Difference between revisions of "Ossec"
Revision as of 09:22, 3 July 2009
Overview
OSSEC is a host-based intrusion detection system. It performs numerous local security controls, including log analysis, active response to attacks (shunning), rootkit detection, file integrity checking and local security policy assessment, to name a few. You can read more about OSSEC here: http://www.ossec.net
Announcements
OSSEC 2.0 Final: the official 2.0 release has been published to the ASL-2.0 channel.
OSSEC 2.0.0-0.090205 test build: this update addresses the MySQL issues mentioned in the troubleshooting section.
Troubleshooting
Error: Missing Dependency: libpq.so.3 is needed by package ossec-hids-server
This occurs when updating to OSSEC 2.0 on CentOS 4 systems that use the CentOSPlus repository. It can be resolved with:
yum install postgresql-devel
Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
This is a known problem in OSSEC 1.6.1 and lower. The fix is to upgrade to a newer version and rebuild the OSSEC database:
Step 1) Upgrade to a CVS snapshot (1.99 or higher)
yum upgrade ossec-hids
Step 2) Update the ASL policy
asl -s -f
Step 3) Drop the existing tortix database
mysql -u admin -p`cat /etc/psa/.psa.shadow` -e "drop database tortix;"
Step 4) Create a new, empty tortix database
mysql -u admin -p`cat /etc/psa/.psa.shadow` -e "create database tortix;"
Step 5) Load the OSSEC schema into it
mysql -u admin -p`cat /etc/psa/.psa.shadow` tortix < /var/ossec/etc/mysql/mysql.schema
Step 6) Restart OSSEC
/etc/init.d/ossec-hids restart
Note that -p`cat /etc/psa/.psa.shadow` places the admin password on the mysql command line, where other local users can read it from the process list while the client runs; on a shared host use -p with no value and enter the password at the prompt instead.
Check for file system changes on all agents
This is a quick script that polls every agent for file system changes recorded today. syscheck_control -l -s lists the agents in CSV form, cut takes the first field (the agent ID), and the grep keeps only the entries stamped with today's date:
for i in `/var/ossec/bin/syscheck_control -l -s | cut -d "," -f 1`; do echo "For agent $i" ; /var/ossec/bin/syscheck_control -s -i $i | grep "`date +\"%Y %b %d\"`"; done
Re-Add the Mysql Configuration
This is a manual procedure to remove OSSEC's MySQL configuration and set it up again. Eventually it will be merged into ASL directly.
1) Check that /etc/asl/config carries the database settings ASL will use to rebuild the configuration:
OSSEC_DATABASE_SERVER="localhost"
OSSEC_DATABASE="tortix"
OSSEC_DATABASE_USERNAME="tortix"
OSSEC_DATABASE_PASSWORD="YOURPASSWORD"
2) Remove any database lines from /var/ossec/etc/ossec.conf, i.e. this entire section:
<database_output>
  <hostname>127.0.0.1</hostname>
  <username>tortix</username>
  <password>YOURPASSWORD</password>
  <database>tortix</database>
  <type>mysql</type>
</database_output>
3) Drop the database (mysqladmin prompts for the admin password):
mysqladmin -u admin -p drop tortix
4) Remove the tortix user and reload the grant tables; a direct DELETE from mysql.user does not take effect until FLUSH PRIVILEGES runs:
mysql -u admin -p`cat /etc/psa/.psa.shadow` mysql -e "delete from user where User = 'tortix'; flush privileges;"
5) Re-create the database and user with:
/var/asl/bin/ossec_database_setup.sh
6) Update the security policy (this also triggers the database activation event in OSSEC):
asl -s -f
Then check /var/ossec/logs/ossec.log for a line like the following, which confirms that ossec-dbd reached the new database:
2009/07/03 10:16:34 ossec-dbd: Connected to database 'tortix' at '127.0.0.1'.
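The shell helper below is an added example for this page and is not part of ASL or OSSEC. It checks the end state of the procedure above (and of the database rebuild in the Troubleshooting section): that /etc/asl/config and the database_output section of ossec.conf agree on the database name, username and password, that ossec.conf carries exactly one database_output section, and that ossec.log holds an ossec-dbd connection line naming that database. The default paths are the standard ASL and OSSEC locations; the hostname is deliberately not compared, because ASL stores "localhost" while ossec.conf carries 127.0.0.1, as the page's own listings show.

```shell
#!/bin/sh
# check_ossec_db.sh - verify the end state of the "Re-Add the Mysql Configuration" procedure.
# Added example for this page; it is not part of ASL or OSSEC. The default paths are the
# standard ASL/OSSEC locations; pass other paths as arguments to run it against copies.

# Value of KEY="value" in /etc/asl/config (last definition wins, quotes stripped).
asl_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Text of <tag>value</tag> inside the first <database_output> block of ossec.conf.
conf_value() {
    sed -n '/<database_output>/,/<\/database_output>/p' "$1" \
        | sed -n "s/.*<$2>\(.*\)<\/$2>.*/\1/p" | head -n 1
}

# Number of <database_output> sections; step 2 of the procedure leaves exactly one.
db_sections() {
    n=$(grep -c '<database_output>' "$1" || true)   # grep -c exits 1 when the count is 0
    echo "${n:-0}"
}

# Most recent ossec-dbd connection line in ossec.log (empty when there is none).
last_dbd_connect() {
    grep 'ossec-dbd: Connected to database' "$1" | tail -n 1
}

# check_ossec_db [asl_config] [ossec.conf] [ossec.log]
# Prints one OK/FAIL line per check and returns 0 only when every check passes.
# The hostname is not compared: ASL stores "localhost" while ossec.conf carries 127.0.0.1.
check_ossec_db() {
    asl_conf=${1:-/etc/asl/config}
    ossec_conf=${2:-/var/ossec/etc/ossec.conf}
    ossec_log=${3:-/var/ossec/logs/ossec.log}
    rc=0

    sections=$(db_sections "$ossec_conf")
    if [ "$sections" -ne 1 ]; then
        echo "FAIL: $ossec_conf has $sections <database_output> sections, expected 1"
        rc=1
    fi

    # Database name and username must agree between the two files (safe to print).
    for pair in OSSEC_DATABASE:database OSSEC_DATABASE_USERNAME:username; do
        key=${pair%%:*}; tag=${pair#*:}
        want=$(asl_value "$asl_conf" "$key")
        have=$(conf_value "$ossec_conf" "$tag")
        if [ -z "$want" ] || [ "$want" != "$have" ]; then
            echo "FAIL: $key='$want' in $asl_conf but <$tag>$have</$tag> in $ossec_conf"
            rc=1
        else
            echo "OK: $key matches <$tag>"
        fi
    done

    # The password must agree too, but its value is never echoed.
    if [ -z "$(asl_value "$asl_conf" OSSEC_DATABASE_PASSWORD)" ] ||
       [ "$(asl_value "$asl_conf" OSSEC_DATABASE_PASSWORD)" != "$(conf_value "$ossec_conf" password)" ]; then
        echo "FAIL: OSSEC_DATABASE_PASSWORD in $asl_conf differs from <password> in $ossec_conf"
        rc=1
    fi

    # ossec-dbd must have reported a connection to the configured database.
    dbname=$(asl_value "$asl_conf" OSSEC_DATABASE)
    line=$(last_dbd_connect "$ossec_log")
    case "$line" in
        "")                     echo "FAIL: no 'ossec-dbd: Connected to database' line in $ossec_log"; rc=1 ;;
        *"database '$dbname'"*) echo "OK: $line" ;;
        *)                      echo "FAIL: ossec-dbd connected to a different database: $line"; rc=1 ;;
    esac
    return $rc
}

# Run the check when invoked directly as a script; sourcing the file only defines the functions.
if [ "$(basename -- "$0")" = "check_ossec_db.sh" ]; then
    check_ossec_db "$@"
fi
```

Run it as `sh check_ossec_db.sh` on the ASL host after step 6, or with explicit paths (`sh check_ossec_db.sh /etc/asl/config /var/ossec/etc/ossec.conf /var/ossec/logs/ossec.log`) against copied files. A non-zero exit with a FAIL line pointing at a username or password mismatch means ossec_database_setup.sh and the ossec.conf section were generated from different settings, which is exactly the state the "Can't connect" and re-add procedures exist to clear.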