Wednesday, September 21, 2011

Setting up OSSEC on Ubuntu 11.04

Preamble

This blog post captures my experience installing and configuring OSSEC (host-based intrusion detection software).

OSSEC Installation

The process below follows the installation guide on the OSSEC website.

Get the main install package from the OSSEC download page.  The following commands download the tarball and its checksum file, then compute the tarball's MD5 and SHA1 digests; both must match the strings in the checksum file before anything is extracted.  Note that the checksum file is fetched over plain HTTP from the same host as the tarball, so a match only shows that the download was not corrupted in transit.  It does not protect against a file tampered with on the server or on the way to you; that would need a signature checked against a key obtained separately.

  • wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
  • wget http://www.ossec.net/files/ossec-hids-2.6_checksum.txt
  • cat ossec-hids-2.6_checksum.txt
  • md5sum ossec-hids-2.6.tar.gz
  • sha1sum ossec-hids-2.6.tar.gz
Commands to extract the tarball and delete the original downloads:
  • tar -xvvf ossec-hids-2.6.tar.gz
  • rm ossec-hids-2.6.tar.gz
  • rm ossec-hids-2.6_checksum.txt
Run the install script:
  • cd ossec-hids-2.6/
  • sudo ./install.sh
  • en - english
  • local - local installation of the server and agent
  • /var/ossec - where we want to install it
  • n - disable email notification
  • y - run integrity check daemon
  • y - run rootkit detection engine
  • y - enable active response
  • y - enable firewall-drop response
  • n - no more IPs to add to the active response white list
  • enter - builds OSSEC
At the end of the build process there are messages to indicate that the init script has been modified to start OSSEC HIDS during boot and that configuration has finished properly.  In addition the commands to start and stop OSSEC are displayed:
  • sudo /var/ossec/bin/ossec-control start 
  • sudo /var/ossec/bin/ossec-control stop
Start OSSEC using the above command.

Installing OSSEC-UI (Web-based user-interface for OSSEC)

This installation process is also posted on the OSSEC web site.  Another good resource can be found here.
Get the web interface install package from the OSSEC download page and verify its integrity in the same way (the same caveat about the checksum file applies):
  • wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
  • wget http://www.ossec.net/files/ui/ossec-wui-0.3-checksum.txt
  • cat ossec-wui-0.3-checksum.txt
  • md5sum ossec-wui-0.3.tar.gz
  • sha1sum ossec-wui-0.3.tar.gz
Commands to extract the tarball and delete the original downloads:
  • tar -xvvf ossec-wui-0.3.tar.gz
  • rm ossec-wui-0.3.tar.gz
  • rm ossec-wui-0.3-checksum.txt
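Rather than comparing the digests by eye, the check for both tarballs (ossec-hids-2.6 above and ossec-wui-0.3 here) can be scripted.  The script below is an added example, not code from the original post or from the OSSEC project; it assumes the checksum file lists one MD5 and one SHA1 digest in either the BSD "MD5 (file) = hex" form or the coreutils "hex  file" form, and that md5sum and sha1sum are installed.  Because the checksum file comes over plain HTTP from the same server, a match rules out a corrupted download, not a tampered one.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OSSEC project:
# verify a downloaded tarball against its checksum file by comparison
# instead of by eye, for both the ossec-hids and ossec-wui downloads.
# Assumptions: the checksum file carries one MD5 digest (32 hex digits)
# and one SHA1 digest (40 hex digits) for the tarball, in either the BSD
# style "MD5 (file) = <hex>" or the coreutils style "<hex>  file"; md5sum
# and sha1sum are on the PATH.

# Print the first hex token of exactly $2 digits found in checksum file $1,
# lowercased; prints nothing if there is none.
expected_digest() {
    grep -oE '[A-Fa-f0-9]{32,40}' "$1" | grep -E "^.{$2}\$" | head -n 1 | tr 'A-F' 'a-f'
}

# Compute the digest of file $1 with tool $2 (md5sum or sha1sum).
actual_digest() {
    "$2" "$1" | cut -d' ' -f1
}

# Return 0 only if BOTH digests listed in $2 match tarball $1.  A missing
# digest counts as a failure: a checksum file that lists only MD5 is weaker
# than advertised and should be looked at, not waved through.
verify_checksums() {
    tarball=$1
    checksums=$2
    if [ ! -f "$tarball" ] || [ ! -f "$checksums" ]; then
        echo "verify_checksums: missing $tarball or $checksums" >&2
        return 1
    fi
    want_md5=$(expected_digest "$checksums" 32)
    want_sha1=$(expected_digest "$checksums" 40)
    if [ -z "$want_md5" ] || [ -z "$want_sha1" ]; then
        echo "FAIL: $checksums does not list both an MD5 and a SHA1 digest" >&2
        return 1
    fi
    got_md5=$(actual_digest "$tarball" md5sum)
    got_sha1=$(actual_digest "$tarball" sha1sum)
    if [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]; then
        echo "OK: $tarball matches both digests in $checksums"
        return 0
    fi
    echo "FAIL: $tarball does not match $checksums" >&2
    echo "  md5  expected $want_md5 got $got_md5" >&2
    echo "  sha1 expected $want_sha1 got $got_sha1" >&2
    return 1
}

# Usage: sh verify_tarball.sh ossec-hids-2.6.tar.gz ossec-hids-2.6_checksum.txt
# Only extract the tarball if this exits 0.
if [ "$#" -eq 2 ]; then
    verify_checksums "$1" "$2"
fi
```

Run it once per download, e.g. `sh verify_tarball.sh ossec-wui-0.3.tar.gz ossec-wui-0.3-checksum.txt`, and only untar on exit status 0.  If you also want to script the installer's prompts, the extracted ossec-hids tarball ships an etc/preloaded-vars.conf whose comments describe how to supply the answers non-interactively.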
Move the extracted directory under the web root then change to that directory:
  • sudo mv ossec-wui-0.3/ /var/www/
  • cd /var/www/ossec-wui-0.3
Run the setup script, which asks for the username and password the UI will require, then give Apache read access to OSSEC's files and write access to the UI's tmp/ directory:
  • sudo ./setup.sh 
  • enter the username and password of a new user for OSSEC
  • sudo nano /etc/group (change ossec:x:1004: to ossec:x:1004:www-data; this adds www-data, the user Apache runs as, to the ossec group so it can read the alert logs, and sudo usermod -a -G ossec www-data does the same without hand-editing the file; the gid 1004 is specific to this machine, so go by the group name rather than the number)
  • sudo chmod 770 tmp/
  • sudo chgrp www-data tmp/ (the UI writes its temporary files here, so this is the directory Apache needs write access to)
  • sudo /etc/init.d/apache2 restart (restart apache so it picks up the new group membership)
Restrict access to the /var/www/ossec-wui-0.3 directory to known client addresses by adding the following to /etc/apache2/httpd.conf, then restart Apache again.  With "Order allow,deny" any client not matched by an Allow line is refused, so no explicit Deny line is needed; replace the two addresses with the ones you will connect from.  (This is Apache 2.2 syntax, which is what Ubuntu 11.04 ships; Apache 2.4 expresses the same restriction with "Require ip".)  This limits who can reach the login page; it does not replace the password set up by setup.sh:
   <Directory /var/www/ossec-wui-0.3/>
   Order allow,deny
   Allow from 72.39.173.172
   Allow from 24.246.23.51
   </Directory>
Resolve the warnings from the deprecated ereg_replace function (it has since been removed from PHP altogether).  At least the call in the example below escapes ">" in text before it reaches the browser, so each replacement must keep exactly the same behaviour:
  • grep ereg_replace /var/www/ossec-wui-0.3/lib/*.php
  • edit each result.  Where the pattern is a plain string with no regular-expression metacharacters, such as ereg_replace(">", change only the function name so that it becomes str_replace(">" and leave the arguments as they are; str_replace matches a literal string, so do not wrap the pattern in slashes or add a /g flag, otherwise it searches for that literal text instead of ">" and the escaping silently stops working.  Where the pattern really is a regular expression, switch to preg_replace and wrap the pattern in delimiters, for example preg_replace("/pattern/"
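A helper for this step, added here and not part of the original post or of ossec-wui: it renames only those ereg_replace calls whose double-quoted pattern contains no regex metacharacters, which is the one case where str_replace is a drop-in, and lists the rest so they can be converted to preg_replace by hand.  The file names it is run on and the sample PHP lines in its comments are assumptions; it requires a sed that accepts -E (GNU or BusyBox).

```shell
#!/bin/sh
# Added example, not code from the original post or from the OSSEC WUI:
# migrate ereg_replace() calls in lib/*.php without silently breaking them.
# ereg_replace() treats its first argument as a POSIX regular expression;
# str_replace() treats it as a literal string.  So only a call whose pattern
# contains no regex metacharacters (e.g. ereg_replace(">", "&gt;", $s)) can
# be switched to str_replace() by renaming the function.  Calls whose pattern
# uses regex syntax (e.g. ereg_replace("[^a-z]", "", $s)) are left alone and
# reported, so they can be rewritten by hand as preg_replace() with
# delimiters around the pattern.  Only double-quoted PHP string patterns are
# rewritten; every other form is reported rather than touched.

# Characters that make a double-quoted pattern a real regex (or that would
# need escaping analysis): backslash and the ERE metacharacters.
META='[\\.*+?^$(){}|'

# Rewrite ereg_replace("<literal>", ...) to str_replace("<literal>", ...)
# on every line of file $1 and print the result; other lines pass through.
migrate_literal_calls() {
    sed -E "s/ereg_replace\((\"[^]\"$META]*\")/str_replace(\1/g" "$1"
}

# Print (with line numbers) the ereg_replace calls the rewrite above leaves
# behind, i.e. the ones that need a hand-written preg_replace().
needs_manual_fix() {
    migrate_literal_calls "$1" | grep -n 'ereg_replace' || true
}

# Count those remaining calls, so a caller can decide whether to stop.
count_manual_fixes() {
    migrate_literal_calls "$1" | grep -c 'ereg_replace' || true
}

# Usage: sh migrate_ereg.sh /var/www/ossec-wui-0.3/lib/*.php
# Each file is backed up to <file>.orig before being rewritten in place.
for php in "$@"; do
    cp -p "$php" "$php.orig"
    migrate_literal_calls "$php.orig" > "$php"
    echo "$php: $(count_manual_fixes "$php") ereg_replace call(s) still need preg_replace:"
    needs_manual_fix "$php"
done
```

Run it as `sh migrate_ereg.sh /var/www/ossec-wui-0.3/lib/*.php`; each file keeps a .orig backup and the output names the lines that still need attention.  Diff each .orig against the rewritten file before restarting Apache, since a wrong replacement here weakens the escaping the UI applies to alert text.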
Resolve the error on line 842 of /var/www/ossec-wui-0.3/lib/os_lib_alerts.php:
  • remove the double quotes from fseek($fp, $seek_place, "SEEK_SET"); so that SEEK_SET is passed as the PHP constant it is, not as a string
Rules that silence particular events go in local_rules.xml.  Edit the installed copy, /var/ossec/rules/local_rules.xml, rather than the one in the extracted source tree (/home/ubuntu/ossec-hids-2.6/etc/rules/local_rules.xml), which was only copied into place at install time, so later edits there have no effect on the running install; add rules inside the file's existing <group> element and restart OSSEC afterwards with sudo /var/ossec/bin/ossec-control restart.  Local rule ids belong in the 100000-109999 range, <match> is a substring match (so the rule below also covers any path that contains /etc/motd), and level 0 suppresses the alert entirely.  A rule such as the following ignores integrity-check changes to the message of the day:
   <rule id="100551" level="0">
     <if_group>syscheck</if_group>
     <match>/etc/motd</match>
     <description>Ignore integrity checksum changed for MOTD.</description>
   </rule>
