OSSEC HIDS Overview
OSSEC is a host based intrusion detection and prevention system (HIDS/HIPS). A host based based intrusion detection system or host based intrusion prevention system serves a similar function as antivirus software. A HIDS can warn you if it discovers that your system has an intrusion or virus, and a HIPS can warn you in real-time, if an intrusion is currently being attempted, and block it. This can greatly increase the security of your system, especially if you are running servers like a webserver. OSSEC is supported by the TrendMicro security company.
OSSEC Installation and Configuration
1. Elevate to root user. Download OSSEC, extract it, change directories and list the directory contents to look for the installation script. Before you can run the installation script you will need to install the GCC compiler.
$ su –
# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
# tar -xf ossec-hids-2.7.tar.gz
# cd ossec-hids-2.7
# yum -y install gcc
2. Run the installation script and choose hybrid install. Answer yes to everything else, but no to the active response, you can change that later. For the IP address or hostname of the OSSEC server type in localhost and press enter.
3. Run the service status and the service start commands. When you try to start the program, you will get an error that it is missing the client.keys file.
# service ossec status
# service ossec start
4. Run the ./ossec-control program to see the program options. Run the ./ossec-control enable client-syslog options. When you try to start the program, ./ossec-control start, you will get an error that it is missing the client.keys file. Create an empty client.keys file using the touch command, then start the ossec-control program.
# cd /var/ossec/bin/
# ./ossec-control enable
# ./ossec-control enable client-syslog
# ./ossec-control start
# touch /var/ossec/ossec-agent/etc/client.keys
# ./ossec-control start
5. Using the cd command return to your home directory then download the web user interface using wget. Verify the checksum, extract the tar.gz file and move the contents of the directory to a new directory at /var/www/html/ossec.
# cat ossec-wui-0.3-checksum.txt
# sha1sum ossec-wui-0.3.tar.gz
# tar -xf ossec-wui-0.3.tar.gz
# mv ossec-wui-0.3 /var/www/html/ossec
# cd /var/www/html/ossec/
6. Run the setup script you will be prompted to create a username and password.
7. Recursively change the ossec folder owner and group to apache:apache.
# cd ..
# chown apache:apache -R ossec/
8. Now using Firefox go to the webpage for OSSEC at http://localhost/ossec and you will get a 403 forbidden error message. By examining the httpd error log you can find information related to the error. SELinux may be a potential cause to the problem.
# cat /var/log/httpd/error_log
9. Edit the group file with Vim or Nano. Arrow down to the bottom of the group file and add apache to the ossec group. In Vim you will need to press the i key in order to get to insert mode to edit the text, and the escape key and press the :wq keys in order to save the file.
# vim /etc/group
10. Check to see if selinux is enforced. A 1 means that it is enforced.
# cat /selinux/enforce
11. Since OSSEC was downloaded and extracted from a tar.gz file there was no security context associated with the files. This can be fixed by using the restore context program to restore the security context.
# restorecon -R /var/www/html/ossec/
12. Now change the security context for the OSSEC alerts.log file so it can be read by the Apache server.
# chcon -t httpd_sys_content_t /var/ossec/logs/alerts/alerts.log
# chcon -t httpd_sys_content_t /var/ossec/queue/syscheck/syscheck
13. Restart the Apache and OSSEC services.
# service httpd restart
# service ossec restart
14. Now go to the OSSEC homepage at http://localhost/ossec to see the latest events in your host based intrusion detection system.