Node Type: Ossec
Firewall requirements
Regular Maintenance work
Emergency Measures
Installation
The Atomicorp RPMs repository
The Atomicorp RPMs repository is an interesting and useful free Red Hat package store focused on security tools; among the several RPMs stored there are also the Server and the Agent RPMs of the OSSEC tool. By installing the RPMs instead of compiling the .tgz files we integrate OSSEC into the standard package management system of Red Hat, so every admin logged on the server will be aware of its presence.
Official installation method
To point to the Atomicorp RPMs repository we need to run this command:
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
but because we run Scientific Linux instead of Red Hat we need to adapt our /etc/redhat-release file, as in this session:
# cp -p /etc/redhat-release /etc/redhat-release.bck
# echo "Red Hat Enterprise Linux ES release 5" > /etc/redhat-release
# wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Once the command has succeeded it will report:
Do you agree to these terms (yes/no): yes
Configuring the [atomic] yum archive for this system
Installing the Atomic GPG key: OK
Downloading atomic-release-1.0-13.el5.art.noarch.rpm: OK
The Atomic Rocket Turtle archive has now been installed and configured for your system
The following channels are available:
atomic - [ACTIVATED] - contains the stable tree of ART packages
atomic-testing - [DISABLED] - contains the testing tree of ART packages
atomic-bleeding - [DISABLED] - contains the development tree of ART packages
# ls -l /etc/yum.repos.d/atomic.repo
-rw-r--r-- 1 root root 1333 Jan 3 20:13 /etc/yum.repos.d/atomic.repo
Now you can restore your /etc/redhat-release.
# cat /etc/redhat-release.bck > /etc/redhat-release
Quick trick to install the atomic.repo without modifying anything
Just find the right RPM yourself on their website; in our case we ran:
# rpm -Uv http://3es.atomicrocketturtle.com/packages/atomic-release/atomic-release-1.0-13.el5.art.noarch.rpm
Retrieving http://3es.atomicrocketturtle.com/packages/atomic-release/atomic-release-1.0-13.el5.art.noarch.rpm
warning: /var/tmp/rpm-xfer.a08T3p: Header V3 DSA signature: NOKEY, key ID 5ebd2744
Preparing packages for installation...
atomic-release-1.0-13.el5.art
Installing the OSSEC common RPM and inotify-tools
Now that our atomic.repo file is configured we can proceed with the ossec-server installation:
# yum -d 3 install ossec-hids.x86_64
Loaded plugins: kernel-module
Config time: 0.060
Yum Version: 3.2.22
Setting up Package Sacks
pkgsack time: 0.027
rpmdb time: 0.000
Setting up Install Process
Building updates object
up:Obs Init time: 0.146
up:simple updates time: 0.026
up:obs time: 0.002
up:condense time: 0.000
updates time: 0.644
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: inotify-tools for package: ossec-hids
Matched inotify-tools-3.11-1.el5.art.x86_64 to require for inotify-tools
TSINFO: Marking inotify-tools-3.11-1.el5.art.x86_64 as install for ossec-hids-2.5.1-1.el5.art.x86_64
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.11-1.el5.art set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin
Depsolve time: 0.558
Dependencies Resolved
================================================================================================================================
Package Arch Version Repository Size
================================================================================================================================
Installing:
ossec-hids x86_64 2.5.1-1.el5.art atomic 39 k
Installing for dependencies:
inotify-tools x86_64 3.11-1.el5.art atomic 68 k
Transaction Summary
================================================================================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 107 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): ossec-hids-2.5.1-1.el5.art.x86_64.rpm | 39 kB 00:00
(2/2): inotify-tools-3.11-1.el5.art.x86_64.rpm | 68 kB 00:00
--------------------------------------------------------------------------------------------------------------------------------
Total 62 kB/s | 107 kB 00:01
Running rpm_check_debug
rpm_check_debug time: 0.017
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Transaction Test time: 0.085
Running Transaction
Installing : inotify-tools 1/2
Installing : ossec-hids 2/2
Transaction time: 0.467
Installed:
ossec-hids.x86_64 0:2.5.1-1.el5.art
Dependency Installed:
inotify-tools.x86_64 0:3.11-1.el5.art
Complete!
The Linux API inotify is an interesting module, independent of OSSEC; it's worth spending a bit of time reading about it, then please read how OSSEC uses inotify.
Select a coherent UID/GID for the Linux user 'ossec' and group 'ossec'
It's worth keeping the system UID/GIDs aligned across the several Linux servers we have to maintain. The OSSEC common RPM deployment has just automatically created a new user/group 'ossec'; please double check whether you can accept those values on all your Linux servers. In our case the answer was 'no', because the UID selected was 101, and we modified the values to:
# grep ossec /etc/passwd
ossec:x:18:301::/var/ossec:/sbin/nologin
# grep ossec /etc/group
ossec:x:301:ossec
Then reassign every file in /var/ossec/ that belongs to user 101 to user 18.
Installing the OSSEC Server RPM
Once the right UID/GID for the Linux user 'ossec' has been set we can deploy the OSSEC Server RPM, which will install many files owned by that user and group:
# yum install ossec-hids-server.x86_64 --enablerepo=dag
Loaded plugins: kernel-module
dag | 1.1 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids-server.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: libmysqlclient.so.15(libmysqlclient_15)(64bit) for package: ossec-hids-server
--> Processing Dependency: perl(DBI) for package: ossec-hids-server
--> Processing Dependency: perl-DBD-SQLite for package: ossec-hids-server
--> Processing Dependency: libprelude.so.2()(64bit) for package: ossec-hids-server
--> Processing Dependency: libmysqlclient.so.15()(64bit) for package: ossec-hids-server
--> Running transaction check
---> Package libprelude.x86_64 0:0.9.21.2-1.el5.art set to be updated
---> Package mysqlclient15.x86_64 0:5.0.90-1.el5.art set to be updated
---> Package perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf set to be updated
---> Package perl-DBI.x86_64 0:1.52-2.el5 set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin
Dependencies Resolved
================================================================================================================================
Package Arch Version Repository Size
================================================================================================================================
Installing:
ossec-hids-server x86_64 2.5.1-1.el5.art atomic 1.6 M
Installing for dependencies:
libprelude x86_64 0.9.21.2-1.el5.art atomic 635 k
mysqlclient15 x86_64 5.0.90-1.el5.art atomic 1.3 M
perl-DBD-SQLite x86_64 1.29-1.el5.rf dag 834 k
perl-DBI x86_64 1.52-2.el5 54base 605 k
Transaction Summary
================================================================================================================================
Install 5 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 5.0 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): perl-DBI-1.52-2.el5.x86_64.rpm | 605 kB 00:00
(2/5): libprelude-0.9.21.2-1.el5.art.x86_64.rpm | 635 kB 00:01
(3/5): perl-DBD-SQLite-1.29-1.el5.rf.x86_64.rpm | 834 kB 00:01
(4/5): mysqlclient15-5.0.90-1.el5.art.x86_64.rpm | 1.3 MB 00:01
(5/5): ossec-hids-server-2.5.1-1.el5.art.x86_64.rpm | 1.6 MB 00:01
--------------------------------------------------------------------------------------------------------------------------------
Total 665 kB/s | 5.0 MB 00:07
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : perl-DBI 1/5
Installing : libprelude 2/5
Installing : mysqlclient15 3/5
Installing : perl-DBD-SQLite 4/5
Installing : ossec-hids-server 5/5
Installed:
ossec-hids-server.x86_64 0:2.5.1-1.el5.art
Dependency Installed:
libprelude.x86_64 0:0.9.21.2-1.el5.art mysqlclient15.x86_64 0:5.0.90-1.el5.art perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf
perl-DBI.x86_64 0:1.52-2.el5
Complete!
#
Select a coherent UID/GID for the Linux users 'ossecm','ossece','ossecr'
Like before, 3 new Linux users were automatically created and you may disagree with the automatic UID choice; once again that was our case, so we changed their UIDs to 19, 20 and 21 and reassigned their files in /var/ossec. Play a bit with 'find . -uid' to find them.
# grep ossec /etc/passwd
ossec:x:18:301::/var/ossec:/sbin/nologin
ossecm:x:19:301::/var/ossec:/sbin/nologin
ossece:x:20:301::/var/ossec:/sbin/nologin
ossecr:x:21:301::/var/ossec:/sbin/nologin
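The UID/GID remapping described for the 'ossec' user (101 to 18/301) and for the three server users ossecm, ossece and ossecr (to 19, 20 and 21), as an added example that is not part of the original page: the account change is done with usermod/groupmod, and the find-based functions below list (dry run) or fix the ownership of the files under /var/ossec. The function names are this example's own; the old GID assigned by the RPM is not stated on the page, so it is left as a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): remap the ownership of an OSSEC
# tree from the UID/GID the RPM picked to the site-wide values chosen later.
# Paths and UIDs come from the page; helper names are this example's own.

# count_by_uid DIR UID : number of entries under DIR owned by UID
count_by_uid() {
    find "$1" -uid "$2" | wc -l | tr -d ' '
}

# remap_uid DIR OLD_UID NEW_UID : chown every entry owned by OLD_UID to NEW_UID.
# With DRY_RUN=1 it only prints the entries it would change, which is the
# 'find . -uid' check the page suggests.
remap_uid() {
    dir=$1; old=$2; new=$3
    if [ "${DRY_RUN:-0}" = 1 ]; then
        find "$dir" -uid "$old" -print
    else
        # -h changes the link entry itself instead of following it out of the tree
        find "$dir" -uid "$old" -exec chown -h "$new" {} +
    fi
}

# remap_gid DIR OLD_GID NEW_GID : same for the group (group 'ossec' becomes 301)
remap_gid() {
    dir=$1; old=$2; new=$3
    if [ "${DRY_RUN:-0}" = 1 ]; then
        find "$dir" -gid "$old" -print
    else
        find "$dir" -gid "$old" -exec chgrp -h "$new" {} +
    fi
}

# remap_ossec_accounts : the server procedure in the page's numbers (needs root).
# Run this first, then remap_uid/remap_gid for each old value the RPM assigned,
# e.g.  remap_uid /var/ossec 101 18 ; remap_gid /var/ossec OLD_GID_PLACEHOLDER 301
remap_ossec_accounts() {
    groupmod -g 301 ossec || return 1
    for u in ossec:18 ossecm:19 ossece:20 ossecr:21; do
        usermod -u "${u#*:}" "${u%:*}" || return 1
    done
}
```

Run `DRY_RUN=1 remap_uid /var/ossec 101 18` first to see exactly which entries still carry the old UID before applying the change.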
Creating the OSSEC Server configuration file ossec.conf
# cd /var/ossec/bin
# ./ossec-configure
OSSEC Configuration utility v0.1
cp: cannot stat `/var/ossec//etc/ossec.conf': No such file or directory
1- What kind of installation do you want? (server, agent, local) [Default: server]: server
2- Setting up the configuration environment.
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [Default: y]:
- What's your e-mail address? fabio.martinelli@psi.ch
- What's your SMTP server ip/host? psquad.psi.ch
3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: y
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]:
- Do you want to add more IPs to the white list? (y/n)? [n]: y
- IPs (space separated): 192.33.123.86/24 129.129.194.77/16
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: n
-- /var/log/messages (syslog)
-- /var/log/secure (syslog)
-- /var/log/maillog (syslog)
mv: cannot stat `/var/ossec//etc/ossec.conf': No such file or directory
Configuration complete.
Configuring the OSSEC Server
Now it's time to configure /var/ossec/etc/ossec.conf according to your specific site needs; please consult the Official Wiki.
Dump OSSEC alerts in a MySQL DB
Dumping information into an SQL engine is always good practice, since later we can run interesting queries on the stored data. OSSEC can write to a MySQL or PostgreSQL DB; because Atomic built the RPMs with MySQL support we used that. Please read this [[http://www.ossec.net/doc/manual/output/mysql-database-output.html][OSSEC paragraph]] to understand the details.
Installing the OSSEC Agent on a different server
OSSEC is a distributed solution to monitor logs, dynamically react to attacks and check for rootkits, and it needs to be deployed everywhere in your network. This is the installation on the client t3ce; we suppose here you've already deployed the atomic.repo file and created the Linux user 'ossec' and the group 'ossec' according to the previous UID/GID decision, in our case 19/301.
# yum install ossec-client
Loaded plugins: kernel-module, priorities
Reducing CentOS-5 Testing to included packages only
Finished
2653 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids-client.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: ossec-hids = 2.5.1-1.el5.art for package: ossec-hids-client
--> Processing Dependency: perl-DBD-SQLite for package: ossec-hids-client
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: inotify-tools for package: ossec-hids
---> Package perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf set to be updated
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.11-1.el5.art set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin
Dependencies Resolved
============================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================
Installing:
ossec-hids-client x86_64 2.5.1-1.el5.art atomic 338 k
Installing for dependencies:
inotify-tools x86_64 3.11-1.el5.art atomic 68 k
ossec-hids x86_64 2.5.1-1.el5.art atomic 39 k
perl-DBD-SQLite x86_64 1.29-1.el5.rf dag 834 k
Transaction Summary
============================================================================================================================================================
Install 4 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): ossec-hids-2.5.1-1.el5.art.x86_64.rpm | 39 kB 00:00
(2/4): inotify-tools-3.11-1.el5.art.x86_64.rpm | 68 kB 00:00
(3/4): ossec-hids-client-2.5.1-1.el5.art.x86_64.rpm | 338 kB 00:01
(4/4): perl-DBD-SQLite-1.29-1.el5.rf.x86_64.rpm | 834 kB 00:01
------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 282 kB/s | 1.2 MB 00:04
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 5ebd2744
atomic/gpgkey | 1.3 kB 00:00
Importing GPG key 0x5EBD2744 "Atomic Rocket Turtle " from /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : inotify-tools 1/4
Installing : ossec-hids 2/4
Installing : perl-DBD-SQLite 3/4
Installing : ossec-hids-client 4/4
Installed:
ossec-hids-client.x86_64 0:2.5.1-1.el5.art
Dependency Installed:
inotify-tools.x86_64 0:3.11-1.el5.art ossec-hids.x86_64 0:2.5.1-1.el5.art perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf
Complete!
[root@t3ce ~]#
Then edit the configuration file /var/ossec/etc/ossec.conf and point it to your OSSEC server IP; also adapt the configuration to the specific needs of this Agent, checking the manual.
Creating on the OSSEC Server the Agent keys
Services
Backups
--
FabioMartinelli - 2011-06-13