Needed to install some sort of host intrusion detection system on various servers. OSSEC server and agent model seemed to fit the bill. Also, I wanted some sort of web interface. Because I’m lazy.
My sources:
How to Install OSSEC on Red Hat or CentOS 6
Installing ossec client on CentOS 6…
1. Add the EPEL repository to meet an inotify-tools dependency. Check to make sure that the release version is the current one by looking at the file directory at http://download.fedoraproject.org/pub/epel/6/x86_64/.
$ sudo rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
2. Fetch/run the atomic repository script to add their repository.
$ wget https://www.atomicorp.com/installers/atomic && sudo chmod +x atomic && sudo ./atomic
3. Use yum to install the ossec server (or client)
$ sudo yum install ossec-hids ossec-hids-server
You’ll see something like this:
$ sudo yum install ossec-hids ossec-hids-server
Loaded plugins: fastestmirror, priorities
Determining fastest mirrors
epel/metalink                                            |  12 kB     00:00
 * atomic: www5.atomicorp.com
 * base: ftpmirror.your.org
 * epel: fedora-epel.mirror.lstn.net
 * extras: ftpmirror.your.org
 * rpmforge: mirror.us.leaseweb.net
 * updates: ftpmirror.your.org
atomic                                                   | 1.9 kB     00:00
atomic/primary_db                                        | 517 kB     00:00
base                                                     | 3.7 kB     00:00
base/primary_db                                          | 4.4 MB     00:00
epel                                                     | 4.2 kB     00:00
epel/primary_db                                          | 5.4 MB     00:01
extras                                                   | 3.4 kB     00:00
extras/primary_db                                        |  18 kB     00:00
rpmforge                                                 | 1.9 kB     00:00
rpmforge/primary_db                                      | 2.6 MB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 4.4 MB     00:00
455 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.7-20.el6.art will be updated
---> Package ossec-hids.x86_64 0:2.7-24.el6.art will be an update
---> Package ossec-hids-server.x86_64 0:2.7-20.el6.art will be updated
---> Package ossec-hids-server.x86_64 0:2.7-24.el6.art will be an update
--> Processing Dependency: libGeoIP.so.1()(64bit) for package: ossec-hids-server-2.7-24.el6.art.x86_64
--> Running transaction check
---> Package GeoIP.x86_64 0:1.4.8-1.1.el6.art will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch       Version               Repository       Size
================================================================================
Updating:
 ossec-hids           x86_64     2.7-24.el6.art        atomic           56 k
 ossec-hids-server    x86_64     2.7-24.el6.art        atomic          858 k
Installing for dependencies:
 GeoIP                x86_64     1.4.8-1.1.el6.art     atomic          619 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       2 Package(s)

Total download size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): GeoIP-1.4.8-1.1.el6.art.x86_64.rpm                | 619 kB     00:00
(2/3): ossec-hids-2.7-24.el6.art.x86_64.rpm              |  56 kB     00:00
(3/3): ossec-hids-server-2.7-24.el6.art.x86_64.rpm       | 858 kB     00:00
--------------------------------------------------------------------------------
Total                                           1.5 MB/s | 1.5 MB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : GeoIP-1.4.8-1.1.el6.art.x86_64                             1/5
  Updating   : ossec-hids-2.7-24.el6.art.x86_64                           2/5
  Updating   : ossec-hids-server-2.7-24.el6.art.x86_64                    3/5
  Cleanup    : ossec-hids-server-2.7-20.el6.art.x86_64                    4/5
  Cleanup    : ossec-hids-2.7-20.el6.art.x86_64                           5/5
  Verifying  : ossec-hids-server-2.7-24.el6.art.x86_64                    1/5
  Verifying  : ossec-hids-2.7-24.el6.art.x86_64                           2/5
  Verifying  : GeoIP-1.4.8-1.1.el6.art.x86_64                             3/5
  Verifying  : ossec-hids-server-2.7-20.el6.art.x86_64                    4/5
  Verifying  : ossec-hids-2.7-20.el6.art.x86_64                           5/5

Dependency Installed:
  GeoIP.x86_64 0:1.4.8-1.1.el6.art

Updated:
  ossec-hids.x86_64 0:2.7-24.el6.art
  ossec-hids-server.x86_64 0:2.7-24.el6.art

Complete!
4. Start the server.
$ sudo service ossec-hids start
Starting ossec-hids: [ OK ]
5. Get the OSSEC web user interface.
$ wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz
6. Un-tar and move it to your default http server files location
$ tar xvf ossec-wui-0.3.tar.gz
$ sudo mv ossec-wui-0.3 /var/www/html/ossec-wui
7. Initialize the web UI
$ cd /var/www/html/ossec-wui
$ sudo ./setup.sh
[sudo] password for xxxxx:
Setting up ossec ui...

Username:
New password:
Re-type new password:
Adding password for user
Setup completed successfuly.
8. Add apache user (or whatever user owns your http server) to group ossec
$ sudo gpasswd -a apache ossec
9. Fix permissions and ownership (do as su)
$ sudo -s
# cd /var/ossec
# chmod 770 tmp/
# chgrp apache tmp/
10. Restart ossec and apache
$ sudo service ossec-hids restart
Shutting down ossec-hids: [ OK ]
Starting ossec-hids: [ OK ]
$ sudo service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
And now OSSEC server should be running and you can access the web interface at: http://your.host.or.ip/ossec-wui/
Next up: setting up an agent on a client machine.
11. Install the OSSEC HIDS client on the machine you want to monitor
$ sudo yum install ossec-hids-client
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * atomic: www3.atomicorp.com
 * base: centos-mirror.jchost.net
 * epel: fedora-epel.mirror.lstn.net
 * extras: mirror.steadfast.net
 * updates: centos.unmeteredvps.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids-client.x86_64 0:2.7-24.el6.art will be installed
--> Processing Dependency: ossec-hids = 2.7-24.el6.art for package: ossec-hids-client-2.7-24.el6.art.x86_64
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.7-24.el6.art will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch       Version               Repository       Size
================================================================================
Installing:
 ossec-hids-client    x86_64     2.7-24.el6.art        atomic          267 k
Installing for dependencies:
 ossec-hids           x86_64     2.7-24.el6.art        atomic           56 k

Transaction Summary
================================================================================
Install       2 Package(s)

Total download size: 323 k
Installed size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): ossec-hids-2.7-24.el6.art.x86_64.rpm              |  56 kB     00:00
(2/2): ossec-hids-client-2.7-24.el6.art.x86_64.rpm       | 267 kB     00:00
--------------------------------------------------------------------------------
Total                                           852 kB/s | 323 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ossec-hids-2.7-24.el6.art.x86_64                           1/2
  Installing : ossec-hids-client-2.7-24.el6.art.x86_64                    2/2

Installed:
  ossec-hids-client.x86_64 0:2.7-24.el6.art

Dependency Installed:
  ossec-hids.x86_64 0:2.7-24.el6.art

Complete!
12. Run the agent management tool on the OSSEC server to add the agent/client
$ sudo -s
# cd /var/ossec/bin
# ./manage_agents

****************************************
* OSSEC HIDS v2.7 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agent_1
   * The IP Address of the new agent: 1.2.3.4
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:agent_1
   IP Address:1.2.3.4

Confirm adding it?(y/n): y
Agent added.
13. Using the agent manager tool (still), extract the client key
****************************************
* OSSEC HIDS v2.7 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: agent_1, IP: 1.2.3.4
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
a very long key

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.7 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: Q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..
14. Restart OSSEC. The "ossec-remoted not running" line is expected on a server that had no agents registered before this point; remoted only runs once client.keys has at least one entry.
# ./ossec-control restart
Deleting PID file '/var/ossec/var/run/ossec-remoted-18167.pid' not used...
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.7 Stopped
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
15. Open up UDP port 1514 in iptables, save the rule, and restart iptables. Make sure that the rule ends up above any REJECT or BLACKLIST rules: -A appends to the end of the INPUT chain, so insert it at a specific position instead if needed (use iptables -I INPUT # …).
# iptables -A INPUT -p udp -m udp --dport 1514 -j ACCEPT
# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
16. Almost there. Time to import the key from the OSSEC server on the OSSEC client
# cd /var/ossec/bin
# ./manage_client

****************************************
* OSSEC HIDS v2.7 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): a very long key

Agent information:
   ID:001
   Name:agent_1
   IP Address:1.2.3.4

Confirm adding it?(y/n): y
Added.

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.7 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..
17. Make sure that the OSSEC server IP is set correctly in /var/ossec/etc/ossec.conf on the client (the <server-ip> element inside <client>):
<ossec_config>
  <client>
    <server-ip>10.10.14.1</server-ip>
  </client>
  <!-- other sections of ossec.conf unchanged -->
</ossec_config>
18. Restart OSSEC on the client
# service ossec-hids restart
Shutting down ossec-hids: [ OK ]
Starting ossec-hids: [ OK ]
Finished.
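As an added check (my own script, not part of the original post or of the OSSEC project), a small POSIX shell script that verifies three things the steps above set up: the firewall rule ordering from step 15 (an ACCEPT appended with -A lands after the trailing REJECT in CentOS 6's default iptables and never matches), the <server-ip> from step 17, and the client.keys entry produced in steps 12 and 16. The CentOS 6 paths are the ones used in the post; the script name ossec_check.sh is assumed.

```shell
#!/bin/sh
# Post-install sanity checks for the server/agent setup above. Added
# example, not part of the original post or of the OSSEC project. Assumes
# the CentOS 6 paths used in the post (/var/ossec/etc/ossec.conf,
# /var/ossec/etc/client.keys) and the `iptables -S INPUT` output format.

# Read `iptables -S INPUT` on stdin and print "accept=N reject=M": N is the
# position of the first "udp dport 1514 ACCEPT" rule, M that of the first
# REJECT/DROP rule (0 when absent). If N > M the ACCEPT never fires, which
# is the ordering mistake step 15 warns about when using -A instead of -I.
rule_order() {
    awk '/^-A INPUT/ { n++ }
         /^-A INPUT/ && /-p udp/ && /--dport 1514/ && /-j ACCEPT/ && !a { a = n }
         /^-A INPUT/ && /-j (REJECT|DROP)/ && !r { r = n }
         END { printf "accept=%d reject=%d\n", a, r }'
}

# Succeeds only when the ACCEPT rule exists and precedes any REJECT/DROP.
rule_ok() {
    set -- $(rule_order)
    a=${1#accept=}; r=${2#reject=}
    [ "$a" -gt 0 ] && { [ "$r" -eq 0 ] || [ "$a" -lt "$r" ]; }
}

# Print the <server-ip> from an ossec.conf read on stdin (step 17).
server_ip() {
    sed -n 's/.*<server-ip>\([^<]*\)<\/server-ip>.*/\1/p' | head -n 1
}

# Print "id name ip" for the client.keys entry with the given id (steps 12
# and 16); empty when the id is missing. The key itself is never printed.
keys_entry() {
    awk -v id="$1" 'NF == 4 && $1 == id { print $1, $2, $3 }'
}

# Live run on a host: `sh ossec_check.sh 001`. Skipped when no agent id is
# given or the OSSEC files are absent, so the functions can be sourced.
if [ -n "${1:-}" ] && [ -r /var/ossec/etc/client.keys ]; then
    echo "server-ip:   $(server_ip < /var/ossec/etc/ossec.conf)"
    echo "client.keys: $(keys_entry "$1" < /var/ossec/etc/client.keys)"
    if iptables -S INPUT 2>/dev/null | rule_ok; then
        echo "iptables:    udp/1514 ACCEPT precedes REJECT/DROP"
    else
        echo "iptables:    udp/1514 ACCEPT missing or after REJECT (step 15)"
    fi
fi
```

Run it as root on the server for the iptables check and on the agent for the server-ip check; client.keys exists on both sides once the key has been imported.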