How To Set Up a Local OSSEC Installation on Fedora 21

Published on April 1, 2015
Introduction

OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It’s the application to install on your server if you want to keep an eye on what’s happening inside it.

OSSEC can be installed to monitor just the server it is installed on, which is a local installation in OSSEC’s parlance, or be installed as a server to monitor one or more agents. In this tutorial, you’ll learn how to install OSSEC to monitor the Fedora 21 or RHEL server it is installed on: a local OSSEC installation.

Prerequisites

To complete this tutorial you’ll need:

  • Fedora 21 Droplet that you’ve set up by following this tutorial.

Follow this tutorial as a non-root user with sudo privileges. Steps 5 and 6 switch to root, because everything under /var/ossec is root-owned.

Step 1 — Installing Required Packages

In this section, you’ll install some required packages.

In particular, install bind-utils, gcc, make, and inotify-tools using the following command.

sudo yum install -y bind-utils gcc make inotify-tools

bind-utils provides the dig command used in Step 3, gcc and make are used by the OSSEC installer to compile the source, and inotify-tools is installed so that the build can enable the real-time (inotify-based) file monitoring that Step 6 turns on.

Step 2 — Downloading and Verifying OSSEC

OSSEC is delivered as a compressed tarball. In this step, you'll download it together with its checksum file and confirm that the digests match. Be clear about what that proves: the checksum file is fetched over plain HTTP from the same server as the tarball, so a match rules out a corrupted or truncated download, but not a download altered by someone who can modify both files or who sits on the network path. Protection against that requires a signature, or a digest obtained over an independent, authenticated channel (the project's HTTPS site or a GPG signature, where available).

You can check the project’s website for the latest version. At the time of this writing, OSSEC 2.8.1 is the latest stable release.

First, download the tarball.

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz

Then, download the checksum file.

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt

After downloading both files, verify the md5sum of the compressed tarball.

md5sum -c ossec-hids-2.8.1-checksum.txt

The output should be:

ossec-hids-2.8.1.tar.gz: OK
md5sum: WARNING: 1 line is improperly formatted

Follow that by verifying the SHA1 checksum.

sha1sum -c ossec-hids-2.8.1-checksum.txt

Its output should be:

ossec-hids-2.8.1.tar.gz: OK
sha1sum: WARNING: 1 line is improperly formatted

In each case, ignore the WARNING line: the checksum file contains one MD5 line and one SHA1 line, and each tool can only parse its own. The OK line is what confirms that the digest matched. If either tool reports FAILED, delete the tarball and download it again; do not continue with a file that fails either check.
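
As an added example (not part of the original tutorial or the OSSEC project), the shell function below does what the two commands above do in one step: it parses the two-line checksum file, selects the MD5 and SHA1 lines by digest length, and fails closed if either line is missing or does not match, rather than depending on you to eyeball an OK line next to a WARNING. The tarball and checksum file it runs on are constructed stand-ins generated inside the script; the real OSSEC digests are not reproduced here.

```shell
# verify_tarball <tarball> <checksum-file>
# Added example, not the tutorial's or OSSEC's code. The checksum file is
# expected in the layout the tutorial's md5sum/sha1sum output implies: one
# "<md5hex>  <filename>" line and one "<sha1hex>  <filename>" line.
# Exit status: 0 both digests match; 2 a file is missing; 3 a digest line is
# missing (fail closed); 1 a digest does not match.
verify_tarball() {
    vt_tarball=$1
    vt_sums=$2
    [ -f "$vt_tarball" ] && [ -f "$vt_sums" ] || return 2
    vt_name=$(basename "$vt_tarball")
    # Select the expected digests by hex length, so neither tool's
    # "improperly formatted" warning has to be produced or ignored.
    vt_md5_exp=$(awk -v f="$vt_name" 'length($1)==32 && $2==f {print tolower($1)}' "$vt_sums")
    vt_sha1_exp=$(awk -v f="$vt_name" 'length($1)==40 && $2==f {print tolower($1)}' "$vt_sums")
    [ -n "$vt_md5_exp" ] && [ -n "$vt_sha1_exp" ] || return 3
    vt_md5_act=$(md5sum "$vt_tarball" | awk '{print $1}')
    vt_sha1_act=$(sha1sum "$vt_tarball" | awk '{print $1}')
    [ "$vt_md5_act" = "$vt_md5_exp" ] && [ "$vt_sha1_act" = "$vt_sha1_exp" ]
}

# make_fixture: build a constructed tarball stand-in plus a matching checksum
# file in a temporary directory and print that directory's path. The content
# is arbitrary; only the digests computed from it matter.
make_fixture() {
    mf_dir=$(mktemp -d)
    mf_name=ossec-hids-2.8.1.tar.gz
    printf 'constructed stand-in, not the real OSSEC tarball\n' > "$mf_dir/$mf_name"
    {
        md5sum "$mf_dir/$mf_name" | awk -v f="$mf_name" '{print $1 "  " f}'
        sha1sum "$mf_dir/$mf_name" | awk -v f="$mf_name" '{print $1 "  " f}'
    } > "$mf_dir/ossec-hids-2.8.1-checksum.txt"
    printf '%s\n' "$mf_dir"
}

# Usage: an intact download passes; the same file with one byte appended
# (a stand-in for a tampered download) is rejected.
fixture=$(make_fixture)
verify_tarball "$fixture/ossec-hids-2.8.1.tar.gz" "$fixture/ossec-hids-2.8.1-checksum.txt" \
    && echo "intact: OK"
printf 'x' >> "$fixture/ossec-hids-2.8.1.tar.gz"
verify_tarball "$fixture/ossec-hids-2.8.1.tar.gz" "$fixture/ossec-hids-2.8.1-checksum.txt" \
    || echo "tampered: rejected (status $?)"
```

On a real download you would call verify_tarball ossec-hids-2.8.1.tar.gz ossec-hids-2.8.1-checksum.txt and only untar when it returns 0. The distinct exit code for a missing digest line matters: a checksum file that has silently lost its SHA1 line should stop the procedure, not pass on MD5 alone.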

Step 3 — Finding your SMTP Server

When you enable email notifications during OSSEC's installation, the installer asks for your SMTP server. In this step, you will find the right value to give it.

To determine the correct SMTP server to use for your email service provider, you can use the dig command to query the provider’s mail exchanger (MX) resource records. Enter the following command, replacing example.com with your email provider’s domain name:

dig -t mx example.com

The output is made up of several sections, but we’re only interested in the ANSWER section, which contains one or more lines. At the end of each line is the SMTP server to use.

For example, if you run the command using fastmail.com:

dig -t mx fastmail.com

The valid SMTP servers for the provider will be at the end of each listing in the ANSWER section, which should read:

;; ANSWER SECTION:
fastmail.com.           3600    IN      MX      10 in1-smtp.messagingengine.com.
fastmail.com.           3600    IN      MX      20 in2-smtp.messagingengine.com.

In this example, you can use either in1-smtp.messagingengine.com. or in2-smtp.messagingengine.com. as an SMTP server. The number before each host is its preference value; lower numbers are preferred, so in1-smtp.messagingengine.com. is the primary exchanger here.

Copy one of the SMTP servers from your email provider and save it to enter in the next step. Be sure to include the . (period) at the end, too.

Two caveats before relying on this. First, an MX host is the provider's inbound exchanger: it accepts mail addressed to that provider's domain, but it will normally refuse to relay mail for other domains from an unauthenticated client, so the address you give OSSEC must belong to the provider whose MX you chose. Second, OSSEC's mailer (ossec-maild) speaks plain, unauthenticated SMTP on port 25, so alert contents, including the file diffs enabled later in this tutorial, cross the network unencrypted. If that matters to you, set <smtp_server> to a local MTA and have it authenticate and use TLS when relaying.
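
As an added example (not from the tutorial), the function below takes dig's MX records on standard input and prints the host with the lowest preference value, which is the exchanger the provider wants contacted first. It accepts both the full ANSWER section lines shown above and the shorter dig +short mx form ("10 in1-smtp.messagingengine.com."), because in both the last two fields are the preference and the host. The sample records are the two fastmail.com lines from above, embedded inline so the script runs offline.

```shell
# Added example, not from the tutorial or OSSEC: choose the primary MX host.
# Constructed input: the two fastmail.com ANSWER lines shown above, listed
# here in reverse order to show that preference, not position, decides.
SAMPLE_MX='fastmail.com.           3600    IN      MX      20 in2-smtp.messagingengine.com.
fastmail.com.           3600    IN      MX      10 in1-smtp.messagingengine.com.'

# lowest_mx: read MX records on stdin (full dig lines or "dig +short mx"
# lines) and print the host with the smallest preference value, trailing
# dot kept, as the OSSEC installer expects. Lines whose last two fields are
# not "<number> <host>" (dig's ";;" comments, blank lines) are skipped.
lowest_mx() {
    awk '
        NF >= 2 && $(NF-1) ~ /^[0-9]+$/ {
            pref = $(NF-1) + 0
            if (!seen || pref < best_pref) { best_pref = pref; best = $NF; seen = 1 }
        }
        END { if (seen) print best }
    '
}

# Usage (offline, on the constructed sample). With a live resolver:
#   dig +short mx fastmail.com | lowest_mx
printf '%s\n' "$SAMPLE_MX" | lowest_mx
```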

Step 4 — Installing OSSEC

In this step, we will install OSSEC.

Before initiating installation, untar it using:

tar xf ossec-hids-2.8.1.tar.gz

It will be unpacked into a directory called ossec-hids-2.8.1. Change into that directory.

cd ossec-hids-2.8.1

Then start the installation.

sudo ./install.sh

Throughout the setup process, you’ll be prompted to provide some input. In most of those cases, all you’ll need to do is press ENTER to accept the default value.

You’ll first be prompted to select the installation language. By default, it is English (en), so press ENTER if that’s your preferred language. Otherwise, type in the 2 letters from the list of supported languages. Then press ENTER again to start the installation.

Question 1 will ask what kind of installation you want. Here, enter local.

1- What kind of installation do you want (server, agent, local, hybrid or help)? local

For all of the following questions, press ENTER to accept the default. Question 3.1 will additionally prompt you for your email address and then ask for your SMTP server ip/host. Here, enter your email address and the SMTP server you saved from Step 3.

If installation is successful, at the end, you should see this output:

 - Configuration finished properly.

...

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---

Press ENTER to finish the installation.

Step 5 — Verifying OSSEC’s Email Settings

Here we are going to verify that the email settings you gave during installation, and the one OSSEC filled in for you, are correct.

The email settings are in OSSEC’s main configuration file, ossec.conf, which is in the /var/ossec/etc directory. To access and modify any OSSEC file, you first need to switch to the root user.

sudo su

Now that you’re root, cd into the directory where OSSEC’s configuration file is.

cd /var/ossec/etc

First, make a backup copy of that file.

cp ossec.conf ossec.conf.00

Then open the original file. Here, we use the nano text editor, but you can use any text editor you like.

nano ossec.conf

The email settings are at the top of the file. Here are descriptions of the fields.

  • <email_to> is the email you gave during installation. Alerts will be sent to that email address.
  • <email_from> is where OSSEC’s alerts would appear to be coming from. Change that to a valid email address to reduce the odds of your emails being tagged as spam by your email provider’s SMTP server.
  • <smtp_server> is the SMTP server you specified during setup.

Note that <email_to> and <email_from> can be the same, and if you have your own email server on the same host as the OSSEC server you can change the <smtp_server> setting to localhost.

Here’s what that section will look like when you’re finished.

<global>
    <email_notification>yes</email_notification>
    <email_to>sammy@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>sammy@example.com</email_from>
</global>

After modifying the email settings, save and close the file. Then start OSSEC.

/var/ossec/bin/ossec-control start

Check your inbox for an email saying that OSSEC has started. If it arrives, future alerts will reach you the same way. If it does not, check your spam folder, then look in /var/ossec/logs/ossec.log for errors from ossec-maild (a refused connection or a rejected recipient shows up there) and confirm the daemons are running with /var/ossec/bin/ossec-control status.

Step 6 — Adding Alerts

By default, OSSEC will issue alerts on file modifications and other activities on the server, but it will not alert on new file additions and also will not alert in real time — only after the scheduled system scan, which is 79200 seconds (or 22 hours) by default. In this section, we will add alerts on file additions in real time.

First, open ossec.conf.

nano ossec.conf

Then scroll down to the <syscheck> section which begins with this text:

<syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

Just under the <frequency> tag, add <alert_new_files>yes</alert_new_files>.

<syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <alert_new_files>yes</alert_new_files>

While you still have ossec.conf open, take a look at the list of system directories that OSSEC monitors, which sits directly below the line you just added. It should read:

<!-- Directories to check  (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>

For each list of directories, add the report_changes="yes" and realtime="yes" options. After the modifications have been made, the section should read:

<!-- Directories to check  (perform all possible verifications) -->
<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

Two consequences of these options are worth knowing before you apply them everywhere. report_changes="yes" makes OSSEC keep a copy of each monitored file under /var/ossec/queue/diff so that it can include a diff in the alert; for a directory such as /etc that holds secrets (for example /etc/shadow), that means extra copies of sensitive content on disk and, if alerts are emailed, that content travelling over the plain SMTP connection from Step 3. realtime="yes" relies on inotify, so it only works if the OSSEC build found inotify support (which is why Step 1 installed inotify-tools), and every watched directory consumes one inotify watch; on a host with very large monitored trees you may need to raise fs.inotify.max_user_watches.

Aside from the default list of directories that OSSEC has been configured to monitor, you can also add any that you wish to monitor. For example, you can add monitoring for your home directory, /home/sammy. To do that, add this new line right under other directory lines, substituting in your username:

<directories report_changes="yes" realtime="yes" check_all="yes">/home/sammy</directories>

Now save and close ossec.conf.
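
As an added example (not the tutorial's or OSSEC's own code), here is a small audit of the settings Steps 5 and 6 ask for, run against a constructed ossec.conf fragment embedded in the script. The weak fragment keeps a placeholder sender address in the form the installer writes (ossecm@hostname, assumed) and one <directories> line that never received realtime="yes"; harden_conf shows the corrected form as a sed rewrite, and audit_conf reports anything still off. The "routable address" test (an @ followed by a dotted domain) and the list of checks are my assumptions, not OSSEC's validation: OSSEC loads the weak fragment without complaint, which is exactly why a check of your own is useful.

```shell
# Added example, not from the tutorial or OSSEC. Constructed ossec.conf
# fragment: the email block with a placeholder sender (form assumed) plus
# the syscheck block after only the first <directories> line was edited.
SAMPLE_CONF='<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>sammy@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>ossecm@fedora21</email_from>
  </global>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>'

# audit_conf: read ossec.conf text on stdin and print one finding per line;
# no output means every check passed. Line-oriented on purpose: the
# settings this tutorial touches are one element per line.
audit_conf() {
    awk '
        function text(tag,   s) {
            s = $0
            sub("^.*<" tag "[^>]*>", "", s)
            sub("</" tag ">.*$", "", s)
            return s
        }
        /<email_notification>/ { notify = text("email_notification") }
        /<alert_new_files>/     { newfiles = text("alert_new_files") }
        /<smtp_server>/         { smtp = text("smtp_server") }
        /<email_from>/ {
            from = text("email_from")
            # Assumed heuristic: a sender without a dotted domain is the
            # installer placeholder and invites spam filtering.
            if (from !~ /@.*\./) print "email_from is not a routable address: " from
        }
        /<directories[ >]/ && !/realtime="yes"/ {
            print "directories without realtime: " text("directories")
        }
        END {
            if (notify != "yes")   print "email_notification is not yes"
            if (smtp == "")        print "smtp_server is not set"
            if (newfiles != "yes") print "alert_new_files is missing or not yes"
        }
    '
}

# harden_conf: the corrected settings beside the weak ones, as a sed
# rewrite of stdin. The sender address is an assumed example value.
harden_conf() {
    sed -e 's|<email_from>ossecm@[^<]*</email_from>|<email_from>sammy@example.com</email_from>|' \
        -e 's|<directories check_all="yes">|<directories report_changes="yes" realtime="yes" check_all="yes">|'
}

# Usage: findings for the weak fragment, then none after hardening.
printf '%s\n' "$SAMPLE_CONF" | audit_conf
printf '%s\n' "$SAMPLE_CONF" | harden_conf | audit_conf
```

On a live host, audit_conf < /var/ossec/etc/ossec.conf run after your edits should print nothing; run it again after any upgrade, since an upgrade can reset settings you changed by hand.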

The next file to modify is in the /var/ossec/rules directory, so move to that directory.

cd /var/ossec/rules

The /var/ossec/rules directory contains many XML files, including ossec_rules.xml, which contains OSSEC's default rule definitions, and local_rules.xml, which is where you add custom rules. local_rules.xml is the only file you should edit in this directory: the other files are replaced when OSSEC is upgraded, so changes made to them would be lost.

In ossec_rules.xml, the rule that fires when a file is added to a monitored directory is rule 554. By default, OSSEC does not send out alerts when that rule is triggered, so the task here is to change that behavior. Here’s what rule 554 looks like by default:

<rule id="554" level="0">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

Alert levels run from 0 to 15. A level 0 rule is never logged or emailed; the defaults in ossec.conf log alerts at level 1 and above (<log_alert_level>) and email them at level 7 and above (<email_alert_level>), which is why the copy below uses level 7. Rather than editing ossec_rules.xml, copy the rule into local_rules.xml with overwrite="yes", so that it replaces the built-in definition instead of clashing with it. Open local_rules.xml.

nano local_rules.xml

Add the following at the end of the file, before the line with the </group> tag.

<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>

Save and close the file. Now, restart OSSEC to reload the files we edited.

/var/ossec/bin/ossec-control restart

You should now be receiving alerts from OSSEC on monitored directories and log files. To confirm that the new-file alert works end to end, create a file in a directory you monitor in real time, for example touch /home/sammy/ossec-test, then check /var/ossec/logs/alerts/alerts.log for an entry with Rule: 554; the email follows only if the rule's level is at or above <email_alert_level>. Real-time alerts cover the directories you tagged with realtime="yes"; additions elsewhere are reported by the next scheduled scan.
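
As an added example (not the tutorial's or OSSEC's code), the script below reads text in the layout of /var/ossec/logs/alerts/alerts.log and lists the paths reported by rule 554, so you can confirm the override above is firing without waiting for email, and it flags additions under the system directories the default configuration monitors. The three alert records are constructed to follow the alerts.log layout (a "** Alert" header, a timestamp and host line, the "Rule:" line, then the message); on a live host you would pipe the real file in instead.

```shell
# Added example, not from the tutorial or OSSEC. Constructed records in the
# layout OSSEC writes to /var/ossec/logs/alerts/alerts.log.
SAMPLE_ALERTS=$(cat <<'EOF'
** Alert 1427900000.0: - syscheck,
2015 Apr 01 12:00:00 fedora21->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'

** Alert 1427900010.1: - syscheck,
2015 Apr 01 12:00:10 fedora21->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/home/sammy/dropped.sh' added to the file system.

** Alert 1427900020.2: - syscheck,
2015 Apr 01 12:00:20 fedora21->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/etc/cron.d/persist' added to the file system.
EOF
)

# new_files: read alerts.log text on stdin and print one path per rule-554
# alert. Each "** Alert" header starts a record; the path is the quoted
# string on the "New file '...' added" line of a record whose Rule is 554.
new_files() {
    awk -v q="'" '
        /^\*\* Alert/ { is554 = 0 }
        /^Rule: 554 / { is554 = 1 }
        is554 && /^New file / {
            if (match($0, q "[^" q "]*" q)) print substr($0, RSTART + 1, RLENGTH - 2)
        }
    '
}

# count_new_files: how many rule-554 alerts the input holds.
count_new_files() {
    new_files | wc -l | tr -d ' '
}

# flag_system_paths: additions under the directories the default ossec.conf
# monitors (list taken from the tutorial) deserve an immediate look, since
# nothing should appear there outside package installs.
flag_system_paths() {
    new_files | grep -E '^(/etc|/usr/bin|/usr/sbin|/bin|/sbin)/' || true
}

# Usage on the constructed sample. On a live host:
#   tail -n 200 /var/ossec/logs/alerts/alerts.log | new_files
printf '%s\n' "$SAMPLE_ALERTS" | new_files
printf '%s\n' "$SAMPLE_ALERTS" | flag_system_paths
```

If touching a test file produces no rule-554 record at all, the problem is upstream of the rule: check that the directory line carries realtime="yes", that ossec.log shows syscheck starting real-time monitoring, and that the override in local_rules.xml loaded without error, before suspecting email delivery.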

Conclusion

Now you have a basic local OSSEC installation set up. There is a lot of further customization available, which you can explore in its official documentation.

For an idea on how to install OSSEC in a client-server or server-agent mode (instead of local mode), see How To Monitor OSSEC Agents Using an OSSEC Server on Ubuntu 14.04.


About the authors

finid, author

staff technical writer: hi! i write do.co/docs now, but i used to be the senior tech editor publishing tutorials here in the community.

Comments
Been following every step in this article, when I added a file in /home/user_name, there is no log shown in alerts.log. Email notification didn’t work as well.

PS: I installed local ossec on Arch Linux.
