pop-up box requesting you to log in.  
 Use “root” and the MySQL password you set up previously, then you should be directed to the phpMyAdmin administration page.  

 * We no longer need the /usr/local/www/phpMyAdmin/config directory so let’s remove it, and the read permission we added previously to /usr/local/www/phpMyAdmin/config.inc.php: 
 <pre> 
 rm -r /usr/local/www/phpMyAdmin/config 
 chmod o-r /usr/local/www/phpMyAdmin/config.inc.php 
 </pre> 

 * And wrap up by restarting the nginx and MySQL servers: 
 <pre> 
 service nginx restart 
 service mysql-server restart 
 </pre> 

 Create a user and database for OSSEC. Open a MySQL shell: 
 <pre> 
 mysql -u root -p 
 </pre> 
 #* And run the following to create the *ossec* database with the *ossec_u* user 
 <pre> 
 create database ossec; 

 grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec_u; 

 set password for ossec_u = PASSWORD('Passw0rd'); 

 flush privileges; 

 quit; 
 </pre> 

 The database also needs a schema. OSSEC provides the schema, it is located in the extracted OSSEC folder, src/os_dbd. 

 Import it into MySQL: 

 mysql -u root -p ossec < src/os_dbd/mysql.schema 
 OSSEC MySQL configuration 
 We have to add the database config to /var/ossec/etc/ossec.conf: 

 <ossec_config> 
     <database_output> 
         <hostname>127.0.0.1</hostname> 
         <username>ossec_u</username> 
         <password>Passw0rd</password> 
         <database>ossec</database> 
         <type>mysql</type> 
     </database_output> 
 </ossec_config> 
 Change type mysql to type postgresql for the PostgreSQL database. 

 Save it, then enable the database in OSSEC: 

 /var/ossec/bin/ossec-control enable database 
 /var/ossec/bin/ossec-control restart  
 Installing OSSEC Web UI 
 OSSEC Web UI 

 This is also quite simple. Because we've already set up Apache and PHP, we can just download the web UI and extract to /var/www/html: 

 wget http://www.ossec.net/files/ossec-wui-0.8.tar.gz 
 tar -xf ossec-wui-0.8.tar.gz 
 mkdir -p /var/www/html/ossec/tmp/ 
 mv ossec-wui-0.8/* /var/www/html/ossec/ 
 chown www-data:www-data /var/www/html/ossec/tmp/ 
 chmod 666 /var/www/html/ossec/tmp 
 Make sure the www-data user can access the ossec folder: 

 usermod -a -G ossec www-data 
 We use version 0.8 of Web UI because there are a lot of errors (like broken search) in the stable 0.3 version. We also set the correct permissions on the tmp/ folder. Afterwards the web ui is visible at http://hostname/ossec/. 

 Installing Analogi Web Dashboard 
 OSSEC Analogi dashboard 

 This tutorial was tested on a DigitalOcean VPS. If you use this link you sponsor this website. (referral link) 

 The Analogi dashboard is a nice and informative dashboard around OSSEC, which provides more visual information then the standard Web UI. The standard Web UI has better search functions, the Dashboard can be used for example on a Wall Mounted monitor and such. 

 Installation consists out of cloning the git repo and editing the settings file: 

 cd /var/www/html/ 
 git clone https://github.com/ECSC/analogi.git 
 cp analogi/db_ossec.php.new analogi/db_ossec.php 
 vim analogi/db_ossec.php         
 Edit the relevant settings for the MySQL database configuration: 

 define ('DB_USER_O', 'ossec_u'); 
 define ('DB_PASSWORD_O', 'Passw0rd'); 
 define ('DB_HOST_O', '127.0.0.1'); 
 define ('DB_NAME_O', 'ossec'); 
 When correctly configured the Analogi webinterface can be found at http://hostname/analogi/. 

 The OSSEC server is now correctly set up. 

 Client installation 
 Download and verify the OSSEC 2.8 .tar.gz file as described above. Don't forget to install the development packages. This time, do an agent installation. See the output below: 

 # ./install.sh  

   ** Para instalao em portugus, escolha [br]. 
   ** ,    [cn]. 
   ** Fur eine deutsche Installation wohlen Sie [de]. 
   **      ,    [el]. 
   ** For installation in English, choose [en]. 
   ** Para instalar en Espaol , eliga [es]. 
   ** Pour une installation en franais, choisissez [fr] 
   ** A Magyar nyelv teleptshez vlassza [hu]. 
   ** Per l'installazione in Italiano, scegli [it]. 
   ** [jp]. 
   ** Voor installatie in het Nederlands, kies [nl]. 
   ** Aby instalowa w jzyku Polskim, wybierz [pl]. 
   **         , [ru]. 
   ** Za instalaciju na srpskom, izaberi [sr]. 
   ** Trke kurulum iin sein [tr]. 
   (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:  


  OSSEC HIDS v2.8 Installation Script - http://www.ossec.net 

  You are about to start the installation process of the OSSEC HIDS. 
  You must have a C compiler pre-installed in your system. 
  If you have any questions or comments, please send an e-mail 
  to dcid@ossec.net (or daniel.cid@gmail.com). 

   - System: Linux ossec-client 3.13.0-24-generic 
   - User: root 
   - Host: ossec-client 


   -- Press ENTER to continue or Ctrl-C to abort. -- 


 1- What kind of installation do you want (server, agent, local, hybrid or help)? agent 

   - Agent(client) installation chosen. 

 2- Setting up the installation environment. 

  - Choose where to install the OSSEC HIDS [/var/ossec]:  

     - Installation will be made at    /var/ossec . 

 3- Configuring the OSSEC HIDS. 

   3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 1.2.3.4 

    - Adding Server IP 1.2.3.4 

   3.2- Do you want to run the integrity check daemon? (y/n) [y]:  

    - Running syscheck (integrity check daemon). 

   3.3- Do you want to run the rootkit detection engine? (y/n) [y]:  

    - Running rootcheck (rootkit detection). 

   3.4 - Do you want to enable active response? (y/n) [y]:  


   3.5- Setting the configuration to analyze the following logs: 
     -- /var/log/auth.log 
     -- /var/log/syslog 
     -- /var/log/dpkg.log 

  - If you want to monitor any other file, just change  
    the ossec.conf and add a new localfile entry. 
    Any questions about the configuration can be answered 
    by visiting us online at http://www.ossec.net . 


    --- Press ENTER to continue --- 


     5- Installing the system 
      - Running the Makefile 
     INFO: Little endian set. 

      *** Making zlib (by Jean-loup Gailly and Mark Adler)    ***  

     [...] 

      *** Making cJSON (by Dave Gamble)    ***  

     [...] 

      *** Making Lua 5.2 (by team at PUC-Rio in Brazi)    ***  

      [...] 

      *** Making os_xml ***  

     [...] 

      *** Making os_regex ***  

     [...] 

      *** Making os_net ***  

     [...] 

      *** Making os_crypto ***  

     [...] 

      *** Making shared ***  

     [...] 

      *** Making config ***  

     [...] 

      *** Making os_maild ***  

     [...] 

      *** Making os_dbd ***  

     [...] 

      *** Making os_csyslogd ***  

     [...] 

      *** Making agentlessd ***  

     [...] 

      *** Making os_execd ***  

     [...] 

      *** Making analysisd ***  

     [...] 

      *** Making logcollector ***  

     [...] 

      *** Making remoted ***  

     [...] 

      *** Making client-agent ***  

     [...] 

      *** Making addagent ***  

     [...] 

      *** Making util ***  

     [...] 

      *** Making rootcheck ***  

     [...] 

      *** Making syscheckd ***  

     [...] 

      *** Making monitord ***  

     [...] 

      *** Making os_auth ***  

     [...] 

      - System is Debian (Ubuntu or derivative). 
      - Init script modified to start OSSEC HIDS during boot. 

      - Configuration finished properly. 

      - To start OSSEC HIDS: 
             /var/ossec/bin/ossec-control start 

      - To stop OSSEC HIDS: 
             /var/ossec/bin/ossec-control stop 

      - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf 


         Thanks for using the OSSEC HIDS. 
         If you have any question, suggestion or if you find any bug, 
         contact us at contact@ossec.net or using our public maillist at 
         ossec-list@ossec.net 
         ( http://www.ossec.net/main/support/ ). 

         More information can be found at http://www.ossec.net 

         ---    Press ENTER to finish (maybe more information below). --- 
 Client OSSEC config 

 Adding a client to OSSEC is quite simple. First you add the client to the server, which gives you a key. Then you add this key to the client, edit the config file on the client and that's it. 

 First we need to generate a key on the OSSEC server for this client. We do this by running /var/ossec/bin/manage_agents, option A, then entering the hostname, IP and ID for the client we want to add. Do this on the OSSEC server: 

 root@ossec:~# /var/ossec/bin/manage_agents 
 **************************************** 
 * OSSEC HIDS v2.8 Agent manager.       * 
 * The following options are available: * 
 **************************************** 
    (A)dd an agent (A). 
    (E)xtract key for an agent (E). 
    (L)ist already added agents (L). 
    (R)emove an agent (R). 
    (Q)uit. 
 Choose your action: A,E,L,R or Q: A 

 - Adding a new agent (use '\q' to return to the main menu). 
   Please provide the following: 
    * A name for the new agent: ossec-client1 
    * The IP Address of the new agent: 2.3.4.5 
    * An ID for the new agent[001]:  
 Agent information: 
    ID:001 
    Name:ossec-client1 
    IP Address:2.3.4.5 

 Confirm adding it?(y/n): y 
 Agent added. 
 Get the key for the OSSEC client: 

 root@ossec:~# /var/ossec/bin/manage_agents 

 **************************************** 
 * OSSEC HIDS v2.8 Agent manager.       * 
 * The following options are available: * 
 **************************************** 
    (A)dd an agent (A). 
    (E)xtract key for an agent (E). 
    (L)ist already added agents (L). 
    (R)emove an agent (R). 
    (Q)uit. 
 Choose your action: A,E,L,R or Q: E 

 Available agents: 
    ID: 001, Name: ossec-client1, IP: 2.3.4.5 
 Provide the ID of the agent to extract the key (or '\q' to quit): 001 

 Agent key information for '001' is: 
 SD[...]AAUjd= 

 ** Press ENTER to return to the main menu. 
 Then switch to the OSSEC client and execute the manage_agents: 

 root@ossec:~# /var/ossec/bin/manage_agents 

 **************************************** 
 * OSSEC HIDS v2.8 Agent manager.       * 
 * The following options are available: * 
 **************************************** 
    (I)mport key from the server (I). 
    (Q)uit. 
 Choose your action: I or Q: i 

 * Provide the Key generated by the server. 
 * The best approach is to cut and paste it. 
 *** OBS: Do not include spaces or new lines. 

 Paste it here (or '\q' to quit): SD[...]AAUjd= 

 Agent information: 
    ID:001 
    Name:ossec-client1 
    IP Address:2.3.4.5 

 Confirm adding it?(y/n): y 
 Added. 
 ** Press ENTER to return to the main menu. 
 Check if this in the /var/ossec/etc/ossec.conf file: 

 <client> 
   <server-hostname>1.2.3.4</server-hostname> 
 </client> 
 Where 1.2.3.4 is your OSSEC server URL or IP. 

 Now restart OSSEC on both the OSSEC server and the newly added client: 

 /var/ossec/bin/ossec-control restart 
 Repeat these steps for any client that needs to be added. 

 Bonus Tips 
 Here are a few bonus tips/config examples for OSSEC 

 Active Response 
 If you've enabled Active Response you are protected from brute force attacks for ssh and some other pieces of software. Try it, login as a nonexistent user and check the web ui and logging: 

 brute 

 tail -f /var/ossec/logs/active-responses.log  
 Wed Jun 11 21:16:43 CEST 2014 /var/ossec/active-response/bin/host-deny.sh add - 198.211.118.121 1402514203.20760 5712 
 Wed Jun 11 21:16:43 CEST 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 198.211.118.121 1402514203.20760 5712 
 On Linux it is just a standard iptables DROP rule for that IP. You can delete the DROP rule by first finding out it's ID: 

 iptables -L -n --line-numbers 
 Chain INPUT (policy ACCEPT) 
 num    target       prot opt source                 destination          
 1      DROP         all    --    198.211.118.121        0.0.0.0/0            

 Chain FORWARD (policy ACCEPT) 
 num    target       prot opt source                 destination          
 1      DROP         all    --    198.211.118.121        0.0.0.0/0            

 Chain OUTPUT (policy ACCEPT) 
 num    target       prot opt source                 destination 
 Then you can delete the rule with that ID: 

 iptables -D INPUT 1 
 iptables -D FORWARD 1 
 Ignoring rules 

 To very simply ignore rules based on rule id, add them to the XML file located in /var/ossec/rules/local_rules/xml, either on the ossec client for one machine or the ossec server to ignore on all machines: 

 <!-- Specify here a list of rules to ignore. --> 
 <!-- 3334 postfix start    --> 
 <!-- 3333 postfix stop --> 
 <rule id="100030" level="0"> 
     <if_sid>3333, 3334</if_sid> 
     <description>List of rules to be ignored.</description> 
 </rule> 
 Monitoring additional log files 

 The OSSEC agent by default only monitors a few log files. To add more, edit the /var/ossec/etc/ossec.conf file and add a line like this: 

 <localfile> 
     <location>/var/log/*</location> 
     <log_format>syslog</log_format> 
 </localfile> 
 This will add all files under /var/log. This might be a lot, you can also just add multiple <localfile> blocks with filenames. 

 Firewall 

 You need to allow UDP port 1514 between OSSEC server and clients. Otherwise you get errors like this: 

 2013/09/06 19:53:00 ossec-agentd: INFO: Using IPv4 for: 10.0.51.31 . 
 2013/09/06 19:53:21 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec.raymii.nl/10.0.51.31'. 
 Removing OSSEC 

 h2. Resources 

 * http://www.ossec.net/doc/ 
 * https://raymii.org/s/tutorials/OSSEC_2.8.0_Server_Client_and_Analogi_Dashboard_on_Ubuntu.html 
 * https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-on-freebsd-10-1 
 * http://virtuallyhyper.com/2014/04/ossec-freebsd/* Add/modify the directories to be monitored by OSSEC:

Back