Tuesday, May 5, 2015

Installing and configuring OSSEC for host based intrusion detection system (HIDS) on RHEL 7

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. You can get the latest version from their site - http://www.ossec.net/

To install a local (stand-alone) version of OSSEC on RHEL 7, follow the steps below:

1. Install the gcc compiler and the wget package (install.sh builds OSSEC from source)

$sudo yum -y install gcc wget

2. Download the latest version of OSSEC

$wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz

3. Uncompress the source into a folder

$tar xvfz ossec-hids-2.8.1.tar.gz

4. Change directory into the unpacked OSSEC folder

$cd /home/ec2-user/ossec-hids-2.8.1

5. Execute the install.sh script

$sudo ./install.sh

6. Enter responses to the questions asked by the OSSEC installer

*************
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
2- Setting up the installation environment.
  - Choose where to install the OSSEC HIDS [/var/ossec]:/var/ossec
3- Configuring the OSSEC HIDS.
  3.1- Do you want e-mail notification? (y/n) [y]:y
     - What's your e-mail address? test@example.com
     - We found your SMTP server as: mail.example.com.
     - Do you want to use it? (y/n) [y]:
     --- Using SMTP server:  mail.example.com.
  3.2- Do you want to run the integrity check daemon? (y/n) [y]:y
     - Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:y
     - Running rootcheck (rootkit detection).
  3.4- Active response allows you to execute a specific command based on the events received.
     - Do you want to enable active response? (y/n) [y]:y
       Active response enabled.
....
Accept defaults for the rest
*************

7. You can start the OSSEC services by running

$sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
ossec-maild already running...
ossec-execd already running...
ossec-analysisd already running...
ossec-logcollector already running...
ossec-syscheckd already running...
ossec-monitord already running...
Completed.

8. To stop the OSSEC services, you can run

$sudo /var/ossec/bin/ossec-control stop
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.8 Stopped

9. Important configuration files and logs are located in the following places:

Rules - /var/ossec/rules
Configuration - /var/ossec/etc/ossec.conf
Logs - /var/ossec/logs/ossec.log

10. If OSSEC cannot send e-mail via SMTP, you will see errors like the following in /var/ossec/logs/ossec.log:

*************
2015/05/06 01:43:42 ossec-maild(1223): ERROR: Error Sending email to <ip address> (smtp server)
2015/05/06 01:44:22 ossec-maild(1223): ERROR: Error Sending email to  <ip address>(smtp server)

*************
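As an added example (not part of the original post), a small POSIX shell health check that scans ossec.log for the ossec-maild delivery errors shown in step 10 and reports how many there are, when the last one happened and which SMTP server the message names. The sample log it falls back on is constructed here; 192.0.2.10 and mail.example.com are placeholder values.

```shell
# Added example, not from the original post: check ossec.log for the
# ossec-maild "Error Sending email" lines shown in step 10.
# Assumption: OSSEC_LOG defaults to /var/ossec/logs/ossec.log (path from step 9).
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"
MAILD_ERR='ossec-maild([0-9]*): ERROR: Error Sending email'

# Constructed sample log in the post's format; 192.0.2.10 and
# mail.example.com are placeholders, not real infrastructure.
write_sample_log() {
    cat > "$1" <<'EOF'
2015/05/06 01:43:10 ossec-maild(1225): INFO: Started (pid: 4321).
2015/05/06 01:43:42 ossec-maild(1223): ERROR: Error Sending email to 192.0.2.10 (mail.example.com)
2015/05/06 01:44:22 ossec-maild(1223): ERROR: Error Sending email to  192.0.2.10(mail.example.com)
2015/05/06 01:45:00 ossec-syscheckd: INFO: Starting syscheck scan.
EOF
}

# Number of failed delivery attempts in the log (0 when none).
count_maild_errors() {
    grep -c "$MAILD_ERR" "$1" 2>/dev/null || true
}

# Date and time of the most recent failed delivery.
last_maild_error_time() {
    grep "$MAILD_ERR" "$1" 2>/dev/null | tail -n 1 | cut -d' ' -f1,2
}

# SMTP server named in parentheses in the most recent failure; the regex
# tolerates the irregular spacing around the address seen in the post.
failing_smtp_host() {
    grep "$MAILD_ERR" "$1" 2>/dev/null | tail -n 1 \
        | sed -n 's/.*Error Sending email to *[^ (]* *(\([^)]*\)).*/\1/p'
}

# Summarise delivery health; returns 1 when alerts are not getting out,
# so the check can be run from cron or a monitoring agent.
check_mail_delivery() {
    n=$(count_maild_errors "$1")
    if [ "$n" -eq 0 ]; then
        echo "ok: no ossec-maild delivery errors in $1"; return 0
    fi
    echo "WARNING: $n failed e-mail deliveries in $1"
    echo "  last failure: $(last_maild_error_time "$1")"
    echo "  smtp server : $(failing_smtp_host "$1")"
    echo "  alerts are not leaving the host; check that <smtp_server> in ossec.conf is reachable"
    return 1
}

# Run against the real log when present, otherwise against the constructed sample.
if [ -r "$OSSEC_LOG" ]; then check_mail_delivery "$OSSEC_LOG" || :; else
    tmp=$(mktemp); write_sample_log "$tmp"; check_mail_delivery "$tmp" || :; rm -f "$tmp"; fi
```

A non-zero exit from check_mail_delivery means OSSEC is detecting events but nobody is being told, which is the silent failure mode to watch for after step 6.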

NOTE - for similar steps on Ubuntu, refer to https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04
