OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It’s a must-have security application on any server.
OSSEC can be installed to monitor just the server it’s installed on (a local installation), or be installed as a server to monitor one or more agents. In this tutorial, you’ll learn how to install OSSEC to monitor CentOS 7 as a local installation.
ssh -l joe server-ip-address
OSSEC will be compiled from source, so you need a compiler to make that possible. It also requires an extra package for notifications. Install them by typing:
sudo yum install -y gcc inotify-tools
OSSEC is delivered as a compressed tarball that has to be downloaded from the project’s website. The checksum file, which will be used to verify that the tarball has not be tampered with, also has to be downloaded. At the time of this publication, the latest version of OSSEC is 2.8.2. Check the project’s download page and download whatever the latest version is.
To download the tarball, type:
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
For the checksum file, type:
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2-checksum.txt
With both files downloaded, the next step is to verify the MD5 and SHA1 checksums of the tarball. For the MD5sum, type:
md5sum -c ossec-hids-2.8.2-checksum.txt
The expected output is:
ossec-hids-2.8.2.tar.gz: OK
md5sum: WARNING: 1 line is improperly formatted
To verify the SHA1 hash, type:
sha1sum -c ossec-hids-2.8.2-checksum.txt
And its expected output is:
ossec-hids-2.8.2.tar.gz: OK
sha1sum: WARNING: 1 line is improperly formatted
During OSSEC’s installation process, you’ll be prompted to specify an SMTP server for your email address. If you don’t know what it is, the easiest method to find out is by issuing this command from your local machine (replace the fake email address with your real one):
dig -t mx you@example.com
The relevant section in the output is shown in this code block. In this sample output, the SMTP server for the queried email address is at the end of the line – mail.vivaldi.net. . Note that the dot at the end is included.
;; ANSWER SECTION:
vivaldi.net. 300 IN MX 10 mail.vivaldi.net.
To install OSSEC, you first need to unpack the tarball, which you do by typing:
tar xf ossec-hids-2.8.2.tar.gz
It will be unpacked into a directory that bears the name and version of the program. Change or cd
into it. OSSEC 2.8.2, the version installed for this article, has a minor bug that needs to be fixed before starting the installation. By the time the next stable version is released, which should be OSSEC 2.9, this should not be necessary, because the fix is already in the master branch. Fixing it for OSSEC 2.8.2 just means editing one file, which is found in the active-response
directory. The file is hosts-deny.sh
, so open it using:
nano active-response/hosts-deny.sh
Towards the end of the file, look for this block of code:
# Deleting from hosts.deny
elif [ "x$" = "xdelete" ]; then
lock;
TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
if [ "X$" = "X" ]; then
# Cheap fake tmpfile, but should be harder then no random data
TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
fi
On the lines that start with TMP_FILE, delete the spaces around the = sign. After removing the spaces, that portion of the file should be as shown in the block of code below. Save and close the file.
# Deleting from hosts.deny
elif [ "x$" = "xdelete" ]; then
lock;
TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
if [ "X$" = "X" ]; then
# Cheap fake tmpfile, but should be harder then no random data
TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
fi
Now that the fix is in, we can start the installation process, which you do by typing:
sudo ./install.sh
Throughout the installation process, you’ll be prompted to provide some input. In most cases, you only have to press ENTER to accept the default. First, you’ll be prompted to select the installation language, which by default, is English (en). So press ENTER if that’s your preferred language. Otherwise, input the 2 letters from the list of supported languages. Afterwards, press ENTER again.
The first question will ask you what type of installation you want. Here, enter local.
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
For subsequent questions, press ENTER to accept the default. Question 3.1 will prompt you for your email address and then ask for your SMTP server. For that question, enter a valid email address and the SMTP server you determined in Step 3.
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]:
- What's your e-mail address? you@example.com
- What's your SMTP server ip/host?
If installation is successful, you should see this output:
- Configuration finished properly.
...
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
Press ENTER to finish the installation.
OSSEC has been installed, but not started. To start it, first switch to the root account.
sudo su
Then, start it by issuing the following command.
/var/ossec/bin/ossec-control start
Afterwards, check your Inbox. There should be an alert from OSSEC informing you that it has been started. With that, you now know that OSSEC is installed and will be sending alerts as needed.
The default configuration of OSSEC works fine, but there are settings you can tweak to make it protect your server better. The first file to customize is the main configuration file – ossec.conf
, which you’ll find in the /var/ossec/etc
directory. Open the file:
nano /var/ossec/etc/ossec.conf
The first item to verify is an email setting, which you’ll find in the global section of the file:
<global>
<email_notification>yes</email_notification>
<email_to>finid@vivaldi.net</email_to>
<smtp_server>mail.vivaldi.net.</smtp_server>
<email_from>ossecm@aklwebhost.guest</email_from>
</global>
Make sure that the email_from address is a valid email. Otherwise, some email provider’s SMTP server’s will mark alerts from OSSEC as Spam. If the FQDN of the server is not set, the domain part of the email is set to the hostname of the server, so this is a setting that you really want to have a valid email address.
Another setting that you want to customize, especially while testing the system, is the frequency with which OSSEC runs its audits. That setting is in the syscheck section, and, by default, it is run every 22 hours. To test OSSEC’s alerting features, you might want to set it to a lower value, but reset it to the default afterwards.
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
By default, OSSEC does not alert when a new file is added to the server. To change that, add a new tag just under the < frequency > tag. When completed, the section should now contain:
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<alert_new_files>yes</alert_new_files>
One last setting that’s good to change is in the list to directories that OSSEC should check. You’ll find them right after the previous setting. Be default, the directories are shown as:
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
Modify both lines to make OSSEC report changes in real-time. When finished, they should read:
<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
Save and close the file.
The next file that we’ll need to modify is local_rules.xml
in the /var/ossec/rules
directory. So cd
into that directory:
cd /var/ossec/rules
That directory holds OSSEC’s rule files, none of which should be modified, except the local_rules.xml
file. In that file, we add custom rules. The rule we need to add is the one that fires when a new file is added. That rule, numbered 554, does not trigger an alert by default. That’s because OSSEC does not send out alerts when a rule with level set to zero is triggered.
Here’s what rule 554 looks like by default.
<rule id="554" level="0">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
We need to add a modified version of that rule in the local_rules.xml
file. That modified version is given in the block of code below. Copy and add it to the bottom of the file just before the closing tag.
<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
Save and close the file, then restart OSSEC.
/var/ossec/bin/ossec-control restart
OSSEC is a very powerful piece of software, and this article just touched on the basics. You will find more customization settings in the official documentation.