OSSEC (Open Source Host-based Intrusion Detection System) is a host-based intrusion detection system. If your task is to check the integrity of files on your servers, log various actions on them, collect security events from your servers (and from other sources) together with notifications about those events, produce reports and much more, then OSSEC is a good fit. OSSEC can run locally, in an agent + server scheme, and in hybrid mode (agent -> server -> server). We will look at the agent + server scheme and at hybrid mode.
Contents
- OSSEC installation
- Configuring the OSSEC configuration file
- Adding agents
- Configuring the configuration file for agents
- Email alerts
- Working with agents and receiving reports
- Output to other systems
- OSSEC in hybrid mode

OSSEC installation
We install on Ubuntu 14.04. Install the packages needed to build OSSEC:
apt-get install make gcc libssl-dev
Download OSSEC from the official site, unpack it and enter the source directory:
wget http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
tar -xvf ossec-hids-2.8.2.tar.gz
cd ossec-hids-2.8.2
Run the installation script ./install.sh and choose a language (en). Answer the questions:
1) What kind of installation do you want (server, agent, local, hybrid or help)? server
2) Choose where to install the OSSEC HIDS [/var/ossec]: accept the default.
3) Do you want e-mail notification? (y/n) [y]: y, then enter the e-mail address and the SMTP server.
4) Do you want to run the integrity check daemon? (y/n) [y]: y
5) Do you want to run the rootkit detection engine? (y/n) [y]: y
6) Do you want to enable active response? (y/n) [n]: this is the IPS mode; enable it only if you want OSSEC to react to events automatically.
7) Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
Wait for the installation to complete.
By default OSSEC is installed in /var/ossec/: binaries in /var/ossec/bin/, configuration files in /var/ossec/etc/, logs in /var/ossec/logs/. For agents to talk to the server, port 1514/udp must be open on the server (restrict it to the agents' addresses where you can).
Configure the OSSEC configuration file
Open the config file.
nano /var/ossec/etc/ossec.conf
Section global. In this section, inside <ossec_config>, we set up e-mail alerts:
<global>
  <email_notification>yes</email_notification>
  <email_to>ivanov@ossec.ru</email_to>
  <smtp_server>mail.ossec.ru</smtp_server>
  <email_from>ossec@ossec.ru</email_from>
  <email_maxperhour>100</email_maxperhour>
</global>
Section syscheck. This section contains the file integrity check parameters:
<syscheck>
  <frequency>18000</frequency>  <!-- seconds, i.e. every 5 hours -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/boot,/opt,/lib,/lib64</directories>
  <ignore>/etc/mtab</ignore>
</syscheck>
Let us look at additional parameters for checking file integrity. If the scan has to run at a specific time, use the scan_time or scan_day parameter:
<scan_time>04:00</scan_time>  <!-- 4 a.m. -->
If we need constant monitoring of integrity of any files, in this case there is a realtime parameter:
<directories realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
Realtime monitoring cannot be enabled for an individual file; you specify the directory that contains it. You can also run a scan when OSSEC starts:
<scan_on_start>yes</scan_on_start>
If we need to enable notifications about new files appearing in directories, we can use the alert_new_files parameter:
<alert_new_files>yes</alert_new_files>
The rootcheck section points to the files with rootkit signatures (rootkit_files.txt and rootkit_trojans.txt in /var/ossec/etc/shared/).
The localfile sections list the log files that OSSEC will monitor.
Based on the decoders and rules in /var/ossec/etc/decoder.xml and /var/ossec/rules/, OSSEC processes the events from these log files. Out of the box OSSEC ships with a large set of rules; you can enable and disable them in the rules section. If these rules are not enough or some of them are outdated, nothing stops you from changing them or writing your own.
The command and active-response sections hold the IPS configuration. You can define a response to any event. /var/ossec/active-response/bin/ contains the default scripts that can be run when an event fires; if they are not enough, add your own.
Adding agents
apt-get install make gcc libssl-dev
Install the OSSEC agent from the same distribution, but select agent mode during installation.
3.1- What's the IP Address of the OSSEC HIDS server? Give the IP address of our OSSEC server. Enable the integrity check and rootkit detection modules again and wait for the installation to complete. Now the agent has to be connected to our server. There are two ways to do this.
1st method
Go to the server and launch the agent management manager:
/var/ossec/bin/manage_agents
Choose (A)dd an agent. Enter a name for the agent, then its IP address, then the agent ID (you can keep the ID that OSSEC offers).
Confirm adding it? (y/n): y
Next choose (E)xtract key for an agent and enter the ID of the new agent. Copy the base64 line and press Enter, then choose (Q)uit to leave the agent manager. The key is a shared secret that authenticates and encrypts the agent's traffic, so move it to the agent over a secure channel (for example over ssh), not by mail or chat. Restart the server so the new agent is picked up:
/etc/init.d/ossec restart
Next go to the agent and open the agent manager there:
/var/ossec/bin/manage_agents
Choose (I)mport key from the server, paste the copied key, confirm adding the agent and quit. Then start the agent:
/etc/init.d/ossec start
A mail notification should arrive saying that a new agent has connected. On the server, check that the agent is connected:
/var/ossec/bin/agent_control -l
Your agent should be listed as Active. In /var/ossec/logs/alerts/alerts.log you should also see the events:
New ossec agent connected.
Agent successfully added.
2nd method
On the server, generate a key and certificate for ossec-authd:
openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
We start the daemon that will wait for the registration of agents on port 1515:
/var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
Go to the machine with the agent and register it (192.168.1.113 is the IP address of the OSSEC server):
/var/ossec/bin/agent-auth -m 192.168.1.113 -p 1515
Start the agent with /etc/init.d/ossec start. Go back to the server and check that the agent has appeared:
/var/ossec/bin/agent_control -l
The new agent should be there; its name is the agent's hostname. For the agent to connect successfully, the OSSEC server has to be restarted. This method is very convenient because the OSSEC administrator does not have to handle keys by hand. Both the server and the agent must be built with the libssl-dev package installed for it to work. Keep in mind that in 2.8 ossec-authd does not authenticate the agent: anyone who can reach port 1515 can register a new agent, so run it only while enrolling agents and restrict access to the port with a firewall.
Configuring the agent configuration file
Configuring the agent's configuration file is not much different from configuring the server's. It has the same syscheck, rootcheck, localfile and other sections. It is more convenient, however, to keep a single configuration file for all agents on the server; the agents then fetch this file and its subsequent changes themselves.
To do this, create an agent.conf file on the server in /var/ossec/etc/shared/. This will be the shared configuration file. In it you can define different configurations for the agents, selected by several criteria:
- Agent name. You can configure several agents at once by listing their names:
<agent_config name="agentname1|agentname2|agentname3"> </agent_config>
- Server profile. You can make configurations for server groups (for example, web servers, databases, etc.):
<agent_config profile="web-servers"> </agent_config>
- OS type. You can make configurations depending on the type of OS:
<agent_config os="Linux,Windows"> </agent_config>
To verify the syntax in the config file for agents, you can use:
/var/ossec/bin/verify-agent-conf
As a result, only a few lines need to stay in /var/ossec/etc/ossec.conf on the agent:
<ossec_config>
  <client>
    <server-hostname>dns_name_of_the_server</server-hostname>
    <!-- or, by address: <server-ip>ip_of_the_server</server-ip> -->
    <config-profile>web-servers,lowmemory</config-profile>
  </client>
</ossec_config>
The agent picks up the rest of its configuration from the server.
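The fragments above show the three selectors separately. The following is an added example of a complete shared agent.conf that combines them, not a file from the original article or from the OSSEC project: a block without attributes that applies to every agent, a profile block for the "web-servers" profile used earlier, a name block for two database hosts, and an OS block for Windows agents. The agent names (db1, db2) and the log paths are assumptions for the sake of the example.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the OSSEC server (added example) -->

<!-- No attributes: this block applies to every agent. -->
<agent_config>
  <syscheck>
    <frequency>18000</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</agent_config>

<!-- Agents whose ossec.conf has <config-profile>web-servers</config-profile>. -->
<agent_config profile="web-servers">
  <syscheck>
    <!-- realtime works on directories, not on single files -->
    <directories realtime="yes" check_all="yes">/var/www</directories>
  </syscheck>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>   <!-- assumed path -->
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>    <!-- assumed path -->
  </localfile>
</agent_config>

<!-- Specific agents, selected by the name given in manage_agents. -->
<agent_config name="db1|db2">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mysql/error.log</location>      <!-- assumed path -->
  </localfile>
</agent_config>

<!-- Windows agents: read the Security event log. -->
<agent_config os="Windows">
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
</agent_config>
```

Check the file with /var/ossec/bin/verify-agent-conf before relying on it; a syntax error means the agents silently keep their previous configuration. Blocks are cumulative, so a web server agent gets the common syscheck settings plus the web-servers ones, and a change in agent.conf is applied on the agents after they are restarted (see agent_control -R below).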
Email Alerts
We have already set the e-mail alert settings in the global section of the server's OSSEC configuration file. Every OSSEC rule has a severity level; to receive e-mail only for alerts at or above a certain level, configure this in the alerts section:
<alerts> <log_alert_level>1</log_alert_level> <email_alert_level>7</email_alert_level> </alerts>
We can also send e-mail alerts for events from specific rule groups (the groups are defined in the OSSEC rules) to a separate address:
<email_alerts> <email_to>web_admin@ossec.ru</email_to> <group>apache</group> </email_alerts>
If we want to receive SMS messages, OSSEC has a special short format for this:
<email_alerts> <email_to>admin@ossec.ru</email_to> <level>7</level> <format>sms</format> </email_alerts>
Working with agents and receiving reports
Get a list of all agents:
/var/ossec/bin/agent_control -l
Get information about an agent:
/var/ossec/bin/agent_control -i agent_id
The interesting field here is the checksum of the configuration file. It can be compared with the configuration on the server:
md5sum /var/ossec/etc/shared/agent.conf
If the checksums do not match, the agent has not picked up the config from the server.
Restart an agent (usually needed to apply changes in the agents' config):
/var/ossec/bin/agent_control -R agent_id
Force an integrity check and rootkit scan on all agents:
/var/ossec/bin/agent_control -r -a
The same, but only for a specific agent:
/var/ossec/bin/agent_control -r -u agent_id
Reset (clear) the syscheck checksum database:
/var/ossec/bin/syscheck_update -h
  -l          List available agents.
  -a          Update (clear) syscheck database for all agents.
  -u <id>     Update (clear) syscheck database for a specific agent.
  -u local    Update (clear) syscheck database locally.
To produce reports in the console, use ossec-reportd, feeding it alerts from alerts.log (or from the gzipped archives) on stdin:
/var/ossec/bin/ossec-reportd
Examples (-s prints a summary, -f filters by a field such as group or rule):
- Summary of all alerts in the current log:
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s
- Summary for one archived day:
zcat /var/ossec/logs/alerts/2014/Dec/ossec-alerts-29.log.gz | /var/ossec/bin/ossec-reportd -s
- Only file integrity (syscheck) alerts:
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f group syscheck
- Failed logins via PAM (rule 5503):
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 5503
- Failed SSH authentications (rule 5716):
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 5716
- Packages installed (rule 2902) and removed (rule 2903) through dpkg:
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 2902
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 2903
- SSH brute force attempts (rule 5712):
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 5712
- Summary for a whole month of archives:
zcat /var/ossec/logs/alerts/2009/Jul/*.gz | /var/ossec/bin/ossec-reportd -s
Reports on checksum changes for a specific agent or a specific file come from syscheck_control (-i agent_id lists the changed files of an agent, -f /path prints the history of one file):
/var/ossec/bin/syscheck_control
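ossec-reportd does its counting on the alerts.log format shown in the examples above. The following added script (not part of the original article or of OSSEC) does the same by hand with awk, so you can see what the -f rule and -f group filters actually match on: the "Rule:" line and the comma-separated group list at the end of the "** Alert" header. The alerts embedded in the script are constructed to match the alerts.log format and are not real data; the hostnames, agent names and IP addresses are invented.

```sh
#!/bin/sh
# Added example: summarise an OSSEC alerts.log with awk, mirroring
# "ossec-reportd -s -f rule <id>" and "-f group <name>". Sample alerts below
# are constructed for the example (agents web1/db1, attacker 203.0.113.5).

ALERTS="${ALERTS:-$(mktemp)}"
cat > "$ALERTS" <<'EOF'
** Alert 1419840000.0: - syslog,sshd,authentication_failed,
2014 Dec 29 10:00:00 (web1) 192.168.1.50->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
Dec 29 10:00:00 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 4321 ssh2

** Alert 1419840060.1: - syslog,sshd,authentication_failed,
2014 Dec 29 10:01:00 (web1) 192.168.1.50->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: admin
Dec 29 10:01:00 web1 sshd[1240]: Failed password for invalid user admin from 203.0.113.5 port 4330 ssh2

** Alert 1419840120.2: mail  - syslog,sshd,authentication_failures,
2014 Dec 29 10:02:00 (web1) 192.168.1.50->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.5
Dec 29 10:02:00 web1 sshd[1251]: Failed password for invalid user admin from 203.0.113.5 port 4331 ssh2

** Alert 1419840180.3: mail  - ossec,syscheck,
2014 Dec 29 10:03:00 (db1) 192.168.1.60->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '9e107d9d372bb6826bd81d3542a419d6'

EOF

# count_rule ID -> number of alerts fired by rule ID (the "Rule: <id> (level N)" line)
count_rule() {
    awk -v id="$1" '$1 == "Rule:" && $2 == id { n++ } END { print n + 0 }' "$ALERTS"
}

# count_group NAME -> number of alerts whose group list on the header line contains NAME
count_group() {
    awk -v g="$1" '
        /^\*\* Alert / {
            groups = $0
            sub(/.* - /, "", groups)            # keep the part after the last " - "
            nf = split(groups, parts, ",")
            for (i = 1; i <= nf; i++) if (parts[i] == g) { n++; break }
        }
        END { print n + 0 }' "$ALERTS"
}

# top_src_ips -> "count ip" lines, most frequent first (the source-IP table of "ossec-reportd -s")
top_src_ips() {
    awk '$1 == "Src" && $2 == "IP:" { print $3 }' "$ALERTS" | sort | uniq -c | sort -rn
}

summary() {
    echo "sshd authentication failed (rule 5716): $(count_rule 5716)"
    echo "sshd brute force           (rule 5712): $(count_rule 5712)"
    echo "syscheck alerts                       : $(count_group syscheck)"
    echo "top source IPs:"
    top_src_ips
}

summary
```

Point ALERTS at a real /var/ossec/logs/alerts/alerts.log to run it against live data. The group filter matches whole group names, so "-f group sshd" counts both the 5716 and 5712 alerts (their group lists contain sshd) but not the syscheck one.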
Output to other systems
Besides writing events to the alerts files and sending e-mail alerts, OSSEC can be configured to forward events to other systems or to a database.
Output to the Prelude SIEM
To send events to the Prelude SIEM, install the libprelude-dev package before building the OSSEC server and enable Prelude support:
cd ossec-hids-2.8.2/src/
make setprelude
cd ..
./install.sh
Enable output from OSSEC to prelude-manager: open /var/ossec/etc/ossec.conf and add <prelude_output>yes</prelude_output> to the global section.
Now register OSSEC with Prelude. In one terminal run:
prelude-admin registration-server prelude-manager
The "p9dfqy34" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...
In another terminal, register OSSEC with:
prelude-admin register OSSEC "idmef:w" 127.0.0.1 --uid ossec --gid ossec
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed up the process].
Generation in progress...
Enter the one-time password printed by the registration server when asked. Now start both daemons:
/etc/init.d/prelude-manager start
/etc/init.d/ossec restart
Events from OSSEC can now be seen in Prelude.
Output of events to a database
To write events to a database, add database support before installing OSSEC:
cd ossec-hids-2.8.2/src/
make setdb
cd ..
./install.sh
Then add the database connection parameters to the configuration file. Example:
<ossec_config>
  <database_output>
    <hostname>192.168.2.32</hostname>
    <username>db_test</username>
    <password>db_pass1</password>
    <database>ossecdb</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
Supported databases: MySQL and PostgreSQL.
The database schemas are in the official documentation.
Next, enable database output and restart:
/var/ossec/bin/ossec-control enable database
/var/ossec/bin/ossec-control restart
Output to other systems via syslog
Add the following lines to the configuration file:
<syslog_output>
  <server>ip_address</server>
  <port>514</port>
  <format>default</format>
</syslog_output>
Enable the output:
/var/ossec/bin/ossec-control enable client-syslog
Syslog output from OSSEC is commonly used to feed events into Splunk, Logstash and various SIEMs.
OSSEC in hybrid mode
Hybrid mode is used to build the scheme agent -> server -> primary server, in other words to forward events to a main OSSEC server. In this mode both an OSSEC server and an OSSEC agent run on the same host.
To install OSSEC in hybrid mode, run the installation script, choose the hybrid installation mode, answer all the questions and give the IP address of the main server when asked.
All files of the agent part live in /var/ossec/ossec-agent/.
The agent is started, stopped and restarted with:
/var/ossec/ossec-agent/bin/ossec-control start|stop|restart
To add this agent to the main server, you also need to import a key created on the main server:
/var/ossec/ossec-agent/bin/manage_agents
This agent then reads /var/ossec/logs/alerts/alerts.log and sends those events to the main server.
When I worked with this mode, the agent stopped reading this log after some time. Installing this patch helped with the problem:
github.com/ddpbsd/ossec-hids/tree/ossecalert
Now there are 135 agents on my OSSEC server, both Windows and Linux (Ubuntu, Debian, CentOS).
Links
- www.ossec.net
- Book: OSSEC HIDS Host-Based Intrusion Detection Guide