OSSEC Security Implementation on Linux

Introduction

 

OSSEC is a platform to monitor and control your systems. It combines all the aspects of HIDS (host-based intrusion detection), log monitoring, and Security Incident Management (SIM)/Security Information and Event Management (SIEM) in a simple, powerful, open-source solution.

 

OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It's a must-have security application on any server. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.

 

OSSEC can be installed to monitor just the server it’s installed on (a local installation), or be installed as a server to monitor one or more agents.

 

OSSEC Architecture

 

OSSEC can be deployed in several ways, depending on your infrastructure: whether you have a fixed number of servers, or an infrastructure that is frequently scaled up and down.

 

INSTALLATION

  • Step 1: Install Required Packages

 

OSSEC will be compiled from source, so you need a compiler. Install the compiler first:

 

# sudo yum install -y gcc inotify-tools

[ GCC: GNU Compiler Collection ]

 

OpenSSL is also suggested; the authd/agent-auth key exchange described later needs it.

  • Step 2 – Download and Verify OSSEC

 

OSSEC is delivered as a compressed tarball that has to be downloaded from the project's website. The checksum file, which will be used to verify that the tarball has not been tampered with, also has to be downloaded.

 

To download the tarball, type:

 

#  wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz

 

[ wget may not be able to pull files from the OSSEC site. Use the -U flag to set a User-Agent, or obtain the checksum file some other way. ]

 

For the checksum file, type:

 

# wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2-checksum.txt

 

With both files downloaded, the next step is to verify the MD5 and SHA1 checksums of the tarball. For the MD5sum, type:

 

# md5sum -c ossec-hids-2.8.2-checksum.txt [OPTIONAL]

 

The expected output is:

ossec-hids-2.8.2.tar.gz: OK

md5sum: WARNING: 1 line is improperly formatted

To verify the SHA1 hash, type:

# sha1sum -c ossec-hids-2.8.2-checksum.txt [OPTIONAL]

And its expected output is:

ossec-hids-2.8.2.tar.gz: OK

sha1sum: WARNING: 1 line is improperly formatted
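As an added example (not from the page or the OSSEC project), this shell function verifies both digests from the checksum file in one go and fails closed if either is missing or wrong. It assumes the checksum file uses the openssl dgst layout ("MD5(<file>)= <hash>" and "SHA1(<file>)= <hash>"), which is also why md5sum -c and sha1sum -c each complain about one improperly formatted line: each tool understands only its own line.

```shell
#!/bin/sh
# Verify an OSSEC tarball against the project's checksum file.
# Assumed file layout (openssl dgst style), one line per digest:
#   MD5(ossec-hids-2.8.2.tar.gz)= <32 hex>
#   SHA1(ossec-hids-2.8.2.tar.gz)= <40 hex>
# Usage: verify_ossec_tarball <tarball> <checksum-file>; exit status 0 only
# when BOTH digests are present in the file and BOTH match the tarball.
verify_ossec_tarball() {
    tarball=$1
    sums=$2
    [ -f "$tarball" ] && [ -f "$sums" ] || { echo "missing input file" >&2; return 1; }
    base=$(basename "$tarball")

    # Expected digests for exactly this file name, lower-cased for comparison.
    want_md5=$(sed -n "s/^MD5(${base})= *\([0-9A-Fa-f]*\).*/\1/p" "$sums" | head -n 1 | tr 'A-F' 'a-f')
    want_sha1=$(sed -n "s/^SHA1(${base})= *\([0-9A-Fa-f]*\).*/\1/p" "$sums" | head -n 1 | tr 'A-F' 'a-f')
    if [ ${#want_md5} -ne 32 ] || [ ${#want_sha1} -ne 40 ]; then
        echo "$sums: no usable MD5 and SHA1 entries for $base" >&2
        return 1
    fi

    # Actual digests of the downloaded file.
    have_md5=$(md5sum "$tarball" | cut -d' ' -f1)
    have_sha1=$(sha1sum "$tarball" | cut -d' ' -f1)

    if [ "$have_md5" != "$want_md5" ]; then
        echo "$base: MD5 mismatch (got $have_md5, want $want_md5)" >&2
        return 1
    fi
    if [ "$have_sha1" != "$want_sha1" ]; then
        echo "$base: SHA1 mismatch (got $have_sha1, want $want_sha1)" >&2
        return 1
    fi
    echo "$base: MD5 and SHA1 OK"
    return 0
}

# Stand-alone demonstration on constructed files (not the real tarball): a
# stand-in "tarball" containing the text "hello" and a matching checksum file.
demo_verify_ossec_tarball() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/ossec-hids-2.8.2.tar.gz"
    cat > "$dir/ossec-hids-2.8.2-checksum.txt" <<'EOF'
MD5(ossec-hids-2.8.2.tar.gz)= b1946ac92492d2347c6235b4d2611184
SHA1(ossec-hids-2.8.2.tar.gz)= f572d396fae9206628714fb2ce00f72e94f2258f
EOF
    verify_ossec_tarball "$dir/ossec-hids-2.8.2.tar.gz" "$dir/ossec-hids-2.8.2-checksum.txt"
    # Simulate a tampered download: the same checksum file must now reject it.
    printf 'hello!\n' > "$dir/ossec-hids-2.8.2.tar.gz"
    verify_ossec_tarball "$dir/ossec-hids-2.8.2.tar.gz" "$dir/ossec-hids-2.8.2-checksum.txt" \
        || echo "tampered tarball rejected as expected"
    rm -rf "$dir"
}

demo_verify_ossec_tarball
```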

 

  • Step 3: Determine Your SMTP Server (OPTIONAL)

During the OSSEC installation you can opt in to e-mail alerts, at which point you must supply your e-mail address and the SMTP server that delivers mail for it. To find that server, query the MX record of the address's domain (the part after the @):

# dig -t mx example.com

The output looks like this:

[ ;; ANSWER SECTION:

vivaldi.net.        300 IN  MX  10 mail.vivaldi.net. ]

 

  • Step 4: Install OSSEC

 

To install OSSEC, you first need to unpack the tarball, which you do by typing:

# tar xf ossec-hids-2.8.2.tar.gz

OR

# tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)

{

There is a bug in this version (ossec-hids-2.8.2). To fix it, do these steps:

# cd ossec-hids-2.8.2

# vim active-response/hosts-deny.sh

Find this section of the script:

# Deleting from hosts.deny

elif [ "x${ACTION}" = "xdelete" ]; then

lock;

TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`

if [ "X${TMP_FILE}" = "X" ]; then

# Cheap fake tmpfile, but should be harder then no random data

TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"

fi

On the lines that start with TMP_FILE, delete the spaces around the = sign: in sh, TMP_FILE = value does not assign the variable but runs a command named TMP_FILE, so the variable is never set. After removing the spaces, that portion of the file should look like this:

# Deleting from hosts.deny

elif [ "x${ACTION}" = "xdelete" ]; then

lock;

TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`

if [ "X${TMP_FILE}" = "X" ]; then

# Cheap fake tmpfile, but should be harder then no random data

TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"

fi

Save and close the file.

}

With that fixed, run the installer from the source directory:
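The same fix applied with sed and checked afterwards, as an added example rather than part of the page or of OSSEC; it assumes the file is active-response/hosts-deny.sh under the unpacked source tree and uses a constructed copy of the affected section for the demonstration.

```shell
#!/bin/sh
# Apply the hosts-deny.sh fix automatically and confirm it took.
# In sh, "TMP_FILE = value" is not an assignment: it runs a command named
# TMP_FILE with "=" as its first argument, so the variable stays empty and
# the delete branch of the active response works on the wrong file.
# Usage: fix_hosts_deny_tmpfile <path-to-hosts-deny.sh>; prints the number
# of TMP_FILE assignments after the fix, exit status 1 if anything is off.
fix_hosts_deny_tmpfile() {
    script=$1
    [ -f "$script" ] || { echo "$script: not found" >&2; return 1; }
    cp "$script" "$script.orig" || return 1             # keep a backup
    # Only lines whose first token is TMP_FILE lose the spaces around "=".
    sed 's/^\([[:space:]]*TMP_FILE\)[[:space:]]*=[[:space:]]*/\1=/' "$script" \
        > "$script.tmp" && mv "$script.tmp" "$script" || return 1
    # No broken assignment may remain, and the script must still parse.
    if grep -q '^[[:space:]]*TMP_FILE[[:space:]]' "$script"; then
        echo "$script: a broken TMP_FILE assignment is still present" >&2
        return 1
    fi
    sh -n "$script" || { echo "$script: syntax error after fix" >&2; return 1; }
    grep -c '^[[:space:]]*TMP_FILE=' "$script"
}

# Constructed stand-in for the affected section of ossec-hids-2.8.2's
# active-response/hosts-deny.sh (wrapped in an if so that it parses alone).
sample_hosts_deny() {
    cat <<'EOF'
#!/bin/sh
ACTION=$1
lock() { :; }
if [ "x${ACTION}" = "xadd" ]; then
   :
# Deleting from hosts.deny
elif [ "x${ACTION}" = "xdelete" ]; then
   lock;
   TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
   if [ "X${TMP_FILE}" = "X" ]; then
     # Cheap fake tmpfile, but should be harder then no random data
     TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1`"
   fi
fi
EOF
}

# Demonstration on a temporary copy; on a real tree run it on
# ossec-hids-2.8.2/active-response/hosts-deny.sh before ./install.sh.
demo=$(mktemp)
sample_hosts_deny > "$demo"
echo "fixed TMP_FILE assignments: $(fix_hosts_deny_tmpfile "$demo")"
rm -f "$demo" "$demo.orig"
```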

Ossec-hids-2.8.2 # sudo ./install.sh

 

Throughout the installation process, you'll be prompted to provide some input.

The first prompt selects the language: enter en (for English) and press Enter.

The next question asks what type of installation you want. Here, enter server:

1- What kind of installation do you want (server, agent, local, hybrid or help)? Server

2- Setting up the installation environment.

– Choose where to install the OSSEC HIDS [/var/ossec]: Enter

/var/ossec

Installation will be made at /var/ossec

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]:

– What’s your e-mail address? you@example.com

– What’s your SMTP server ip/host?

[ When in doubt, choose 127.0.0.1 and then alter the configuration after you are certain of the correct address to use. ]

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

– Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

– Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific

command based on the events received. For example,  you can block an IP  address or disable access for a specific user.

More information at:

http://www.ossec.net/en/manual.html#active-response

– Do you want to enable active response? (y/n) [y]: y

– Active response enabled.

– By default, we can enable the host-deny and the

firewall-drop responses. The first one will add

a host to the /etc/hosts.deny and the second one

will block the host on iptables (if linux) or on

ipfilter (if Solaris, FreeBSD or NetBSD).

– They can be used to stop SSHD brute force scans,

portscans and some other forms of attacks. You can

also add them to block on snort events, for example.

 

3.5- Do you want to enable the firewall-drop response? (y/n) [y]:

y

– firewall-drop enabled (local) for levels >= 6

– Default white list for the active response:

– 192.168.65.2

– Do you want to add more IPs to the white list? (y/n)? [n]:

N

3.6- Setting the configuration to analyze the following logs:

— /var/log/messages

— /var/log/auth.log

— /var/log/syslog

— /var/log/mail.info

– If you want to monitor any other file, just change the ossec.conf and add a new localfile entry.

Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .

Press Enter to finish the installation.

 

  • Step 5: Start OSSEC

 

OSSEC has been installed but not started. To start it, first switch to the root account:

# sudo su

Then start OSSEC:

 

# /var/ossec/bin/ossec-control start

 

  • Step 6: Customize OSSEC

 

# vim /var/ossec/etc/ossec.conf

The first item to verify is the e-mail settings, which you'll find in the global section of the file:

 

<global>

<email_notification>yes</email_notification>

<email_to>akashdeep@i2k2.com</email_to>

<smtp_server>localhost</smtp_server>

<email_from>mmtcpemalert@gmail.com</email_from>

<email_maxperhour>5000</email_maxperhour>

</global>

We use an SMTP relay server here.

 

Another setting that you may want to customize, especially while testing the system, is how often OSSEC runs its integrity audits. That setting is in the syscheck section and, by default, the check runs every 22 hours (79200 seconds). To test OSSEC's alerting features, you might want to set it to a lower value, but reset it to the default afterwards.

<syscheck>

<frequency>79200</frequency>

<alert_new_files>yes</alert_new_files>  <!-- add this line -->

One last setting that is worth changing is the list of directories that OSSEC should check. You'll find it right after the previous setting. By default, the directories are listed as:

<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

<directories check_all="yes">/bin,/sbin</directories>

Modify both lines so that OSSEC reports changes in real time. When finished, they should read:

<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

Save and close the file.

The next file that we’ll need to modify is local_rules.xml in the /var/ossec/rules directory. So cd into that directory:

# cd /var/ossec/rules

# vim  local_rules.xml

That directory holds OSSEC’s rule files, none of which should be modified, except the local_rules.xml file. In that file, we add custom rules. The rule we need to add is the one

that fires when a new file is added. That rule, numbered 554, does not trigger an alert by default. That’s because OSSEC does not send out alerts when a rule with level set to zero is triggered.

Here’s what rule 554 looks like by default.

<rule id="554" level="0">

<category>ossec</category>

<decoded_as>syscheck_new_entry</decoded_as>

<description>File added to the system.</description>

<group>syscheck,</group>

</rule>

We need to add a modified version of that rule in the local_rules.xml file. That modified version is given in the block of code below. Copy and add it to the bottom of the file just before

the closing tag.

<rule id="554" level="7" overwrite="yes">

<category>ossec</category>

<decoded_as>syscheck_new_entry</decoded_as>

<description>File added to the system.</description>

<group>syscheck,</group>

</rule>

Save and close the file, then restart OSSEC:

 

# /var/ossec/bin/ossec-control restart
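Once rule 554 fires at level 7, its alerts are written to /var/ossec/logs/alerts/alerts.log. The following shell function, an added example that is not part of the page or of OSSEC, pulls the new-file alerts out of that log; the excerpt embedded in it is constructed, following the alerts.log layout, so it runs offline.

```shell
#!/bin/sh
# Extract "file added" alerts (rule 554, level raised to 7 above) from
# alerts.log and print "<agent><TAB><path>" for each hit at or above a
# minimum level.  Usage: ossec_new_file_alerts <min-level> [alerts.log]
# (reads standard input when no file is given).
ossec_new_file_alerts() {
    min=$1
    file=${2:-/dev/stdin}
    awk -v min="$min" -v q="'" '
        # "** Alert <time>.<id>: - <groups>," opens an alert: reset state.
        /^\*\* Alert / { agent = ""; rule = ""; level = 0 }
        # "2015 May 07 10:15:22 (xyz) 10.0.0.5->syscheck" for an agent,
        # "2015 May 07 10:15:22 manager->syscheck" for the manager itself.
        /^[0-9][0-9][0-9][0-9] [A-Z][a-z][a-z] / {
            agent = $5
            if (agent ~ /^\(/) gsub(/[()]/, "", agent); else sub(/->.*/, "", agent)
        }
        # "Rule: 554 (level 7) -> ..." carries the rule id and the level.
        /^Rule: / { rule = $2; level = $4; sub(/\)/, "", level); level += 0 }
        # "New file <q>/path<q> added to the file system." holds the path.
        rule == "554" && level >= min && /^New file / {
            if (split($0, part, q) >= 3) print agent "\t" part[2]
        }
    ' "$file"
}

# Constructed alerts.log excerpt: two new-file alerts (one from agent xyz,
# one from the manager itself), a checksum change and a low-level login event.
sample_alerts_log() {
    cat <<'EOF'
** Alert 1431000000.100: - ossec,syscheck,
2015 May 07 10:15:22 (xyz) 10.0.0.5->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/etc/cron.d/nightly' added to the file system.

** Alert 1431000060.200: - ossec,syscheck,
2015 May 07 10:16:22 (xyz) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1431000120.300: - pam,syslog,authentication_success,
2015 May 07 10:17:22 (xyz) 10.0.0.5->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
May  7 10:17:21 xyz sshd[2201]: pam_unix(sshd:session): session opened for user ops by (uid=0)

** Alert 1431000180.400: - ossec,syscheck,
2015 May 07 10:18:22 manager->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/usr/local/bin/newtool' added to the file system.
EOF
}

# Demonstration; on a live manager: ossec_new_file_alerts 7 /var/ossec/logs/alerts/alerts.log
sample_alerts_log | ossec_new_file_alerts 7
```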

 

Before moving on to setting up agents, remember that the OSSEC HIDS server needs to receive communication from agents on port 1514 and possibly 514. You must ensure that the firewall or packet filter on the server host allows this traffic; each operating system and software distribution provides a way to do this.

You must enable inbound UDP traffic on ports 1514 and 514 from any subnets where agents are installed. The firewall rule must maintain connection state because the agent expects responses from the server.

  • Managing Agents

Before moving on to another install type, let's review key management in the OSSEC HIDS. Agents must be able to identify themselves to the server, and the server must be able to validate the identity of the agent. This ensures that illicit messages sent from non-agent hosts aren't processed by the server.

The server-agent traffic is encrypted and validated using pre-shared keys. These keys must be generated on the server and then imported on the agent side.

The procedure is the same regardless of the agent platform. All agent key management is done using the manage_agents utility in the OSSEC HIDS bin directory. You must create a key for each agent by adding the agent with the manage_agents utility. Run the utility and then choose Add an agent by entering A:

# /var/ossec/bin/manage_agents

****************************************

* OSSEC HIDS v1.4 Agent manager.       *

* The following options are available: *

****************************************

(A)dd an agent (A).

(E)xtract key for an agent (E).

(L)ist already added agents (L).

(R)emove an agent (R).

(Q)uit.

Choose your action: A,E,L,R or Q: A

You are prompted for host details and an identifier for the agent. The IP address, not the hostname, of the agent host must be provided. The ID can be any number you choose,

but it must be numeric. The name can be any  identifying text that is meaningful to you, without spaces, but typically it makes most sense to use the hostname.

– Adding a new agent (use ‘\q’ to return to the main menu).

Please provide the following:

* A name for the new agent: xyz

* The IP Address of the new agent: X.X.X.X

* An ID for the new agent[001]: 001

Agent information:

 

ID:001

Name:xyz

IP  Address:X.X.X.X

Confirm adding it?(y/n): y

Agent added.

Repeat this procedure for each agent you must install. After you are done creating keys, restart the OSSEC HIDS service using /var/ossec/bin/ossec-control, so that the OSSEC HIDS can read the updated keys and permitted agent IP addresses. Failure to restart the OSSEC HIDS server might result in connection failures for the agents. After the OSSEC HIDS software is installed on the agents, you will return to the server to retrieve the keys for each agent using the same manage_agents utility.

 

From the manage agents menu, enter e to extract a key. You are provided with a list of already configured agents. Choose your agent by entering the correct ID.

The key is displayed so you can copy it to your clipboard.

# /var/ossec/bin/manage_agents

****************************************

* OSSEC HIDS v1.3 Agent manager.       *

* The following options are available: *

****************************************

(A)dd an agent (A).

(E)xtract key for an agent (E).

(L)ist already added agents (L).

(R)emove an agent (R).

(Q)uit.

Choose your action: A,E,L,R or Q: e

Available agents:

ID: 001, Name: xyz, IP: X.X.X.X

Provide the ID of the agent to extract the key (or ‘\q’ to quit): 001

Agent key information for ‘001’ is:

MDAxIG1hcnMgMTkyLjE2OC42NS40MCBmY2UzMjM4OTc1ODgzYTU4ZWM3YTRkYWJiZTJmMjQ2Y2ViODhmMzlmYjE3MmI4OGUzMTE0MDczMzVhYjk2OTRh

** Press ENTER to return to the main menu.

 

Copy that key; it will be pasted on the agent side.

 

********** THIS IS ALL ON SERVER SIDE FOR NOW. **********

We now have to install OSSEC on the client (agent) side. There are two ways to do this:

1) Install OSSEC on the host from source, as above.

2) Copy the already-compiled install files to the other host, so that you can install on multiple hosts without recompiling every time.

  • Installing Agents

Agent installation on Unix/Linux/BSD platforms is performed much like the other install types. The only notable difference is that you must provide the server IP address. After installation, the agent does not start properly until the key, which is generated on the server, is imported. For Microsoft Windows, the installation is also simple, but it is performed using a graphical installer. Importing the key from the server to the agent typically requires Secure Shell (SSH) access to the server, so make sure the Windows host has an SSH client.

NOTE

[After the install.sh script is successfully run once, the files are compiled. The install.sh script has a binary-install option that allows you to reinstall without recompiling every time.

Also, by copying the install files to another host, you can perform the installation on multiple hosts without recompiling every time. This assumes, of course, that all hosts are of the same

operating system. The hosts still require some build tools, such as make, to be installed, but do not require a full build environment.]

  • Installing the Unix Agent

The same installation procedure used for local and server installations is used for an agent installation on Unix- and Linux-based hosts. Start by choosing agent installation in step 1 and

then a directory location in step 2. The defaults are shown in square brackets and can be accepted by pressing Enter, or customized as in this case. You will notice that the agent install has

fewer options to configure. This is because the server does much of the work.

 

1- What kind of installation do you want (server, agent, local or help)? agent

– Agent(client) installation chosen.

2- Setting up the installation environment.

– Choose where to install the OSSEC HIDS [/var/ossec]: /opt/ossec

– Installation will be made at /opt/ossec .

3- Configuring the OSSEC HIDS.

3.1- What's the IP Address of the OSSEC HIDS server?: X.X.X.X

– Adding Server IP X.X.X.X

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

– Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

– Running rootcheck (rootkit detection).

On the agent installation, notice that the only options for active response are enable or disable. Enabling active response on an agent allows the server to initiate responses

that are executed on this agent. We recommend enabling for all agents.

3.4 – Do you want to enable active response? (y/n) [y]: y

3.5- Setting the configuration to analyze the following logs:

— /var/log/messages

— /var/log/authlog

— /var/log/secure

— /var/log/xferlog

— /var/log/maillog

– If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .

 

--- Press ENTER to continue ---

After you press Enter, the OSSEC HIDS is compiled, installed, and configured with the options you specified. When the installation is complete, the installer script provides you

with some final information. You should make note of the information and take any recommended actions. For example, for the OSSEC HIDS to use the OpenBSD pf firewall,

a few lines must be added to the /etc/pf.conf script.

Before starting the OSSEC HIDS agent, the key generated on the server must be imported. The manage_agents utility is used to import the keys. Because the keys are on the server, the normal method for retrieving them is to connect to the server using SSH and run the manage_agents utility there.

 

To import the key, run the manage_agents utility on the agent host. The menu for agents is much simpler, because importing keys is the only option. Enter i to import

and then paste the key value previously saved to your clipboard.

# /opt/ossec/bin/manage_agents

****************************************

* OSSEC HIDS v1.3 Agent manager.       *

* The following options are available: *

****************************************

(I)mport key from the server (I).

(Q)uit.

Choose your action: I or Q: i

* Provide the Key generated by the server.

* The best approach is to cut and paste it.

*** OBS: Do not include spaces or new lines.

Paste it here (or ‘\q’ to quit):

MDAxIG1hcnMgMTkyLjE2OC42NS40MCBmY2UzMjM4OTc1ODgzYTU4ZWM3YTRkYWJiZTJmMjQ2Y2ViODhmMzlmYjE3MmI4OGUzMTE0MDczMzVhYjk2OTRh

Agent information:

ID:001

Name:xyz

IP  Address:X.X.X.X

Confirm adding it?(y/n): y

Added.

** Press ENTER to return to the main menu.

****************************************

* OSSEC HIDS v1.3 Agent manager.       *

* The following options are available: *

****************************************

(I)mport key from the server (I).

(Q)uit.

Choose your action: I or Q: q

** You must restart the server for your changes to have effect.

manage_agents: Exiting ..

 

Now that the agent installation is complete, we can start the OSSEC HIDS service by

running the following command:

# /opt/ossec/bin/ossec-control start

The agent starts and connects to the server. You can verify this by checking the agent's log file (/var/ossec/logs/ossec.log, or /opt/ossec/logs/ossec.log when the agent was installed under /opt/ossec as above) for messages like the following near the end of the file:

2007/10/10 23:25:48 ossec-agentd: Connecting to server (X.X.X.X:1514).

2007/10/10 23:25:48 ossec-agentd(4102): Connected to the server.

 

 

Configuring MySQL

Database Setup

Create a database, setup the database user, and add the schema with the following commands.

# mysql -u root -p

mysql> create database ossec;

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@<ossec ip>;

Query OK, 0 rows affected (0.00 sec)

mysql> set password for ossecuser@<ossec ip>=PASSWORD('ossecpass');

Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

mysql> quit

# mysql -u root -p ossec < mysql.schema

OSSEC Setup

In order for ossec to output alerts and other data into the database the /var/ossec/etc/ossec.conf will need to have a <database_output> section added.

<database_output>

<hostname>localhost</hostname>

<username>ossecuser</username>

<password>PASSWORD</password>

<database>ossec</database>

<type>mysql</type>

</database_output>

Complete MySQL Output

All that is left is to enable the database daemon and restart ossec for the changes to take effect.

# /var/ossec/bin/ossec-control enable database

# /var/ossec/bin/ossec-control restart

 

Automatically creating and setting up the agent keys With Authd

You need to create the certificate / private key for SSL (note that OSSEC will look at /var/ossec/etc/sslmanager.cert and /var/ossec/etc/sslmanager.key for them).

# openssl genrsa -out /var/ossec/etc/sslmanager.key 2048

# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365

* Note that you only need to run these commands on the manager (not on the agents).

Once the keys are created, you can start the ossec-authd:

# /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
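Before starting ossec-authd it is worth confirming that the certificate and key belong together and that the key is not world-readable. This shell check is an added example, not part of the page or of OSSEC; it defaults to the two paths named above, needs the openssl command, and builds a throwaway key pair in a temporary directory for its demonstration.

```shell
#!/bin/sh
# Check the ossec-authd TLS material before starting the daemon: the
# certificate and private key must belong together, the certificate must
# not be close to expiry, and the key must be readable by its owner only.
# Usage: check_authd_keypair [cert] [key]  (defaults: the paths used above)
check_authd_keypair() {
    cert=${1:-/var/ossec/etc/sslmanager.cert}
    key=${2:-/var/ossec/etc/sslmanager.key}
    [ -r "$cert" ] && [ -r "$key" ] || { echo "certificate or key missing/unreadable" >&2; return 1; }

    # Compare the public key inside the certificate with the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "$cert: not a valid certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "$key: not a valid private key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match" >&2; return 1; }

    # -checkend fails if the certificate expires within the window (30 days here).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "$cert expires within 30 days; reissue it" >&2; return 1; }

    # Permission bits of the key: group and others must have nothing (e.g. 600).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    case "$mode" in
        *00) ;;
        '')  echo "cannot read permissions of $key" >&2; return 1;;
        *)   echo "$key is readable by group/others (mode $mode); run: chmod 600 $key" >&2; return 1;;
    esac
    echo "authd key pair OK: $cert / $key"
}

# Demonstration on a throwaway key pair in a temporary directory (not the
# manager's real files), generated the same way as the two commands above.
dir=$(mktemp -d)
openssl genrsa -out "$dir/sslmanager.key" 2048 2>/dev/null
openssl req -new -x509 -key "$dir/sslmanager.key" -out "$dir/sslmanager.cert" -days 365 \
    -subj '/CN=ossec-manager' 2>/dev/null
chmod 600 "$dir/sslmanager.key"
check_authd_keypair "$dir/sslmanager.cert" "$dir/sslmanager.key"
rm -rf "$dir"
```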

 

Setting up the agents

# /var/ossec/bin/agent-auth -m <Server IP> -p 1515

Output:

INFO: Connected to <Server ip>

INFO: Using agent name as: agent-name

INFO: Send request to manager. Waiting for reply.

INFO: Received response with agent key

INFO: Valid key created. Finished.

INFO: Connection closed.

Sometimes agent-auth fails with this error:

ERROR: Not compiled. Missing OpenSSL support.

This error occurs for one of the two reasons below:

1> Port 1515/tcp is not open.

2> The OpenSSL package is not installed on the agent side.

If you have checked both (port 1515 and OpenSSL) and they are fine but the problem persists, reinstall OSSEC on the agent side.

 

Steps to reconfigure:

1> Remove OSSEC

# rm -rf /var/ossec

2> Install OSSEC as an agent

Follow the installation steps above.

Then try again:

# /var/ossec/bin/agent-auth -m <Server IP> -p 1515

 

IMPORTANT

You have to make a change on both sides (server and agent) in the /var/ossec/etc/client.keys file: change any to <agent-ip>.
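As an added check (not from the page or from OSSEC), this shell script validates client.keys entries and exported keys before you import or edit them. It relies on the fact that the key string manage_agents displays under (E)xtract is the agent's client.keys line ("<id> <name> <ip> <key>") in base64, reports the any address that the note above tells you to replace, and uses constructed entries for its demonstration.

```shell
#!/bin/sh
# Validate OSSEC client.keys entries ("<id> <name> <ip> <64-hex key>") and
# key strings exported by manage_agents, which are one such line in base64.
# "any" as the address is accepted by OSSEC but reported here, since it lets
# any host that holds the key talk to the manager as that agent.
check_client_keys_line() {
    id=$1; name=$2; ip=$3; key=$4; extra=$5
    case "$id" in ''|*[!0-9]*) echo "bad: id '$id' is not numeric"; return 1;; esac
    if [ -z "$name" ] || [ -z "$ip" ] || [ -z "$key" ] || [ -n "$extra" ]; then
        echo "bad: entry $id must have exactly 4 fields"; return 1
    fi
    case "$key" in *[!0-9a-fA-F]*) echo "bad: key for id $id is not hex"; return 1;; esac
    [ ${#key} -eq 64 ] || { echo "bad: key for id $id has ${#key} hex chars, expected 64"; return 1; }
    case "$ip" in
        any) echo "warn: id $id ($name) accepts any source IP; pin it to the agent address";;
        *)   echo "ok: $id $name $ip";;
    esac
    return 0
}

# Validate a whole client.keys file.  Usage: check_client_keys_file <file>
check_client_keys_file() {
    status=0
    while read -r id name ip key extra; do
        [ -z "$id" ] && continue                         # skip blank lines
        check_client_keys_line "$id" "$name" "$ip" "$key" "$extra" || status=1
    done < "$1"
    return $status
}

# Decode and validate a key copied from the (E)xtract output of manage_agents.
# Line breaks from the terminal wrap are removed first, as the importer
# itself insists on "no spaces or new lines".  Usage: check_exported_key <b64>
check_exported_key() {
    line=$(printf '%s' "$1" | tr -d ' \n\r\t' | base64 -d 2>/dev/null) \
        || { echo "bad: not valid base64"; return 1; }
    set -- $line
    check_client_keys_line "$1" "$2" "$3" "$4" "$5"
}

# Demonstration with constructed entries (not real keys).
SAMPLE_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
demo=$(mktemp)
printf '001 xyz 10.0.0.5 %s\n002 web any %s\n' "$SAMPLE_KEY" "$SAMPLE_KEY" > "$demo"
check_client_keys_file "$demo"
check_exported_key "$(printf '001 xyz 10.0.0.5 %s' "$SAMPLE_KEY" | base64)"
rm -f "$demo"
```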

 

 

Some Important Points/Commands

  • To check the OSSEC logs. All errors and other OSSEC-related log messages are written here:

/var/ossec/logs/ossec.log

  • To check alerts from agents:

/var/ossec/logs/alerts/alerts.log

  • To list the agents that have been added:

# /var/ossec/bin/manage_agents -l

  • To list the active (connected) agents:

# /var/ossec/bin/agent_control -lc

  • To show the status of a particular agent:

# /var/ossec/bin/agent_control -i <agent-id>

  • To delete an agent, remove its line from this file:

# vim /var/ossec/etc/client.keys

  • To start/stop/restart OSSEC or show its status:

# /var/ossec/bin/ossec-control {start|stop|restart|status}

  • Configuration file of OSSEC:

/var/ossec/etc/ossec.conf

 
