<!--
keep this as a security measure:
#uncomment if the subject should only be modifiable by the listed groups
   * Set ALLOWTOPICCHANGE = Main.TWikiAdminGroup,Main.CMSAdminGroup
   * Set ALLOWTOPICRENAME = Main.TWikiAdminGroup,Main.CMSAdminGroup
#uncomment this if you want the page only be viewable by the listed groups
#   * Set ALLOWTOPICVIEW = Main.TWikiAdminGroup,Main.CMSAdminGroup
-->
---+!! Node Type: %CALC{"$SUBSTITUTE(%TOPIC%,NodeType,)"}%
---++!! Firewall requirements
| *local port* | *open to* | *reason* |
<!-- Example line
#| 443/tcp | * | Apache on SSL Web Server |
-->
---
%TOC{title="Table of contents"}%
---+ Regular Maintenance work
<!--
#List any regular activities which do not run automatically and need an administrator's action.
-->
---+ Emergency Measures
<!--
#List any measures that must be taken in case of some major incident, e.g. whether a mailing
#list must be contacted or whether other services need to be shut down, etc.
-->
---+ Installation
<!--
#Comment here on any peculiarities of the installation, e.g. on special packages needed, special setup
#procedures which are not obvious
-->
---++ The Atomicorp RPMs repository
[[http://www4.atomicorp.com/][The Atomicorp]] RPM repository is an interesting and useful free Red Hat store focused on security tools; among the many RPMs it holds are the Server and Agent RPMs of the OSSEC tool. By installing RPMs instead of compiling the .tgz sources we integrate OSSEC into Red Hat's standard package management system, so every admin logged on the server will be aware of its presence.
---+++ Official installation method
To point to the [[http://www4.atomicorp.com/][The Atomicorp]] RPMs repository we need to run this command:
<pre>
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
</pre>
but because we run Scientific Linux instead of Red Hat we need to adapt our /etc/redhat-release file like in this session:
<pre>
# cp -p /etc/redhat-release /etc/redhat-release.bck
# echo "Red Hat Enterprise Linux ES release 5" > /etc/redhat-release
# wget -q -O - http://www.atomicorp.com/installers/atomic | sh
</pre>
once the command succeeds it reports:
<pre>
Do you agree to these terms (yes/no): yes
Configuring the [atomic] yum archive for this system
Installing the Atomic GPG key: OK
Downloading atomic-release-1.0-13.el5.art.noarch.rpm: OK
The Atomic Rocket Turtle archive has now been installed and configured for your system
The following channels are available:
  atomic          - [ACTIVATED] - contains the stable tree of ART packages
  atomic-testing  - [DISABLED]  - contains the testing tree of ART packages
  atomic-bleeding - [DISABLED]  - contains the development tree of ART packages
# ls -l /etc/yum.repos.d/atomic.repo
-rw-r--r-- 1 root root 1333 Jan  3 20:13 /etc/yum.repos.d/atomic.repo
</pre>
Now you can restore your /etc/redhat-release:
<pre>
# cat /etc/redhat-release.bck > /etc/redhat-release
</pre>
---+++ Quick trick to install the atomic.repo without modifying anything
Just find the right RPM yourself on their [[http://3es.atomicrocketturtle.com/packages/atomic-release/][website]]; in our case we ran:
<pre>
# rpm -Uv http://3es.atomicrocketturtle.com/packages/atomic-release/atomic-release-1.0-13.el5.art.noarch.rpm
Retrieving http://3es.atomicrocketturtle.com/packages/atomic-release/atomic-release-1.0-13.el5.art.noarch.rpm
warning: /var/tmp/rpm-xfer.a08T3p: Header V3 DSA signature: NOKEY, key ID 5ebd2744
Preparing packages for installation...
atomic-release-1.0-13.el5.art
</pre>
The NOKEY warning means the signature of the release RPM could not be verified because the Atomic GPG key was not yet imported; yum imports it at the first package installation from the repository (see the "Importing GPG key 0x5EBD2744" prompt in the agent installation session further down).
---++ Installing the OSSEC common RPM and inotify-tools
Now that our atomic.repo file is configured we can proceed with the OSSEC installation, starting with the common RPM (which pulls in inotify-tools):
<pre>
# yum -d 3 install ossec-hids.x86_64
Loaded plugins: kernel-module
Config time: 0.060
Yum Version: 3.2.22
Setting up Package Sacks
pkgsack time: 0.027
rpmdb time: 0.000
Setting up Install Process
Building updates object
up:Obs Init time: 0.146
up:simple updates time: 0.026
up:obs time: 0.002
up:condense time: 0.000
updates time: 0.644
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: inotify-tools for package: ossec-hids
Matched inotify-tools-3.11-1.el5.art.x86_64 to require for inotify-tools
TSINFO: Marking inotify-tools-3.11-1.el5.art.x86_64 as install for ossec-hids-2.5.1-1.el5.art.x86_64
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.11-1.el5.art set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin
Depsolve time: 0.558

Dependencies Resolved

================================================================================================================================
 Package                    Arch              Version                      Repository          Size
================================================================================================================================
Installing:
 ossec-hids                 x86_64            2.5.1-1.el5.art              atomic              39 k
Installing for dependencies:
 inotify-tools              x86_64            3.11-1.el5.art               atomic              68 k

Transaction Summary
================================================================================================================================
Install       2 Package(s)
Update        0 Package(s)
Remove        0 Package(s)

Total download size: 107 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): ossec-hids-2.5.1-1.el5.art.x86_64.rpm                                                  |  39 kB     00:00
(2/2): inotify-tools-3.11-1.el5.art.x86_64.rpm                                                |  68 kB     00:00
--------------------------------------------------------------------------------------------------------------------------------
Total                                                                                  62 kB/s | 107 kB     00:01
Running rpm_check_debug
rpm_check_debug time: 0.017
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Transaction Test time: 0.085
Running Transaction
  Installing     : inotify-tools                                                                               1/2
  Installing     : ossec-hids                                                                                  2/2
Transaction time: 0.467

Installed:
  ossec-hids.x86_64 0:2.5.1-1.el5.art

Dependency Installed:
  inotify-tools.x86_64 0:3.11-1.el5.art

Complete!
</pre>
The Linux API [[http://linux.die.net/man/7/inotify][inotify]] is an interesting module that exists independently of OSSEC, and it's worth spending a bit of time reading about it; then please read how [[http://www.ossec.net/doc/manual/syscheck/index.html#real-time-monitoring][OSSEC exploits inotify]] for real-time syscheck monitoring.
---++ Select a coherent UID/GID for the Linux user 'ossec' and group 'ossec'
It's worth keeping the system UID/GID values aligned across the several Linux servers we have to maintain. The OSSEC common RPM deployment has just automatically created a new user/group ossec, so please double check whether you can accept those values on all your Linux servers: in our case the answer was 'no' because the UID selected was 101, and we changed the values to:
<pre>
# grep ossec /etc/passwd
ossec:x:18:301::/var/ossec:/sbin/nologin
# grep ossec /etc/group
ossec:x:301:ossec
</pre>
Then reassign every file in /var/ossec/ that belongs to user 101 to user 18.
---++ Installing the OSSEC Server RPM
Once the right UID/GID for the Linux user 'ossec' has been created we can deploy the OSSEC Server RPM, which will deploy many files owned by that user and group:
<pre>
# yum install ossec-hids-server.x86_64 --enablerepo=dag
Loaded plugins: kernel-module
dag                                                                                            | 1.1 kB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids-server.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: libmysqlclient.so.15(libmysqlclient_15)(64bit) for package: ossec-hids-server
--> Processing Dependency: perl(DBI) for package: ossec-hids-server
--> Processing Dependency: perl-DBD-SQLite for package: ossec-hids-server
--> Processing Dependency: libprelude.so.2()(64bit) for package: ossec-hids-server
--> Processing Dependency: libmysqlclient.so.15()(64bit) for package: ossec-hids-server
--> Running transaction check
---> Package libprelude.x86_64 0:0.9.21.2-1.el5.art set to be updated
---> Package mysqlclient15.x86_64 0:5.0.90-1.el5.art set to be updated
---> Package perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf set to be updated
---> Package perl-DBI.x86_64 0:1.52-2.el5 set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin

Dependencies Resolved

================================================================================================================================
 Package                    Arch              Version                      Repository          Size
================================================================================================================================
Installing:
 ossec-hids-server          x86_64            2.5.1-1.el5.art              atomic              1.6 M
Installing for dependencies:
 libprelude                 x86_64            0.9.21.2-1.el5.art           atomic              635 k
 mysqlclient15              x86_64            5.0.90-1.el5.art             atomic              1.3 M
 perl-DBD-SQLite            x86_64            1.29-1.el5.rf                dag                 834 k
 perl-DBI                   x86_64            1.52-2.el5                   54base              605 k

Transaction Summary
================================================================================================================================
Install       5 Package(s)
Update        0 Package(s)
Remove        0 Package(s)

Total download size: 5.0 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): perl-DBI-1.52-2.el5.x86_64.rpm                                                         | 605 kB     00:00
(2/5): libprelude-0.9.21.2-1.el5.art.x86_64.rpm                                               | 635 kB     00:01
(3/5): perl-DBD-SQLite-1.29-1.el5.rf.x86_64.rpm                                               | 834 kB     00:01
(4/5): mysqlclient15-5.0.90-1.el5.art.x86_64.rpm                                              | 1.3 MB     00:01
(5/5): ossec-hids-server-2.5.1-1.el5.art.x86_64.rpm                                           | 1.6 MB     00:01
--------------------------------------------------------------------------------------------------------------------------------
Total                                                                                 665 kB/s | 5.0 MB     00:07
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : perl-DBI                                                                                    1/5
  Installing     : libprelude                                                                                  2/5
  Installing     : mysqlclient15                                                                               3/5
  Installing     : perl-DBD-SQLite                                                                             4/5
  Installing     : ossec-hids-server                                                                           5/5

Installed:
  ossec-hids-server.x86_64 0:2.5.1-1.el5.art

Dependency Installed:
  libprelude.x86_64 0:0.9.21.2-1.el5.art    mysqlclient15.x86_64 0:5.0.90-1.el5.art
  perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf    perl-DBI.x86_64 0:1.52-2.el5

Complete!
#
</pre>
---++ Select a coherent UID/GID for the Linux users 'ossecm', 'ossece', 'ossecr'
Like before, 3 new Linux users were automatically created and you may disagree with the automatic UID choice; once again that was our case, so we changed their UIDs to 19, 20 and 21 and reassigned their files in /var/ossec (play a bit with 'find . -uid' to find them).
<pre>
# grep ossec /etc/passwd
ossec:x:18:301::/var/ossec:/sbin/nologin
ossecm:x:19:301::/var/ossec:/sbin/nologin
ossece:x:20:301::/var/ossec:/sbin/nologin
ossecr:x:21:301::/var/ossec:/sbin/nologin
</pre>
---++ Creating the OSSEC Server configuration file ossec.conf
<pre>
# cd /var/ossec/bin
# ./ossec-configure
OSSEC Configuration utility v0.1
cp: cannot stat `/var/ossec//etc/ossec.conf': No such file or directory

1- What kind of installation do you want? (server, agent, local) [Default: server]: server

2- Setting up the configuration environment.

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [Default: y]:
   - What's your e-mail address? fabio.martinelli@psi.ch
   - What's your SMTP server ip/host? psquad.psi.ch

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

  3.4- Active response allows you to execute a specific command based on the events received.
       For example, you can block an IP address or disable access for a specific user.
       More information at: http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]: y
     - Active response enabled.

   - By default, we can enable the host-deny and the firewall-drop responses.
     The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]:

   - Do you want to add more IPs to the white list? (y/n)? [n]: y
   - IPs (space separated): 192.33.123.86/24 129.129.194.77/16

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: n

  -- /var/log/messages (syslog)
  -- /var/log/secure (syslog)
  -- /var/log/maillog (syslog)

mv: cannot stat `/var/ossec//etc/ossec.conf': No such file or directory
Configuration complete.
</pre>
---++ Configuring the OSSEC Server
Now it's time to configure /var/ossec/etc/ossec.conf according to your specific site needs; please consult the [[http://www.ossec.net/doc/manual/][Official Wiki]].
---++ Dump OSSEC alerts in a MySQL DB
Dumping information into an SQL engine is always a good practice, since later we can run interesting queries on the stored data. OSSEC can write to a MySQL or PostgreSQL DB; because Atomic built the RPMs with MySQL support we used that. Please read the [[http://www.ossec.net/doc/manual/output/mysql-database-output.html][OSSEC paragraph on MySQL output]] to understand the details.
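The UID/GID realignment described in the two "Select a coherent UID/GID" sections above, as an added shell example that is not part of the original page: it moves one OSSEC system user to the chosen UID, re-owns its files with the 'find -uid' approach the page suggests, and verifies nothing was left behind. User, UID values and tree path are arguments; the page's own values (ossec 101 to 18, then ossecm/ossece/ossecr to 19/20/21, all in group 301) appear only in the comments.

```shell
#!/bin/sh
# Added example (not from the page): realign an OSSEC system user's UID and
# re-own its files, the step the page does by hand with 'find . -uid'.
# Page values: ossec 101 -> 18, then ossecm/ossece/ossecr -> 19/20/21,
# all in group 301. realign_uid needs root; the helpers do not.

# Print every path under $1 whose owner is numeric UID $2 (symlinks too,
# since find does not follow them by default).
files_owned_by_uid() {
    find "$1" -uid "$2" -print 2>/dev/null
}

# Number of such paths; 0 after a remap means nothing was left behind.
count_owned_by_uid() {
    files_owned_by_uid "$1" "$2" | wc -l | tr -d ' '
}

# True when no /etc/passwd entry already uses UID $1, so that moving a
# user there cannot silently merge its files with another account's.
uid_is_free() {
    ! awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' /etc/passwd
}

# realign_uid USER OLD_UID NEW_UID [TREE]
# usermod -u re-owns the user's files under its home directory (here
# /var/ossec, shared by four users) but nothing elsewhere; the explicit
# find/chown pass covers the whole TREE and the final count proves it is
# clean. chown -h re-owns symlinks themselves instead of following them.
# Do this before creating the next user, so that 19/20/21 are still free.
realign_uid() {
    user=$1; old=$2; new=$3; tree=${4:-/var/ossec}
    if ! uid_is_free "$new"; then
        echo "UID $new is already in use; refusing to move $user onto it" >&2
        return 1
    fi
    usermod -u "$new" "$user" || return 1
    files_owned_by_uid "$tree" "$old" | while IFS= read -r path; do
        chown -h "$new" "$path"
    done
    left=$(count_owned_by_uid "$tree" "$old")
    if [ "$left" -ne 0 ]; then
        echo "$left paths under $tree still owned by UID $old" >&2
        return 1
    fi
    echo "$user is now UID $new and $tree has been re-owned"
}

# The same pattern applies to the group (page value 301):
#   groupmod -g NEW GROUP; find TREE -gid OLD -exec chgrp -h NEW {} +
```

Run it as root on the server, e.g. `realign_uid ossec 101 18` right after the common RPM has created the account and before the server RPM creates ossecm, ossece and ossecr.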
---++ Installing the OSSEC Agent on a different server
OSSEC is a distributed solution to monitor logs, react dynamically to attacks and check for rootkits, and it needs to be deployed everywhere in your network. This is the installation on a client, t3ce; we suppose here that you've already deployed the atomic.repo file and created the Linux user 'ossec' and the group 'ossec' according to the previous UID/GID decision, in our case 19/301.
<pre>
# yum install ossec-client
Loaded plugins: kernel-module, priorities
Reducing CentOS-5 Testing to included packages only
Finished
2653 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids-client.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: ossec-hids = 2.5.1-1.el5.art for package: ossec-hids-client
--> Processing Dependency: perl-DBD-SQLite for package: ossec-hids-client
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.5.1-1.el5.art set to be updated
--> Processing Dependency: inotify-tools for package: ossec-hids
---> Package perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf set to be updated
--> Running transaction check
---> Package inotify-tools.x86_64 0:3.11-1.el5.art set to be updated
--> Finished Dependency Resolution
Beginning Kernel Module Plugin
Finished Kernel Module Plugin

Dependencies Resolved

============================================================================================================================================================
 Package                       Arch                Version                        Repository             Size
============================================================================================================================================================
Installing:
 ossec-hids-client             x86_64              2.5.1-1.el5.art                atomic                 338 k
Installing for dependencies:
 inotify-tools                 x86_64              3.11-1.el5.art                 atomic                  68 k
 ossec-hids                    x86_64              2.5.1-1.el5.art                atomic                  39 k
 perl-DBD-SQLite               x86_64              1.29-1.el5.rf                  dag                    834 k

Transaction Summary
============================================================================================================================================================
Install       4 Package(s)
Update        0 Package(s)
Remove        0 Package(s)

Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): ossec-hids-2.5.1-1.el5.art.x86_64.rpm                                                                          |  39 kB     00:00
(2/4): inotify-tools-3.11-1.el5.art.x86_64.rpm                                                                        |  68 kB     00:00
(3/4): ossec-hids-client-2.5.1-1.el5.art.x86_64.rpm                                                                   | 338 kB     00:01
(4/4): perl-DBD-SQLite-1.29-1.el5.rf.x86_64.rpm                                                                       | 834 kB     00:01
------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                       282 kB/s | 1.2 MB     00:04
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 5ebd2744
atomic/gpgkey                                                                                                         | 1.3 kB     00:00
Importing GPG key 0x5EBD2744 "Atomic Rocket Turtle <admin@atomicrocketturtle.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : inotify-tools                                                                                                      1/4
  Installing     : ossec-hids                                                                                                         2/4
  Installing     : perl-DBD-SQLite                                                                                                    3/4
  Installing     : ossec-hids-client                                                                                                  4/4

Installed:
  ossec-hids-client.x86_64 0:2.5.1-1.el5.art

Dependency Installed:
  inotify-tools.x86_64 0:3.11-1.el5.art    ossec-hids.x86_64 0:2.5.1-1.el5.art    perl-DBD-SQLite.x86_64 0:1.29-1.el5.rf

Complete!
[root@t3ce ~]#
</pre>
Then edit the configuration file /var/ossec/etc/ossec.conf and point it to your OSSEC server IP; also modify the configuration according to the specific needs of this Agent, checking the manual.
---++ Creating on the OSSEC Server the Agent keys
---+ Services
<!--
#List all the important services, their installation, configuration and how to start and stop them
-->
---+ Backups
-- Main.FabioMartinelli - 2011-06-13
---++!! NodeTypeForm
| *Hostnames* | t3ossec |
| *Services* | ossec daemon |
| *Hardware* | PSI DMZ VMWare cluster |
| *Install Profile* | not yet |
| *Guarantee/maintenance until* | n.a. |