Difference between revisions of "Ossec"

From Atomicorp Wiki
Jump to: navigation, search
 
(6 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
OSSEC is a host based intrusion detection system, it performs numerous local security controls including log analysis, active-response to attacks (shunning), rootkit detection, file integrity checks, and local security policy assessments. Just to name a few. You can read more about OSSEC here: http://www.ossec.net
 
OSSEC is a host based intrusion detection system, it performs numerous local security controls including log analysis, active-response to attacks (shunning), rootkit detection, file integrity checks, and local security policy assessments. Just to name a few. You can read more about OSSEC here: http://www.ossec.net
  
 +
== Downloads ==
  
 +
Please see the OSSEC downloads pahe:
 +
 +
[https://atomicorp.com/ossec-downloads/ OSSEC downloads]
  
 
== Announcements ==
 
== Announcements ==
 +
 +
 +
 +
https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=3295 OSSEC 2.1.1] Testing build for the 2.1.1 release candidate
  
 
[https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=2885 OSSEC 2.0 Final] Official 2.0 release has been published to the ASL-2.0 channel
 
[https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=2885 OSSEC 2.0 Final] Official 2.0 release has been published to the ASL-2.0 channel
  
 
[http://atomicrocketturtle.com/forum/viewtopic.php?t=2812 OSSEC 2.0.0-0.090205 test build] this update addresses mysql issues mentioned in the troubleshooting section
 
[http://atomicrocketturtle.com/forum/viewtopic.php?t=2812 OSSEC 2.0.0-0.090205 test build] this update addresses mysql issues mentioned in the troubleshooting section
 
  
 
== Troubleshooting ==
 
== Troubleshooting ==
Line 29: Line 36:
  
 
Step 1) Upgrade to a CVS snapshot (1.99 or higher)
 
Step 1) Upgrade to a CVS snapshot (1.99 or higher)
   yum --enablerepo=asl-2.0-testing upgrade ossec-hids
+
   yum upgrade ossec-hids
  
 
Step 2) Update ASL policy
 
Step 2) Update ASL policy
Line 48: Line 55:
 
Step 6) restart ossec
 
Step 6) restart ossec
 
   /etc/init.d/ossec-hids restart
 
   /etc/init.d/ossec-hids restart
 +
 +
 +
 +
== Check for file system changes on all agents ==
 +
 +
This is a quick little script to poll all agents for recent file system changes
 +
 +
for i in `/var/ossec/bin/syscheck_control -l -s | cut -d "," -f 1`; do echo "For agent $i" ; /var/ossec/bin/syscheck_control -s -i $i | grep "`date +\"%Y %b %d\"`"; done
 +
 +
 +
== Re-Add the Mysql Configuration ==
 +
 +
This is a manual procedure to remove and re-configure ossec to use mysql. Eventually it will be merged into ASL directly.
 +
 +
 +
1) Check /etc/asl/config
 +
 +
  OSSEC_DATABASE_SERVER="localhost"
 +
  OSSEC_DATABASE="tortix"
 +
  OSSEC_DATABASE_USERNAME="tortix"
 +
  OSSEC_DATABASE_PASSWORD="YOURPASSWORD"
 +
 +
2) remove any database lines from /var/ossec/etc/ossec.conf, this entire section
 +
 +
 +
  <database_output>
 +
    <hostname>127.0.0.1</hostname>
 +
    <username>tortix</username>
 +
    <password>YOURPASSWORD</password>
 +
    <database>tortix</database>
 +
    <type>mysql</type>
 +
  </database_output>
 +
 +
3) Drop the database:
 +
 +
For Plesk:
 +
  mysqladmin -u admin -p drop tortix
 +
 +
For Other environments:
 +
  mysqladmin -u root -p drop tortix
 +
 +
4) Remove the tortix user:
 +
 +
For Plesk:
 +
mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'%';"
 +
mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'localhost';"
 +
 +
For Other environments:
 +
mysql -u root -p mysql -e "drop user 'tortix'@'%';"
 +
mysql -u root -p mysql -e "drop user 'tortix'@'localhost';"
 +
 +
5) re-create the databases and users with:
 +
  /var/asl/bin/ossec_database_setup.sh
 +
 +
6) Update the security policy with (this will also trigger the database activation event in ossec):
 +
  asl -s -f
 +
 +
then check your ossec.log to see if it says something like this:
 +
  2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
 +
 +
== Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." ==
 +
 +
This rule means that OSSEC has no further information about this event.  The event is not caused by ASL, and is being emailed to the user for further investigation.  If you get a 1002 error contact the vendor of that product for assistance with the error.

Latest revision as of 18:11, 27 February 2018

Contents

[edit] Overview

OSSEC is a host based intrusion detection system, it performs numerous local security controls including log analysis, active-response to attacks (shunning), rootkit detection, file integrity checks, and local security policy assessments. Just to name a few. You can read more about OSSEC here: http://www.ossec.net

[edit] Downloads

Please see the OSSEC downloads pahe:

OSSEC downloads

[edit] Announcements

https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=3295 OSSEC 2.1.1] Testing build for the 2.1.1 release candidate

OSSEC 2.0 Final Official 2.0 release has been published to the ASL-2.0 channel

OSSEC 2.0.0-0.090205 test build this update addresses mysql issues mentioned in the troubleshooting section

[edit] Troubleshooting

[edit] Error: Missing Dependency: libpq.so.3 is needed by package ossec-hids-server

This occurs on CentOS4 systems using the CentOSPlus repository, and updating to OSSEC 2.0. It can be resolved with:


yum install postgresql-devel


[edit] Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)

This is a known problem in versions of OSSEC 1.6.1 and lower. Currently to fix this an upgrade to a newer version is required:


Step 1) Upgrade to a CVS snapshot (1.99 or higher)

 yum  upgrade ossec-hids

Step 2) Update ASL policy

 asl -s -f

Step 3) Drop the existing tortix database

 mysql -u admin -p`cat /etc/psa/.psa.shadow`
 drop database tortix;

Step 4) Create a new database, and select it

 create database tortix;
 use tortix;
 quit

Step 5) Create the new OSSEC database

 mysql -u admin -p`cat /etc/psa/.psa.shadow` tortix < /var/ossec/etc/mysql/mysql.schema

Step 6) restart ossec

 /etc/init.d/ossec-hids restart


[edit] Check for file system changes on all agents

This is a quick little script to poll all agents for recent file system changes

for i in `/var/ossec/bin/syscheck_control -l -s | cut -d "," -f 1`; do echo "For agent $i" ; /var/ossec/bin/syscheck_control -s -i $i | grep "`date +\"%Y %b %d\"`"; done


[edit] Re-Add the Mysql Configuration

This is a manual procedure to remove and re-configure ossec to use mysql. Eventually it will be merged into ASL directly.


1) Check /etc/asl/config

 OSSEC_DATABASE_SERVER="localhost"
 OSSEC_DATABASE="tortix"
 OSSEC_DATABASE_USERNAME="tortix"
 OSSEC_DATABASE_PASSWORD="YOURPASSWORD"

2) remove any database lines from /var/ossec/etc/ossec.conf, this entire section


 <database_output>
   <hostname>127.0.0.1</hostname>
   <username>tortix</username>
   <password>YOURPASSWORD</password>
   <database>tortix</database>
   <type>mysql</type>
 </database_output>

3) Drop the database:

For Plesk:

 mysqladmin -u admin -p drop tortix

For Other environments:

 mysqladmin -u root -p drop tortix

4) Remove the tortix user:

For Plesk:

mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'%';"
mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'localhost';"

For Other environments:

mysql -u root -p mysql -e "drop user 'tortix'@'%';"
mysql -u root -p mysql -e "drop user 'tortix'@'localhost';"

5) re-create the databases and users with:

 /var/asl/bin/ossec_database_setup.sh

6) Update the security policy with (this will also trigger the database activation event in ossec):

 asl -s -f

then check your ossec.log to see if it says something like this:

 2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.

[edit] Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

This rule means that OSSEC has no further information about this event. The event is not caused by ASL, and is being emailed to the user for further investigation. If you get a 1002 error contact the vendor of that product for assistance with the error.

Personal tools