In this article our focus is OSSEC, an open source host-based intrusion detection system (HIDS). It can be installed on Linux, Windows and macOS. Here we will install OSSEC and its web interface on an Ubuntu distribution; in our case both the OSSEC client and server will be Linux machines. We assume that the MySQL and PHP related packages are already installed. OSSEC provides the following features:
- Performs log analysis
- File integrity checking
- Policy monitoring
- Rootkit detection
- Real-time alerting
- Active response
The OSSEC tool can be downloaded from the OSSEC web site, as shown in the figure. The same downloaded compressed archive is used for both the server and the client of OSSEC; server or client mode is selected during the installation process.
Now extract the *.tar.gz file with the following command and change into the extracted directory, as shown below.
#tar -xf ossec-hids-2.8.1.tar.gz
Run the ./install.sh script in the terminal; it will prompt for the following options.
OSSEC Server side installation
First of all, we will install the OSSEC tool in server mode. Select a language at the prompt shown in the following figure. This window is the same in all installation modes of OSSEC.
The following window shows the system details, the terminal user and the hostname. Press Enter to start the installation process.
It shows the following installation modes/types of OSSEC on the machine.
1. Server mode
The server is the central piece of the OSSEC deployment and interacts with the agents/clients. It stores the databases for file integrity checking, events, logs and system auditing entries. It also stores the rules, decoders and major configuration options, which makes administration of a large number of agents easy.
2. Agent mode
In this mode, the OSSEC agent sends events, logs and audit entries to the server/manager.
3. Local mode
Local mode installation is similar to a server/agent installation, except that the server is configured to listen for communication from the agents.
In this mode, the same host acts as both server and client/agent.
In this article, we will install the client and server modes of OSSEC. This machine (192.168.1.10) will be the manager or server, and the OSSEC agent will be on the 192.168.1.11 machine.
1. Select server mode from the given installation types, as shown in the following window.
2. Select the installation directory for OSSEC HIDS. By default, the installation path is /var/ossec.
3. OSSEC provides notification via email, which is an important feature. The next option is for setting the email address and SMTP server.
4. OSSEC's syscheck component performs periodic integrity checking of any configured file (such as /etc/passwd on Linux) or any registry entry on the Windows platform. Integrity checking is an important part of a HIDS, since it detects changes on the system. OSSEC calculates the hash (MD5/SHA1) of key files in the system and of the Windows registry. The agent running on the machine periodically scans the complete system and sends all the hashes to the central OSSEC server. The server stores them and continuously watches for any modifications.
5. OSSEC provides rootkit detection using Rootcheck, an open source tool for rootkit detection and system auditing. Rootcheck scans the whole system and detects the presence of known and unknown rootkits. In addition, it detects kernel-level rootkits and checks the system configuration for insecure options.
6. The Active Response feature of OSSEC can run applications on an agent or server in response to triggers such as specific alerts or alert levels. This feature helps to block SSH login attempts on a machine using iptables.
7. Using this feature, the OSSEC server sends the OSSEC alerts (sent by agents) to a centralized syslog server such as AlienVault. As shown in the figure, OSSEC will send auth.log, syslog, dpkg and Apache logs to the syslog server.
8. After the above settings, OSSEC prompts to start the installation by pressing "ENTER", as shown below.
9. Before the installation completes, it shows some information such as the OS details, the OSSEC start/stop scripts and the path of the OSSEC configuration file.
10. Pressing "ENTER" finishes the OSSEC installation as a server. As shown in the following figure, agents can be added/removed using the 'manage_agents' utility.
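As an added illustration of what step 4 describes (this is not OSSEC's own code), the following Python script mimics syscheck's behaviour: it records MD5 and SHA1 digests of a set of files as a baseline, rescans them later and reports files that were modified, deleted or added. The file names and contents are constructed for the demo in a temporary directory.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """Return (md5, sha1) hex digests of a file, the two hashes syscheck uses."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def build_baseline(paths):
    """First full scan on the agent: hash every configured file that exists."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}

def check_integrity(baseline, paths):
    """Rescan and compare against the stored baseline, as the server does with
    the hashes reported by an agent. Returns {path: 'modified'|'deleted'|'added'}."""
    current = build_baseline(paths)
    alerts = {}
    for p, digests in baseline.items():
        if p not in current:
            alerts[p] = "deleted"
        elif current[p] != digests:
            alerts[p] = "modified"
    for p in current:
        if p not in baseline:
            alerts[p] = "added"
    return alerts

def demo():
    """Constructed scenario: fake passwd gains a uid-0 user, shadow is removed, hosts is untouched."""
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n) for n in ("passwd", "shadow", "hosts")}
        with open(files["passwd"], "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(files["shadow"], "w") as f:
            f.write("root:*:19000:0:99999:7:::\n")
        with open(files["hosts"], "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(list(files.values()))
        with open(files["passwd"], "a") as f:
            f.write("eve:x:0:0::/home/eve:/bin/bash\n")  # change syscheck should flag
        os.remove(files["shadow"])
        alerts = check_integrity(baseline, list(files.values()))
        # report by file name so the result does not depend on the temp path
        return {os.path.basename(p): v for p, v in alerts.items()}
```

Real syscheck also records permissions, owner and size and raises the alert level for files under directories such as /etc; this toy keeps only the hash comparison.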
OSSEC Client Side installation
Now we will install OSSEC in client mode on an agent for integrity and rootkit detection.
1. Select agent mode when installing OSSEC on server machines and end hosts.
2. Set the configuration path (/var/ossec by default).
3. Enter the IP address of the OSSEC server/manager (192.168.1.10).
4. Enable the integrity check feature of OSSEC in client mode.
5. Enable the rootkit detection and active response features.
6. Press "Enter" to start the installation process.
7. The following window shows the start/stop scripts and the configuration path for OSSEC. Press "Enter" to complete the installation process.
In this part of the article we have installed the open source HIDS tool OSSEC on the Ubuntu platform. In the second part, we will configure OSSEC for Windows and Linux based clients (adding, listing and deleting clients, fetching keys from the server, etc.). OSSEC clients need keys generated by the OSSEC server. In the end, we will monitor the OSSEC client/server from the web interface.