Difference between revisions of "Ossec"

From Atomicorp Wiki

Revision as of 10:43, 3 July 2009


Overview

OSSEC is a host-based intrusion detection system. It performs numerous local security controls, including log analysis, active response to attacks (shunning), rootkit detection, file integrity checking and local security policy assessment, to name a few. You can read more about OSSEC here: http://www.ossec.net


Announcements

OSSEC 2.1.1 (https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=3295): testing build for the 2.1.1 release candidate

OSSEC 2.0 Final (https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=2885): the official 2.0 release has been published to the ASL-2.0 channel

OSSEC 2.0.0-0.090205 test build (http://atomicrocketturtle.com/forum/viewtopic.php?t=2812): this update addresses the MySQL issues mentioned in the troubleshooting section

Troubleshooting

Error: Missing Dependency: libpq.so.3 is needed by package ossec-hids-server

This occurs on CentOS 4 systems that use the CentOSPlus repository when updating to OSSEC 2.0. It can be resolved with:


yum install postgresql-devel


Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)

This is a known problem in OSSEC 1.6.1 and lower. At present the fix is to upgrade to a newer version, as follows:


Step 1) Upgrade to a CVS snapshot (1.99 or higher)

 yum upgrade ossec-hids

Step 2) Update ASL policy

 asl -s -f

Step 3) Drop the existing tortix database

 mysql -u admin -p`cat /etc/psa/.psa.shadow`
 drop database tortix;

Step 4) Create a new database, and select it

 create database tortix;
 use tortix;
 quit

Step 5) Create the new OSSEC database

 mysql -u admin -p`cat /etc/psa/.psa.shadow` tortix < /var/ossec/etc/mysql/mysql.schema

Step 6) Restart OSSEC

 /etc/init.d/ossec-hids restart


Check for file system changes on all agents

This is a quick little script that polls every registered agent for file integrity (syscheck) changes recorded today:

 # take each agent ID (first field of the CSV agent list), then print that agent's syscheck entries stamped with today's date
 for i in `/var/ossec/bin/syscheck_control -l -s | cut -d "," -f 1`; do echo "For agent $i" ; /var/ossec/bin/syscheck_control -s -i $i | grep "`date +\"%Y %b %d\"`"; done


Re-Add the Mysql Configuration

This is a manual procedure to remove the MySQL output from OSSEC and re-configure it. Eventually it will be merged into ASL directly.


1) Check that /etc/asl/config holds the database settings:

 OSSEC_DATABASE_SERVER="localhost"
 OSSEC_DATABASE="tortix"
 OSSEC_DATABASE_USERNAME="tortix"
 OSSEC_DATABASE_PASSWORD="YOURPASSWORD"

2) Remove any database lines from /var/ossec/etc/ossec.conf, i.e. this entire section:


 <database_output>
   <hostname>127.0.0.1</hostname>
   <username>tortix</username>
   <password>YOURPASSWORD</password>
   <database>tortix</database>
   <type>mysql</type>
 </database_output>

3) Drop the database:

 mysqladmin -u admin -p drop tortix

4) Remove the tortix user:

 mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "delete from user where User = 'tortix';"

5) Re-create the database and user with:

 /var/asl/bin/ossec_database_setup.sh

6) Update the security policy with (this will also trigger the database activation event in ossec):

 asl -s -f

Then check your ossec.log for a line like this, which confirms that ossec-dbd has connected to the database:

 2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
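As an added example (not part of this wiki page or of ASL's own tooling), the following Python checks the consistency that steps 1, 2 and 6 depend on: it reads the OSSEC_DATABASE* settings from /etc/asl/config and the <database_output> section of ossec.conf, reports every value that differs or a missing/duplicated section, and looks for the ossec-dbd success line in ossec.log. The file contents below are constructed samples; the hostname is deliberately not compared, since "localhost" and 127.0.0.1 both name the local server.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the OSSEC_DATABASE* lines in /etc/asl/config
ASL_CONFIG = '''OSSEC_DATABASE="tortix"
OSSEC_DATABASE_USERNAME="tortix"
OSSEC_DATABASE_PASSWORD="YOURPASSWORD"
'''
# Constructed ossec.conf whose <database_output> still carries a stale password
OSSEC_CONF = '''<ossec_config>
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>tortix</username>
    <password>OLDPASSWORD</password>
    <database>tortix</database>
    <type>mysql</type>
  </database_output>
</ossec_config>'''
# Constructed ossec.log excerpt containing the success line the wiki quotes
OSSEC_LOG = "2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.\n"
# ASL key -> ossec.conf tag that must carry the same value for ossec-dbd to log in
KEY_TO_TAG = {"OSSEC_DATABASE": "database", "OSSEC_DATABASE_USERNAME": "username",
              "OSSEC_DATABASE_PASSWORD": "password"}

def parse_asl_config(text):
    """Collect the KEY="value" lines for the OSSEC_DATABASE* settings."""
    return dict(re.findall(r'^(OSSEC_DATABASE\w*)="([^"]*)"', text, re.M))

def database_outputs(conf_text):
    """Return each <database_output> block as {tag: text}. ossec.conf may hold
    several top-level <ossec_config> blocks, so wrap them in one synthetic root."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [{c.tag: (c.text or "").strip() for c in b} for b in root.iter("database_output")]

def find_mismatches(asl, outputs):
    """Return (tag, asl_value, conf_value) where the files disagree. Exactly one block
    is expected: none means nothing to connect to, several means step 2 was skipped."""
    problems = []
    if len(outputs) != 1:
        problems.append(("database_output", "1 block", "%d blocks" % len(outputs)))
    for block in outputs:
        for key, tag in KEY_TO_TAG.items():
            if asl.get(key) != block.get(tag):
                problems.append((tag, asl.get(key), block.get(tag)))
    return problems

def dbd_connected(log_text):
    """Return (database, host) from the ossec-dbd success line in ossec.log, or None."""
    m = re.search(r"ossec-dbd: Connected to database '([^']+)' at '([^']+)'", log_text)
    return m.groups() if m else None
```

On a real host, read the three files instead of the constants and run the procedure again whenever find_mismatches returns anything or dbd_connected returns None.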