comp.org.uk


OSSEC Host Intrusion Detection System (HIDS)

OSSEC is a free and open-source host-based intrusion detection system (HIDS). It performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, the BSDs, Mac OS, Solaris and Windows, and its agent/server architecture lets a single server manage and monitor hosts running several different operating systems.

OSSEC consists of a main application (the server, also called the manager), agents installed on the monitored hosts, and an optional web management interface (ossec-wui).

Installing

Let's start by installing OSSEC in our infrastructure. First we need to satisfy some requirements: OSSEC itself needs only a C compiler and libc, while the web interface additionally needs Apache with PHP support. On Debian/Ubuntu, run the following as root (libapache2-mod-php5 is the PHP 5 era package name; on current releases it is libapache2-mod-php):

apt-get install build-essential
apt-get install apache2 apache2-utils libapache2-mod-php5

Next, we need to obtain OSSEC. Clone the server/agent sources and the web interface from GitHub:

git clone https://github.com/ossec/ossec-hids
git clone https://github.com/ossec/ossec-wui

Now that we have the source trees, let's build and install OSSEC (as root) with the following commands:

cd ossec-hids/
./install.sh

The script starts a wizard with a few questions. The most important one is the installation type: choose server on the host that will collect and analyse the alerts and agent on every host that is to be monitored (local is a standalone install that monitors only itself and reports to nobody). The server and each agent therefore need their own run of install.sh.

Next, let's install the web part of OSSEC. Move the ossec-wui directory into the web server's document root (here /var/www/htdocs; on Debian/Ubuntu it is usually /var/www or /var/www/html):

mv ossec-wui* /var/www/htdocs/ossec-wui

Then, execute the setup script:

cd /var/www/htdocs/ossec-wui
./setup.sh

The wizard will ask for a login and password for the web interface. These protect it with HTTP basic authentication only, so serve it over HTTPS and do not expose it to untrusted networks.

Configuring

OSSEC keeps all its files under /var/ossec; the main configuration file is /var/ossec/etc/ossec.conf. Let's open it and adapt it to our needs. E-mail alerting is configured in the <global> section: enable email_notification, then set the SMTP server, the sender and recipient addresses, and the maximum number of messages per hour (so that a noisy incident cannot flood the mailbox).

Then there is the <rules> block, which lists the rule files (one include element each) that describe what OSSEC reacts to and how severely.

The <syscheck> section configures integrity checking: OSSEC computes a hash of every file under the listed directories, stores it in a local database and rescans periodically, alerting on any file that was added, changed or removed. Here we set which directories to monitor and the scan frequency (in seconds). The separate <command> and <active-response> sections describe the scripts OSSEC may run when a rule of a given level fires, for example to block an attacking IP address.

Finally, <localfile> entries list the log files that OSSEC should read and match against the rules, together with their format.
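As an added worked example (not from the original page and not the default configuration shipped by the OSSEC project), here is a minimal server-side /var/ossec/etc/ossec.conf that puts the sections just described together. The mail server, addresses, monitored directories and log paths are assumptions chosen for illustration; realtime="yes" needs an OSSEC build with inotify support, and firewall-drop.sh is one of the active-response scripts OSSEC installs under /var/ossec/active-response/bin.

```xml
<ossec_config>
  <!-- E-mail alerting. email_maximum_per_hour caps the flood from a noisy
       incident; alerts above that are batched, not lost. -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
    <email_maximum_per_hour>12</email_maximum_per_hour>
  </global>

  <!-- Rule files, loaded in order. local_rules.xml is where site-specific
       overrides go so that upgrades do not clobber them. -->
  <rules>
    <include>rules_config.xml</include>
    <include>syslog_rules.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

  <!-- Integrity checking: full rescan every 6 hours, plus inotify-driven
       realtime alerts on the most sensitive trees. Files that legitimately
       change all the time are ignored to keep the signal clean. -->
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Accept encrypted agent traffic on the default port. -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>

  <!-- Everything of level 1 and up is logged; level 7 and up is mailed. -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Active response: drop the source IP of any level-10 alert for ten
       minutes. "expect srcip" means the command only runs for alerts
       that carry a source address. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Logs to analyse on the server itself. Agents carry their own
       localfile entries in their ossec.conf. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>
```

Start with an active response that is easy to undo (a timed firewall drop) and a high trigger level; a low level with a permanent block turns a log-injection trick into a denial of service against your own hosts.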

Now the basic configuration of the OSSEC server is finished and we can start it using the init script that install.sh created (equivalently, /var/ossec/bin/ossec-control start):

/etc/init.d/ossec start

If it started successfully, OSSEC sends a startup alert by e-mail to the configured address.

After this, the web server's account (www-data) must be added to the ossec group so that it can read the alert logs:

usermod -a -G ossec www-data

This is what editing /etc/group by hand and appending www-data to the ossec line (for example ossec:x:1002: becoming ossec:x:1002:www-data) achieves; the group's numeric id varies between installs, so do not rely on 1002.

After that, we need to make the tmp directory of the web interface (not of OSSEC itself) writable by the web server, and restart Apache:

cd /var/www/htdocs/ossec-wui
chmod 770 tmp/
chgrp www-data tmp/
apachectl restart

Now we can open the OSSEC web interface at http://localhost/ossec-wui/ and log in with the credentials given to setup.sh.

Connecting OSSEC agents

Let's install an OSSEC agent on another host from the same source tree, this time choosing agent in the wizard. For the question "What's the IP Address or hostname of the OSSEC HIDS server?" we enter the IP address of our OSSEC server. Now the agent has to be registered with the server: every agent gets an ID and a key that both sides must know. On the server, launch the agent manager:

/var/ossec/bin/manage_agents

In the interactive mode, we need to perform the following steps:

  1. Select A to add an agent.
  2. Enter a name for the agent.
  3. Enter the agent's IP address (the server accepts this agent's key only from that address; "any" disables the check).
  4. Choose an agent ID; the one OSSEC suggests is fine.
  5. Answer y to "Confirm adding it? (y/n)".
  6. Select E to extract the key of an agent.
  7. Enter the ID of the new agent.
  8. Copy the base64 string that is printed and press Enter. Treat this string as a secret: it authenticates the agent and encrypts its traffic, so move it to the agent over a secure channel such as ssh, never by e-mail or chat.
  9. Select Q to quit manage_agents.
  10. Restart the server so that it picks up the new agent:

    /etc/init.d/ossec restart

Then, on the agent, run the agent manager:

/var/ossec/bin/manage_agents

In the interactive mode, we need to perform the following steps:

  1. Select I to import the key copied from the server.
  2. Paste the key, confirm adding the agent, and quit with Q.

Then, we can run our agent:

/etc/init.d/ossec start

An e-mail alert should report that a new agent has connected. On the server, check whether the agent is connected:

/var/ossec/bin/agent_control -l

This lists our agents; the new one should have status Active. /var/ossec/logs/alerts/alerts.log should also contain the corresponding "New ossec agent connected" alert (rule 501). If the agent stays at Never connected, the usual causes are a firewall blocking UDP port 1514 towards the server, a key imported under a different agent ID, or an agent source address that does not match the IP registered in manage_agents.
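Once a few agents are enrolled, checking the listing by eye gets tedious. The following POSIX shell script is an added example, not part of this page or of OSSEC: it parses the output of /var/ossec/bin/agent_control -l and reports agents that are not Active, which is the check to run after the enrollment steps above (and from cron afterwards). The agent names, addresses and states in the embedded sample are constructed; the line format is the one agent_control -l prints, and the path /var/ossec/bin/agent_control assumes the default install prefix.

```shell
#!/bin/sh
# Added example: check OSSEC agent enrollment by parsing `agent_control -l`.
# Not part of the original page or of OSSEC. Assumes the default prefix
# /var/ossec and listing lines of the form
#   "   ID: 001, Name: web01, IP: 192.168.1.10, Active"

# Constructed sample of what `agent_control -l` prints on a manager
# (names, IPs and states are invented for this example).
sample_output() {
    cat <<'EOF'
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 192.168.1.10, Active
   ID: 002, Name: db01, IP: 192.168.1.11, Never connected
   ID: 003, Name: app01, IP: any, Disconnected

List of agentless devices:
EOF
}

# Turn each agent line on stdin into "id|name|ip|status"; other lines are dropped.
parse_agents() {
    sed -n 's/^ *ID: \([0-9][0-9]*\), Name: \(.*\), IP: \([^,]*\), \(.*\)$/\1|\2|\3|\4/p'
}

# Print id, name, ip and status (tab-separated) of every agent that is not
# Active. Active/Local is the manager's own entry and is also fine.
list_inactive_agents() {
    parse_agents | awk -F'|' '$4 != "Active" && $4 != "Active/Local" {
        print $1 "\t" $2 "\t" $3 "\t" $4 }'
}

# Print the status of one agent id, or "unknown" if no such agent is listed.
agent_status() {
    parse_agents | awk -F'|' -v id="$1" '
        $1 == id { print $4; found = 1 }
        END { if (!found) print "unknown" }'
}

# Number of agents currently reporting (manager included).
count_active() {
    parse_agents | awk -F'|' '$4 == "Active" || $4 == "Active/Local" { n++ }
        END { print n + 0 }'
}

# Usage on the manager:  sh check_agents.sh --live [agent-id]
# An agent stuck at "Never connected" usually means UDP 1514 to the manager
# is blocked, the key was imported under a different ID, or the agent's
# source IP differs from the one registered with manage_agents.
if [ "${1-}" = "--live" ]; then
    listing=$(/var/ossec/bin/agent_control -l)
    if [ -n "${2-}" ]; then
        printf '%s\n' "$listing" | agent_status "$2"
    else
        printf '%s\n' "$listing" | list_inactive_agents
    fi
elif [ "${1-}" = "--demo" ]; then
    # Exercise the constructed sample without touching a real manager.
    sample_output | list_inactive_agents
fi
```

Run with --demo to see the two non-Active agents from the sample, or with --live on the manager to check the real listing; a non-empty result from list_inactive_agents is what you would alert on from cron.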

So the OSSEC agent is connected, and it now also appears in the web interface.

Note

If you want to learn more about OSSEC, the official documentation is available at http://ossec.github.io/docs/.


Published on Mon 02 January 2012 by Sandra Michaels in Security with tag(s): ossec hids