Ossec

From Atomicorp Wiki
Revision as of 14:27, 4 August 2010 by Scott

Overview

OSSEC is a host-based intrusion detection system. It performs numerous local security controls, including log analysis, active response to attacks (shunning), rootkit detection, file integrity checks and local security policy assessments, to name a few. You can read more about OSSEC at http://www.ossec.net


Announcements

OSSEC 2.1.1 (https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=3295): testing build for the 2.1.1 release candidate

OSSEC 2.0 Final: the official 2.0 release has been published to the ASL-2.0 channel

OSSEC 2.0.0-0.090205 test build: this update addresses the MySQL issues mentioned in the troubleshooting section

Troubleshooting

Error: Missing Dependency: libpq.so.3 is needed by package ossec-hids-server

This occurs on CentOS 4 systems that use the CentOSPlus repository when updating to OSSEC 2.0. It can be resolved with:


yum install postgresql-devel


Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)

This is a known problem in OSSEC 1.6.1 and lower. The fix is to upgrade to a newer version and then rebuild the OSSEC database, as follows:


Step 1) Upgrade to a CVS snapshot (1.99 or higher)

 yum upgrade ossec-hids

Step 2) Update ASL policy

 asl -s -f

Step 3) Drop the existing tortix database. On Plesk the MySQL admin password is read from /etc/psa/.psa.shadow; a password passed on the command line like this is briefly visible to other local users in the process list (the mysql client blanks its -p argument once it has started, but not before), so where that matters use -p alone and type the password at the prompt.

 mysql -u admin -p`cat /etc/psa/.psa.shadow`
 drop database tortix;

Step 4) Create a new database, and select it

 create database tortix;
 use tortix;
 quit

Step 5) Create the new OSSEC database

 mysql -u admin -p`cat /etc/psa/.psa.shadow` tortix < /var/ossec/etc/mysql/mysql.schema

Step 6) Restart OSSEC

 /etc/init.d/ossec-hids restart


Check for file system changes on all agents

This is a quick script to poll all agents for file system changes recorded today. It takes the agent IDs from the first field of syscheck_control's CSV listing (-s) and greps each agent's integrity database for today's date in the "YYYY Mon DD" form that syscheck_control prints. It only matches changes stamped with today's date on the server's clock, so a change made just before midnight is not shown by the next day's run.

 for i in $(/var/ossec/bin/syscheck_control -l -s | cut -d "," -f 1); do
   echo "For agent $i"
   /var/ossec/bin/syscheck_control -s -i "$i" | grep "$(date +'%Y %b %d')"
 done
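The script below is an added example written for this page, not from the Atomicorp wiki or from OSSEC itself. It generalises the same check to the last N days (so a change from just before midnight is still reported the next morning) and splits the handling of syscheck_control's output into small functions that can be exercised on their own. It assumes that "syscheck_control -l -s" prints one agent per line as "ID,Name,IP,Status," (ID 000 being the server itself), that "syscheck_control -s -i ID" prints one change per line beginning with "YYYY Mon DD HH:MM:SS" (the form the one-liner above greps for), and that GNU date is available for day offsets greater than zero. The function names, the SYSCHECK_CONTROL variable and the sample lines are the example's own.

```shell
#!/bin/sh
# Added example: syscheck changes on every agent for the last N days.
# Not from the Atomicorp wiki or from OSSEC. Assumptions:
#   "syscheck_control -l -s"    -> one agent per line: ID,Name,IP,Status,
#   "syscheck_control -s -i ID" -> one change per line: "YYYY Mon DD HH:MM:SS,..."
#   GNU date for "-d '-N day'" (only used when N > 1)

SYSCHECK_CONTROL=${SYSCHECK_CONTROL:-/var/ossec/bin/syscheck_control}

# agent_ids: read the CSV agent list on stdin and print only the numeric IDs.
# Blank, header or malformed lines are dropped instead of becoming an "agent".
agent_ids() {
    awk -F, '$1 ~ /^[0-9]+$/ { print $1 }'
}

# date_prefix I: "YYYY Mon DD" for I days ago (0 = today), in the C locale so
# that %b gives the English month names syscheck_control prints.
date_prefix() {
    if [ "$1" -eq 0 ]; then
        LC_ALL=C date +'%Y %b %d'
    else
        LC_ALL=C date -d "-$1 day" +'%Y %b %d'   # GNU date syntax (assumption)
    fi
}

# recent_lines N: pass through the stdin lines dated within the last N days.
recent_lines() {
    rl_n=$1
    [ "$rl_n" -ge 1 ] || rl_n=1
    rl_pat=''
    rl_i=0
    while [ "$rl_i" -lt "$rl_n" ]; do
        rl_pat="${rl_pat}${rl_pat:+|}$(date_prefix "$rl_i")"
        rl_i=$((rl_i + 1))
    done
    # grep exits 1 when nothing matched; an agent with no changes is not an error
    grep -E "^(${rl_pat})" || true
}

# report N: poll every agent (including 000, the server itself) and print its
# recent changes with a count, or "(no changes)".
report() {
    rp_n=${1:-1}
    for rp_id in $("$SYSCHECK_CONTROL" -l -s | agent_ids); do
        echo "=== agent $rp_id: changes in the last $rp_n day(s)"
        rp_changes=$("$SYSCHECK_CONTROL" -s -i "$rp_id" | recent_lines "$rp_n")
        if [ -z "$rp_changes" ]; then
            echo "    (no changes)"
        else
            printf '%s\n' "$rp_changes"
            echo "    $(printf '%s\n' "$rp_changes" | wc -l | tr -d ' ') change(s)"
        fi
    done
}

# Usage: ./recent_syscheck.sh [DAYS]   (default 1 = today only, like the one-liner)
if [ -x "$SYSCHECK_CONTROL" ]; then
    report "${1:-1}"
else
    echo "$SYSCHECK_CONTROL not found: run this on the OSSEC server" >&2
fi
```

Run it on the OSSEC server as root; "./recent_syscheck.sh 2" covers yesterday and today, which is the form to use from a daily cron job so nothing falls between two runs.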


Re-Add the Mysql Configuration

This is a manual procedure to remove OSSEC's MySQL configuration and set it up again. Eventually it will be merged into ASL directly.


1) Check that /etc/asl/config contains the database settings:

 OSSEC_DATABASE_SERVER="localhost"
 OSSEC_DATABASE="tortix"
 OSSEC_DATABASE_USERNAME="tortix"
 OSSEC_DATABASE_PASSWORD="YOURPASSWORD"

2) Remove any existing database configuration from /var/ossec/etc/ossec.conf, i.e. this entire section. Note that the hostname here is 127.0.0.1, so ossec-dbd connects over TCP rather than through the MySQL socket, and the MySQL account created for it has to permit a connection from that host:


 <database_output>
   <hostname>127.0.0.1</hostname>
   <username>tortix</username>
   <password>YOURPASSWORD</password>
   <database>tortix</database>
   <type>mysql</type>
 </database_output>

3) Drop the database (mysqladmin asks for confirmation before dropping; answer y):

For Plesk:

 mysqladmin -u admin -p drop tortix

For Other environments:

 mysqladmin -u root -p drop tortix

4) Remove the tortix user. Both accounts are removed, the one restricted to localhost and the one valid from any host ('%'); if one of them does not exist, that DROP USER reports an error, which can be ignored for that account.

For Plesk:

 mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'%';"
 mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'localhost';"

For Other environments:

 mysql -u root -p mysql -e "drop user 'tortix'@'%';"
 mysql -u root -p mysql -e "drop user 'tortix'@'localhost';"

5) Re-create the database and user with:

 /var/asl/bin/ossec_database_setup.sh

6) Update the security policy with (this will also trigger the database activation event in ossec):

 asl -s -f

Then check /var/ossec/logs/ossec.log for a line like this, which confirms that ossec-dbd reached the database:

 2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
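The six steps above as one script, an added example written for this page rather than the ASL tool (/var/asl/bin/ossec_database_setup.sh) or anything from OSSEC. It reads the database name, user and password from /etc/asl/config, removes every old account for that user (including the '%' one), recreates the database and grants the account only SELECT and INSERT on it, with the grant's host part limited to where ossec-dbd connects from instead of '%'. Credentials travel through a mode-0600 option file and through the SQL on stdin, not through a command line. It assumes KEY="value" lines in /etc/asl/config, the schema path /var/ossec/etc/mysql/mysql.schema, the MySQL 5.x behaviour of GRANT ... IDENTIFIED BY creating the account, that SELECT and INSERT are all ossec-dbd needs (an assumption; widen the GRANT if your schema version needs more), and that GRANT_HOST (default 127.0.0.1, matching the <hostname> in ossec.conf above) is the client host as MySQL sees it. The function and variable names and the test data are the example's own.

```shell
#!/bin/sh
# Added example: rebuild the OSSEC alert database and its MySQL account from
# /etc/asl/config. Not from the Atomicorp wiki, ASL or OSSEC. Assumptions:
#   /etc/asl/config holds KEY="value" lines as shown on this page;
#   the schema file is /var/ossec/etc/mysql/mysql.schema;
#   ossec-dbd needs SELECT and INSERT on its tables and nothing else;
#   GRANT ... IDENTIFIED BY creates the account (MySQL 5.x behaviour);
#   GRANT_HOST is the host ossec-dbd connects from as MySQL sees it
#   (127.0.0.1 for <hostname>127.0.0.1</hostname> in ossec.conf).

ASL_CONFIG=${ASL_CONFIG:-/etc/asl/config}
SCHEMA=${SCHEMA:-/var/ossec/etc/mysql/mysql.schema}
GRANT_HOST=${GRANT_HOST:-127.0.0.1}

# cfg KEY [FILE]: value of KEY="value" (quotes optional) from FILE; last one wins.
cfg() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "${2:-$ASL_CONFIG}" | tail -n 1
}

# sql_str STRING: STRING as a single-quoted SQL literal, embedded quotes doubled.
sql_str() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# is_ident NAME: true when NAME is a plain identifier (letters, digits, _),
# so it can be spliced into a statement unquoted.
is_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# rebuild_sql DB USER PASS HOST: emit statements that remove every old account
# named USER (whatever its host, including the '%' one the page drops),
# recreate DB, and grant USER@HOST only what ossec-dbd needs on DB.
# Prints nothing and fails if DB or USER is not a plain identifier, so a bad
# config value can never be spliced into the SQL.
rebuild_sql() {
    is_ident "$1" && is_ident "$2" || return 1
    cat <<EOF
DELETE FROM mysql.user WHERE User = $(sql_str "$2");
DELETE FROM mysql.db WHERE User = $(sql_str "$2");
DELETE FROM mysql.tables_priv WHERE User = $(sql_str "$2");
FLUSH PRIVILEGES;
DROP DATABASE IF EXISTS $1;
CREATE DATABASE $1;
GRANT SELECT, INSERT ON $1.* TO $(sql_str "$2")@$(sql_str "$4") IDENTIFIED BY $(sql_str "$3");
FLUSH PRIVILEGES;
EOF
}

# rebuild ADMIN_USER ADMIN_PASS: run the statements, then load the schema.
# The admin credentials go through an option file (mktemp creates it 0600) and
# the tortix password is inside the SQL on stdin, so neither is ever an argv
# entry (mysql blanks its -p argument after start-up, but ps can see it before).
rebuild() {
    rb_db=$(cfg OSSEC_DATABASE)
    rb_user=$(cfg OSSEC_DATABASE_USERNAME)
    rb_pass=$(cfg OSSEC_DATABASE_PASSWORD)
    [ -n "$rb_db" ] && [ -n "$rb_user" ] && [ -n "$rb_pass" ] || { echo "incomplete $ASL_CONFIG" >&2; return 1; }
    rb_sql=$(rebuild_sql "$rb_db" "$rb_user" "$rb_pass" "$GRANT_HOST") || { echo "bad database or user name in $ASL_CONFIG" >&2; return 1; }
    rb_opt=$(mktemp) || return 1
    printf '[client]\nuser=%s\npassword=%s\n' "$1" "$2" > "$rb_opt"
    printf '%s\n' "$rb_sql" | mysql --defaults-extra-file="$rb_opt" &&
        mysql --defaults-extra-file="$rb_opt" "$rb_db" < "$SCHEMA"
    rb_status=$?
    rm -f "$rb_opt"
    return $rb_status
}

# Usage: ./rebuild_ossec_db.sh ADMIN_USER PASSWORD_FILE
#   Plesk: ./rebuild_ossec_db.sh admin /etc/psa/.psa.shadow
#   then run "asl -s -f" and check ossec.log for "Connected to database"
if [ $# -eq 2 ]; then
    rebuild "$1" "$(cat "$2")"
fi
```

Run it as root, then "asl -s -f" as in step 6 and look for the ossec.log line above. If ossec-dbd logs an access-denied error instead, GRANT_HOST does not match the host MySQL sees the connection from; set it accordingly (for example GRANT_HOST=localhost when ossec.conf points at the socket) and run the script again.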

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Rule 1002 is OSSEC's catch-all for a log line that contains a generic error keyword but matches no more specific rule, so OSSEC has no further information about the event. The event is not caused by ASL; it is emailed to the user for further investigation. If you get a 1002 alert, look at the log line quoted in it and contact the vendor of the product that produced it for assistance with the error.
