Support #559

Updated by Daniel Curtis almost 10 years ago

{{>toc}} 

 OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. It also supports agentless monitoring of devices that cannot run an agent, such as Cisco, HP or Juniper hardware. 

 This tutorial covers the installation of the OSSEC 2.8.0 server, the standard OSSEC Web UI and the Analogi dashboard on FreeBSD 9.2-RELEASE. It also covers OSSEC setup with MySQL support. Last but not least it shows you how to install the OSSEC agent on a *NIX system. 

 h1. Pre-requisites 

 * Update the system and ports tree: 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 * Install portupgrade 
 <pre> 
 pkg install portupgrade 
 </pre> 

 * Install py-htpasswd (it provides the @htpasswd@ command that the Web UI's @setup.sh@ uses to create its credential file) 
 <pre> 
 portupgrade -Np security/py-htpasswd 
 </pre> 

 h1. Install OSSEC  

 * Install ossec-hids-server from ports: 
 <pre> 
 portupgrade -Np ossec-hids-server 
 </pre> 
 *NOTE*: Make sure to enable @[X]MYSQL@ in the port's options dialog; without it the @ossec-dbd@ daemon needed for the MariaDB section below is not built. 

 h2. Configure OSSEC 

 * Enable OSSEC service to start at boot: 
 <pre> 
 echo 'ossechids_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Edit the OSSEC config file: 
 <pre> 
 vi /usr/local/ossec-hids/etc/ossec.conf 
 </pre> 
 *NOTE*: The following subsections cover the settings that were changed in that file. 

 h3. Configure mail settings 

 * Now configure mail delivery for alerts. The @<global>@ block was modified to contain the following (replace the addresses and the SMTP relay with your own): 
 <pre> 
   <global> 
     <email_notification>yes</email_notification> 
     <email_to>admin@example.com</email_to> 
     <smtp_server>smtp.example.com</smtp_server> 
     <email_from>ossec@example.com</email_from> 
   </global> 
 </pre> 

 h3. Configure syscheck 

 * Adjust the syscheck interval. syscheck is OSSEC's integrity checker; @<frequency>@ sets, in seconds, how often it walks and checksums the monitored directories looking for unauthorized changes: 
 <pre> 
 <syscheck> 
     <!-- Frequency that syscheck is executed -- this is set to run every 12 hours --> 
     <frequency>43200</frequency> 
 </pre> 

 h3. Specify Directories to Monitor 

 * Add/modify the directories to be monitored by OSSEC. @check_all@ records hashes, size, owner and permissions; @report_changes@ additionally keeps a copy of every monitored file under the OSSEC queue directory so that alerts can include a diff. On writable trees such as @/home@ and @/usr/local/www@ that copy can grow large and may contain sensitive data, so consider leaving @report_changes@ off there: 
 <pre> 
 <!-- Directories to check    (perform all possible verifications) --> 
     <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories> 
     <directories report_changes="yes" check_all="yes">/bin,/sbin</directories> 
     <directories report_changes="yes" check_all="yes">/usr/local/etc,/usr/local/bin,/usr/local/sbin</directories> 
     <directories report_changes="yes" check_all="yes">/home/,/usr/local/home,/usr/local/www</directories> 
 </pre> 

 h3. Specify Directories to Ignore 

 * Add/modify the files and directories to be ignored by OSSEC. Several of these entries (@/etc/mtab@, @/etc/random-seed@, @/etc/adjtime@, @/etc/httpd/logs@) are Linux paths carried over from the default configuration and are harmless on FreeBSD: 
 <pre> 
 <!-- Files/directories to ignore --> 
     <ignore>/etc/mtab</ignore> 
     <ignore>/etc/hosts.deny</ignore> 
     <ignore>/etc/mail/statistics</ignore> 
     <ignore>/etc/random-seed</ignore> 
     <ignore>/etc/adjtime</ignore> 
     <ignore>/etc/httpd/logs</ignore> 
     <ignore>/etc/dumpdates</ignore> 
     <ignore>/usr/local/ossec-hids/logs</ignore> 
     <ignore>/usr/local/ossec-hids/queue</ignore> 
     <ignore>/usr/local/ossec-hids/var</ignore> 
     <ignore>/usr/local/ossec-hids/tmp</ignore> 
     <ignore>/usr/local/ossec-hids/stats</ignore> 
 </pre> 

 h3. Configure Rootcheck 

 * The next section in ossec.conf is rootcheck. Rootcheck is the OSSEC component that scans the system for rootkits, using the signature files referenced below. Modify the section to match the following: 
 <pre> 
 <rootcheck> 
     <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files> 
     <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans> 
 </rootcheck> 
 </pre> 

 * Start the OSSEC server (it is restarted again after the remaining changes below): 
 <pre> 
 service ossec-hids start 
 </pre> 

 h3. Specify Log Files to be Monitored 

 The files set in this example are: 
 # /var/log/messages 
 # /var/log/security 
 # /var/log/auth.log 
 # /var/log/maillog 
 # /var/log/lpd-errs 

 * The code block below shows an example of what the modified lines should be. You will want to add log locations for the specific services you've installed and are running on the server; services like Nginx, Apache, etc. 
 <pre> 
 <!-- Files to monitor (localfiles) --> 

   <localfile> 
     <log_format>syslog</log_format> 
     <location>/var/log/auth.log</location> 
   </localfile> 

   <localfile> 
     <log_format>syslog</log_format> 
     <location>/var/log/security</location> 
   </localfile> 

   <localfile> 
     <log_format>syslog</log_format> 
     <location>/var/log/messages</location> 
   </localfile> 

   <localfile> 
     <log_format>syslog</log_format> 
     <location>/var/log/maillog</location> 
   </localfile> 

   <localfile> 
     <log_format>syslog</log_format> 
     <location>/var/log/lpd-errs</location> 
   </localfile> 
 </pre> 

 h2. Adding Log File Entries with util.sh 

 h3. Fixing the OSSEC util.sh script 

 * Open the util.sh file with vi: 
 <pre> 
 vi /usr/local/ossec-hids/bin/util.sh 
 </pre> 
 #* Then replace ALL instances of */var/ossec/etc/ossec.conf* with *+/usr/local/ossec-hids/etc/ossec.conf+*. The script assumes the upstream default prefix; on the FreeBSD port everything lives under @/usr/local/ossec-hids@, so without this fix @addfile@ edits a file that OSSEC never reads. 

 * If you installed Nginx and its access and error log files are in the @/var/log/nginx@ directory, you may add them to ossec.conf by using util.sh like so: 
 <pre> 
 /usr/local/ossec-hids/bin/util.sh addfile /var/log/nginx/access.log 
 /usr/local/ossec-hids/bin/util.sh addfile /var/log/nginx/error.log 
 </pre> 
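The following POSIX sh function is an added example (not code from this page or from OSSEC's own util.sh). It registers a log file the way @util.sh addfile@ does on this layout, but refuses to add a path that is already listed, because a duplicated @<localfile>@ makes OSSEC read and alert on every line twice. The function name @add_localfile@ is an assumption; the config path defaults to the FreeBSD port location and can be overridden through @OSSEC_CONF@, and the file is assumed to contain a closing @</ossec_config>@ tag.

```shell
#!/bin/sh
# Added example, not part of OSSEC or of this page's util.sh.
# Registers a log file with OSSEC by appending a <localfile> block to
# ossec.conf; skips paths that are already monitored.
OSSEC_CONF="${OSSEC_CONF:-/usr/local/ossec-hids/etc/ossec.conf}"   # assumed port layout

# add_localfile PATH [FORMAT]
#   exit 0: block added   exit 2: PATH already monitored   exit 1: error
add_localfile() {
    path="$1"; fmt="${2:-syslog}"
    [ -n "$path" ] || { echo "usage: add_localfile PATH [FORMAT]" >&2; return 1; }
    [ -w "$OSSEC_CONF" ] || { echo "cannot write $OSSEC_CONF" >&2; return 1; }

    # A second <localfile> for the same location duplicates every alert;
    # -F treats the path as a fixed string so '.' in it is not a wildcard.
    if grep -qF "<location>${path}</location>" "$OSSEC_CONF"; then
        echo "already monitored: $path" >&2
        return 2
    fi

    # ossec-logcollector only honours <localfile> inside <ossec_config>, so
    # insert the block just before the first closing tag and swap the file in.
    tmp="${OSSEC_CONF}.tmp.$$"
    awk -v p="$path" -v f="$fmt" '
        /<\/ossec_config>/ && !done {
            print "  <localfile>"
            print "    <log_format>" f "</log_format>"
            print "    <location>" p "</location>"
            print "  </localfile>"
            done = 1
        }
        { print }
    ' "$OSSEC_CONF" > "$tmp" && mv "$tmp" "$OSSEC_CONF"
}
```

Usage on the server is @add_localfile /var/log/nginx/access.log apache@ followed by @service ossec-hids restart@; @apache@ is the OSSEC log format used for nginx and Apache access logs, and the default @syslog@ fits the error log.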

 h3. Alert on New Files 

 By default, OSSEC does not alert when new files are created in a monitored directory, so we will change that behavior. There are two components to this change. 

 * Set syscheck - scroll back up to the syscheck section of ossec.conf and add an @<alert_new_files>@ element just under the frequency interval: 
 <pre> 
 <syscheck> 
     <alert_new_files>yes</alert_new_files> 
 </pre> 

 h3. Modify the Rule's Classification Level 

 Although we've told syscheck to watch for newly created files, OSSEC won't actually notify us about them yet. For that we need to modify a default OSSEC rule. 

 * Open ossec_rules.xml: 
 <pre> 
 vi /usr/local/ossec-hids/rules/ossec_rules.xml 
 </pre> 
 #* The rule that fires when a file is added to a monitored directory is rule 554. Here's what it looks like: 
 <pre> 
 <rule id="554" level="0"> 
     <category>ossec</category> 
     <decoded_as>syscheck_new_entry</decoded_as> 
     <description>File added to the system.</description> 
     <group>syscheck,</group> 
 </rule> 
 </pre> 

 * Open @local_rules.xml@. This is where all user-modified OSSEC rules should go; you should *+not+* make changes to @ossec_rules.xml@, since an upgrade replaces it: 
 <pre> 
 vi /usr/local/ossec-hids/rules/local_rules.xml 
 </pre> 
 #* Add the following to raise the alert level to 7 and tell OSSEC that this rule overwrites rule 554 from @ossec_rules.xml@. The rule goes inside the @<group>@ that @local_rules.xml@ already opens; when done, the end of the file should look like below. The first line is all that changed from the original rule. Level 7 also meets OSSEC's default @<email_alert_level>@ of 7, so every new file produces an e-mail as well as a log entry; pick a lower level if that turns out to be too chatty. 
 <pre> 
 <rule id="554" level="7" overwrite="yes"> 
     <category>ossec</category> 
     <decoded_as>syscheck_new_entry</decoded_as> 
     <description>File added to the system.</description> 
     <group>syscheck,</group> 
 </rule> 

 </group> <!-- SYSLOG,LOCAL --> 

 <!-- EOF --> 
 </pre> 

 * Then restart OSSEC: 
 <pre> 
 service ossec-hids restart 
 </pre> 

 --- 

 h1. Nginx – Installation and Configuration 

 * Install Nginx 
 <pre> 
 pkg install nginx 
 </pre> 

 * Start and enable nginx to start at boot: 
 <pre> 
 echo 'nginx_enable="YES"' >> /etc/rc.conf 
 service nginx start 
 </pre> 

 h2. PHP – Installation and Configuration 

 * Install PHP5 and other required packages: 
 <pre> 
 portupgrade -Np php5 
 portupgrade -Np php5-mysql 
 portupgrade -Np php5-curl 
 portupgrade -Np php5-gd 
 portupgrade -Np pecl-intl 
 portupgrade -Np pear 
 portupgrade -Np pecl-imagick 
 portupgrade -Np php5-imap 
 portupgrade -Np php5-mcrypt 
 portupgrade -Np pecl-memcached 
 portupgrade -Np ming 
 portupgrade -Np php5-pspell 
 portupgrade -Np php5-recode 
 portupgrade -Np php5-snmp 
 portupgrade -Np php5-sqlite3 
 portupgrade -Np php5-tidy 
 portupgrade -Np php5-xmlrpc 
 portupgrade -Np php5-xsl 
 </pre> 

 * Configure the default PHP settings 
 <pre> 
 cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini 
 </pre> 

 h3. Configure PHP-FPM 

 * Edit @/usr/local/etc/php-fpm.conf@: 
 <pre> 
 vi /usr/local/etc/php-fpm.conf 
 </pre> 
 #* Make the following changes. The socket is shared only with nginx, which also runs as @www@, so @0660@ is sufficient; the @0666@ found in many tutorials lets every local user submit FastCGI requests to PHP: 
 <pre> 
 events.mechanism = kqueue 
 listen = /var/run/php-fpm.sock 
 listen.owner = www 
 listen.group = www 
 listen.mode = 0660 
 </pre> 

 * Enable PHP-FPM to start at boot: 
 <pre> 
 echo 'php_fpm_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Start PHP-FPM: 
 <pre> 
 service php-fpm start 
 </pre> 

 h3. Configure Nginx to use PHP-FPM: 

 * The two sites are served from @/usr/local/www/ossec-wui@ and @/usr/local/www/analogi@. Both directories are created by the @git clone@ steps later in this guide, so nothing needs to be created by hand here. 

 * Edit @/usr/local/etc/nginx/nginx.conf@: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* Add the following *ossec server block*. Two things differ from the usual copy-and-paste: nginx does not read the @.htaccess@ that the Web UI's @setup.sh@ relies on, so Basic auth has to be enforced here (and the credential file must not be served), and @try_files@ stops a request such as @/x.jpg/y.php@ from being executed as PHP when @cgi.fix_pathinfo@ is on, which PHP enables by default: 
 <pre> 
   server { 
     listen         80; 
     server_name    ossec.example.com; 
     root           /usr/local/www/ossec-wui; 
     access_log     /var/log/ossec.example.com-access.log; 
     error_log      /var/log/ossec.example.com-error.log; 
 
     # Enforce the credentials that setup.sh writes to .htpasswd 
     auth_basic           "OSSEC Web UI"; 
     auth_basic_user_file /usr/local/www/ossec-wui/.htpasswd; 
 
     # Never serve .htpasswd or .htaccess 
     location ~ /\.ht { 
         deny all; 
     } 
 
     location / { 
         index    index.php index.html index.htm; 
     } 
 
     # For all PHP requests, pass them on to PHP-FPM via FastCGI 
     location ~ \.php$ { 
        try_files $uri =404;   # only run scripts that actually exist on disk 
        fastcgi_pass unix:/var/run/php-fpm.sock; 
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
        include fastcgi_params; # include extra FCGI params 
     } 
   } 
 </pre> 
 #* Add the following *analogi server block*. This guide configures no authentication of its own for Analogi, and the dashboard exposes the whole alert database, so the block reuses the Web UI's @.htpasswd@: 
 <pre> 
   server { 
     listen         80; 
     server_name    analogi.example.com; 
     root           /usr/local/www/analogi; 
     access_log     /var/log/analogi.example.com-access.log; 
     error_log      /var/log/analogi.example.com-error.log; 
 
     # Same credentials as the Web UI 
     auth_basic           "OSSEC Analogi"; 
     auth_basic_user_file /usr/local/www/ossec-wui/.htpasswd; 
 
     location ~ /\.ht { 
         deny all; 
     } 
 
     location / { 
         index    index.php index.html index.htm; 
     } 
 
     # For all PHP requests, pass them on to PHP-FPM via FastCGI 
     location ~ \.php$ { 
        try_files $uri =404; 
        fastcgi_pass unix:/var/run/php-fpm.sock; 
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
        include fastcgi_params; # include extra FCGI params 
     } 
   } 
 </pre> 

 * Check the configuration with @nginx -t@, then restart nginx: 
 <pre> 
 service nginx restart 
 </pre> 

 --- 

 h1. MariaDB – Installation and Configuration 

 * Install the MariaDB 5.5 server and client (both spelled out, since FreeBSD's @/bin/sh@ does not expand @{server,client}@): 
 <pre> 
 pkg install mariadb55-server mariadb55-client 
 </pre> 

 h2. Configure MariaDB server 

 * Configure the MariaDB server 
 <pre> 
 cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf 
 </pre> 

 * Enable MariaDB to start at boot: 
 <pre> 
 echo 'mysql_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Start MariaDB 
 <pre> 
 service mysql-server start 
 </pre> 

 * Set the root password and remove the anonymous accounts and the test database with the following command: 
 <pre> 
 mysql_secure_installation 
 </pre>  

 * Restart mysql using the following commands: 
 <pre> 
 service mysql-server restart 
 </pre> 

 * Create a user and database for OSSEC. Open a MySQL shell: 
 <pre> 
 mysql -u root -p 
 </pre> 
 #* And run the following to create the *ossec* database and the *ossec_u* user. Binding the account to a host matters: a bare *to ossec_u*, as found in many tutorials, creates the account with a host of *%*, a login usable from any machine that can reach port 3306. If MariaDB runs with @skip-name-resolve@, create the account for the host *127.0.0.1* instead of *localhost*, since ossec-dbd connects over TCP to 127.0.0.1: 
 <pre> 
 CREATE DATABASE ossec; 
 
 CREATE USER 'ossec_u'@'localhost' IDENTIFIED BY 'SuperSecretPassword'; 
 
 GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE ON ossec.* TO 'ossec_u'@'localhost'; 
 
 FLUSH PRIVILEGES; 
 
 QUIT; 
 </pre> 

 h3. Configure OSSEC database schema 

 The database also needs a schema. OSSEC provides one in its GitHub repository. 

 * Download the OSSEC MySQL schema. The link below points at the @master@ branch; the schema must match the installed server version (2.8.0 here), so if the two differ use the copy shipped in that release's source tarball under @src/os_dbd/mysql.schema@: 
 <pre> 
 cd /usr/local/ossec-hids 
 wget https://github.com/ossec/ossec-hids/raw/master/src/os_dbd/mysql.schema 
 </pre> 
 #* Import the schema into the ossec database, then confirm as @ossec_u@ (with @SHOW TABLES@) that tables such as @alert@, @agent@ and @location@ exist and that the account can log in: 
 <pre> 
 mysql -u root -p ossec < mysql.schema 
 </pre> 

 h3. OSSEC MySQL configuration 

 * Add the database config to the ossec.conf file: 
 <pre> 
 vi /usr/local/ossec-hids/etc/ossec.conf 
 </pre> 
 #* And add the *database_output* block into the *ossec_config* block. This puts the database password into ossec.conf, so keep that file readable only by root and the @ossec@ group: 
 <pre> 
 <ossec_config> 
 #... 
     <database_output> 
         <hostname>127.0.0.1</hostname> 
         <username>ossec_u</username> 
         <password>SuperSecretPassword</password> 
         <database>ossec</database> 
         <type>mysql</type> 
     </database_output> 
 #... 
 </ossec_config> 
 </pre> 

 * Enable the database in OSSEC: 
 <pre> 
 /usr/local/ossec-hids/bin/ossec-control enable database 
 </pre> 

 * And restart OSSEC: 
 <pre> 
 service ossec-hids restart  
 </pre> 

 --- 

 h1. Installing OSSEC Web UI 

 * Download the web UI to /usr/local/www/ossec-wui. The @tmp/@ directory needs the execute bit to be usable (a @chmod 666@ on a directory makes it untraversable), so it gets @770@: 
 <pre> 
 cd /usr/local/www 
 git clone https://github.com/ossec/ossec-wui.git ossec-wui 
 mkdir -p /usr/local/www/ossec-wui/tmp/ 
 chown -R www:www /usr/local/www/ossec-wui 
 chmod 770 /usr/local/www/ossec-wui/tmp/ 
 </pre> 

 * Make sure to add the *www* user to the ossec group, so the PHP code running as @www@ can read OSSEC's logs and queue: 
 <pre> 
 pw usermod www -G ossec 
 </pre> 

 * Edit the ossec webui config: 
 <pre> 
 vi /usr/local/www/ossec-wui/ossec_conf.php 
 </pre> 
 #* And change the @$ossec_dir@ path to the following: 
 <pre> 
 /* Ossec directory */ 
 $ossec_dir="/usr/local/ossec-hids"; 
 </pre> 

 * Change the ossec webui ownership to the nginx server: 
 <pre> 
 chown -R www:www /usr/local/www/ossec-wui 
 </pre> 

 * Run the setup script. It asks for a username and password for the Web UI and writes them to @.htpasswd@ in this directory, which is the file the nginx @auth_basic_user_file@ directive points to: 
 <pre> 
 cd /usr/local/www/ossec-wui 
 ./setup.sh 
 </pre> 
 
 When correctly configured the OSSEC Web User Interface can be found at http://ossec.example.com/. Over plain HTTP the Basic auth credentials and the alert data travel in clear, so put TLS on the vhost or restrict it to a management network before exposing it beyond the local host. 

 h1. Installing Analogi Web Dashboard 

 The Analogi dashboard is an informative dashboard for OSSEC which presents more visual information than the standard Web UI. The standard Web UI has the better search functions; the dashboard suits, for example, a wall-mounted monitor. 

 * Installation consists out of cloning the git repo and editing the settings file: 
 <pre> 
 cd /usr/local/www/ 
 git clone https://github.com/ECSC/analogi.git analogi 
 cp analogi/db_ossec.php.new analogi/db_ossec.php 
 vi analogi/db_ossec.php  
 </pre>  
      
 * Edit the relevant settings for the MySQL database configuration: 
 <pre> 
 define ('DB_USER_O', 'ossec_u'); 
 define ('DB_PASSWORD_O', 'SuperSecretPassword'); 
 define ('DB_HOST_O', '127.0.0.1'); 
 define ('DB_NAME_O', 'ossec'); 
 </pre> 

 When correctly configured the Analogi web interface can be found at http://analogi.example.com/. 

 h1. Client installation 

 h2. Install the OSSEC client 

 h3. Install OSSEC Client on FreeBSD 

 * Install OSSEC client on FreeBSD: 
 <pre> 
 pkg install ossec-hids-client 
 </pre> 

 h3. Install OSSEC Client on Ubuntu/Debian 

 * On Debian/Ubuntu you will need the build-essential package in order to compile and install OSSEC: 
 <pre> 
 apt-get install build-essential 
 </pre> 
 #* An agent never talks to the database itself (only @ossec-dbd@ on the server does), so no MySQL or PostgreSQL development packages are needed for a client install. They are only required when compiling a *server* with database support; on Debian/Ubuntu the packages are @libmysqlclient-dev@ and @libpq-dev@. 

 * Download OSSEC. The server installed from ports above is 2.8.0 while this tarball is 2.8.1; both are in the same 2.8 line. The download is plain HTTP, so verify the tarball against the checksum the project publishes for the release before extracting it: 
 <pre> 
 wget http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz 
 </pre> 
 
 * Uncompress and install the OSSEC client. When @install.sh@ asks for the installation type choose *agent*, and give the OSSEC server's IP address when prompted; that is what it writes into the agent's @<server-ip>@ setting: 
 <pre> 
 tar xzf ossec-hids-2.8.1.tar.gz 
 cd ossec-hids-2.8.1 
 bash ./install.sh 
 </pre> 

 h2. Generate a Client Key on the OSSEC Server 

 Adding a client to OSSEC is quite simple. First you add the client to the server, which gives you a key. Then you add this key to the client, edit the config file on the client and that's it. 

 * First generate a key on the OSSEC server for this client. Do this by running: 
 <pre> 
 /usr/local/ossec-hids/bin/manage_agents 
 </pre> 
 #* Choose option *A* 
 #* Then enter a name for the agent: *client.example.com* 
 #* The IP: *10.0.0.4* (this must be the source address the server sees the agent connect from; use *any* if it is not fixed) 
 #* And *ID* (pressing enter will use the next available ID)  

 h3. Get the Client Key for the OSSEC agent 

 * Next extract the key for this client on the OSSEC server. Do this by running: 
 <pre> 
 /usr/local/ossec-hids/bin/manage_agents 
 </pre> 
 #* Choose option *E* 
 #* Choose the ID number of the agent that the key will be generated for: *001* 
 #* Example output: 
 <pre> 
 Agent key information for '001' is: 
 SD[...]AAUjd= 
 </pre> 

 h2. Install Client Key in to Client agent 

 * Then switch to the OSSEC client and execute @manage_agents@ (on a Debian/Ubuntu source install the binary is @/var/ossec/bin/manage_agents@): 
 <pre> 
 /usr/local/ossec-hids/bin/manage_agents 
 </pre> 
 #* Choose option *I* 
 #* Then paste the client key generated on the OSSEC server: *SD[...]AAUjd=*. The key is the shared secret that encrypts all agent/server traffic, so move it over SSH or the console, not by e-mail or chat. 
 #* On a FreeBSD client installed from the package, also point the agent at the server: set @<server-ip>@ inside the @<client>@ block of @/usr/local/ossec-hids/etc/ossec.conf@ (the Debian/Ubuntu @install.sh@ already asked for this). 
 
 * Now restart OSSEC on *both* the OSSEC server and the newly added client (@/var/ossec/bin/ossec-control restart@ on a source install): 
 <pre> 
 service ossec-hids restart 
 </pre> 

 Repeat these steps for any client that needs to be added. 
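As an added example (not OSSEC's own tooling), the following shell functions decode an exported key before it is pasted into the client, so a key for the wrong agent or a mangled paste is caught before the agent is restarted. The export printed by manage_agents option E is the base64 encoding of the server's @client.keys@ line, @ID NAME IP SECRET@; the functions print only the first three fields and never the secret, because that secret is the agent/server encryption key. The function names are assumptions, and the sample key in the usage below is constructed.

```shell
#!/bin/sh
# Added example, not part of OSSEC: check an agent key exported with
# "manage_agents" option E before importing it with option I on the client.
# The export is base64 of the client.keys line "ID NAME IP SECRET".

# Pick a base64 decoder: GNU coreutils first, OpenSSL (in FreeBSD base) otherwise.
if printf 'YQ==' | base64 -d >/dev/null 2>&1; then
    B64DEC='base64 -d'
else
    B64DEC='openssl base64 -d'
fi

# decode_agent_key KEY -> prints "ID NAME IP"; fails if KEY is not a well-formed export.
# The fourth field (the shared secret) is deliberately never printed.
decode_agent_key() {
    line=$(printf '%s' "$1" | tr -d ' \n' | $B64DEC 2>/dev/null) || return 1
    set -- $line
    [ $# -eq 4 ] || return 1
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# verify_agent_key KEY ID IP -> succeeds only if KEY was issued for agent ID at IP,
# i.e. the values you typed into manage_agents option A on the server.
verify_agent_key() {
    want_id="$2"; want_ip="$3"
    fields=$(decode_agent_key "$1") || return 1
    set -- $fields
    [ "$1" = "$want_id" ] && [ "$3" = "$want_ip" ]
}
```

Usage on the client, before choosing option I: @verify_agent_key 'SD[...]AAUjd=' 001 10.0.0.4 && echo key matches@. A constructed key for testing can be made with @printf '001 client.example.com 10.0.0.4 0123456789abcdef' | base64@; a real secret is longer, but the format is the same.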

 h1. Bonus Tips 

 Here are a few bonus tips/config examples for OSSEC 

 h2. Active Response 

 If active response is enabled (the stock ossec.conf defines @host-deny@ and @firewall-drop@ responses with a timeout), the source address of an SSH brute-force attempt is blocked for a while through @/etc/hosts.deny@ and the firewall. Try it: log in as a nonexistent user a few times and check the web UI and the active-response log. Because the block is keyed on the source address in the log line, add your own management addresses to @<white_list>@ in the @<global>@ section first so that a mistyped password, or an attacker who can plant a log entry, cannot lock you out. On this FreeBSD install the log lives under @/usr/local/ossec-hids@: 
 <pre> 
 tail -f /usr/local/ossec-hids/logs/active-responses.log 
 </pre>  
 #* _Example output_ (from an install using the upstream default @/var/ossec@ prefix): 
 <pre> 
 Wed Jun 11 21:16:43 CEST 2014 /var/ossec/active-response/bin/host-deny.sh add - 198.211.118.121 1402514203.20760 5712 
 Wed Jun 11 21:16:43 CEST 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 198.211.118.121 1402514203.20760 5712 
 </pre> 
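As an added example (not part of this page or of OSSEC), the shell function below reconstructs from that log which addresses active response is still blocking. Every @add@ line starts a block and the matching @delete@ line, written when the timeout expires, ends it, so the last action seen per address and script is its current state. The log path defaults to this install's location and can be overridden with @AR_LOG@; the function name is an assumption and any sample lines fed to it are constructed.

```shell
#!/bin/sh
# Added example, not OSSEC code: list the addresses active response is still
# blocking, from active-responses.log. Each line has the shape
#   <date ...> <script> <add|delete> <user> <ip> <alert-id> <rule-id>
# The date width varies with the locale, so the action word is located by
# scanning rather than by a fixed field number.
AR_LOG="${AR_LOG:-/usr/local/ossec-hids/logs/active-responses.log}"   # assumed port layout

# ar_blocked_ips [LOGFILE] -> one line per (ip, script) still in the "add" state:
#   "IP SCRIPT RULE", sorted by IP
ar_blocked_ips() {
    awk '
        {
            # i < NF - 3 guarantees that $(i + 4), the rule id, exists
            for (i = 2; i < NF - 3; i++) {
                if ($i == "add" || $i == "delete") {
                    script = $(i - 1); sub(".*/", "", script)   # basename of the AR script
                    key = $(i + 2) SUBSEP script                 # IP + script
                    state[key] = $i
                    rule[key] = $(i + 4)
                    break
                }
            }
        }
        END {
            for (k in state) if (state[k] == "add") {
                split(k, parts, SUBSEP)
                print parts[1], parts[2], rule[k]
            }
        }
    ' "${1:-$AR_LOG}" | sort
}
```

Run @ar_blocked_ips@ with no argument on the server; it prints each address that is still blocked together with the script and the rule id that triggered it, which is the first thing to check when a legitimate user reports being locked out.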

 h2. Ignoring rules 

 * To ignore rules by rule id, add a child rule with level 0 to @/usr/local/ossec-hids/rules/local_rules.xml@. Rules are evaluated on the server only (agents just forward their logs), so the file lives on the server; to silence a rule for a single machine add a @<hostname>@ match to the rule instead of editing the agent: 
 <pre> 
 <!-- Specify here a list of rules to ignore. --> 
 <!-- 3334 postfix start    --> 
 <!-- 3333 postfix stop --> 
 <rule id="100030" level="0"> 
     <if_sid>3333, 3334</if_sid> 
     <description>List of rules to be ignored.</description> 
 </rule> 
 </pre> 

 h2. Monitoring additional log files 

 The OSSEC agent by default only monitors a few log files. To add more, edit the /usr/local/ossec-hids/etc/ossec.conf file and add a block like this: 
 <pre> 
 <localfile> 
     <location>/var/log/*</location> 
     <log_format>syslog</log_format> 
 </localfile> 
 </pre> 
 
 This adds every file under /var/log, which can be a lot and also pulls in binary files such as @wtmp@ and rotated archives that produce noise; narrowing the pattern (for example @/var/log/*.log@) or adding multiple @<localfile>@ blocks with explicit filenames is usually better. 

 h1. Resources 

 * http://www.ossec.net/doc/ 
 * https://raymii.org/s/tutorials/OSSEC_2.8.0_Server_Client_and_Analogi_Dashboard_on_Ubuntu.html 
 * https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-on-freebsd-10-1 
 * http://virtuallyhyper.com/2014/04/ossec-freebsd/ 