Installing OSSEC on Centos 5.7


OSSEC is an open source host-based IDS that performs log analysis, and is able to correlate and analyse logs for a number of Linux (and Windows, but that is outside the scope of this blog post) servers. The software architecture of OSSEC and the use of agents, lends OSSEC to flexible deployment and management [1].

Set-up the Atomic repository that already has the appropriate OSSEC packages and install them would be the easiest way. However I have a strong dislike for the use of the /var partition (most system administrators, hmm… well at-least I have always, set this up as a separate partition for ease of management and security reasons) as an install location, esp. when it has been specified as a “noexec” partition.

*Please Note: * Firstly, there are a number of dependencies of some of the set-up below, such as Apache, PHP, MySQL, but the installation and secure configuration of these services are beyond the scope of this blog post. Secondly, the configuration below is only to set-up OSSEC as a monitor and not run it in IPS, i.e. as an active response alert handler.

Installation using the repository

  1. wget https://www.atomicorp.com/installers/atomic -O atomic.sh
  2. . ./atomic.sh
  3. yum -y update
  4. yum -y install ossec-hids ossec-hids-server ossec-wui

Installation using the tar ball source

Download, compile and install the source

wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz

tar zxvf ossec-hids-2.6.tar.gz

cd ossec-hids-2.6/src

make clean

make setdb

make all

cd ..

./install.sh

  1. en
  2. local
  3. /opt/ossec
  4. y
  5. user@domain
  6. mx.domain
  7. y
  8. y
  9. n

Setup mysql DB for logging

Grant access to database

  1. mysql -u root -p
  2. grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@localhost;
  3. set password for ossecuser@localhost=PASSWORD(‘PASSWD’);
  4. quit;

Create database and tables

  1. mysqladmin -u root -p create ossec
  2. mysql -u root -p ossec < src/os_dbd/mysql.schema

Edit the /opt/ossec/etc/ossec.conf file

  1. Check the wiki to setup logging to the database and syslog [2]

Install the Web User Interface, you will need Apache and php

Again, the installation and secure configuration of Apache is beyond the scope of this blog post. 

wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz

tar zxvf ossec-wui-0.3.tar.gz

mkdir -p /var/www/html/ossec-wui

cp -rf ./ossec-wui-0.3/* /var/www/html/ossec-wui/

cd /var/www/html/ossec-wui/

./setup.sh

Edit the ossec_conf.php to point to the ossec installation completed in the previous stage

  1. $ossec_dir=”/opt/ossec”;

Start the OSSEC services

  1. /opt/ossec/bin/ossec-control enable database
  2. /opt/ossec/bin/ossec-control enable client-syslog
  3. /opt/ossec/bin/ossec-control start

Possible Errors:

When executing OSSEC-WUI you may get a page that displays. "Unable to access OSSEC directory”. Ensure that the user that your Apache web server runs as, e.g. httpd or apache is added to the ossec group

  1. usermod -a -G ossec apache.

"Unable to retrieve alerts”. Ensure that you web server is able to open the alerts file. This issue is two fold, firstly ensure that the web server has permissions to open the file and secondly that the fopen command is enabled in PHP.

  1. safe_mode Off
  2. safe_mode_gid On

These two are no so much error, but warning that will be annoy your syslog server, but depend on your PHP configuration.

PHP Warning:  shell_exec() has been disabled for security reasons - This is because of a uname -a query in the /var/www/html/ossec-wui/lib/os_lib_agent.php script;

  1. //$agent_list[$agent_count]{‘os’} = `uname -a`;
  2. $agent_list[$agent_count]{‘os’} = “Linux”;

PHP Warning:  fseek() expects parameter 3 to be long - This may be a simple programming error in the /var/www/html/ossec-wui/lib/os_lib_alerts.php

  1. //fseek($fp, $seek_place, “SEEK_SET”);
  2. fseek($fp, $seek_place );

References:

  1. http://en.wikipedia.org/wiki/OSSEC
  2. http://www.ossec.net/wiki

See also