In our previous article we explained the installation of OSSEC on Ubuntu platform. In this part, first we will configure both client and server of OSSEC for rootkit detection, integrity checking and auditing features. Then we will integrate database with OSSEC and web interface for better analysis of logs and alerts.
OSSEC Server Configuration
After successful installation of OSSEC server, following output appears in the terminal. It is shown in the figure that manage_agents is the tool/utility for the management of agents (connect OSSEC agents with server or manager)
Using manage_agents tool, following operations can be performed which are shown in below figure.
1) Add an agent
2) Extract key for an agent
3) List already added agents
4) Remove an agent
Enter "A" to add new agent of OSSEC. Following information required to enter for new agent.
- Name of Agent (ubuntu_machine)
- IP address (192.168.1.11)
- ID of agent (001)
Using List(L) option, we can list already added agents of OSSEC. It is shown in the following figure
OSSEC agent can not communicate with OSSEC server until we import key provided by the server. Enter "E" option for extraction of keys for OSSEC agent from OSSEC server. Extract key option display available agents with ID, IP and host name details.
It is shown in the following figure that we have extracted Key for agent ID 001.
Next step is to import the key on the OSSEC agent so that both can communicate each other. In the next section we explained the key importing process for OSSEC agent.
Agents setting on OPEC Client
Like OSSEC server, OSSEC client uses the same "mange_agents" utility for importing key generated at server/manager.
It is mention in the above figure that
First we have to add agent in the server so that both can communicate with each other.
Import authentication key on agent provided by the OSSEC server.
When we run /var/ossec/bin/manage_agents on the OSSEC client, It will prompt option that press "I" to import key from the server. We can import agent keys by just cut and paste. In the following figure, we copied key from the OSSEC server and paste it on OSSEC client.
On Pressing "Enter", agent information (ID, Name and IP address) will be shown in the same window. If the information is correct then enter "y" to add the key on Client end.
Logs and Alerts on OSSEC Server
Command line interface (CLI)
OSSEC server store logs and alerts under /var/ossec/logs/ directory. Here we can see alerts generated by the OSSEC client on ubuntu machine(192.168.1.11).
It is shown in the following figure that SSH wrong password attempts on Ubuntu machine (192.168.1.11).
Instead of command line view of logs and alerts, OSSEC support web interfaces for better understanding of logs/alerts generated by the agents. OSSEC web interface is dependent on database and mainly it uses mysql. Therefor install mysql-server, mysql-client and libmysqlclient-dev packages. Along mysql packages, also install php packages which is required by mysql.
Database and web interface Integration
1. Install mysql server,client and mysql development library packages.
Otherwise following error will prompt when run make setdb command in OSSEC source code.
2. Recompile the OSSEC on the server end and don't change the earlier configuration of OSSEC server.
3. After successful installation of OSSEC with mysql database, next is the creation of new database and grant permission on it. It is shown in the following figure.
root@test-VirtualBox:/var/www# mysql -u root -p
mysql> create database ossec;
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec_u;
Query OK, 0 rows affected (0.27 sec)
mysql> set password for ossec_u=PASSWORD('password');
Query OK, 0 rows affected (0.07 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.06 sec)
4. Import the database schema (mysql.schema) which is given in the OSSEC source.
5. Change the database related setting in the ossec.conf file (/var/ossec/etc/ossec.conf) which is given in the following snapshot
6. To apply the above changes, run following ossec commands to enable database with OSSEC
7. After the successful integration of mysql with OSSEC, now we will download OSSEC web interface and change its permission. Download it from OSSEC website, extract it and move under /var/www/ directory of Apache web server. (/var/www is the root directory for Apache)
Also change the permission of /var/ossec directory otherwise web interface will produce "unable to access ossec directory" error.
After changing the permission of necessary directories, type localhost/ossec in the browser. It will show window like given below.
In this part of the article, we learned integration of OSSEC with mysql database so that alerts/logs stored for better analysis. Alerts generated by the OSSEC can be view on CLI and web interface. Therefore we integrated web interface with the OSSEC server installation for better analysis of alerts and managements of OSSEC clients.