
Node Type: Ossec

Firewall requirements

local port open to reason


Regular Maintenance work

Emergency Measures

Installation

The Atomicorp RPMs repository

The Atomicorp RPM repository is a useful free Red Hat-compatible package store focused on security tools; among the many RPMs it hosts are the Server and Agent RPMs of the OSSEC tool. By installing RPMs instead of compiling the .tgz sources we integrate OSSEC into Red Hat's standard package management system, so every admin logged on to the server will be aware of its presence.

Official installation method

To point to the Atomicorp RPM repository we need to run this command:
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
but because we run Scientific Linux instead of Red Hat we need to adapt our /etc/redhat-release file, as in this session:
# cp -p /etc/redhat-release /etc/redhat-release.bck
# echo "Red Hat Enterprise Linux ES release 5" > /etc/redhat-release
# wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Once the command succeeds it reports:
Do you agree to these terms (yes/no): yes

Configuring the [atomic] yum archive for this system 

Installing the Atomic GPG key: OK
Downloading atomic-release-1.0-13.el5.art.noarch.rpm: OK

The Atomic Rocket Turtle archive has now been installed and configured for your system
The following channels are available:
  atomic          - [ACTIVATED] - contains the stable tree of ART packages
  atomic-testing  - [DISABLED]  - contains the testing tree of ART packages
  atomic-bleeding - [DISABLED]  - contains the development tree of ART packages

# ls -l /etc/yum.repos.d/atomic.repo
-rw-r--r-- 1 root root 1333 Jan  3 20:13 /etc/yum.repos.d/atomic.repo
Now you can restore your /etc/redhat-release.
# cat /etc/redhat-release.bck  > /etc/redhat-release

Quick trick to install atomic.repo without modifying anything

Just find the right RPM on their website yourself; in our case we ran:
# rpm -Uv http://3es.atomicrocketturtle.com/packages/atomic-release/atomic-release-1.0-13.el5.art.noarch.rpm
Retrieving http://3es.atomicrocketturtle.com/packages/atomic-release/atomic-release-1.0-13.el5.art.noarch.rpm
warning: /var/tmp/rpm-xfer.a08T3p: Header V3 DSA signature: NOKEY, key ID 5ebd2744
Preparing packages for installation...
atomic-release-1.0-13.el5.art

Installing the OSSEC common RPM and inotify-tools

Now that our atomic.repo file is configured we can proceed with the installation of the OSSEC common RPM, the first step of the server installation:
# yum -d 3 install ossec-hids.x86_64
Loaded plugins: kernel-module
Config time: 0.060
Yum Version: 3.2.22
Setting up Package Sacks
pkgsack time: 0.027
rpmdb time: 0.000
Setting up Install Process
Building updates object
up:Obs Init time: 0.146
up:simple updates time: 0.026
up:obs time: 0.002
up:condense time: 0.000
updates time: 0.644
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: inotify-tools for package: ossec-hids
Matched inotify-tools-3.11-1.el5.art.x86_64 to require for inotify-tools
TSINFO: Marking inotify-tools-3.11-1.el5.art.x86_64 as install for ossec-hids-2.5.1-1.el5.art.x86_64
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.11-1.el5.art set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin
Depsolve time: 0.558

Dependencies Resolved

================================================================================================================================
 Package                          Arch                      Version                             Repository                 Size
================================================================================================================================
Installing:
 ossec-hids                       x86_64                    2.5.1-1.el5.art                     atomic                     39 k
Installing for dependencies:
 inotify-tools                    x86_64                    3.11-1.el5.art                      atomic                     68 k

Transaction Summary
================================================================================================================================
Install      2 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 107 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): ossec-hids-2.5.1-1.el5.art.x86_64.rpm                                                             |  39 kB     00:00     
(2/2): inotify-tools-3.11-1.el5.art.x86_64.rpm                                                           |  68 kB     00:00     
--------------------------------------------------------------------------------------------------------------------------------
Total                                                                                            62 kB/s | 107 kB     00:01     
Running rpm_check_debug
rpm_check_debug time: 0.017
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Transaction Test time: 0.085
Running Transaction
  Installing     : inotify-tools                                                                                            1/2 
  Installing     : ossec-hids                                                                                               2/2 
Transaction time: 0.467

Installed:
  ossec-hids.x86_64 0:2.5.1-1.el5.art                                                                                           

Dependency Installed:
  inotify-tools.x86_64 0:3.11-1.el5.art                                                                                         

Complete!
The Linux inotify API is an interesting and independent module for OSSEC; it is worth spending a bit of time reading about it, and then reading how OSSEC makes use of inotify.

Select a coherent UID/GID for the Linux user 'ossec' and group 'ossec'

It's worth keeping system UIDs/GIDs aligned across the several Linux servers we have to maintain. The OSSEC common RPM deployment has just automatically created a new user and group 'ossec'; please double-check whether you can accept those values on all your Linux servers. In our case the answer was 'no', because the UID selected was 101, and we changed the values to:
# grep ossec /etc/passwd
ossec:x:18:301::/var/ossec:/sbin/nologin
# grep ossec /etc/group
ossec:x:301:ossec
Then reassign every file in /var/ossec/ that belongs to UID 101 to UID 18.

Installing the OSSEC Server RPM

Once the right UID/GID for the Linux user 'ossec' has been created we can deploy the OSSEC Server RPM that will deploy many files owned by that user and group:
# yum install ossec-hids-server.x86_64 --enablerepo=dag
Loaded plugins: kernel-module
dag                                                                                                      | 1.1 kB     00:00     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids-server.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: libmysqlclient.so.15(libmysqlclient_15)(64bit) for package: ossec-hids-server
--> Processing Dependency: perl(DBI) for package: ossec-hids-server
--> Processing Dependency: perl-DBD-SQLite for package: ossec-hids-server
--> Processing Dependency: libprelude.so.2()(64bit) for package: ossec-hids-server
--> Processing Dependency: libmysqlclient.so.15()(64bit) for package: ossec-hids-server
--> Running transaction check
---> Package libprelude.x86_64 0:0.9.21.2-1.el5.art set to be updated
---> Package mysqlclient15.x86_64 0:5.0.90-1.el5.art set to be updated
---> Package perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf set to be updated
---> Package perl-DBI.x86_64 0:1.52-2.el5 set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin

Dependencies Resolved

================================================================================================================================
 Package                            Arch                    Version                               Repository               Size
================================================================================================================================
Installing:
 ossec-hids-server                  x86_64                  2.5.1-1.el5.art                       atomic                  1.6 M
Installing for dependencies:
 libprelude                         x86_64                  0.9.21.2-1.el5.art                    atomic                  635 k
 mysqlclient15                      x86_64                  5.0.90-1.el5.art                      atomic                  1.3 M
 perl-DBD-SQLite                    x86_64                  1.29-1.el5.rf                         dag                     834 k
 perl-DBI                           x86_64                  1.52-2.el5                            54base                  605 k

Transaction Summary
================================================================================================================================
Install      5 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 5.0 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): perl-DBI-1.52-2.el5.x86_64.rpm                                                                    | 605 kB     00:00     
(2/5): libprelude-0.9.21.2-1.el5.art.x86_64.rpm                                                          | 635 kB     00:01     
(3/5): perl-DBD-SQLite-1.29-1.el5.rf.x86_64.rpm                                                          | 834 kB     00:01     
(4/5): mysqlclient15-5.0.90-1.el5.art.x86_64.rpm                                                         | 1.3 MB     00:01     
(5/5): ossec-hids-server-2.5.1-1.el5.art.x86_64.rpm                                                      | 1.6 MB     00:01     
--------------------------------------------------------------------------------------------------------------------------------
Total                                                                                           665 kB/s | 5.0 MB     00:07     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : perl-DBI                                                                                                 1/5 
  Installing     : libprelude                                                                                               2/5 
  Installing     : mysqlclient15                                                                                            3/5 
  Installing     : perl-DBD-SQLite                                                                                          4/5 
  Installing     : ossec-hids-server                                                                                        5/5 

Installed:
  ossec-hids-server.x86_64 0:2.5.1-1.el5.art                                                                                    

Dependency Installed:
  libprelude.x86_64 0:0.9.21.2-1.el5.art    mysqlclient15.x86_64 0:5.0.90-1.el5.art    perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf   
  perl-DBI.x86_64 0:1.52-2.el5             

Complete!
#

Select a coherent UID/GID for the Linux users 'ossecm','ossece','ossecr'

As before, three new Linux users were automatically created and you may disagree with the automatic UID choice; once again that was our case, so we changed their UIDs to 19, 20 and 21 and reassigned their files in /var/ossec (use 'find . -uid' to locate them).
# grep ossec /etc/passwd
ossec:x:18:301::/var/ossec:/sbin/nologin
ossecm:x:19:301::/var/ossec:/sbin/nologin
ossece:x:20:301::/var/ossec:/sbin/nologin
ossecr:x:21:301::/var/ossec:/sbin/nologin
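The two UID/GID sections above describe the same routine: check that the ossec* accounts carry the UIDs and GID chosen for the site, then find and re-own the files the RPM left behind under the old UID. The script below is an added example, not part of the original page or of the OSSEC packages; it encodes the scheme used on this page (ossec=18, ossecm=19, ossece=20, ossecr=21, group 301), and the passwd excerpt in demo() is constructed. In production, point check_ossec_ids at /etc/passwd and count_uid/remap_uid at /var/ossec.

```shell
#!/bin/sh
# Added example, not from the original page: audit the ossec* accounts of a
# passwd file against the UID/GID scheme chosen above and find or re-own
# files still carrying the UID the RPM assigned.

# expected_uid NAME: the UID chosen on this page for each OSSEC account
expected_uid() {
    case "$1" in
        ossec)  echo 18 ;;
        ossecm) echo 19 ;;
        ossece) echo 20 ;;
        ossecr) echo 21 ;;
        *)      return 1 ;;
    esac
}

# check_ossec_ids PASSWD_FILE GID
# Prints one line per account whose UID or GID differs from the scheme;
# returns 0 only when every ossec* entry matches.
check_ossec_ids() {
    passwd=$1; want_gid=$2; rc=0
    while IFS=: read -r name pw uid gid rest; do
        case "$name" in
            ossec|ossecm|ossece|ossecr) ;;
            *) continue ;;
        esac
        want=$(expected_uid "$name")
        if [ "$uid" != "$want" ] || [ "$gid" != "$want_gid" ]; then
            echo "$name: has $uid:$gid, expected $want:$want_gid"
            rc=1
        fi
    done < "$passwd"
    return $rc
}

# count_uid DIR UID: entries under DIR (DIR itself included) owned by the
# numeric UID. find -uid matches the stored number even after the passwd
# entry has been changed, which is exactly the orphaned-file case above.
count_uid() {
    find "$1" -uid "$2" | wc -l | tr -d ' '
}

# remap_uid DIR OLD_UID NEW_UID: re-own everything under DIR from OLD to NEW.
# Requires root; -h changes symlinks themselves instead of their targets.
remap_uid() {
    find "$1" -uid "$2" -exec chown -h "$3" {} +
}

# demo: constructed passwd excerpt mirroring the listing above, with ossecr
# deliberately left at a package-assigned UID so the check reports it.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ossec:x:18:301::/var/ossec:/sbin/nologin
ossecm:x:19:301::/var/ossec:/sbin/nologin
ossece:x:20:301::/var/ossec:/sbin/nologin
ossecr:x:101:101::/var/ossec:/sbin/nologin
EOF
    check_ossec_ids "$tmp/passwd" 301 || echo "UID/GID scheme violated"
    rm -rf "$tmp"
}

demo
```

Run check_ossec_ids on every server before and after the RPM deployment; a non-zero return is the signal to run remap_uid (as root) for each old UID, and count_uid afterwards should return 0 for every old UID.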

Creating the OSSEC Server configuration file ossec.conf

# cd /var/ossec/bin
# ./ossec-configure 

OSSEC Configuration utility v0.1

cp: cannot stat `/var/ossec//etc/ossec.conf': No such file or directory
1- What kind of installation do you want? (server, agent, local) [Default: server]: server

2- Setting up the configuration environment.

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [Default: y]: 
   - What's your e-mail address? fabio.martinelli@psi.ch
   - What's your SMTP server ip/host? psquad.psi.ch

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

  3.4- Active response allows you to execute a specific 
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.  
       More information at:
       http://www.ossec.net/en/manual.html#active-response
       

   - Do you want to enable active response? (y/n) [y]: y
     - Active response enabled.
   
   - By default, we can enable the host-deny and the 
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, 
     portscans and some other forms of attacks. You can 
     also add them to block on snort events, for example.

  
   - Do you want to enable the firewall-drop response? (y/n) [y]: 
   - Do you want to add more IPs to the white list? (y/n)? [n]: y
   - IPs (space separated): 192.33.123.86/24 129.129.194.77/16

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: n

    -- /var/log/messages (syslog)
    -- /var/log/secure (syslog)
    -- /var/log/maillog (syslog)
mv: cannot stat `/var/ossec//etc/ossec.conf': No such file or directory
Configuration complete.

Configuring the OSSEC Server

Now it's time to configure /var/ossec/etc/ossec.conf according to your site's specific needs; please consult the Official Wiki.

Dump OSSEC alerts in a MySQL DB

Dumping information into an SQL engine is always good practice, since later we can run interesting queries on the stored data. OSSEC can write to a MySQL or PostgreSQL DB; because Atomic built the RPMs with MySQL support, we used that. Please read this [[http://www.ossec.net/doc/manual/output/mysql-database-output.html][OSSEC paragraph]] to understand the details.

Installing the OSSEC Agent on a different server

OSSEC is a distributed solution to monitor logs, react dynamically to attacks and check for rootkits, and it needs to be deployed everywhere in your network. This is the installation on the client t3ce; we assume here you've already deployed the atomic.repo file and created the Linux user 'ossec' and group 'ossec' according to the previous UID/GID decision, in our case 19/301.
# yum install ossec-client
Loaded plugins: kernel-module, priorities
Reducing CentOS-5 Testing to included packages only
Finished
2653 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids-client.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: ossec-hids = 2.5.1-1.el5.art for package: ossec-hids-client
--> Processing Dependency: perl-DBD-SQLite for package: ossec-hids-client
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: inotify-tools for package: ossec-hids
---> Package perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf set to be updated
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.11-1.el5.art set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin

Dependencies Resolved

============================================================================================================================================================
 Package                                    Arch                            Version                                   Repository                       Size
============================================================================================================================================================
Installing:
 ossec-hids-client                          x86_64                          2.5.1-1.el5.art                           atomic                          338 k
Installing for dependencies:
 inotify-tools                              x86_64                          3.11-1.el5.art                            atomic                           68 k
 ossec-hids                                 x86_64                          2.5.1-1.el5.art                           atomic                           39 k
 perl-DBD-SQLite                            x86_64                          1.29-1.el5.rf                             dag                             834 k

Transaction Summary
============================================================================================================================================================
Install      4 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): ossec-hids-2.5.1-1.el5.art.x86_64.rpm                                                                                         |  39 kB     00:00     
(2/4): inotify-tools-3.11-1.el5.art.x86_64.rpm                                                                                       |  68 kB     00:00     
(3/4): ossec-hids-client-2.5.1-1.el5.art.x86_64.rpm                                                                                  | 338 kB     00:01     
(4/4): perl-DBD-SQLite-1.29-1.el5.rf.x86_64.rpm                                                                                      | 834 kB     00:01     
------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                       282 kB/s | 1.2 MB     00:04     
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 5ebd2744
atomic/gpgkey                                                                                                                        | 1.3 kB     00:00     
Importing GPG key 0x5EBD2744 "Atomic Rocket Turtle " from /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : inotify-tools                                                                                                                        1/4 
  Installing     : ossec-hids                                                                                                                           2/4 
  Installing     : perl-DBD-SQLite                                                                                                                      3/4 
  Installing     : ossec-hids-client                                                                                                                    4/4 

Installed:
  ossec-hids-client.x86_64 0:2.5.1-1.el5.art                                                                                                                

Dependency Installed:
  inotify-tools.x86_64 0:3.11-1.el5.art               ossec-hids.x86_64 0:2.5.1-1.el5.art               perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf              

Complete!
[root@t3ce ~]#
Then edit the configuration file /var/ossec/etc/ossec.conf, point it to your OSSEC server IP, and adapt the configuration to the specific needs of this Agent; check the manual.
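Both the MySQL output section above and the agent step just described come down to adding one block to an existing ossec.conf. The helpers below are an added example, not code from the original page or from the OSSEC project: insert_block writes a block just before the closing ossec_config tag while keeping the file's owner and mode, enable_mysql_output uses it for the server-side database_output block and set_agent_server for the agent's client/server-ip block. Element names follow the OSSEC 2.x manual; the host, credentials and paths used in the usage lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page or the OSSEC project: helpers
# that add a configuration block to an existing ossec.conf.

# insert_block CONF MARKER BLOCK
# Inserts BLOCK (a multi-line string) just before </ossec_config> in CONF,
# unless a line containing MARKER already exists (so re-running is harmless).
# The rewrite goes through a temp file and back via cat so the ownership and
# mode of the original ossec.conf are preserved. The block is handed to awk
# through the environment to avoid awk's -v escape processing.
insert_block() {
    conf=$1; marker=$2; block=$3
    if grep -qF "$marker" "$conf"; then
        return 0
    fi
    tmpf="$conf.tmp.$$"
    BLOCK="$block" awk '
        index($0, "</ossec_config>") && !done { print ENVIRON["BLOCK"]; done = 1 }
        { print }
    ' "$conf" > "$tmpf" && cat "$tmpf" > "$conf"
    rc=$?
    rm -f "$tmpf"
    return $rc
}

# enable_mysql_output CONF HOST USER PASS DB
# Server side: the database_output block that makes ossec-dbd push alerts
# into MySQL (the manual page linked above covers the schema and enabling
# the database daemon). The password is stored in clear text, so keep the
# file's restrictive permissions.
enable_mysql_output() {
    insert_block "$1" '<database_output>' "  <database_output>
    <hostname>$2</hostname>
    <username>$3</username>
    <password>$4</password>
    <database>$5</database>
    <type>mysql</type>
  </database_output>"
}

# set_agent_server CONF SERVER_IP
# Agent side: the client block that points the agent at the OSSEC server.
# If the packaged ossec.conf already carries a <client> block, edit that one
# instead; this helper deliberately refuses to add a second <server-ip>.
set_agent_server() {
    insert_block "$1" '<server-ip>' "  <client>
    <server-ip>$2</server-ip>
  </client>"
}

# count_tag CONF TAG: how many lines of CONF contain TAG (sanity check that
# the closing tag still appears exactly once after an insert).
count_tag() { grep -c -F "$2" "$1"; }

# Usage (constructed placeholder values, not the site's real ones):
#   enable_mysql_output /var/ossec/etc/ossec.conf db.example.invalid ossecuser 'ossec-db-password' ossec
#   set_agent_server    /var/ossec/etc/ossec.conf 192.0.2.10
```

After enabling the MySQL output, restart the OSSEC server so ossec-dbd picks the block up; on the agent, the same restart applies once the server-ip points at the real server.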

Creating on the OSSEC Server the Agent keys

Services

Backups

-- FabioMartinelli - 2011-06-13

NodeTypeForm
Hostnames: t3ossec
Services: ossec daemon
Hardware: PSI DMZ VMWare cluster
Install Profile: not yet
Guarantee/maintenance until: n.a.
Topic revision: r2 - 2011-06-13 - FabioMartinelli