
Install OSSEC (HIDS) and Prewikka (WebUI)

This article describes how to install the OSSEC host-based intrusion detection system and bring its alerts into a reasonably convenient and informative web interface. OSSEC can write alerts to syslog or a DBMS, or forward them to another IDS, Prelude. Prelude has seen little development in recent years, but it includes a good web interface, Prewikka. It can also accept events from IDSs other than OSSEC, Snort for example. First we install Prelude IDS, then Prewikka, and then connect OSSEC to Prelude. Along the way we will create two databases: one used by Prewikka to store user settings and the like, the other used by prelude-manager to store event data, which Prewikka then reads.

For the installation I will use a virtual machine with CentOS 6.4. Prelude IDS must be installed first. The developers provide installation instructions, from packages and from source, for almost all popular platforms, and the source code, RPMs and SRPMs can be downloaded from the same site.

Install Prelude Manager


Add the Prelude repository for CentOS/RHEL:
 [root@ossec ~]# yum install https://www.prelude-ids.org/attachments/download/297/prelude-ids-rhel-2-1.noarch.rpm

Next, install Prelude Manager and the packages needed to work with the shared database:
 [root@ossec ~]# yum install prelude-manager prelude-manager-db-plugin libpreludedb-mysql 

Start MySQL:
 [root@ossec ~]# /etc/init.d/mysqld start
 [root@ossec ~]# chkconfig mysqld on

Now create a database and user:
 [root@ossec ~]# mysql -u root -p
 mysql> CREATE database prelude;
 Query OK, 1 row affected (0.00 sec)
 mysql> GRANT ALL PRIVILEGES ON prelude.* TO prelude@'localhost' IDENTIFIED BY 'preludepasswd';
 Query OK, 0 rows affected (0.00 sec)
 [root@ossec ~]# mysql -u root prelude -p < /usr/share/libpreludedb/classic/mysql.sql

Edit the Prelude Manager config:
 [root@ossec ~]# vim /etc/prelude-manager/prelude-manager.conf 

Add the following lines there (or uncomment them):
 [db]
 type = mysql
 host = localhost
 port = 3306
 name = prelude
 user = prelude
 pass = preludepasswd


Now you need to create a profile for the Prelude Manager:
 [root@ossec ~]# prelude-admin add "prelude-manager" --uid 0 --gid 0
 Generating 2048 bits RSA private key... This might take a very long time.
 [Increasing system activity will speed-up the process].
 Generation in progress...

One caveat: as the program warns, key generation can take a very long time on a machine with little available entropy.
It can be sped up:
 [root@ossec ~]# yum install rng-tools
 [root@ossec ~]# rngd -r /dev/urandom
Note that this feeds /dev/urandom back into the kernel entropy pool, so the key is only as unpredictable as the state of /dev/urandom at that moment; a real hardware RNG is the better input for rngd if one is available.


After the key generation is complete, you can run the Prelude Manager:
 [root@ossec ~]# /etc/init.d/prelude-manager restart 

Make sure the server started normally by checking the log:
 Aug 19 05:36:33 ossec prelude-manager: INFO: server started (listening on 127.0.0.1 port 4690).
 Aug 19 05:36:33 ossec prelude-manager: INFO: Subscribing db[default] to active reporting plugins.
 Aug 19 05:36:33 ossec prelude-manager: INFO: Generating 1024 bits Diffie-Hellman key for TLS...


Prewikka installation


Install the necessary packages:
 [root@ossec ~]# yum install prewikka libpreludedb-python 

Create another database, for Prewikka:
 [root@ossec ~]# mysql -u root -p
 Enter password:
 mysql> CREATE database prewikka;
 Query OK, 1 row affected (0.00 sec)
 mysql> GRANT ALL PRIVILEGES ON prewikka.* TO prewikka@'localhost' IDENTIFIED BY 'prewikkapasswd';
 Query OK, 0 rows affected (0.01 sec)
 [root@ossec ~]# mysql -u root prewikka -p < /usr/share/prewikka/database/mysql.sql

Now edit the Prewikka configuration file and specify the correct databases:
 [root@ossec ~]# vim /etc/prewikka/prewikka.conf 

In our case, you need to add (or edit) the following lines:
 [idmef_database]
 type: mysql
 host: localhost
 user: prelude
 pass: preludepasswd
 name: prelude

 [database]
 type: mysql
 host: localhost
 user: prewikka
 pass: prewikkapasswd
 name: prewikka
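A classic mistake at this point is to point Prewikka's [idmef_database] at a database other than the one prelude-manager writes to in its [db] section (or at the prewikka database itself), after which the web interface comes up but never shows an event. The following added example, not part of the original article or of the Prelude project, checks that the two configuration files agree. It assumes the file layouts shown above (prelude-manager.conf uses "key = value", prewikka.conf uses "key: value") and uses constructed copies of both files as input.

```python
import configparser

# Constructed sample of /etc/prelude-manager/prelude-manager.conf ([db] section)
PRELUDE_MANAGER_CONF = """\
[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = preludepasswd
"""

# Constructed sample of /etc/prewikka/prewikka.conf (both database sections)
PREWIKKA_CONF = """\
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: preludepasswd
name: prelude

[database]
type: mysql
host: localhost
user: prewikka
pass: prewikkapasswd
name: prewikka
"""


def load_conf(text):
    """Parse an INI-style config; configparser accepts both '=' and ':' delimiters.
    strict=False tolerates repeated sections, and interpolation=None keeps a '%'
    in a password from being treated as a substitution."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    # prelude-manager.conf has top-level "include = ..." lines before any section
    # header; a dummy header keeps configparser from rejecting them.
    parser.read_string("[__top__]\n" + text)
    return parser


def check_prewikka_wiring(manager_text, prewikka_text):
    """Return a list of problems. An empty list means Prewikka reads the
    database prelude-manager writes to, and Prewikka's own settings database
    is a different one."""
    manager = load_conf(manager_text)
    prewikka = load_conf(prewikka_text)
    if not manager.has_section("db"):
        return ["prelude-manager.conf has no [db] section; events will not be stored"]
    problems = []
    for section in ("idmef_database", "database"):
        if not prewikka.has_section(section):
            problems.append(f"prewikka.conf lacks [{section}]")
    if problems:
        return problems
    db = manager["db"]
    idmef = prewikka["idmef_database"]
    for key in ("type", "host", "name", "user"):
        if db.get(key) != idmef.get(key):
            problems.append(
                f"[idmef_database] {key}={idmef.get(key)!r} does not match "
                f"prelude-manager [db] {key}={db.get(key)!r}"
            )
    if db.get("pass") != idmef.get("pass"):
        problems.append("[idmef_database] password differs from prelude-manager [db] password")
    if prewikka["database"].get("name") == idmef.get("name"):
        problems.append("[database] and [idmef_database] point at the same database")
    return problems


if __name__ == "__main__":
    # To check the live files, read /etc/prelude-manager/prelude-manager.conf and
    # /etc/prewikka/prewikka.conf into these two strings instead.
    for line in check_prewikka_wiring(PRELUDE_MANAGER_CONF, PREWIKKA_CONF) or ["configuration consistent"]:
        print(line)
```

Run it as root (the Prelude config holds the database password) before starting Apache; an empty problem list is the expected result for the settings used in this article.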

Now install Apache:
 [root@ossec ~]# yum install httpd 

Create a virtual host:
 [root@ossec ~]# vim /etc/httpd/conf.d/prewikka.conf 

 <VirtualHost *:80>
     ServerName my.server.org
     Setenv PREWIKKA_CONFIG "/etc/prewikka/prewikka.conf"
     <Location "/">
         AllowOverride None
         Options ExecCGI
         <IfModule mod_mime.c>
             AddHandler cgi-script .cgi
         </IfModule>
         Order allow,deny
         Allow from all
     </Location>
     Alias /prewikka/ /usr/share/prewikka/htdocs/
     ScriptAlias / /usr/share/prewikka/cgi-bin/prewikka.cgi
 </VirtualHost>

It would seem that everything is ready, but several pitfalls await. First, SELinux must be disabled or configured; second, port 80 must be opened on the local firewall; third, permissions must be set on the directory holding the configuration file:
 [root@ossec ~]# chmod o+x /etc/prewikka/ 

However, if you try to log in to Prewikka now, an error occurs.
Check the logs:
 [root@ossec ~]# tail -f /var/log/httpd/error_log
 [Mon Aug 19 06:26:53 2013] [error] [client 172.16.86.1] from prewikka import utils, siteconfig, cairoplot
 [Mon Aug 19 06:26:53 2013] [error] [client 172.16.86.1] File "/usr/lib/python2.6/site-packages/prewikka/cairoplot.py", line 34, in <module>
 [Mon Aug 19 06:26:53 2013] [error] [client 172.16.86.1]
 [Mon Aug 19 06:26:53 2013] [error] [client 172.16.86.1] import cairo
 [Mon Aug 19 06:26:53 2013] [error] [client 172.16.86.1] ImportError
 [Mon Aug 19 06:26:53 2013] [error] [client 172.16.86.1] :
 [Mon Aug 19 06:26:53 2013] [error] [client 172.16.86.1] No module named cairo

Install the missing module:
 [root@ossec ~]# yum install cairo 

Now you can open the server in a browser and log in with the admin / admin username and password. Change this default password right after the first login.

OSSEC installation


Download the latest OSSEC archive from the project site. The same page notes that RPMs for RHEL/CentOS can be taken from the AtomiCorp repository. That option is not suitable for us, since OSSEC in that repository is built without libprelude support; it can, however, be used when installing agents on end servers.

So, download and unpack the latest version of OSSEC:
 [root@ossec ~]# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
 [root@ossec ~]# tar xvzf ossec-hids-2.7.tar.gz

Now, to compile OSSEC, install libprelude-devel, a compiler and make:
 [root@ossec ~]# yum install libprelude-devel gcc make 

Set the compilation options:
 [root@ossec ~]# cd ossec-hids-2.7/src/
 [root@ossec src]# make setprelude

Run the installation:
 [root@ossec src]# ../install.sh 

The installation script asks a few questions: which language to use, the type of installation, and so on. The most important thing is to choose the correct installation type, in our case server. I also do not recommend enabling the active response function without first reading its manual and tuning it for your environment.
 OSSEC HIDS v2.7 Installation Script - http://www.ossec.net
 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail to dcid@ossec.net (or daniel.cid@gmail.com).
 - System: Linux ossec 2.6.32-358.el6.x86_64
 - User: root
 - Host: ossec
 -- Press ENTER to continue or Ctrl-C to abort. --
 1- What kind of installation do you want (server, agent, local, hybrid or help)? server
 - Server installation chosen.
 2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]:
 - Installation will be made at /var/ossec .
 3- Configuring the OSSEC HIDS.
 3.1- Do you want e-mail notification? (y/n) [y]: n
 --- Email notification disabled.
 3.2- Do you want to run the integrity check daemon? (y/n) [y]:
 - Running syscheck (integrity check daemon).
 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
 - Running rootcheck (rootkit detection).
 3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user.
 More information at: http://www.ossec.net/en/manual.html#active-response
 - Do you want to enable active response? (y/n) [y]: n
 - Active response disabled.
 3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
 - Remote syslog enabled.
 3.6- Setting the configuration to analyze the following logs:
 -- /var/log/messages
 -- /var/log/secure
 -- /var/log/maillog
 -- /var/log/httpd/error_log (apache log)
 -- /var/log/httpd/access_log (apache log)
 - If you want to monitor any other file, just change the ossec.conf and add a new localfile entry.
 Any questions about the configuration can be answered by visiting us online at http://www.ossec.net .
 --- Press ENTER to continue ---

After the final press of Enter, OSSEC is compiled and copied to the installation directory (by default /var/ossec/).

Now specify in the configuration file that events must be sent to prelude-manager:
 [root@ossec src]# vim /var/ossec/etc/ossec.conf 

In the <global> section, add the line <prelude_output>yes</prelude_output>.
It should look like this:
 <ossec_config>
   <global>
     <email_notification>no</email_notification>
     <prelude_output>yes</prelude_output>
   </global>
   <rules>
     <include>rules_config.xml</include>
     <include>pam_rules.xml</include>
     <include>sshd_rules.xml</include>
     ...
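For servers built by script rather than by hand, the edit above is easy to get wrong: the option is only honoured inside <global>, a second copy left behind by a re-run is confusing, and ossec.conf is not guaranteed to be one well-formed XML document (OSSEC accepts several <ossec_config> blocks in one file), so rewriting it through an XML library can drop comments or choke. The following added example, which is my own code and not part of OSSEC or of the original article, makes the change on the raw text instead, idempotently, and includes a check function for verifying a hand edit. The ossec.conf excerpt it operates on is constructed to match the listing above.

```python
import re

# Constructed excerpt of /var/ossec/etc/ossec.conf as the installer writes it
OSSEC_CONF = """\
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
  </rules>
</ossec_config>
"""

# First <global> block, and the prelude_output option with its value
GLOBAL_RE = re.compile(r"(<global>)(.*?)(</global>)", re.DOTALL)
PRELUDE_RE = re.compile(r"<prelude_output>\s*(\w+)\s*</prelude_output>")


def prelude_output_state(conf_text):
    """Return the prelude_output value ('yes', 'no', ...) from the first <global>
    block, or None if the option is absent there. An occurrence outside <global>
    is deliberately ignored, because OSSEC ignores it too."""
    m = GLOBAL_RE.search(conf_text)
    if not m:
        return None
    p = PRELUDE_RE.search(m.group(2))
    return p.group(1).lower() if p else None


def enable_prelude_output(conf_text):
    """Return conf_text with <prelude_output>yes</prelude_output> inside <global>.
    Works on the raw text so comments and layout survive, and running it twice
    yields the same result. If no <global> block exists, one is created at the
    top of the first <ossec_config> block."""
    if "<ossec_config>" not in conf_text:
        raise ValueError("not an ossec.conf: no <ossec_config> element")
    m = GLOBAL_RE.search(conf_text)
    if m:
        body = m.group(2)
        if PRELUDE_RE.search(body):
            # Option present (possibly 'no'): flip the first occurrence to 'yes'
            new_body = PRELUDE_RE.sub("<prelude_output>yes</prelude_output>", body, count=1)
        else:
            # Option absent: append it just before </global>, keeping indentation
            new_body = body.rstrip() + "\n    <prelude_output>yes</prelude_output>\n  "
        return conf_text[:m.start(2)] + new_body + conf_text[m.end(2):]
    block = "  <global>\n    <prelude_output>yes</prelude_output>\n  </global>\n"
    return conf_text.replace("<ossec_config>", "<ossec_config>\n" + block, 1)


if __name__ == "__main__":
    # To change the live file, read /var/ossec/etc/ossec.conf into conf_text and
    # write the result back (keeping a backup copy first).
    updated = enable_prelude_output(OSSEC_CONF)
    print(updated)
    print("prelude_output is now:", prelude_output_state(updated))
```

Restart OSSEC after writing the file; prelude_output_state() run on the saved file should report "yes".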


Now connect OSSEC to Prelude. Run the registration server in one console:
 [root@ossec ~]# prelude-admin registration-server prelude-manager
 The "p9gnqy98" password will be requested by "prelude-admin register" in order to connect.
 Please remove the quotes before using it.
 Generating 1024 bits Diffie-Hellman key for anonymous authentication...
 Waiting for peers install request on 0.0.0.0:5553...
 Waiting for peers install request on :::5553...

In the other console, register OSSEC with the command:
 [root@ossec ~]# prelude-admin register OSSEC "idmef:w" 127.0.0.1 --uid ossec --gid ossec
 Generating 2048 bits RSA private key... This might take a very long time.
 [Increasing system activity will speed-up the process].
 Generation in progress... X

As before, key generation can be sped up with the command:
 [root@ossec ~]# rngd -r /dev/urandom 

As soon as key generation completes, you will be prompted in the second console for the one-time password. In this case it is "p9gnqy98".
Now restart both daemons:
 [root@ossec ~]# /etc/init.d/prelude-manager start
 [root@ossec ~]# /etc/init.d/ossec start


If you now log in to Prewikka, you will see the notifications and alerts coming from OSSEC.
On the Agents tab, the agent list should show prelude-manager and OSSEC.

Results


So, we installed Prelude IDS on our server and configured it to write its alerts to the MySQL DBMS installed on the same server. We also created a second database for the Prewikka web interface, which is part of Prelude IDS. After that, we compiled OSSEC HIDS with the option that lets it send events not only to syslog or a DBMS but also directly to Prelude.
Now, when suspicious events appear in the logs, OSSEC generates an alert, writes it to the /var/ossec/logs/ossec.log file and sends it to Prelude IDS. Prelude in turn writes it to the database, and Prewikka, when you log in, displays all these events in readable form.

Quite a few things have been left out of this article which, if readers are interested, could each fill more than one article:
for example, how to install OSSEC on a server without a compiler, how to configure and maintain the Prelude databases, how to install and configure OSSEC agents on other servers, and how to write your own event generation rules for OSSEC.

Source: https://habr.com/ru/post/190500/

