{"id":396,"date":"2020-07-03T18:09:43","date_gmt":"2020-07-03T18:09:43","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?page_id=396"},"modified":"2020-07-03T18:14:31","modified_gmt":"2020-07-03T18:14:31","slug":"how-to-install-ossec","status":"publish","type":"page","link":"https:\/\/defragged.org\/ossec\/how-to-install-ossec\/","title":{"rendered":"How To Install OSSEC"},"content":{"rendered":"\n<p>People often ask us how we like to set up OSSEC or how we use it internally on our own servers. We always do a set of customizations to make sure we use it the best way possible.<\/p>\n\n\n\n<p>In this article we will walk through those steps one by one, and hopefully it can be helpful to other OSSEC users out there.<\/p>\n\n\n\n<p>Note that we will be focusing on a standalone install, but the principles apply to the agent\/manager setup as well.<\/p>\n\n\n\n<h1>1- Download and Install<\/h1>\n\n\n\n<p>Installing OSSEC is pretty simple, so we won\u2019t spend too much time on it. We always like to use the\u00a0<a href=\"https:\/\/bitbucket.org\/dcid\/ossec-hids\/get\/tip.tar.gz\">https:\/\/bitbucket.org\/dcid\/ossec-hids\/get\/tip.tar.gz<\/a>\u00a0package from Bitbucket:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>$<\/strong> wget https:\/\/bitbucket.org\/dcid\/ossec-hids\/get\/tip.tar.gz\n<strong>$<\/strong> tar -zxvf tip.tar.gz\n<strong>$<\/strong> cd dcid-ossec-hids-*\n<strong>#<\/strong> .\/install.sh\n<\/pre>\n\n\n\n<p>Tip is the latest source on Bitbucket and we always keep it stable, so the risk of it breaking something is very low.<\/p>\n\n\n\n<p>If you run into issues, check that make, gcc and libc are installed:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>#<\/strong> yum install gcc make libc-dev   (<strong>for <\/strong>Redhat\/fedora\/centos)\n<strong>#<\/strong> apt-get install gcc make libc-dev\n<\/pre>\n\n\n\n<h1>2- Finding the logs<\/h1>\n\n\n\n<p>Once OSSEC is installed, we can start tuning it to the server. 
The first thing we do is find out what is running and what type of logs are available.<\/p>\n\n\n\n<p>We generally use lsof to list what is there:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>#<\/strong> lsof | grep log\nhttpd     30764 apache   19w      REG      202,0    5856044    2088893 \/var\/log\/httpd\/site4.access.log\nhttpd     30764 apache   20w      REG      202,0     413775    2088897 \/var\/log\/httpd\/site3.access.log\nhttpd     32200 apache    2w      REG      202,0       2894    2088895 \/var\/log\/httpd\/error_log\nhttpd     32200 apache    7w      REG      202,0       2894    2088895 \/var\/log\/httpd\/error_log\nhttpd     32200 apache    8w      REG      202,0   11293853    2088903 \/var\/log\/httpd\/site2.error.log\nsyslogd    2220   root    2w      REG      202,0        317     121533 \/var\/log\/messages\nsyslogd    2220   root    3w      REG      202,0       3474     121774 \/var\/log\/secure\nsyslogd    2220   root    4w      REG      202,0     147252     121855 \/var\/log\/maillog\nsyslogd    2220   root    5w      REG      202,0      46954     121875 \/var\/log\/cron\nsyslogd    2220   root    6w      REG      202,0          0     121873 \/var\/log\/spooler\nsyslogd    2220   root    7w      REG      202,0          0     121874 \/var\/log\/boot.log\nmysqld     2359  mysql    1w      REG      202,0      20162     121188 \/var\/log\/mysqld.log\nmysqld     2359  mysql    2w      REG      202,0      20162     121188 \/var\/log\/mysqld.log\n.. 
and many more...\n<\/pre>\n\n\n\n<p>Then we compare that with what OSSEC added automatically:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>#<\/strong> cat \/var\/ossec\/etc\/ossec.conf  |grep \"&lt;location&gt;\/\"\n&lt;location&gt;\/var\/log\/auth.log&lt;\/location&gt;\n&lt;location&gt;\/var\/log\/syslog&lt;\/location&gt;\n&lt;location&gt;\/var\/log\/dpkg.log&lt;\/location&gt;\n<\/pre>\n\n\n\n<p>Any logs that are missing we add manually with the util.sh tool that ships with OSSEC:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>#<\/strong> \/var\/ossec\/bin\/util.sh addfile \/var\/log\/httpd\/site4.access.log\n\/var\/ossec\/bin\/util.sh: File \/var\/log\/httpd\/site4.access.log added.\n\n<strong>#<\/strong> \/var\/ossec\/bin\/util.sh addfile \/var\/log\/mysqld.log\n\/var\/ossec\/bin\/util.sh: File \/var\/log\/mysqld.log added.\n.. for all others ..\n<\/pre>\n\n\n\n<p>We also run netstat -tanep to see what is listening on the server, in case we missed something:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>#<\/strong> netstat -tanep |grep LISTEN\ntcp       0     0 127.0.0.1:3306    0.0.0.0:*        LISTEN      27        4659      2359\/mysqld\ntcp       0     0 :::22             0.0.0.0:*        LISTEN      0         4561      2278\/sshd\ntcp       0     0 :::80             :::*             LISTEN      0         4793      2411\/httpd\n<\/pre>\n\n\n\n<h1>3- Testing the logs<\/h1>\n\n\n\n<p>Before even putting it into production, we like to test whether OSSEC is able to parse all the logs properly.<\/p>\n\n\n\n<p>For that, we use the ossec-logtest tool with the -a option to analyse old events and compare the result with a manual audit of the logs.<\/p>\n\n\n\n<p>On our desktop, running it against \/var\/log\/syslog gives:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>#<\/strong> cat \/var\/log\/syslog | \/var\/ossec\/bin\/ossec-logtest -a\n2012\/03\/29 17:49:48 ossec-testrule: INFO: Reading local 
decoder file.\n2012\/03\/29 17:49:48 ossec-testrule: INFO: Started (pid: 7440).\n** Alert 1333054188.1: mail  - syslog,errors,\n2012 Mar 29 17:49:48 goiabada-&gt;stdin\nRule: 1002 (level 2) -&gt; 'Unknown problem somewhere in the system.'\nMar 29 10:11:04 goiabada kernel: [604548.729517] chrome[11541]: segfault at 60 ip b3d27f27 sp bf940a50\nerror 4 in libgtk-x11-2.0.so.0.2400.6[b3c34000+461000]\n\n** Alert 1333054188.2: mail  - syslog,errors,\n2012 Mar 29 17:49:48 goiabada-&gt;stdin\nRule: 1002 (level 2) -&gt; 'Unknown problem somewhere in the system.'\nMar 29 10:29:06 goiabada kernel: [605630.394325] chrome[20438]: segfault at cc ip b37a6d87 sp bfa6e024\nerror 4 in libpthread-2.13.so[b379e000+17000]\n<\/pre>\n\n\n\n<p>We can also run it without -a to check that it is decoding the logs properly.<\/p>\n\n\n\n<h1>4- Monitoring commands<\/h1>\n\n\n\n<p>We use the command monitoring in OSSEC to track state changes and to get a full picture of all our agents.<\/p>\n\n\n\n<p>These are the commands we like to monitor:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;localfile&gt;\n   &lt;log_format&gt;full_command&lt;\/log_format&gt;\n   &lt;command&gt;\/sbin\/iptables -nL&lt;\/command&gt;\n&lt;\/localfile&gt;\n\n&lt;localfile&gt;\n   &lt;log_format&gt;full_command&lt;\/log_format&gt;\n   &lt;command&gt;netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort&lt;\/command&gt;\n&lt;\/localfile&gt;\n\n&lt;localfile&gt;\n   &lt;log_format&gt;full_command&lt;\/log_format&gt;\n   &lt;command&gt;last -n 5&lt;\/command&gt;\n&lt;\/localfile&gt;\n<\/pre>\n\n\n\n<p>We especially like last, netstat, df, iptables and similar commands, since they let us view the current state of the system.<\/p>\n\n\n\n<p>We can go to the queue directory and see the state of all the systems, for example who logged in on each of them:<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><strong>#<\/strong> cat \/var\/ossec\/queue\/diff\/*\/535\/last-entry\nossec: output: 'last -n 5':\nroot     pts\/0        1.2.3.4   Mon Jun  4 21:00 - 03:04  (06:04)\nroot     pts\/0        2.3.4.5   Mon May  7 20:59 - 20:46 (4+23:46)\ndaniel   pts\/1        2.3.3.4   Fri May  4 22:34 - 22:34  (00:00)\n<\/pre>\n\n\n\n<h1>5- Adding Decoders\/Rules<\/h1>\n\n\n\n<p>It is not often that we need to write custom rules\/decoders, but it is always good to be ready for them when needed.<\/p>\n\n\n\n<p><em>to be added later<\/em><\/p>\n\n\n\n<h1>6- Integrity checking<\/h1>\n\n\n\n<p>Integrity checking is one of the most misused options in OSSEC. It can range from very annoying to completely useless if you don\u2019t do it properly. The default options from OSSEC don\u2019t help much with that either.<\/p>\n\n\n\n<p>The real goal of integrity checking is to verify that the integrity of the files is still intact (they haven\u2019t changed). However, if a file changes many times per week, it becomes very hard to distinguish between a normal and a malicious change.<\/p>\n\n\n\n<p>How we use integrity checking:<\/p>\n\n\n\n<p>1- In real time; 2- only on a small set of files; 3- storing the changes so we can compare them if needed.<\/p>\n\n\n\n<p>The real-time option is especially important, because we can tie it to our policy rules to alert when changes happen at times they shouldn\u2019t.<\/p>\n\n\n\n<p>So, on our web servers, we add the following:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;directories realtime=\"yes\" report_changes=\"yes\" restrict=\".php|.js\"&gt;\/var\/www&lt;\/directories&gt;\n<\/pre>\n\n\n\n<p>This restricts integrity checking to the files we care about (generally .php, .js, .htm, etc.) and monitors them in real time, so when a file changes we get an alert showing what was modified as well.<\/p>\n\n\n\n<h1>7- Conclusion<\/h1>\n\n\n\n<p>This is not a finished document; we will keep updating it as time permits. 
But if you have questions or concerns, please don&#8217;t hesitate to ask. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>People often ask us how we like to setup OSSEC or how we use it internally on my own servers. We always do a set of customizations to make sure we use it the best way possible. In this article we will show step by step those steps and hopefully it can be helpful to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/pages\/396"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=396"}],"version-history":[{"count":2,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/pages\/396\/revisions"}],"predecessor-version":[{"id":400,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/pages\/396\/revisions\/400"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=396"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}