I.T. Security and Linux Administration

Mar 11 2011   3:17PM GMT

Minimalistic HIDS: OSSEC

Eric Hansen

While this software is far from new in the world of IDSes, I’m not sure just how many people actually know about this IDS (especially since Snort takes the crown most of the time).  However, while I’m not a fan of Trend Micro and their products, they are backing what can easily be a perfect IDS in OSSEC.

What is a HIDS and OSSEC?

Without going into all the gritty details, a HIDS is a host-based intrusion detection system.  Basically, what it does is monitor systems on the network (instead of the network itself, which a NIDS [network intrusion detection system] does).  From what I’ve found, a NIDS is good if you want to monitor the whole network, and a HIDS is useful if you only want to monitor specific systems (such as just an e-mail and web server).  Generally, to compensate for the lack of network-wide detection, HIDS monitor logs as well, such as syslog.  Some also monitor file system activity and the like, but it’s not a priority.

OSSEC pretty much exemplifies what a HIDS is used for.  You install the server itself on a machine (if possible, not on the one you want to monitor), and agents (or sensors) on the machines you want to monitor.  It will monitor the file system for changes, logs and essentially anything else you tell it to (with plug-ins).  OSSEC also offers a notification system for those who want to be e-mailed about changes it detects.  Lastly, OSSEC runs on many systems (including Linux, Mac, Windows and Unix), so there is a wide range of support, not to mention that their mailing list is very active with support.

How Do I Download and Install OSSEC?

First thing that should be pointed out is that Windows offers an agent only, so you will have to use a different operating system for a server.  This might change in the future, but for now, this is how it is.  This will be installed on my home server, and here are the specs:

Linux (Arch Linux) running kernel 2.6.37 on an AMD Sempron 3100+ processor with about 720 MB of RAM (and 7 MB of swap)

I’ll also go through setting up the OSSEC Web UI, as it is quite helpful for monitoring the system as well.  However, this was done using Lighttpd running PHP 5.3.3 (FastCGI).  The Apache instructions on OSSEC’s website should be enough for that web server.  For those wondering why I’m not using Apache for this, it’s always been a resource hog (even in its 1.x days), and I find Lighttpd easier to maintain and manage.  One last point I’m going to make here is that this article only covers installing the server itself.  Installing and adding sensors will come in a different article, as it has its own heartaches and breaks.

Before installing OSSEC, you need to have gcc (or g++) installed (or some other C compiler), htdigest (if you’re using Apache, it’s already there), md5sum and sha1sum.  If whereis md5sum or whereis sha1sum returns no path, then see if your system has md5 and sha1 (most flavors have one or the other), and create a symlink to its *sum partner.  In regards to htdigest, here’s a script that’ll work if you don’t want to install Apache just for this tool:

#!/bin/sh
# Usage: htdigest USER REALM PASSWORD
# Prints "user:realm:MD5(user:realm:password)", the line format htdigest files use.
user=$1
realm=$2
pass=$3

# printf instead of "echo -n": echo -n is not portable across /bin/sh implementations
hash=$(printf '%s' "$user:$realm:$pass" | md5sum | cut -c1-32)

echo "$user:$realm:$hash"

How to use: htdigest "username" "name of OSSEC realm" "password" > ossec.htdigest (example: htdigest "bob" "OSSEC" "denver"). The quotes are required if you’re using a space in any of them.
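As an added example (not from the original post), the script below goes a step further than the generator above: it picks whichever MD5 tool the host has (md5sum on most Linux systems, md5 on BSD and Mac), which covers the missing-tool case mentioned in the prerequisites, and it adds a check function that verifies a user/realm/password against an existing htdigest file. The user, realm and password values are the constructed ones from the usage line; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: build and verify htdigest lines
# using whichever MD5 tool the system provides.

# md5_hex STRING -> MD5 hex digest of STRING (no trailing newline fed to the hasher).
# printf is used because "echo -n" behaves differently across /bin/sh implementations.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -c1-32
    elif command -v md5 >/dev/null 2>&1; then
        printf '%s' "$1" | md5 -q
    else
        echo "neither md5sum nor md5 found in PATH" >&2
        return 1
    fi
}

# htdigest_line USER REALM PASSWORD
# Emits "user:realm:MD5(user:realm:password)", the HA1 form that Apache's htdigest
# writes and that lighttpd's mod_auth htdigest backend reads.
htdigest_line() {
    user=$1; realm=$2; pass=$3
    hash=$(md5_hex "$user:$realm:$pass") || return 1
    printf '%s:%s:%s\n' "$user" "$realm" "$hash"
}

# htdigest_check FILE USER REALM PASSWORD
# Returns 0 if FILE has an entry for USER in REALM whose hash matches PASSWORD.
# The stored value is an unsalted MD5 of user:realm:password, so the file itself
# must stay readable by the web server only.
htdigest_check() {
    file=$1; user=$2; realm=$3; pass=$4
    expected=$(md5_hex "$user:$realm:$pass") || return 1
    grep -q "^$user:$realm:$expected\$" "$file"
}

# demo -> writes a one-user file with the constructed values and checks it both ways
demo() {
    tmp=$(mktemp)
    htdigest_line bob OSSEC denver > "$tmp"
    htdigest_check "$tmp" bob OSSEC denver && echo "bob: password accepted"
    htdigest_check "$tmp" bob OSSEC wrong || echo "bob: wrong password rejected"
    rm -f "$tmp"
}
```

Run demo to see both outcomes; htdigest_check is also handy for confirming that the file you point lighttpd at really contains the user and realm you think it does.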

Step 1: Download and untar

The latest build right now is 2.5.1, and according to their site, they send out a new release (including new rules and definitions) every 3-4 months.  While there’s no change log or anything to indicate release dates, ls -liha shows most files being modified on Oct 12th (I untarred the file today).

First, download and extract the latest tarball:

wget http://www.ossec.net/files/ossec-hids-2.5.1.tar.gz && tar -xf ossec-hids-2.5.1.tar.gz

This will create an ossec-hids-2.5.1 folder.  Inside, it has install.sh, which you need to run:

./install.sh

The first prompt asks which language you want to use; the default is English (en), but choose as needed. Next comes a message saying that a C compiler needs to be installed; just hit Enter. Then you choose what you want to install:

Server: If you are going to have more than one system to monitor, this is the choice to make. Besides monitoring the system it’s installed on, it also offers remote administration of the agents.
Local: Same as server, minus the ability to monitor agents.
Agent: Basically a node on the network (useful if it’s a server that is used at least moderately). Installing OSSEC as an agent lets the computer connect to the server and send it various information.

My personal choice here was server, but local can work as well. If you choose local you’ll get fewer options during the following steps, but I’ll go with server just for the full experience.

Choosing the path is pretty simple; the default location (/var/ossec) is generally the best. If you change this, however, make note of it. E-mail notifications are enabled by default, which I kept on as it’s needed. Another thing to make note of here, though, is that if you are using GMail as your SMTP server, you have to use this: gmail-smtp-in.l.google.com

The integrity check daemon runs on the server and monitors important files; if they are modified (their checksums change), it sends out a notice. When it comes to rootkit detection, though, I turn that off: it’s a Linux machine that isn’t used much from the outside, so I’m not worried about it.

As for active response, it’s best to keep it enabled, especially if you decide to develop your own plug-ins for OSSEC later on. This feature basically lets OSSEC act as a firewall of sorts as well, depending on what you have it do (e.g. if php.ini is modified by a user that’s not root, you can block access for that user). Firewall-drop events are enabled for me, as the server I have OSSEC installed on is heavily used over SSH, so I prefer to be safe rather than sorry. All it really does is let OSSEC add iptables rules.

Remote syslog is disabled, as I don’t have any other Linux machines connecting to the server, but if you do, or plan to, it’s safe to enable this. After this, OSSEC runs its makefile, compiling everything needed. Even on my old server it doesn’t take longer than 5 minutes.
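Once install.sh has finished, the choices above end up in ossec.conf, and it is worth confirming what was actually written rather than trusting memory of the prompts. The script below is an added example (not from the original post and not part of OSSEC) that reports the state of each install-time choice from a conf file. The element names it looks for (global/email_notification, syscheck, rootcheck, active-response, remote/connection and the disabled flag) are OSSEC’s own; the sample file content is constructed here to match the choices made in this article, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post or of OSSEC: summarise the
# install-time choices recorded in ossec.conf.

# Constructed excerpt matching the choices above: e-mail on, integrity checking on,
# rootkit detection off, active response with firewall-drop on, remote syslog off.
SAMPLE_CONF='<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>gmail-smtp-in.l.google.com</smtp_server>
  </global>
  <syscheck>
    <frequency>79200</frequency>
  </syscheck>
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>
  <remote>
    <connection>secure</connection>
  </remote>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>'

# write_sample FILE -> writes the constructed excerpt to FILE
write_sample() { printf '%s\n' "$SAMPLE_CONF" > "$1"; }

# section FILE TAG -> prints every <TAG> ... </TAG> block in FILE (nothing if absent)
section() { sed -n "/<$2>/,/<\/$2>/p" "$1"; }

# value_of TAG -> reads a section on stdin, prints the text of the first <TAG>...</TAG>
value_of() { sed -n "s|.*<$1>\([^<]*\)</$1>.*|\1|p" | head -n 1; }

# enabled_section FILE TAG -> 0 when the section exists and is not <disabled>yes</disabled>
enabled_section() {
    s=$(section "$1" "$2")
    [ -n "$s" ] && ! printf '%s\n' "$s" | grep -q '<disabled>yes</disabled>'
}

# feature_status FILE FEATURE -> prints "on" or "off" for one install-time choice
feature_status() {
    f=$1
    case $2 in
        email)
            [ "$(section "$f" global | value_of email_notification)" = yes ] && echo on || echo off ;;
        syscheck|rootcheck|active-response)
            enabled_section "$f" "$2" && echo on || echo off ;;
        firewall-drop)
            enabled_section "$f" active-response &&
                [ "$(section "$f" active-response | value_of command)" = firewall-drop ] &&
                echo on || echo off ;;
        remote-syslog)
            section "$f" remote | grep -q '<connection>syslog</connection>' && echo on || echo off ;;
        *)
            echo "unknown feature: $2" >&2; return 1 ;;
    esac
}

# report FILE -> one "feature: on|off" line per install-time choice
report() {
    for feat in email syscheck rootcheck active-response firewall-drop remote-syslog; do
        printf '%s: %s\n' "$feat" "$(feature_status "$1" "$feat")"
    done
}
```

On a real host, run report /var/ossec/etc/ossec.conf (or the path you chose); on the sample it prints rootcheck: off and remote-syslog: off with everything else on, which is exactly the set of choices made above.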

Step 2: Getting OSSEC to Run

For some systems, it’ll install an init script at the end of a successful compile. If this doesn’t happen for some reason, though, you can use this simple init script:

#!/bin/sh
# Minimal init script: hand the action (start, stop, restart, status, ...) to ossec-control
exec /var/ossec/bin/ossec-control "$1"

I tried creating a simple symlink, but the path to ossec-control isn’t hard-coded, so it would cause ossec-control to be run from /etc/rc.d/ instead of /var/ossec. You can pass the generic arguments to it (even status).

Step 3: Installing the Web UI

Once you have OSSEC running, it’s time to install the web UI. The process itself is easy, but there are some configuration changes that need to be made for it to work correctly. For modules in Lighttpd, you need to have mod_fcgi (for FastCGI use) and mod_auth (for authentication) enabled. The basic setup of Lighttpd + PHP is out of the scope of this article. This assumes that the web root is /srv/http. Make the necessary changes to suit your server.

To begin, you need to download and untar the web UI file. For the sake of simplicity, the current directory will be in the web root (/srv/http).

wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz && tar -xf ossec-wui-0.3.tar.gz

To make things easier you can rename the folder (mv ossec-wui-0.3 owui). If you changed the install path of OSSEC, make sure that $ossec_dir points to the correct path in ossec_config.php. For Apache, you can run setup.sh to create a user for logging into OSSEC with (that’s all the file does), but if you’re using Lighttpd you can ignore that file.

Step 4: Modify PHP

You can do this step at any point, but since we’ll have to restart the web server anyway, we may as well do it now. You need to edit your php.ini file and add the path of OSSEC to open_basedir. You can skip this step if you wish, but if you get an error later saying that the web UI can’t open the OSSEC directory, this is what fixed it for me.

Step 4: Configure Lighttpd

First, I’ll show what I have set in my config file for Lighttpd, and then explain the important parts.

$HTTP["url"] =~ "ossec" {
    auth.backend = "htdigest"
    auth.backend.htdigest.userfile = "/etc/lighttpd/ossec_auth"
    auth.require = ( "" =>
        (
            "method"  => "digest",
            "realm"   => "ossec",
            "require" => "user=raevin"
        )
    )
}

The authentication method is up to you; digest is what the OSSEC install guide recommends, however. You don’t even need authentication, but it’s highly recommended. The line:

auth.backend.htdigest.userfile = "/etc/lighttpd/ossec_auth"

should point to the authentication file (see my script above for more information). After that, make sure that the realm matches what you put into your authentication file, and that the user named on the require line below it (user=raevin in my config) actually has an entry in that file.
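The two mismatches that silently break digest auth here are a realm string that differs between the Lighttpd block and the htdigest file (the file is case-sensitive, so "ossec" and "OSSEC" are different realms) and a require line naming a user with no entry. The script below is an added example, not from the original post, that cross-checks the two. It writes a constructed copy of the config block above and a constructed userfile (the hash is a placeholder, not a real digest) into paths you supply; the check logic and function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check the Lighttpd digest-auth
# block against the htdigest userfile it points at.

# write_samples CONF USERFILE -> constructed copies of the config block and userfile
write_samples() {
    cat > "$1" <<'EOF'
$HTTP["url"] =~ "ossec" {
    auth.backend = "htdigest"
    auth.backend.htdigest.userfile = "/etc/lighttpd/ossec_auth"
    auth.require = ( "" =>
        (
            "method"  => "digest",
            "realm"   => "ossec",
            "require" => "user=raevin"
        )
    )
}
EOF
    # user:realm:MD5(user:realm:password); the hash below is a constructed placeholder
    cat > "$2" <<'EOF'
raevin:ossec:00000000000000000000000000000000
EOF
}

# conf_value CONF KEY -> the quoted value after "KEY" => inside the auth.require block
conf_value() {
    sed -n "s/.*\"$2\" *=> *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_auth CONF USERFILE -> 0 if consistent; otherwise prints each problem and returns 1
check_auth() {
    conf=$1; userfile=$2; rc=0
    method=$(conf_value "$conf" method)
    realm=$(conf_value "$conf" realm)
    require=$(conf_value "$conf" require)

    [ "$method" = digest ] || { echo "method is '$method', expected digest"; rc=1; }
    [ -n "$realm" ] || { echo "no realm set in $conf"; rc=1; }
    [ -r "$userfile" ] || { echo "userfile $userfile is not readable"; return 1; }

    case $require in
        user=*)
            # a single named user must have an entry in exactly this realm
            user=${require#user=}
            if ! grep -q "^$user:$realm:[0-9a-f]\{32\}\$" "$userfile"; then
                echo "no entry for user '$user' in realm '$realm' in $userfile"; rc=1
            fi ;;
        valid-user)
            # any user will do, but at least one entry must carry this realm
            grep -q "^[^:]*:$realm:[0-9a-f]\{32\}\$" "$userfile" ||
                { echo "no users for realm '$realm' in $userfile"; rc=1; } ;;
        *)
            echo "unrecognised require value '$require'"; rc=1 ;;
    esac
    return $rc
}
```

On a live host, point check_auth at /etc/lighttpd/lighttpd.conf and the userfile named on the auth.backend.htdigest.userfile line; a non-zero exit with a printed reason tells you which side to fix before you restart the daemon.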

Step 5: Testing the Web UI

Restart the Lighttpd daemon, clear the temp files that FastCGI creates (if you don’t have your init script do that automatically for you), and check to see if you can access the web UI at http://localhost/owui/. If it does work, you should see at least one monitored host (127.0.0.1). If you have any issues, leave a comment and I’ll try to help.

Notes

To uninstall or update your OSSEC files, you will need to download the newest tar file and run install.sh again. After you choose your language, it’ll ask if you wish to update your setup. If you choose no, then it’ll ask if you wish to uninstall OSSEC.

Making plug-ins and such for OSSEC is kind of tricky. I’ll try to write a guide on this after I go through how to set up agents.
