OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. You can get the latest version from their site - http://www.ossec.net/
To install a local version of OSSEC on RHEL 7, you can follow the steps below:-
1. Install gcc compiler and also "wget" package
$sudo yum -y install gcc wget
2. Download latest version of OSSEC
$wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
3. Uncompress the source into a folder
$tar xvfz ossec-hids-2.8.1.tar.gz
4. change directory to the unzipped ossec folder
$cd /home/ec2-user/ossec-hids-2.8.1
5. Execute the install.sh script
$sudo ./install.sh
6. Enter responses to the questions asked by OSSEC
*************
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:/var/ossec
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]:y
- What's your e-mail address? test@example.com
- We found your SMTP server as: mail.example.com.
- Do you want to use it? (y/n) [y]:
--- Using SMTP server: mail.example.com.
3.2- Do you want to run the integrity check daemon? (y/n) [y]:y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:y
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific command based on the events received.
- Do you want to enable active response? (y/n) [y]:y
Active response enabled.
....
Accept defaults for the rest
*************
7., You can start the ossec services by running
$sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-maild already running...
ossec-execd already running...
ossec-analysisd already running...
ossec-logcollector already running...
ossec-syscheckd already running...
ossec-monitord already running...
Completed.
8. To stop the ossec services, you can run
$sudo /var/ossec/bin/ossec-control stop
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.8 Stopped
9. Important configuration files can below located in the below folders:-
Rules - /var/ossec/rules
Configuration - /var/ossec/etc/ossec.conf
logs - /var/ossec/logs/ossec.log
10. In case of errors sending email via smtp, you will see the below errors in /var/ossec/logs/ossec.log
*************
2015/05/06 01:43:42 ossec-maild(1223): ERROR: Error Sending email to <ip address> (smtp server)
2015/05/06 01:44:22 ossec-maild(1223): ERROR: Error Sending email to <ip address>(smtp server)
*************
NOTE - for similar steps on ubuntu you can refer to - https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04
To install a local version of OSSEC on RHEL 7, you can follow the steps below:-
1. Install gcc compiler and also "wget" package
$sudo yum -y install gcc wget
2. Download latest version of OSSEC
$wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
3. Uncompress the source into a folder
$tar xvfz ossec-hids-2.8.1.tar.gz
4. change directory to the unzipped ossec folder
$cd /home/ec2-user/ossec-hids-2.8.1
5. Execute the install.sh script
$sudo ./install.sh
6. Enter responses to the questions asked by OSSEC
*************
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:/var/ossec
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]:y
- What's your e-mail address? test@example.com
- We found your SMTP server as: mail.example.com.
- Do you want to use it? (y/n) [y]:
--- Using SMTP server: mail.example.com.
3.2- Do you want to run the integrity check daemon? (y/n) [y]:y
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:y
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific command based on the events received.
- Do you want to enable active response? (y/n) [y]:y
Active response enabled.
....
Accept defaults for the rest
*************
7., You can start the ossec services by running
$sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-maild already running...
ossec-execd already running...
ossec-analysisd already running...
ossec-logcollector already running...
ossec-syscheckd already running...
ossec-monitord already running...
Completed.
8. To stop the ossec services, you can run
$sudo /var/ossec/bin/ossec-control stop
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.8 Stopped
9. Important configuration files can below located in the below folders:-
Rules - /var/ossec/rules
Configuration - /var/ossec/etc/ossec.conf
logs - /var/ossec/logs/ossec.log
10. In case of errors sending email via smtp, you will see the below errors in /var/ossec/logs/ossec.log
*************
2015/05/06 01:43:42 ossec-maild(1223): ERROR: Error Sending email to <ip address> (smtp server)
2015/05/06 01:44:22 ossec-maild(1223): ERROR: Error Sending email to <ip address>(smtp server)
NOTE - for similar steps on ubuntu you can refer to - https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04
No comments:
Post a Comment