
OSSEC on Linux


Page 1: OSSEC on Linux

STEP BY STEP GUIDE TO INSTALLATION OF OSSEC ON LINUX

Introduction

1. OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

2. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.

3. OSSIM has the OSSEC server integrated by default, so it can be used to collect logs from the systems on which OSSEC is installed.

4. The procedure of installation of OSSEC and its integration with the OSSIM Server is as follows.

Step #1

The installer for OSSEC provided to the trainees is in the form of a tarball. As root, untar the tarball using the following command (the tarball name matches the directory extracted in Step #2).

$ tar -xvf ossec-hids-2.5.1.tar.gz

Step #2

Go to the extracted directory using the following command:

$ cd ossec-hids-2.5.1

Step #3

Now execute the installer script using the following command.

$ ./install.sh


Step #4

After executing the command, the installer script starts and asks you to select the language for the installer. The default language is [en]. Do not type anything; just press Enter.

Figure 1

Step #5

Now it asks for the installation mode and offers two options, agent and server. Since we need to install OSSEC as an OSSIM agent, type agent and press Enter.

Step #6

The installer then asks for the directory in which OSSEC will be installed. The default directory is /var/ossec, as shown in the following figure. Press Enter.

Figure 2


Step #7

Now it asks for the IP address of the OSSEC HIDS server, which is the OSSIM server in our case. Type the IP address of the OSSEC server (X.X.X.X) and press Enter. An example screenshot is shown below.

Figure 3

Step #8

Now the installer asks for some basic configuration options for OSSEC.

1. Do you want to run the integrity check daemon? The default is {y}. Press Enter.

2. Do you want to run the rootkit detection engine? The default is {y}. Press Enter.

3. Do you want to enable active responses? The default is {y}. Press Enter.

Figure 4


Step #9

Now it automatically configures the logs that will be analyzed by the OSSEC agent. Leave the defaults and press Enter. After pressing Enter, the installation of OSSEC starts, as shown in the following screenshot.

Figure 5

Step #10

After OSSEC has completed its installation, press Enter and the installer will exit.

Figure 6

Now we need to integrate the OSSEC agent with the OSSEC HIDS (OSSIM) server. The steps are as follows.

Integration of OSSEC with OSSIM Server

The integration of OSSEC with OSSIM is very simple. The step by step procedure is given as under.

1. Get a secure shell to the OSSIM Server using the following command on the Linux Terminal.

$ ssh [email protected]

2. Give the root password.

3. After logging in to the OSSIM HIDS server, give the following command.

$ /var/ossec/bin/manage_agents

4. Now configure an agent following these steps.

****************************************
* OSSEC HIDS v2.0 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q:

5. Type A and press Enter. Follow the steps below to add an agent.

- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: Test
* The IP Address of the new agent: X.X.X.X
* An ID for the new agent[002]: 002 {Select Default ID for New Agent}
Agent information:
ID:002
Name:Test
IP Address:10.1.1.14
Confirm adding it?(y/n): y
Agent added.

6. Now you will get the following options again.

****************************************
* OSSEC HIDS v2.0 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q:

7. Type E and press Enter. It will show the following options.

Available agents:
ID: 002, Name: Test, IP: X.X.X.X
Provide the ID of the agent to extract the key (or '\q' to quit): 002 {Give the ID of the agent for key generation}
Agent key information for '002' is:
MDAyIFRlc3QgMTAuMS4xLjE0IGE5NmY2MzAzMWI1ZTdhMzI1ZWJiYWQ2MDFkM2U4ODhkOWUxZDQ3NDMwZTM1MjhmZDJiMjExNGQ5ZTA2MDg4ZDM= {Select the key using mouse, right click and click Copy}
** Press ENTER to return to the main menu.

8. On another terminal, on the system on which the agent is installed, give the same command.

$ /var/ossec/bin/manage_agents

9. It shows the following options.

****************************************
* OSSEC HIDS v2.5.1 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q:

10. Type I to import the key and press Enter.

11. After pressing Enter we get the following prompt.

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit):

12. Paste the key which you copied earlier and press Enter. As a result we get the following prompt.

Agent information:
ID:002
Name:Test
IP Address:X.X.X.X
Confirm adding it?(y/n):

13. Select “y” and press Enter. As a result the agent is added and the main menu returns.

****************************************
* OSSEC HIDS v2.5.1 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q:

14. Select “Q” and press Enter.

15. After following the above procedure, stop the OSSEC-CONTROL service using the following command.

$ /var/ossec/bin/ossec-control stop

16. Then start the OSSEC-CONTROL service using the following command.

$ /var/ossec/bin/ossec-control start

17. As a result the agent is connected to the OSSIM server.

18. Now, we need to configure the OSSIM Server so that it shows OSSEC Logs.

19. On the OSSEC (OSSIM) server, edit the file config.cfg using the following command.

$ nano /etc/ossim/agent/config.cfg

20. In the plugins section give the path of the OSSEC configuration file as follows.

#/etc/ossim/agent/config.cfg
[plugins]
arpwatch=/etc/ossim/agent/plugins/arpwatch.cfg
iptables=/etc/ossim/agent/plugins/iptables.cfg
nagios=/etc/ossim/agent/plugins/nagios.cfg
nmap-monitor=/etc/ossim/agent/plugins/nmap-monitor.cfg
ntop-monitor=/etc/ossim/agent/plugins/ntop-monitor.cfg
osiris=/etc/ossim/agent/plugins/osiris.cfg
ossim-monitor=/etc/ossim/agent/plugins/ossim-monitor.cfg
p0f=/etc/ossim/agent/plugins/p0f.cfg
pads=/etc/ossim/agent/plugins/pads.cfg
pam_unix=/etc/ossim/agent/plugins/pam_unix.cfg
rrd=/etc/ossim/agent/plugins/rrd.cfg
snare=/etc/ossim/agent/plugins/snare.cfg
snortunified=/etc/ossim/agent/plugins/snortunified.cfg
ssh=/etc/ossim/agent/plugins/ssh.cfg
sudo=/etc/ossim/agent/plugins/sudo.cfg
ossec=/etc/ossim/agent/plugins/ossec.cfg

21. In the file /etc/ossim/ossim_server.conf in the [sensors] section detectors are defined. Add the word “ossec” to the list of detectors.

22. After adding the above configuration, save the configuration file with Ctrl+X, then press “Y” and Enter.

23. Now reboot the OSSIM server using the following command. OSSEC is then configured, and the OSSEC logs can be seen in the OSSIM server.

$ shutdown -r now
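The key blob handed from step 7 to step 12 is only base64 over one client.keys line, so it carries the agent's shared secret in the clear and any stray whitespace from copying breaks the import. The following Python helper is an added example, not part of this guide or of OSSEC: it decodes a blob, strips the whitespace the import prompt warns about, and validates the fields so you can check the ID and IP before answering "y" at step 13. It assumes the OSSEC 2.x layout "ID NAME IP SECRET" with a 64-hex-character secret; the sample blob is the one printed on this page.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Key blob shown at step 7 of this guide (OSSEC 2.x manage_agents output).
SAMPLE_KEY = ("MDAyIFRlc3QgMTAuMS4xLjE0IGE5NmY2MzAzMWI1ZTdhMzI1ZWJiYWQ2MDFk"
              "M2U4ODhkOWUxZDQ3NDMwZTM1MjhmZDJiMjExNGQ5ZTA2MDg4ZDM=")
_HEX64 = re.compile(r"^[0-9a-f]{64}$")
_IPV4 = re.compile(r"^(\d{1,3}\.){3}\d{1,3}(/\d{1,2})?$")


@dataclass(frozen=True)
class AgentKey:
    agent_id: str
    name: str
    ip: str
    secret: str  # shared secret from client.keys: the blob is base64, not encryption


def parse_agent_key(blob: str) -> AgentKey:
    """Decode a manage_agents blob: base64 of 'ID NAME IP SECRET' (one client.keys line).

    Whitespace picked up while copying is stripped first, because the agent's import
    prompt rejects spaces and newlines; any other malformation raises ValueError.
    """
    cleaned = "".join(blob.split())
    try:
        raw = base64.b64decode(cleaned, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a valid base64 agent key") from exc
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 4 space-separated fields, got {len(fields)}")
    agent_id, name, ip, secret = fields
    if not agent_id.isdigit():
        raise ValueError(f"agent ID {agent_id!r} is not numeric")
    if ip != "any" and not _IPV4.match(ip):  # 'any' and CIDR: assumed accepted by manage_agents
        raise ValueError(f"agent IP {ip!r} is not an IPv4 address")
    if not _HEX64.match(secret):
        raise ValueError("secret is not 64 lowercase hex characters")
    return AgentKey(agent_id, name, ip, secret)


def encode_agent_key(key: AgentKey) -> str:
    """Inverse: the blob manage_agents prints for these client.keys fields (server side)."""
    line = f"{key.agent_id} {key.name} {key.ip} {key.secret}"
    return base64.b64encode(line.encode("ascii")).decode("ascii")
```

Because the blob is not encrypted, move it only over the SSH session the guide already uses and clear it from clipboards and shell history afterwards.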
