Friday, February 7, 2014

Basic installation of OSSEC

Recently I was browsing solutions to centralize all my logs in one place when I came across OSSEC. OSSEC can help us centralize all the syslog / apache / etc. messages and, moreover, detect attacks and take predefined actions in response, among other features.

The first step is setting up the server. You can download the latest version from their website. In this example we will configure the server with MySQL support and the WebUI served by Apache.

Let's install the packages needed:

$ sudo apt-get install make gcc apache2-utils libapache2-mod-php5 apache2 libmysqlclient-dev mysql-server

Next, download the sources to a temporary directory and decompress them:

$ tar -xvzf ossec-hids-2.7.1.tar.gz
$ cd ossec-hids-2.7.1/

There's a nice installation script that installs the application for us. Let's walk through it.

$ sudo sh install.sh
<select language>
1- What kind of installation do you want (server, agent, local, hybrid or help)? server (right?)
2 - Choose where to install the OSSEC HIDS [/var/ossec]: (where to install this)
3.1- Do you want e-mail notification? (y/n) [y]: n (do you want emails from OSSEC?)
3.2- Do you want to run the integrity check daemon? (y/n) [y]: (useful, kind of like it more than tripwire)
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: (convenient to detect visitors)
3.4- Do you want to enable active response? (y/n) [y]: (Up to you, I'd enable it first only on test environments)
   - Do you want to enable the firewall-drop response? (y/n) [y]: (same)
   - Do you want to add more IPs to the white list? (y/n)? [n]: y (I'd add your trusted network here)
   - IPs (space separated): 10.0.0.0/24
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: (enable remote syslog)

After installing we will receive a few notes about the application. The main ones are:

 - To start / stop OSSEC HIDS: /var/ossec/bin/ossec-control start / stop
 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
 - To manage the agents: /var/ossec/bin/manage_agents

Let's move to the WebUI part. First, we need to configure Apache to serve the app - let's say it's located at /var/www/ossec-wui. This is my configuration file:

$ cat /etc/apache2/sites-enabled/ossec.conf 
<VirtualHost *:80>
        ServerAdmin some@guy.is
        DocumentRoot /var/www/ossec-wui

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <Directory /var/www/ossec-wui>
                Options FollowSymLinks
                AllowOverride All
        </Directory>
</VirtualHost>

Now let's download the WebUI code from the OSSEC site, decompress it into the document root and run the setup.sh script (the tarball unpacks into a top-level ossec-wui-0.8/ directory, so we strip that component):

$ sudo mkdir -p /var/www/ossec-wui
$ sudo tar -xvzf ossec-wui-0.8.tar.gz --strip-components=1 -C /var/www/ossec-wui
$ cd /var/www/ossec-wui
$ sudo sh setup.sh
Setting up ossec ui...
Username: [username they will generate to create the .htpassword]
New password:
Re-type new password:
Adding password for user
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data [enter the user who runs your apache; on Debian it is www-data]
Enter your OSSEC install directory path (e.g. /var/ossec)
/var/ossec [your ossec installation path]
You must restart your web server after this setup is done.
Setup completed successfuly.

The script should add your web server's user to the ossec group. Check it before we continue:

$ grep ossec /etc/group
ossec:x:1002:www-data

Now some initial modifications to [installation path]/etc/ossec.conf: we will add our local network to the syslog component and configure our database as an output component.

$ sudo vim /var/ossec/etc/ossec.conf

Let's look for these lines:

  <remote>
    <connection>syslog</connection>
  </remote>

We change it to:

  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.0.0.0/16</allowed-ips> <!-- our local network -->
  </remote>

Now, let's add our database config:

    <database_output>
        <hostname>127.0.0.1</hostname>
        <username>ossec-user</username>
        <password>ossec-pass</password>
        <database>ossec-database-name</database>
        <type>mysql</type>
    </database_output>

We also need to create the database and load the initial schema, which can be found in the source tarball at src/os_dbd/mysql.schema (the hyphenated names have to be quoted for MySQL):

$ mysql -u root -p
mysql> create database `ossec-database-name`;
mysql> grant all privileges on `ossec-database-name`.* to 'ossec-user'@'localhost' identified by 'ossec-pass';
mysql> quit
$ mysql -u ossec-user -p ossec-database-name < [path to tarball]/src/os_dbd/mysql.schema

Next we enable the output to DB:

$ sudo /var/ossec/bin/ossec-control enable database

And restart the server:

$ sudo service ossec restart (or sudo /etc/init.d/ossec restart, depending on your configuration)


Now we install the software on the client(s). Let's install the basic packages needed to compile the software, download the sources and run the installer:

$ sudo apt-get install make gcc 
$ tar -xvzf ossec-hids-2.7.1.tar.gz
$ cd ossec-hids-2.7.1/
$ sudo sh install.sh
<select language>
1- What kind of installation do you want (server, agent, local, hybrid or help)?  agent
<installation path>
3.1- What's the IP Address or hostname of the OSSEC HIDS server?: your-server-hostname
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
3.4- Do you want to enable active response? (y/n) [y]: y [only if not production or you know what you are doing]

The installation of the client is pretty straightforward. Now we need to register the client on the server; for this we will use the tool /var/ossec/bin/manage_agents on both server and client:

(Server side)

$ sudo /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a
- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: myclient
   * The IP Address of the new agent: XXX.XXX.XXX.XXX
   * An ID for the new agent[001]: 001
Agent information:
   ID:001
   Name: myclient
   IP Address: XXX.XXX.XXX.XXX
Confirm adding it?(y/n): y 
Agent added.
****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
   ID: 001, Name: myclient, IP: XXX.XXX.XXX.XXX
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
<long key printed here> [copy and paste this key on the client]
** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..

(Client side)

$ sudo /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): [here you put the key generated in the server] 
Agent information:
   ID:001
   Name:myclient
   IP Address:XXX.XXX.XXX.XXX
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.


****************************************
* OSSEC HIDS v2.7.1 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: Q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting ..

Now we start the client:

$ sudo service ossec start (or sudo /etc/init.d/ossec start)

That's it, the client should be talking to the server. We can confirm with the agent_control tool from the server:

$ sudo /var/ossec/bin/agent_control -i 001
OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Agent Name: myclient
   IP address: XXX.XXX.XXX.XXX
   Status:     Active <--
   Operating system:    Linux microsites01 3.8.0-19-generic #29-Ubuntu SMP W..
   Client version:      OSSEC HIDS v2.7.1
   Last keep alive:     Mon Jan 27 09:03:10 2014
   Syscheck last started  at: Mon Jan 27 03:08:49 2014
   Rootcheck last started at: Sun Jan 26 21:17:08 2014
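
The agent_control output above is what you would poll to spot agents that silently stop reporting. The Python below (an added example, not from the post or from OSSEC) parses that output and flags an agent whose Status is not Active or whose last keep-alive is older than a threshold; it runs on a constructed copy of the transcript, and parse_agent_info / agent_health are my own names.

```python
from datetime import datetime, timedelta

# Constructed copy of the `agent_control -i 001` output shown above (without the "<--" marker).
AGENT_CONTROL_OUTPUT = """OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Agent Name: myclient
   IP address: XXX.XXX.XXX.XXX
   Status:     Active
   Operating system:    Linux microsites01 3.8.0-19-generic #29-Ubuntu SMP W..
   Client version:      OSSEC HIDS v2.7.1
   Last keep alive:     Mon Jan 27 09:03:10 2014
   Syscheck last started  at: Mon Jan 27 03:08:49 2014
   Rootcheck last started at: Sun Jan 26 21:17:08 2014
"""

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # the timestamp format agent_control prints


def parse_agent_info(text):
    """Turn the 'Key:   value' lines into a dict keyed by normalised lower-case names."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon only; the timestamps contain colons too
        info[" ".join(key.split()).lower()] = value.strip()
    return info


def agent_health(text, now, max_silence=timedelta(minutes=10)):
    """Return (healthy, reasons): healthy only if Status is Active and the last
    keep-alive is no older than max_silence at time `now` (a datetime or a string)."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FORMAT)
    info = parse_agent_info(text)
    reasons = []
    status = info.get("status", "unknown")
    if status != "Active":
        reasons.append(f"status is {status!r}, not Active")
    raw = info.get("last keep alive")
    try:
        last = datetime.strptime(raw or "", TIME_FORMAT)
    except ValueError:  # e.g. an agent that never connected has no usable timestamp
        reasons.append(f"cannot read last keep-alive {raw!r}")
    else:
        silence = now - last
        if silence > max_silence:
            reasons.append(f"last keep-alive was {silence} ago (limit {max_silence})")
    return not reasons, reasons
```

In practice you would feed it the output of `sudo /var/ossec/bin/agent_control -i <id>` and the current time, and alert on any agent that comes back unhealthy.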

We can use [installation path]/logs/ossec.log to diagnose issues on agents. I found that on AWS, with my configuration, I needed to specify the IP of the server to make the agent work. On the server's [installation path]/etc/ossec.conf:

From:

  <client>
    <server-hostname>server-ossec.mydomain.com</server-hostname>
  </client>

To:

  <client>
    <server-hostname>server-ossec.mydomain.com</server-hostname>
    <server-ip>XXX.XXX.XXX.XXX</server-ip>
  </client>

For more configuration options and features of OSSEC, see their online manual.