Ossec
[edit] Overview
OSSEC is a host based intrusion detection system, it performs numerous local security controls including log analysis, active-response to attacks (shunning), rootkit detection, file integrity checks, and local security policy assessments. Just to name a few. You can read more about OSSEC here: http://www.ossec.net
[edit] Downloads
Please see the OSSEC downloads pahe:
[edit] Announcements
https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=3295 OSSEC 2.1.1] Testing build for the 2.1.1 release candidate
OSSEC 2.0 Final Official 2.0 release has been published to the ASL-2.0 channel
OSSEC 2.0.0-0.090205 test build this update addresses mysql issues mentioned in the troubleshooting section
[edit] Troubleshooting
[edit] Error: Missing Dependency: libpq.so.3 is needed by package ossec-hids-server
This occurs on CentOS4 systems using the CentOSPlus repository, and updating to OSSEC 2.0. It can be resolved with:
yum install postgresql-devel
[edit] Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
This is a known problem in versions of OSSEC 1.6.1 and lower. Currently to fix this an upgrade to a newer version is required:
Step 1) Upgrade to a CVS snapshot (1.99 or higher)
yum upgrade ossec-hids
Step 2) Update ASL policy
asl -s -f
Step 3) Drop the existing tortix database
mysql -u admin -p`cat /etc/psa/.psa.shadow` drop database tortix;
Step 4) Create a new database, and select it
create database tortix; use tortix; quit
Step 5) Create the new OSSEC database
mysql -u admin -p`cat /etc/psa/.psa.shadow` tortix < /var/ossec/etc/mysql/mysql.schema
Step 6) restart ossec
/etc/init.d/ossec-hids restart
[edit] Check for file system changes on all agents
This is a quick little script to poll all agents for recent file system changes
for i in `/var/ossec/bin/syscheck_control -l -s | cut -d "," -f 1`; do echo "For agent $i" ; /var/ossec/bin/syscheck_control -s -i $i | grep "`date +\"%Y %b %d\"`"; done
[edit] Re-Add the Mysql Configuration
This is a manual procedure to remove and re-configure ossec to use mysql. Eventually it will be merged into ASL directly.
1) Check /etc/asl/config
OSSEC_DATABASE_SERVER="localhost" OSSEC_DATABASE="tortix" OSSEC_DATABASE_USERNAME="tortix" OSSEC_DATABASE_PASSWORD="YOURPASSWORD"
2) remove any database lines from /var/ossec/etc/ossec.conf, this entire section
<database_output> <hostname>127.0.0.1</hostname> <username>tortix</username> <password>YOURPASSWORD</password> <database>tortix</database> <type>mysql</type> </database_output>
3) Drop the database:
For Plesk:
mysqladmin -u admin -p drop tortix
For Other environments:
mysqladmin -u root -p drop tortix
4) Remove the tortix user:
For Plesk:
mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'%';" mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'localhost';"
For Other environments:
mysql -u root -p mysql -e "drop user 'tortix'@'%';" mysql -u root -p mysql -e "drop user 'tortix'@'localhost';"
5) re-create the databases and users with:
/var/asl/bin/ossec_database_setup.sh
6) Update the security policy with (this will also trigger the database activation event in ossec):
asl -s -f
then check your ossec.log to see if it says something like this:
2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
[edit] Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
This rule means that OSSEC has no further information about this event. The event is not caused by ASL, and is being emailed to the user for further investigation. If you get a 1002 error contact the vendor of that product for assistance with the error.