X Marks the Spot

random commentary on life, the universe, and anything

Wrangling OSSEC on CentOS 6


I needed to install a host intrusion detection system on various servers. OSSEC's server/agent model seemed to fit the bill. I also wanted some sort of web interface, because I'm lazy.

My sources:
How to Install OSSEC on Red Hat or CentOS 6
Installing ossec client on CentOS 6…

1. Add the EPEL repository to meet an inotify-tools dependency. Check that the release version is the current one by looking at the directory listing at http://download.fedoraproject.org/pub/epel/6/x86_64/. Note that rpm -Uvh straight from a URL installs the package even when its signing key has not been imported yet (you only get a NOKEY warning), so this step is a trust-on-first-use decision; if that matters to you, download the file, import the EPEL key from a source you already trust, and verify it with rpm -K before installing.

$ sudo rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

2. Fetch and run the Atomicorp installer script, which configures their yum repository. It is a third-party script executed as root, so read it before you run it.

$ wget https://www.atomicorp.com/installers/atomic && sudo chmod +x atomic && sudo ./atomic

3. Use yum to install the OSSEC server (on machines you only want to monitor, install the client package instead; see step 11).

$ sudo yum install ossec-hids ossec-hids-server

You’ll see something like this:

$ sudo yum install ossec-hids ossec-hids-server
Loaded plugins: fastestmirror, priorities
Determining fastest mirrors
epel/metalink                                            |  12 kB     00:00     
 * atomic: www5.atomicorp.com
 * base: ftpmirror.your.org
 * epel: fedora-epel.mirror.lstn.net
 * extras: ftpmirror.your.org
 * rpmforge: mirror.us.leaseweb.net
 * updates: ftpmirror.your.org
atomic                                                   | 1.9 kB     00:00     
atomic/primary_db                                        | 517 kB     00:00     
base                                                     | 3.7 kB     00:00     
base/primary_db                                          | 4.4 MB     00:00     
epel                                                     | 4.2 kB     00:00     
epel/primary_db                                          | 5.4 MB     00:01     
extras                                                   | 3.4 kB     00:00     
extras/primary_db                                        |  18 kB     00:00     
rpmforge                                                 | 1.9 kB     00:00     
rpmforge/primary_db                                      | 2.6 MB     00:00     
updates                                                  | 3.4 kB     00:00     
updates/primary_db                                       | 4.4 MB     00:00     
455 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.7-20.el6.art will be updated
---> Package ossec-hids.x86_64 0:2.7-24.el6.art will be an update
---> Package ossec-hids-server.x86_64 0:2.7-20.el6.art will be updated
---> Package ossec-hids-server.x86_64 0:2.7-24.el6.art will be an update
--> Processing Dependency: libGeoIP.so.1()(64bit) for package: ossec-hids-server-2.7-24.el6.art.x86_64
--> Running transaction check
---> Package GeoIP.x86_64 0:1.4.8-1.1.el6.art will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch        Version                   Repository   Size
================================================================================
Updating:
 ossec-hids             x86_64      2.7-24.el6.art            atomic       56 k
 ossec-hids-server      x86_64      2.7-24.el6.art            atomic      858 k
Installing for dependencies:
 GeoIP                  x86_64      1.4.8-1.1.el6.art         atomic      619 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       2 Package(s)

Total download size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): GeoIP-1.4.8-1.1.el6.art.x86_64.rpm                | 619 kB     00:00     
(2/3): ossec-hids-2.7-24.el6.art.x86_64.rpm              |  56 kB     00:00     
(3/3): ossec-hids-server-2.7-24.el6.art.x86_64.rpm       | 858 kB     00:00     
--------------------------------------------------------------------------------
Total                                           1.5 MB/s | 1.5 MB     00:01     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : GeoIP-1.4.8-1.1.el6.art.x86_64                               1/5 
  Updating   : ossec-hids-2.7-24.el6.art.x86_64                             2/5 
  Updating   : ossec-hids-server-2.7-24.el6.art.x86_64                      3/5 
  Cleanup    : ossec-hids-server-2.7-20.el6.art.x86_64                      4/5 
  Cleanup    : ossec-hids-2.7-20.el6.art.x86_64                             5/5 
  Verifying  : ossec-hids-server-2.7-24.el6.art.x86_64                      1/5 
  Verifying  : ossec-hids-2.7-24.el6.art.x86_64                             2/5 
  Verifying  : GeoIP-1.4.8-1.1.el6.art.x86_64                               3/5 
  Verifying  : ossec-hids-server-2.7-20.el6.art.x86_64                      4/5 
  Verifying  : ossec-hids-2.7-20.el6.art.x86_64                             5/5 

Dependency Installed:
  GeoIP.x86_64 0:1.4.8-1.1.el6.art                                              

Updated:
  ossec-hids.x86_64 0:2.7-24.el6.art  ossec-hids-server.x86_64 0:2.7-24.el6.art 

Complete!

4. Start the server.

$ sudo service ossec-hids start
Starting ossec-hids:                                       [  OK  ]

5. Get the OSSEC web user interface.

$ wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz

6. Untar it and move it into your web server's document root (/var/www/html for the stock CentOS httpd):

$ tar xvf ossec-wui-0.3.tar.gz
$ sudo mv ossec-wui-0.3 /var/www/html/ossec-wui

7. Initialize the web UI

$ cd /var/www/html/ossec-wui
$ sudo ./setup.sh
[sudo] password for xxxxx: 
Setting up ossec ui...

Username: 
New password: 
Re-type new password: 
Adding password for user 

Setup completed successfuly.

8. Add the apache user (or whatever user your web server runs as) to the ossec group, so the UI can read OSSEC's alert logs:

$ sudo gpasswd -a apache ossec

9. Fix permissions and ownership on /var/ossec/tmp so the UI, running as apache, can write there (as root):

$ sudo -s
# cd /var/ossec
# chmod 770 tmp/
# chgrp apache tmp/

10. Restart ossec and apache

$ sudo service ossec-hids restart
Shutting down ossec-hids:                                  [  OK  ]
Starting ossec-hids:                                       [  OK  ]
$ sudo service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

The OSSEC server should now be running, and the web interface is available at http://your.host.or.ip/ossec-wui/. Keep in mind that setup.sh only protected the directory with HTTP Basic authentication: over plain HTTP that password crosses the wire in the clear, and the UI shows every alert the server collects. Put it behind HTTPS and restrict access by source address in httpd before exposing it to anything wider than a management network.

Next up: setting up an agent on a client machine.

11. Install the OSSEC HIDS client on the machine you want to monitor

$ sudo yum install ossec-hids-client
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * atomic: www3.atomicorp.com
 * base: centos-mirror.jchost.net
 * epel: fedora-epel.mirror.lstn.net
 * extras: mirror.steadfast.net
 * updates: centos.unmeteredvps.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ossec-hids-client.x86_64 0:2.7-24.el6.art will be installed
--> Processing Dependency: ossec-hids = 2.7-24.el6.art for package: ossec-hids-client-2.7-24.el6.art.x86_64
--> Running transaction check
---> Package ossec-hids.x86_64 0:2.7-24.el6.art will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                 Arch         Version                Repository    Size
================================================================================
Installing:
 ossec-hids-client       x86_64       2.7-24.el6.art         atomic       267 k
Installing for dependencies:
 ossec-hids              x86_64       2.7-24.el6.art         atomic        56 k

Transaction Summary
================================================================================
Install       2 Package(s)

Total download size: 323 k
Installed size: 1.5 M
Is this ok [y/N]: y 
Downloading Packages:
(1/2): ossec-hids-2.7-24.el6.art.x86_64.rpm              |  56 kB     00:00     
(2/2): ossec-hids-client-2.7-24.el6.art.x86_64.rpm       | 267 kB     00:00     
--------------------------------------------------------------------------------
Total                                           852 kB/s | 323 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ossec-hids-2.7-24.el6.art.x86_64                             1/2 
  Installing : ossec-hids-client-2.7-24.el6.art.x86_64                      2/2 

Installed:
  ossec-hids-client.x86_64 0:2.7-24.el6.art                                     

Dependency Installed:
  ossec-hids.x86_64 0:2.7-24.el6.art                                            

Complete!

12. On the OSSEC server, run the agent management tool to add the agent. Give it the address the agent will actually connect from: ossec-remoted matches incoming traffic against the IP recorded for the agent, so a NATed or mistyped address means the agent is rejected (use "any" if its address varies).

$ sudo -s
# cd /var/ossec/bin
# ./manage_agents

****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agent_1
   * The IP Address of the new agent: 1.2.3.4
   * An ID for the new agent[001]: 
Agent information:
   ID:001
   Name:agent_1
   IP Address:1.2.3.4

Confirm adding it?(y/n): y
Agent added.

13. Still in the agent manager, extract the key for the new agent. Treat the output as a secret: it is the shared key the agent uses to authenticate to the server and encrypt its traffic, so move it over SSH or another protected channel, not by email or chat.


****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E

Available agents: 
   ID: 001, Name: agent_1, IP: 1.2.3.4
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is: 
a very long key

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: Q     

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..

14. Restart OSSEC

# ./ossec-control restart
Deleting PID file '/var/ossec/var/run/ossec-remoted-18167.pid' not used...
Killing ossec-monitord .. 
Killing ossec-logcollector .. 
ossec-remoted not running ..
Killing ossec-syscheckd .. 
Killing ossec-analysisd .. 
Killing ossec-maild .. 
Killing ossec-execd .. 
OSSEC HIDS v2.7 Stopped
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

15. On the server, open UDP port 1514 in iptables, save the rule, and restart iptables. Be aware that iptables -A appends: on a stock CentOS 6 firewall the new rule lands below the final REJECT (icmp-host-prohibited) rule and never matches. Insert it above any REJECT or DROP rule instead with iptables -I INPUT # … (check the numbering with iptables -L INPUT -n --line-numbers). Restricting the rule to the agent's address with -s costs nothing and keeps the port from being reachable by anyone else.

# iptables -A INPUT -p udp -m udp --dport 1514 -j ACCEPT
# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
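The ordering problem in this step is easy to check mechanically. The script below is an added example, not from the original post: it reads the INPUT chain in the form printed by iptables -S, finds where the udp/1514 ACCEPT sits relative to the first catch-all REJECT/DROP, and prints the exact iptables -I command that puts it above that rule. The two rulesets embedded in it are constructed samples modelled on the stock CentOS 6 firewall, one with the -A rule from this step appended (shadowed), one with the rule inserted at position 5 and restricted to the agent's address (reachable); on the server itself you would run it against the live chain with check_ossec_rule "$(iptables -S INPUT)".

```shell
#!/bin/sh
# Added example, not part of the original post: detect a udp/1514 ACCEPT
# rule that "iptables -A" has appended *below* the catch-all REJECT/DROP of
# the INPUT chain, where it never matches, and compute the position for
# "iptables -I INPUT N" that puts it above that rule.
#
# Input format assumed: the output of "iptables -S INPUT", one rule per
# line ("-P INPUT ..." for the policy, "-A INPUT ..." for each rule).

# Position (1-based, as iptables -I counts) of the first INPUT rule that
# accepts udp/1514; prints 0 if there is none. Reads the chain on stdin.
ossec_rule_position() {
    awk '
        /^-A INPUT / { n++ }
        /^-A INPUT / && /-p udp/ && /--dport 1514/ && /-j ACCEPT/ && !found { print n; found = 1 }
        END { if (!found) print 0 }'
}

# Position of the first catch-all REJECT/DROP rule (no -s and no --dport,
# e.g. the stock CentOS 6 "-j REJECT --reject-with icmp-host-prohibited");
# prints 0 if there is none. Reads the chain on stdin.
first_block_position() {
    awk '
        /^-A INPUT / { n++ }
        /^-A INPUT / && /-j (REJECT|DROP)/ && !/-s / && !/--dport/ && !found { print n; found = 1 }
        END { if (!found) print 0 }'
}

# check_ossec_rule CHAIN_TEXT
# Exit status: 0 = udp/1514 ACCEPT is reachable, 1 = it is shadowed by an
# earlier catch-all, 2 = it is missing. Prints a one-line verdict including
# the iptables command that fixes the chain.
check_ossec_rule() {
    chain=$1
    acc=$(printf '%s\n' "$chain" | ossec_rule_position)
    blk=$(printf '%s\n' "$chain" | first_block_position)
    if [ "$acc" -eq 0 ]; then
        if [ "$blk" -eq 0 ]; then
            echo "udp/1514 ACCEPT missing; add it: iptables -A INPUT -p udp -m udp --dport 1514 -j ACCEPT"
        else
            echo "udp/1514 ACCEPT missing; insert it above rule $blk: iptables -I INPUT $blk -p udp -m udp --dport 1514 -j ACCEPT"
        fi
        return 2
    fi
    if [ "$blk" -ne 0 ] && [ "$blk" -lt "$acc" ]; then
        echo "udp/1514 ACCEPT at rule $acc is shadowed by REJECT/DROP at rule $blk; fix: iptables -D INPUT $acc && iptables -I INPUT $blk -p udp -m udp --dport 1514 -j ACCEPT"
        return 1
    fi
    echo "udp/1514 ACCEPT at rule $acc is reachable"
    return 0
}

# Constructed sample: the stock CentOS 6 INPUT chain after the "-A" command
# from step 15 has been run and the rules saved.
SAMPLE_AFTER_APPEND='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT'

# Constructed sample: the same chain after "iptables -I INPUT 5 ..." instead,
# with the rule restricted to the agent's address as well.
SAMPLE_AFTER_INSERT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Demo; exit statuses are ignored here so the script runs to the end.
# On the server itself: check_ossec_rule "$(iptables -S INPUT)"
check_ossec_rule "$SAMPLE_AFTER_APPEND" || :
check_ossec_rule "$SAMPLE_AFTER_INSERT" || :
```

The catch-all test is deliberately narrow (no -s, no --dport): a REJECT that only applies to a specific source or port does not shadow the OSSEC rule, and treating it as one would send you chasing a problem that is not there.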

16. Almost there. On the client, import the key extracted in step 13 (the agent package ships manage_client in place of manage_agents):

# cd /var/ossec/bin
# ./manage_client

****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): 
a very long key

Agent information:
   ID:001
   Name:agent_1
   IP Address:1.2.3.4

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..

17. Make sure the server's address is set in the <server-ip> element of /var/ossec/etc/ossec.conf on the client. The excerpt below uses 10.10.14.1 as the server; substitute your own.

<ossec_config>
  <client>
    <server-ip>10.10.14.1</server-ip>
  </client>
</ossec_config>

18. Restart OSSEC on the client

# service ossec-hids restart
Shutting down ossec-hids:                                  [  OK  ]
Starting ossec-hids:                                       [  OK  ]
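Before pasting the key into manage_client in step 16, it is worth checking that what survived the clipboard is what manage_agents printed in step 13. The script below is an added example, not from the original post, and it assumes the OSSEC 2.x format: the exported key is the base64 encoding of the agent's client.keys line, ID NAME IP SECRET, where SECRET is 64 lowercase hex characters. It strips stray whitespace (the "OBS" warning above), decodes the key, and confirms that ID, name and IP match the agent you are installing on, so a key copied from the wrong agent is caught before it lands in client.keys. The secret and key it works on are constructed for the demo; the encode helper exists only to build that sample.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an exported
# OSSEC agent key before importing it with manage_client.
#
# Assumed format (OSSEC 2.x): manage_agents "(E)xtract" prints
#   base64("<ID> <NAME> <IP> <SECRET>")
# i.e. the agent's client.keys line, where SECRET is 64 lowercase hex chars.
# Whitespace picked up while copying (the "OBS" warning) corrupts the base64
# and the agent then fails to authenticate, so it is stripped here first.

# encode_client_keys_line ID NAME IP SECRET
# Builds the base64 string manage_agents would print for that line. Used only
# to construct sample input below; never hand-make a secret for a real agent.
encode_client_keys_line() {
    printf '%s %s %s %s' "$1" "$2" "$3" "$4" | base64 | tr -d '\n'
}

# check_agent_key PASTED_KEY EXPECTED_ID EXPECTED_NAME EXPECTED_IP
# Prints "ID NAME IP" and returns 0 when the key decodes cleanly and belongs
# to the expected agent; returns 1 with a reason on stderr otherwise.
check_agent_key() {
    pasted=$1 want_id=$2 want_name=$3 want_ip=$4

    # 1. Drop every whitespace character a copy/paste may have introduced.
    clean=$(printf '%s' "$pasted" | tr -d ' \t\r\n')

    # 2. Decode; base64 -d exits non-zero on anything that is not base64.
    decoded=$(printf '%s' "$clean" | base64 -d 2>/dev/null) || {
        echo "key is not valid base64" >&2
        return 1
    }

    # 3. Exactly four space-separated fields.
    set -- $decoded
    if [ $# -ne 4 ]; then
        echo "decoded key has $# fields, expected 4" >&2
        return 1
    fi
    id=$1 name=$2 ip=$3 secret=$4

    # 4. The key must be for the agent being installed (ID, name, IP) ...
    [ "$id" = "$want_id" ]     || { echo "ID mismatch: key is for $id" >&2; return 1; }
    [ "$name" = "$want_name" ] || { echo "name mismatch: key is for $name" >&2; return 1; }
    [ "$ip" = "$want_ip" ]     || { echo "IP mismatch: key is for $ip" >&2; return 1; }

    # 5. ... and the secret must be 64 lowercase hex characters.
    case $secret in
        *[!0-9a-f]*) echo "secret contains non-hex characters" >&2; return 1 ;;
    esac
    if [ ${#secret} -ne 64 ]; then
        echo "secret is ${#secret} characters, expected 64" >&2
        return 1
    fi

    echo "$id $name $ip"
}

# Demo with a constructed key (not a real secret). The deliberately wrong
# case has its exit status ignored so the script runs to the end.
DEMO_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
DEMO_KEY=$(encode_client_keys_line 001 agent_1 1.2.3.4 "$DEMO_SECRET")
check_agent_key "$DEMO_KEY" 001 agent_1 1.2.3.4                                  # clean paste
check_agent_key " $(printf '%s' "$DEMO_KEY" | fold -w 20) " 001 agent_1 1.2.3.4  # paste with line breaks
check_agent_key "$DEMO_KEY" 002 agent_2 1.2.3.4 || :                             # key for another agent
```

On a real agent, save the key the server printed to a file and run check_agent_key "$(cat key.txt)" 001 agent_1 1.2.3.4 with that agent's ID, name and address; only if it prints the expected line should the key go into manage_client, and the file should be deleted afterwards.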

Finished.
