Difference between revisions of "Ossec"

From Atomicorp Wiki
(Re-Add the Mysql Configuration)
Line 86: Line 86:
  
 
4) Remove the tortix user:
 
4) Remove the tortix user:
  mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "delete from user where User = 'tortix';"
+
 
 +
mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'%';"
 +
mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'localhost';"
  
 
5) re-create the databases and users with:
 
5) re-create the databases and users with:
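Review bot: the replacement `drop user` statements are the right fix for the old `delete from user where User = 'tortix';` line, which only edits the row in `mysql.user`, leaves any rows for that account in the other grant tables behind, and does not take effect until `FLUSH PRIVILEGES`, whereas `DROP USER` removes the account and its privileges in one step. Keep the two new lines as separate statements rather than merging them into `drop user 'tortix'@'%', 'tortix'@'localhost';`, because a combined statement fails as a whole if either account is already absent. Also note that the `-p\`cat /etc/psa/.psa.shadow\`` form places the admin password on the command line, where it is visible in the process list to every local user while the command runs; the interactive `-p` used by step 3's `mysqladmin -u admin -p drop tortix`, or a client options file, avoids that exposure.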

Revision as of 13:25, 4 August 2010


Overview

OSSEC is a host-based intrusion detection system. It performs numerous local security controls, including log analysis, active response to attacks (shunning), rootkit detection, file integrity checks, and local security policy assessments, to name a few. You can read more about OSSEC here: http://www.ossec.net


Announcements

OSSEC 2.1.1 (https://atomicrocketturtle.com/forum/viewtopic.php?f=8&t=3295): testing build for the 2.1.1 release candidate

OSSEC 2.0 Final: the official 2.0 release has been published to the ASL-2.0 channel

OSSEC 2.0.0-0.090205 test build: this update addresses the MySQL issues mentioned in the troubleshooting section

Troubleshooting

Error: Missing Dependency: libpq.so.3 is needed by package ossec-hids-server

This occurs on CentOS4 systems that use the CentOSPlus repository when updating to OSSEC 2.0. It can be resolved with:


yum install postgresql-devel


Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)

This is a known problem in OSSEC 1.6.1 and earlier. Currently the fix requires upgrading to a newer version:


Step 1) Upgrade to a CVS snapshot (1.99 or higher)

 yum upgrade ossec-hids

Step 2) Update ASL policy

 asl -s -f

Step 3) Drop the existing tortix database

 mysql -u admin -p`cat /etc/psa/.psa.shadow`
 drop database tortix;

Step 4) Create a new database, and select it

 create database tortix;
 use tortix;
 quit

Step 5) Create the new OSSEC database

 mysql -u admin -p`cat /etc/psa/.psa.shadow` tortix < /var/ossec/etc/mysql/mysql.schema

Step 6) Restart OSSEC

 /etc/init.d/ossec-hids restart


Check for file system changes on all agents

This is a quick little script to poll all agents for file system changes recorded today:

 # List agent IDs (first CSV field of "syscheck_control -l -s"), then show each
 # agent's syscheck entries whose timestamp starts with today's "YYYY Mon DD".
 for i in `/var/ossec/bin/syscheck_control -l -s | cut -d "," -f 1`; do
   echo "For agent $i"
   /var/ossec/bin/syscheck_control -s -i $i | grep "`date +\"%Y %b %d\"`"
 done


Re-Add the Mysql Configuration

This is a manual procedure to remove and re-configure the OSSEC MySQL output. Eventually it will be merged into ASL directly.


1) Check /etc/asl/config

 OSSEC_DATABASE_SERVER="localhost"
 OSSEC_DATABASE="tortix"
 OSSEC_DATABASE_USERNAME="tortix"
 OSSEC_DATABASE_PASSWORD="YOURPASSWORD"

2) Remove any database lines from /var/ossec/etc/ossec.conf, i.e. this entire section:


 <database_output>
   <hostname>127.0.0.1</hostname>
   <username>tortix</username>
   <password>YOURPASSWORD</password>
   <database>tortix</database>
   <type>mysql</type>
 </database_output>

3) Drop the database:

 mysqladmin -u admin -p drop tortix

4) Remove the tortix user:

 mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'%';"
 mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "drop user 'tortix'@'localhost';"

5) Re-create the databases and users with:

 /var/asl/bin/ossec_database_setup.sh

6) Update the security policy with (this will also trigger the database activation event in ossec):

 asl -s -f

Then check your ossec.log to see if it says something like this:

 2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
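The following is an added example, not code from the Atomicorp wiki, ASL or the OSSEC project. It scripts the checks around steps 1, 2 and 6 of this procedure: it reads the OSSEC_DATABASE_* keys from /etc/asl/config, reads the <database_output> block from ossec.conf, reports which of username, password and database disagree between the two files (the server field is deliberately not compared, since the page itself shows "localhost" in one file and "127.0.0.1" in the other), strips the <database_output> block as step 2 requires, and confirms from ossec.log that ossec-dbd reported "Connected to database". It uses regular expressions rather than an XML parser because ossec.conf may contain several top-level <ossec_config> elements and so is not always a single-root XML document. All file contents below are constructed samples embedded inline; the password mismatch in them is deliberate, to show the check firing.

```python
"""Added example: sanity checks for re-adding the OSSEC MySQL configuration.
Not part of the Atomicorp wiki, ASL or OSSEC; all inputs are constructed samples."""
import re

# Constructed sample of /etc/asl/config (step 1); only the OSSEC_DATABASE_* keys matter.
ASL_CONFIG = """\
# ASL settings (constructed sample)
OSSEC_DATABASE_SERVER="localhost"
OSSEC_DATABASE="tortix"
OSSEC_DATABASE_USERNAME="tortix"
OSSEC_DATABASE_PASSWORD="YOURPASSWORD"
"""

# Constructed sample of /var/ossec/etc/ossec.conf containing the block step 2 removes.
# The password is intentionally different from the ASL one to exercise the check.
OSSEC_CONF = """\
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>

  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>tortix</username>
    <password>OTHERPASSWORD</password>
    <database>tortix</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
"""

# Constructed sample of ossec.log after step 6 (the second line mirrors the page's example).
OSSEC_LOG = """\
2009/07/03 10:16:30 ossec-dbd: INFO: Started (pid: 1234).
2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
"""

ASL_KEY_RE = re.compile(r'^(OSSEC_DATABASE[A-Z_]*)="([^"]*)"\s*$', re.M)
DB_BLOCK_RE = re.compile(r'[ \t]*<database_output>.*?</database_output>[ \t]*\n?', re.S)
DB_FIELD_RE = re.compile(r'<(hostname|username|password|database|type)>([^<]*)</\1>')
DBD_OK_RE = re.compile(r"ossec-dbd: Connected to database '([^']*)' at '([^']*)'")


def parse_asl_config(text):
    """Return the OSSEC_DATABASE_* keys of /etc/asl/config as a dict (step 1)."""
    return dict(ASL_KEY_RE.findall(text))


def parse_database_output(conf):
    """Return the fields of the first <database_output> block, or None if there is none."""
    m = DB_BLOCK_RE.search(conf)
    if m is None:
        return None
    return dict(DB_FIELD_RE.findall(m.group(0)))


def remove_database_output(conf):
    """Step 2: delete every <database_output> block; the rest of the file is untouched."""
    return DB_BLOCK_RE.sub('', conf)


def config_mismatches(asl, dbout):
    """Names of the ossec.conf fields whose value differs from /etc/asl/config.
    hostname is not compared: 'localhost' (socket) and '127.0.0.1' (TCP) differ to
    MySQL, and the page's own samples use one in each file."""
    pairs = [('OSSEC_DATABASE_USERNAME', 'username'),
             ('OSSEC_DATABASE_PASSWORD', 'password'),
             ('OSSEC_DATABASE', 'database')]
    return [field for key, field in pairs if asl.get(key) != dbout.get(field)]


def dbd_connected(log):
    """(database, host) from the last ossec-dbd 'Connected to database' line, or None."""
    hits = DBD_OK_RE.findall(log)
    return hits[-1] if hits else None


if __name__ == '__main__':
    asl = parse_asl_config(ASL_CONFIG)
    dbout = parse_database_output(OSSEC_CONF)
    print('fields differing from /etc/asl/config:', config_mismatches(asl, dbout))
    stripped = remove_database_output(OSSEC_CONF)
    print('database_output still present after step 2:', parse_database_output(stripped) is not None)
    print('ossec-dbd connected:', dbd_connected(OSSEC_LOG))
```

On a real system, replace the three constants with the contents of /etc/asl/config, /var/ossec/etc/ossec.conf and ossec.log; a non-empty mismatch list before step 3 explains most "could not connect" failures after step 6, and `dbd_connected` returning None after the restart means the database activation event has not fired yet.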

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

This rule means that OSSEC has no further information about this event. The event is not caused by ASL, and it is emailed to the user for further investigation. If you get a 1002 alert, contact the vendor of the product that produced the event for assistance with the error.
