OSSEC is used to meet the PCI DSS requirements for centralized logging and intrusion
monitoring with a free, self-managed solution. OSSEC collects and analyses all common
log types, such as syslog, Apache, mail, MySQL and FTP logs, and more.
1. Deploying the OSSEC core server
Extract the OSSEC source package and run the ./install.sh script; it guides you
through the installation. Verify the tarball's checksum against the value published
with the release before extracting it, since the installer is run as root.
# tar -xvf ossec-hids-2.7.tar.gz
# cd ossec-hids-2.7
# ./install.sh
The interactive installation begins. It prompts for the installation type: server,
agent or local. The installation path can be changed, but by default OSSEC installs
into /var/ossec. Accept the defaults unless you have a reason not to and follow the
prompts to the end; the installer then compiles and installs OSSEC according to the
choices you made.
Select the language (EN in this example).
Select the installation type: server.
Accept the default installation folder (/var/ossec) unless you want to change it.
Enable e-mail notification and enter the address that alerts should be sent to
(this becomes email_to in ossec.conf); the installer then tries to detect your SMTP server.
If the installer cannot determine your SMTP gateway automatically, enter it manually
(use the IP address or hostname of the relay in your environment).
Enable the integrity check daemon and the rootkit detection daemon.
Whether or not to enable active response is up to you. It blocks offending source
addresses automatically (for example with the firewall-drop response), so in a
production environment a spoofed or shared source address can lock out legitimate
hosts; if you enable it, add your management hosts and DNS servers to the white list
the installer offers.
We will not use the remote syslog listener (514/udp) in this example, so answer no.
The OSSEC core server installation is now complete.
2. Generating client keys
The OSSEC server needs each agent's name and IP address in order to generate the
unique authentication key that binds that agent to this OSSEC server.
a. First, create an agents.txt file listing all target Linux servers, one per line,
as IP address and agent name separated by a comma:
192.168.9.101,rwca1
...
…
….
Save the file (in vi: :wq!).
b. Place this file in the /var/ossec directory on the OSSEC server.
c. Now run the bulk import:
# /var/ossec/bin/manage_agents -f /agents.txt
manage_agents chroots into /var/ossec before reading the file, which is why the
file has to live there and is given as /agents.txt.
3. Start the OSSEC server
# /var/ossec/bin/ossec-control start
To restart or stop it later:
# /var/ossec/bin/ossec-control restart
# /var/ossec/bin/ossec-control stop
4. Install the OSSEC agents
On each target server, follow the same installation steps as for the server, but
choose the installation type agent:
# tar -xvf ossec-hids-2.7.tar.gz
# cd ossec-hids-2.7
# ./install.sh
Select the type of installation as agent, and enter the IP address of the OSSEC
server when prompted for it.
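The server and agent installations above make the same choices on every host, which is tedious and error-prone to repeat by hand across a fleet. The following script is an added example (not part of the OSSEC tarball or of this guide) that writes an etc/preloaded-vars.conf with those answers so that ./install.sh runs unattended. The USER_* variable names are the ones documented in the tarball's own etc/preloaded-vars.conf; compare them with the copy in the release you downloaded. The e-mail address and IP addresses in the demo are placeholders.

```shell
#!/bin/sh
# Added example, not OSSEC project code: generate etc/preloaded-vars.conf so
# that ./install.sh makes the same choices as the interactive walkthrough
# without prompting. USER_* names follow the tarball's etc/preloaded-vars.conf
# (check against your copy); addresses in the demo are placeholders.

# $1 = server | agent | local, $2 = output path,
# $3 = alert recipient (server), $4 = SMTP relay (server) or manager IP (agent)
write_preloaded_vars() {
    itype=$1; out=$2; addr=$3; peer=$4
    case "$itype" in
        server|agent|local) ;;
        *) echo "install type must be server, agent or local" >&2; return 1 ;;
    esac
    {
        echo 'USER_LANGUAGE="en"'
        echo 'USER_NO_STOP="y"'                 # do not pause for "press ENTER"
        echo "USER_INSTALL_TYPE=\"$itype\""
        echo 'USER_DIR="/var/ossec"'            # the default install directory
        echo 'USER_ENABLE_SYSCHECK="y"'         # integrity check daemon
        echo 'USER_ENABLE_ROOTCHECK="y"'        # rootkit detection daemon
        echo 'USER_ENABLE_ACTIVE_RESPONSE="n"'  # risky in production, see the text
        if [ "$itype" = agent ]; then
            echo 'USER_ENABLE_EMAIL="n"'           # the manager sends mail, not agents
            echo "USER_AGENT_SERVER_IP=\"$peer\""  # the manager this agent reports to
        else
            echo 'USER_ENABLE_EMAIL="y"'
            echo "USER_EMAIL_ADDRESS=\"$addr\""    # where alerts are sent
            echo "USER_EMAIL_SMTP=\"$peer\""       # relay, in case auto-detection fails
            echo 'USER_ENABLE_SYSLOG="n"'          # no remote syslog listener on 514/udp
        fi
    } > "$out"
}

# Read one variable back from a generated file (used to check the result).
preloaded_var() {   # $1 = file, $2 = variable name
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Demo: write a manager profile to a temp file and show it (nothing is installed).
f=$(mktemp)
write_preloaded_vars server "$f" soc@example.com 192.168.9.1
cat "$f"
echo "install type: $(preloaded_var "$f" USER_INSTALL_TYPE)"
rm -f "$f"
# Real use, inside the extracted source tree, as root:
#   write_preloaded_vars server etc/preloaded-vars.conf soc@example.com 192.168.9.1
#   ./install.sh
```

Generate one file per role (server on the manager, agent with the manager's IP on every target), keep them in configuration management, and the interactive prompts of sections 1 and 4 never have to be answered by hand again.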
5. Add agents to the OSSEC manager
To add an agent to an OSSEC manager with manage_agents, follow the steps below:
- Run manage_agents on the OSSEC server.
- Add an agent.
- Extract the key for the agent.
- Copy that key to the agent.
- Run manage_agents on the agent.
- Import the key copied from the manager.
- Restart the manager's OSSEC processes.
- Start or restart the agent.
Agents that were already created from agents.txt in step 2 only need the extract,
copy and import steps. The key is the agent's only credential towards the manager,
so copy it over an authenticated channel such as scp, not by e-mail or chat.
Follow the online guide: http://www.ossec.net/doc/manual/agent/agent-management.html#running-manage-agents-and-start-screen
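Both the bulk list of step 2 and the extract/copy/import cycle of step 5 revolve around two small file formats, and a typo in either only surfaces later as an agent that never connects. The script below is an added example (not OSSEC project code and not from this guide): it validates an agents.txt before it is handed to manage_agents -f, produces the export string for an agent from the manager's client.keys in the same encoding manage_agents -e uses (base64 of the agent's "ID NAME IP KEY" line), and checks such a string on the agent side before manage_agents -i. All agent names, IP addresses and keys in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not OSSEC project code: helpers around the "IP,NAME" bulk list
# read by `manage_agents -f` and the manager's client.keys ("ID NAME IP KEY",
# one agent per line), whose base64-encoded line is the string that
# `manage_agents -e` prints and `manage_agents -i` expects.
# Names, IPs and keys below are constructed for the example.

# Check every line of an agents.txt before feeding it to manage_agents -f:
# dotted-quad IPv4, one comma, a name without spaces or a second comma.
# Prints offending lines and returns 1 if there are any.
validate_agent_list() {   # $1 = path to agents.txt
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        ip=${line%%,*}
        name=${line#*,}
        if [ "$ip" = "$line" ] \
           || ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
           || ! printf '%s' "$name" | grep -Eq '^[A-Za-z0-9._-]+$'; then
            printf 'bad line: %s\n' "$line" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Produce the export string for one agent from the manager's client.keys,
# the same encoding manage_agents -e uses: base64 of the agent's whole line.
export_agent_key() {   # $1 = client.keys path, $2 = agent name
    line=$(awk -v n="$2" '$2 == n { print; exit }' "$1")
    [ -n "$line" ] || { printf 'no such agent: %s\n' "$2" >&2; return 1; }
    printf '%s' "$line" | base64 | tr -d '\n'
}

# On the agent, check an export string before `manage_agents -i`: it must decode
# to four fields, the key must be hex, and the IP must be the address the
# manager will see this agent connect from (or "any"); otherwise the manager
# rejects the agent's messages as coming from an unknown source.
check_agent_key() {   # $1 = export string, $2 = IP this agent connects from
    want=$2
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    set -- $decoded
    [ $# -eq 4 ] || { echo 'malformed key: expected "ID NAME IP KEY"' >&2; return 1; }
    printf '%s' "$4" | grep -Eq '^[0-9a-f]+$' || { echo 'key is not hex' >&2; return 1; }
    [ "$3" = "$want" ] || [ "$3" = any ] \
        || { printf 'IP mismatch: key is for %s, agent uses %s\n' "$3" "$want" >&2; return 1; }
}

# Demo on constructed data in a temp dir (no manage_agents needed).
d=$(mktemp -d)
printf '192.168.9.101,rwca1\n192.168.9.102,rwca2\n' > "$d/agents.txt"
validate_agent_list "$d/agents.txt" && echo "agents.txt is well formed"
# What /var/ossec/etc/client.keys looks like after `manage_agents -f /agents.txt`
# (keys shortened and made up for the example):
cat > "$d/client.keys" <<'EOF'
001 rwca1 192.168.9.101 0123456789abcdef0123456789abcdef
002 rwca2 192.168.9.102 fedcba9876543210fedcba9876543210
EOF
key=$(export_agent_key "$d/client.keys" rwca1)
echo "export string for rwca1: $key"
check_agent_key "$key" 192.168.9.101 && echo "key accepted for 192.168.9.101"
check_agent_key "$key" 10.0.0.5 || echo "key rejected for 10.0.0.5"
rm -rf "$d"
```

The IP check is the one worth keeping: an agent registered with one address but connecting from another (NAT, a second interface, a cloned VM) is the most common reason an agent stays silent after a seemingly successful import.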
6. Verify successful installation of the agent
Then verify that the agent has been installed successfully and is communicating
with the OSSEC server by following its log on the agent:
# tail -f /var/ossec/logs/ossec.log
A working agent logs that ossec-agentd connected to the server; on the manager,
/var/ossec/bin/agent_control -l lists the registered agents and shows whether each
one is active.
7. Deploy the OSSEC Web UI dashboard
Install PHP for the OSSEC UI:
# yum install php-mysql php-devel php-gd php-pecl-memcache php-pspell php-snmp php-xmlrpc php-xml
Start Apache and configure it to start at boot:
# /etc/init.d/httpd start
# /sbin/chkconfig httpd on
# /etc/init.d/httpd restart
Download the OSSEC Web UI package, extract it into the web root and rename the directory:
# cd /var/www/html/
# tar -xvf ossec-wui-0.8-alpha-0.tar.gz
# mv ossec-wui-0.8-alpha ossec-wui
Switch to the ossec-wui directory and run ./setup.sh; it asks for a user name and
password that protect the Web UI.
Add the apache user to the ossec group so that the UI can read OSSEC's data, and
change the permissions of the /var/ossec/tmp directory:
# chmod 770 /var/ossec/tmp/
# chgrp apache /var/ossec/tmp/
# /etc/init.d/httpd restart
# /var/ossec/bin/ossec-control restart (restart the OSSEC server)
Open http://your-ip-address/ossec-wui/ in a browser, replacing your-ip-address with
the IP address of the host where you installed ossec-wui. Note that ossec-wui 0.8 is
an alpha release: keep it reachable only from an administrative network and serve
it over HTTPS.
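The permission step above is easy to get wrong in both directions (a forgotten chgrp leaves the UI blank, a lazy chmod 777 lets any local user read the alert data), and nothing in the walkthrough restricts who can reach the dashboard. The script below is an added example, not part of the ossec-wui package or of this guide: it audits the /var/ossec/tmp permissions the UI depends on and writes an Apache 2.2 (RHEL/CentOS httpd, as used above) fragment that limits the UI to an admin network. The OSSEC directory, web server group and network are parameters; the values in the demo and in the commented real-use lines (/var/ossec, group apache, /var/www/html/ossec-wui, 192.168.9.0/24) are assumptions matching the walkthrough.

```shell
#!/bin/sh
# Added example, not from ossec-wui: audit the permissions the Web UI needs and
# generate an Apache 2.2 access restriction for it. Directory, group and network
# are parameters; the demo values are assumptions matching the walkthrough.

# The UI runs as the web server user and reads OSSEC data through /var/ossec/tmp,
# so that directory must be group-accessible to the web server group and to
# nobody else: mode 770 with the right group. A world-accessible mode (e.g. 777)
# would let any local user read alert data, so it is reported as a failure too.
check_wui_perms() {   # $1 = OSSEC dir, $2 = web server group (apache on CentOS)
    dir=$1/tmp
    [ -d "$dir" ] || { echo "missing $dir" >&2; return 1; }
    mode=$(stat -c %a "$dir")
    grp=$(stat -c %G "$dir")
    rc=0
    [ "$mode" = 770 ] || { echo "$dir mode is $mode, want 770" >&2; rc=1; }
    [ "$grp" = "$2" ] || { echo "$dir group is $grp, want $2" >&2; rc=1; }
    return $rc
}

# httpd fragment for /etc/httpd/conf.d/: only the given admin network (and the
# host itself) may reach the UI, and AllowOverride lets httpd honour the
# .htaccess/.htpasswd login that setup.sh configured (the stock httpd.conf
# sets AllowOverride None under /var/www/html, which would switch it off).
write_wui_access_conf() {   # $1 = WUI directory, $2 = admin network (CIDR), $3 = output file
    cat > "$3" <<EOF
<Directory "$1">
    AllowOverride AuthConfig
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from $2
</Directory>
EOF
}

# Demo on a constructed layout in a temp dir (the current user's primary group
# stands in for "apache"); nothing on the real system is touched.
d=$(mktemp -d)
mkdir -p "$d/ossec/tmp"
chgrp "$(id -gn)" "$d/ossec/tmp"
chmod 777 "$d/ossec/tmp"
check_wui_perms "$d/ossec" "$(id -gn)" || echo "fix needed: chmod 770 + chgrp"
chmod 770 "$d/ossec/tmp"
check_wui_perms "$d/ossec" "$(id -gn)" && echo "permissions OK"
write_wui_access_conf /var/www/html/ossec-wui 192.168.9.0/24 "$d/ossec-wui.conf"
cat "$d/ossec-wui.conf"
rm -rf "$d"
# Real deployment, as root, after ./setup.sh:
#   usermod -a -G ossec apache          # the "add apache to the ossec group" step
#   chmod 770 /var/ossec/tmp && chgrp apache /var/ossec/tmp
#   check_wui_perms /var/ossec apache
#   write_wui_access_conf /var/www/html/ossec-wui 192.168.9.0/24 /etc/httpd/conf.d/ossec-wui.conf
#   /etc/init.d/httpd restart
```

Run check_wui_perms again after any OSSEC upgrade or reinstall: install.sh recreates the directory tree with OSSEC's own ownership, which silently undoes the chgrp and takes the dashboard offline.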