Difference between revisions of "Ossec"
(6 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
OSSEC is a host based intrusion detection system, it performs numerous local security controls including log analysis, active-response to attacks (shunning), rootkit detection, file integrity checks, and local security policy assessments. Just to name a few. You can read more about OSSEC here: http://www.ossec.net | OSSEC is a host based intrusion detection system, it performs numerous local security controls including log analysis, active-response to attacks (shunning), rootkit detection, file integrity checks, and local security policy assessments. Just to name a few. You can read more about OSSEC here: http://www.ossec.net | ||
+ | == Downloads == | ||
+ | Please see the OSSEC downloads pahe: | ||
+ | |||
+ | [https://atomicorp.com/ossec-downloads/ OSSEC downloads] | ||
== Announcements == | == Announcements == | ||
+ | |||
+ | |||
+ | |||
+ | https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=3295 OSSEC 2.1.1] Testing build for the 2.1.1 release candidate | ||
[https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=2885 OSSEC 2.0 Final] Official 2.0 release has been published to the ASL-2.0 channel | [https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=2885 OSSEC 2.0 Final] Official 2.0 release has been published to the ASL-2.0 channel | ||
[http://atomicrocketturtle.com/forum/viewtopic.php?t=2812 OSSEC 2.0.0-0.090205 test build] this update addresses mysql issues mentioned in the troubleshooting section | [http://atomicrocketturtle.com/forum/viewtopic.php?t=2812 OSSEC 2.0.0-0.090205 test build] this update addresses mysql issues mentioned in the troubleshooting section | ||
− | |||
== Troubleshooting == | == Troubleshooting == | ||
Line 29: | Line 36: | ||
Step 1) Upgrade to a CVS snapshot (1.99 or higher) | Step 1) Upgrade to a CVS snapshot (1.99 or higher) | ||
− | yum | + | yum upgrade ossec-hids |
Step 2) Update ASL policy | Step 2) Update ASL policy | ||
Line 48: | Line 55: | ||
Step 6) restart ossec | Step 6) restart ossec | ||
/etc/init.d/ossec-hids restart | /etc/init.d/ossec-hids restart | ||
+ | |||
+ | |||
+ | |||
+ | == Check for file system changes on all agents == | ||
+ | |||
+ | This is a quick little script to poll all agents for recent file system changes | ||
+ | |||
+ | for i in `/var/ossec/bin/syscheck_control -l -s | cut -d "," -f 1`; do echo "For agent $i" ; /var/ossec/bin/syscheck_control -s -i $i | grep "`date +\"%Y %b %d\"`"; done | ||
+ | |||
+ | |||
+ | == Re-Add the Mysql Configuration == | ||
+ | |||
+ | This is a manual procedure to remove and re-configure ossec to use mysql. Eventually it will be merged into ASL directly. | ||
+ | |||
+ | |||
+ | 1) Check /etc/asl/config | ||
+ | |||
+ | OSSEC_DATABASE_SERVER="localhost" | ||
+ | OSSEC_DATABASE="tortix" | ||
+ | OSSEC_DATABASE_USERNAME="tortix" | ||
+ | OSSEC_DATABASE_PASSWORD="YOURPASSWORD" | ||
+ | |||
+ | 2) remove any database lines from /var/ossec/etc/ossec.conf, this entire section | ||
+ | |||
+ | |||
+ | <database_output> | ||
+ | <hostname>127.0.0.1</hostname> | ||
+ | <username>tortix</username> | ||
+ | <password>YOURPASSWORD</password> | ||
+ | <database>tortix</database> | ||
+ | <type>mysql</type> | ||
+ | </database_output> | ||
+ | |||
+ | 3) Drop the database: | ||
+ | |||
+ | For Plesk: | ||
+ | mysqladmin -u admin -p drop tortix | ||
+ | |||
+ | For Other environments: | ||
+ | mysqladmin -u root -p drop tortix | ||
+ | |||
+ | 4) Remove the tortix user: | ||
+ | |||
+ | For Plesk: | ||
+ | mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'%';" | ||
+ | mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'localhost';" | ||
+ | |||
+ | For Other environments: | ||
+ | mysql -u root -p mysql -e "drop user 'tortix'@'%';" | ||
+ | mysql -u root -p mysql -e "drop user 'tortix'@'localhost';" | ||
+ | |||
+ | 5) re-create the databases and users with: | ||
+ | /var/asl/bin/ossec_database_setup.sh | ||
+ | |||
+ | 6) Update the security policy with (this will also trigger the database activation event in ossec): | ||
+ | asl -s -f | ||
+ | |||
+ | then check your ossec.log to see if it says something like this: | ||
+ | 2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'. | ||
+ | |||
+ | == Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." == | ||
+ | |||
+ | This rule means that OSSEC has no further information about this event. The event is not caused by ASL, and is being emailed to the user for further investigation. If you get a 1002 error contact the vendor of that product for assistance with the error. |
Latest revision as of 18:11, 27 February 2018
[edit] Overview
OSSEC is a host based intrusion detection system, it performs numerous local security controls including log analysis, active-response to attacks (shunning), rootkit detection, file integrity checks, and local security policy assessments. Just to name a few. You can read more about OSSEC here: http://www.ossec.net
[edit] Downloads
Please see the OSSEC downloads pahe:
[edit] Announcements
https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=3295 OSSEC 2.1.1] Testing build for the 2.1.1 release candidate
OSSEC 2.0 Final Official 2.0 release has been published to the ASL-2.0 channel
OSSEC 2.0.0-0.090205 test build this update addresses mysql issues mentioned in the troubleshooting section
[edit] Troubleshooting
[edit] Error: Missing Dependency: libpq.so.3 is needed by package ossec-hids-server
This occurs on CentOS4 systems using the CentOSPlus repository, and updating to OSSEC 2.0. It can be resolved with:
yum install postgresql-devel
[edit] Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
This is a known problem in versions of OSSEC 1.6.1 and lower. Currently to fix this an upgrade to a newer version is required:
Step 1) Upgrade to a CVS snapshot (1.99 or higher)
yum upgrade ossec-hids
Step 2) Update ASL policy
asl -s -f
Step 3) Drop the existing tortix database
mysql -u admin -p`cat /etc/psa/.psa.shadow` drop database tortix;
Step 4) Create a new database, and select it
create database tortix; use tortix; quit
Step 5) Create the new OSSEC database
mysql -u admin -p`cat /etc/psa/.psa.shadow` tortix < /var/ossec/etc/mysql/mysql.schema
Step 6) restart ossec
/etc/init.d/ossec-hids restart
[edit] Check for file system changes on all agents
This is a quick little script to poll all agents for recent file system changes
for i in `/var/ossec/bin/syscheck_control -l -s | cut -d "," -f 1`; do echo "For agent $i" ; /var/ossec/bin/syscheck_control -s -i $i | grep "`date +\"%Y %b %d\"`"; done
[edit] Re-Add the Mysql Configuration
This is a manual procedure to remove and re-configure ossec to use mysql. Eventually it will be merged into ASL directly.
1) Check /etc/asl/config
OSSEC_DATABASE_SERVER="localhost" OSSEC_DATABASE="tortix" OSSEC_DATABASE_USERNAME="tortix" OSSEC_DATABASE_PASSWORD="YOURPASSWORD"
2) remove any database lines from /var/ossec/etc/ossec.conf, this entire section
<database_output> <hostname>127.0.0.1</hostname> <username>tortix</username> <password>YOURPASSWORD</password> <database>tortix</database> <type>mysql</type> </database_output>
3) Drop the database:
For Plesk:
mysqladmin -u admin -p drop tortix
For Other environments:
mysqladmin -u root -p drop tortix
4) Remove the tortix user:
For Plesk:
mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'%';" mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'localhost';"
For Other environments:
mysql -u root -p mysql -e "drop user 'tortix'@'%';" mysql -u root -p mysql -e "drop user 'tortix'@'localhost';"
5) re-create the databases and users with:
/var/asl/bin/ossec_database_setup.sh
6) Update the security policy with (this will also trigger the database activation event in ossec):
asl -s -f
then check your ossec.log to see if it says something like this:
2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
[edit] Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
This rule means that OSSEC has no further information about this event. The event is not caused by ASL, and is being emailed to the user for further investigation. If you get a 1002 error contact the vendor of that product for assistance with the error.