Category Archives: OSSEC

OSSEC Agent installation in Linux Step by Step

OSSEC Agent Installation on Linux 

Step 1

Download the OSSEC agent tarball and unpack it with the command below:

tar xf ossec-hids-2.8.1.tar.gz

Step 2

It will be unpacked into a directory called ossec-hids-2.8.1. Go to that directory.

cd ossec-hids-2.8.1/

Step 3

Then start the installation.

Select agent mode when installing OSSEC on the server machines and end hosts that are to be monitored.

[Screenshot: OSSEC-Agent-Linux-1]

Step 4

Set the configuration path (the default is /var/ossec).

[Screenshot: OSSEC-Agent-Linux-2]

Step 5

Enter the IP address of the OSSEC server/manager (example: 192.168.1.10).

[Screenshot: OSSEC-Agent-Linux-3]

Step 6

Enable the integrity check feature of OSSEC in agent (client) mode.

[Screenshot: OSSEC-Agent-Linux-4]

Step 7

Enable the rootkit detection and active response features.

[Screenshot: OSSEC-Agent-Linux-5]

[Screenshot: OSSEC-Agent-Linux-6]

Step 8

Press Enter to start the installation process.

[Screenshot: OSSEC-Agent-Linux-7]

Step 9

The following screen shows the start/stop script and the configuration path for OSSEC. Press Enter to complete the installation process.

[Screenshot: OSSEC-Agent-Linux-8]

Step 10

Add Agent to Server and Extract Its Key

On the OSSEC server, start the process of adding the agent.

/var/ossec/bin/manage_agents

You will then be presented with the options shown below. Choose A to add an agent.

   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

Then you’ll be prompted to specify a name for the agent, its IP address, and an ID. Make the name unique, because it will help you filter the alerts received from this agent on the server.

For the ID, you may accept the default by pressing ENTER.

Once you have entered all three fields, enter y to confirm.

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agentUbuntu
   * The IP Address of the new agent: your_agent_ip
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:agentUbuntu
   IP Address:111.111.111.111

Confirm adding it?(y/n): y

Agent added.

Step 11

After that, you’ll be returned to the main menu. Now you have to extract the agent’s key. Make sure you copy it, because you’ll have to enter it on the agent.

... Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: agentUbuntu, IP: 111.111.111.111

Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIGFnZW50VWJ1bnyEwNjI5MjI4ODBhMDkzMzA4MR1IXXwNC4yMzYuMjIyLjI1MSBiMTI2U3MTI4YWYzYzg4M2YyNTRlYzM5M2FmNGVhNDYTIwNDE3NDI1NWVkYmQw

** Press ENTER to return to the main menu.

Step 12

After pressing ENTER, you’ll be returned to the main menu again. Type q to quit.

... Choose your action: A,E,L,R or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting ..

Step 13

Import The Key From Server to Agent

This section has to be completed on the agent. It involves importing the agent’s key extracted on the server by pasting it into the agent’s terminal. To start, switch to root by typing:

sudo su

Then type:

/var/ossec/bin/manage_agents

You’ll be presented with these options:

   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

After typing the correct option, follow the directions to copy and paste the key generated on the server.

Agent information:
   ID:001
   Name:test
   IP Address:104.236.222.251

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

Back to the main menu, type q to quit:

Choose your action: I or Q: q

This completes the agent installation in Linux.


OSSEC Agent Installation in Windows Step-by-Step

Installing the OSSEC agent on a Windows server

Step 1

Create a new OSSEC key for the agent on the server.

Step 2

manage_agents on the OSSEC server

The server version of manage_agents provides an interface to:

  • add an OSSEC agent to the OSSEC server
  • extract the key for an agent already added to the OSSEC server
  • remove an agent from the OSSEC server
  • list all agents already added to the OSSEC server.

Step 3:

To add an agent, run the command below:

/var/ossec/bin/manage_agents

The manage_agents menu:

****************************************
* OSSEC HIDS v2.5-SNP-100809 Agent manager. *
* The following options are available:      *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:

Typing a letter and pressing Enter will start that function.

Step 4:

Adding an agent

To add an agent, type A at the start screen:

Choose your action: A,E,L,R or Q: A 

You are then prompted to provide a name for the new agent. This can be the hostname or another string to identify the system. In this example the agent name will be agent1.

Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: agent1

After that you have to specify the IP address for the agent:

   * The IP Address of the new agent: 192.168.2.1/32

The last information you will be asked for is the ID you want to assign to the agent.

An ID for the new agent[001]:

As the final step in creating an agent, you have to confirm adding the agent:

Agent information:
   ID:002
   Name:agent1
   IP Address:192.168.2.1/32

Confirm adding it?(y/n): y

Agent added. After that, manage_agents appends the agent information to /var/ossec/etc/client.keys and returns to the start screen.

Step 5:

Extracting the key for an agent

After adding an agent, a key is created. This key must be copied to the agent. To extract the key, use the E option in the manage_agents start screen. You will be given a list of all agents on the server. To extract the key for an agent, simply type in the agent ID. Note that you have to enter all digits of the ID, including the leading zeros.

Choose your action: A,E,L,R or Q: E

Available agents:
   ID: 001, Name: agent1, IP: 192.168.2.1/32

Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAyIGFnZW50MSAxOTIuMTY4LjIuMC8yNCBlNmY3N2RiMTdmMTJjZGRmZjg5YzA4ZDk5m

** Press ENTER to return to the main menu.

The key is encoded in the string (shortened for this example) MDAyIGFnZW50MSAxOTIuMTY4LjIuMC8yNCBlNmY3N2RiMTdmMTJjZGRmZjg5YzA4ZDk5Mm and includes information about the agent. This string is added to the agent through the agent version of manage_agents.
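Before pasting the key on the agent, it is worth confirming that it is the right one. The following is an added Python example, not code from this post or from OSSEC, which decodes the key string into the fields it carries (the extracted key is the base64 form of one line of the manager's /var/ossec/etc/client.keys, "ID name IP key") and compares it with the manager's line; the sample key and client.keys line are constructed, and the handling of the literal address "any" follows what manage_agents accepts.

```python
# Added example (not from the original post or from OSSEC): decode and check an
# OSSEC agent key string before importing it. manage_agents prints the key as
# base64 of one /var/ossec/etc/client.keys line: "<ID> <NAME> <IP|CIDR|any> <hex>".
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentKey:
    agent_id: str  # zero-padded numeric ID, e.g. "001"
    name: str      # agent name given to manage_agents, e.g. "agent1"
    address: str   # IP address, CIDR range, or "any"
    secret: str    # shared secret, lowercase hex


_ID_RE = re.compile(r"^\d{3,}$")
_HEX_RE = re.compile(r"^[0-9a-f]{32,}$")  # a truncated paste fails this check


def decode_agent_key(key_string: str) -> AgentKey:
    """Decode a manage_agents key string into its four fields, validating each."""
    try:
        raw = base64.b64decode(key_string.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid base64 agent key: {exc}") from exc
    parts = raw.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields (id name ip key), got {len(parts)}")
    agent_id, name, address, secret = parts
    if not _ID_RE.match(agent_id):
        raise ValueError(f"bad agent id {agent_id!r}: must be digits such as 001")
    if not _HEX_RE.match(secret):
        raise ValueError("secret is not a full lowercase hex key (truncated paste?)")
    if address != "any":  # manage_agents also accepts the literal "any"
        try:
            ipaddress.ip_network(address, strict=False)
        except ValueError as exc:
            raise ValueError(f"bad agent address {address!r}") from exc
    return AgentKey(agent_id, name, address, secret)


def matches_client_keys(key: AgentKey, client_keys_text: str) -> bool:
    """True if the manager's client.keys holds the same id, name, address and secret."""
    for line in client_keys_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and AgentKey(*fields) == key:
            return True
    return False


# Constructed sample (not a real key): the client.keys line the manager would
# hold for agent1 at 192.168.2.1/32, and the base64 string manage_agents prints.
SAMPLE_CLIENT_KEYS = "001 agent1 192.168.2.1/32 " + "ab12" * 16 + "\n"
SAMPLE_KEY_STRING = base64.b64encode(SAMPLE_CLIENT_KEYS.strip().encode()).decode()

if __name__ == "__main__":
    key = decode_agent_key(SAMPLE_KEY_STRING)
    print(f"agent {key.agent_id} ({key.name}) at {key.address}")
    print("matches manager client.keys:", matches_client_keys(key, SAMPLE_CLIENT_KEYS))
```

Run it on the agent with the pasted string and the manager's client.keys line at hand; a mismatch in ID, name or address means the key belongs to a different agent entry and the manager will reject the agent's messages.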

Step 6:

Download the OSSEC agent for Windows and save it on the machine where it is to be installed.

[Screenshot: OSSEC-Agent-1]

[Screenshot: OSSEC-Agent-2]

[Screenshots: OSSEC-Agent-4, OSSEC-Agent-3, OSSEC-Agent-5]

[Screenshot: OSSEC-Agent-6]

Step 7

In the OSSEC Server IP field, enter the IP address of the OSSEC server.

In the Authentication key field, enter the key extracted earlier.

Step 8

[Screenshot: OSSEC-Agent-7]

Click Save, then use the Manage menu to restart OSSEC.

PCI-DSS v3.1 Compliance with Zero cost

What is OSSEC?

OSSEC is an open-source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection and real-time alerting.

Can I address PCI-DSS v3.1 requirements using OSSEC?

Yes. By installing and configuring OSSEC in the VPC, we can easily address the PCI-DSS v3.1 requirements below at zero cost.

PCI-DSS v3.1 requirements related to OSSEC

Each entry below gives the PCI DSS requirement, its testing procedure, and the guidance from the standard.

Requirement 10.2
Implement automated audit trails for all system components to reconstruct the following events:

Testing procedure 10.2
Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings, perform the following:

Guidance
Generating audit trails of suspect activities alerts the system administrator, sends data to other monitoring mechanisms (like intrusion detection systems), and provides a history trail for post-incident follow-up. Logging of the following events enables an organization to identify and trace potentially malicious activities.

Requirement 10.5.5
Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Testing procedure 10.5.5
Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.

Guidance
File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file-integrity monitoring purposes, an entity usually monitors files that don’t regularly change, but when changed indicate a possible compromise.

Requirement 10.6.1
Review the following at least daily:

· All security events
· Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
· Logs of all critical system components
· Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

Testing procedure 10.6.1.a
Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools:

· All security events
· Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
· Logs of all critical system components
· Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)

Testing procedure 10.6.1.b
Observe processes and interview personnel to verify that the following are reviewed at least daily:

· All security events
· Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
· Logs of all critical system components
· Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

Guidance
Many breaches occur over days or months before being detected. Checking logs daily minimizes the amount of time and exposure of a potential breach.

Daily review of security events (for example, notifications or alerts that identify suspicious or anomalous activities) as well as logs from critical system components, and logs from systems that perform security functions, such as firewalls, IDS/IPS, file-integrity monitoring (FIM) systems, etc. is necessary to identify potential issues. Note that the determination of “security event” will vary for each organization and may include consideration for the type of technology, location, and function of the device. Organizations may also wish to maintain a baseline of “normal” traffic to help identify anomalous behavior.

Requirement 11.4
Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

Testing procedure 11.4.a
Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic:

· At the perimeter of the cardholder data environment
· At critical points in the cardholder data environment.

Testing procedure 11.4.b
Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises.

Testing procedure 11.4.c
Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.

Guidance
Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.

Requirement 11.5
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

Testing procedure 11.5.a
Verify the use of a change-detection mechanism within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities.

Testing procedure 11.5.b
Verify the mechanism is configured to alert personnel to unauthorized modification of critical files, and to perform critical file comparisons at least weekly.

Guidance
Examples of files that should be monitored:

· System executables
· Application executables
· Configuration and parameter files
· Centrally stored, historical or archived, log and audit files
· Additional critical files determined by entity (for example, through risk assessment or other means).

Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.

Requirement 12.10.5
Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.

Testing procedure 12.10.5
Verify through observation and review of processes that monitoring and responding to alerts from security monitoring systems, including detection of unauthorized wireless access points, are covered in the incident response plan.

Guidance
These monitoring systems are designed to focus on potential risk to data, are critical in taking quick action to prevent a breach, and must be included in the incident-response processes.


OSSEC INSTALLATION

Step 1

Install the necessary packages:

apt-get update

apt-get install build-essential inotify-tools

Step 2 — Download and Verify OSSEC

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz

Step 3 — Install OSSEC

OSSEC can be installed in server, agent, local or hybrid mode. The installation steps below are for monitoring the instance on which OSSEC itself is installed (local mode).

Before the installation can start, we have to extract the archive:

tar -zxf ossec-hids-2.8.1.tar.gz
cd ossec-hids-2.8.1

To see the contents of the directory that you’re now in, use the ls command by typing:

ls -l

You should see these files and directories:

drwxrwxr-x  4  4096 Sep  8 21:03 active-response
-rw-rw-r--  1   542 Sep  8 21:03 BUGS
-rw-rw-r--  1   289 Sep  8 21:03 CONFIG
drwxrwxr-x  6  4096 Sep  8 21:03 contrib
-rw-rw-r--  1  3196 Sep  8 21:03 CONTRIBUTORS
drwxrwxr-x  4  4096 Sep  8 21:03 doc
drwxrwxr-x  4  4096 Sep  8 21:03 etc
-rw-rw-r--  1  1848 Sep  8 21:03 INSTALL
-rwxrwxr-x  1 32019 Sep  8 21:03 install.sh
-rw-rw-r--  1 24710 Sep  8 21:03 LICENSE
-rw-rw-r--  1  1664 Sep  8 21:03 README.md
drwxrwxr-x 30  4096 Sep  8 21:03 src

To install OSSEC, run:

./install.sh

If your language is English, press ENTER. Otherwise, type the two letters for your language and press ENTER.

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:

After selecting the language, you should see this:

OSSEC HIDS v2.8 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

 - System: Linux kuruji 3.13.0-36-generic
 - User: root
 - Host: kuruji

 -- Press ENTER to continue or Ctrl-C to abort. --

After pressing ENTER, you should get:

1- What kind of installation do you want (server, agent, local, hybrid or help)? local

Type local and press ENTER. You should get:

  - Local installation chosen.

2- Setting up the installation environment.

  - Choose where to install the OSSEC HIDS [/var/ossec]:

Accept the default and press ENTER. After that, you’ll get:

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  - Do you want e-mail notification? (y/n) [y]:

Press ENTER.

  - What's your e-mail address? test@example.com

Type the email address where you want to receive notifications from OSSEC.

  - We found your SMTP server as: mail.example.com.
  - Do you want to use it? (y/n) [y]:
   --- Using SMTP server:  mail.example.com.

Press ENTER unless you have specific SMTP server settings you want to use.

Now it’s time to tell OSSEC which checks it should run. In response to each prompt from the script, accept the default by pressing ENTER.

ENTER for the integrity check daemon.

  - Do you want to run the integrity check daemon? (y/n) [y]:
   - Running syscheck (integrity check daemon).

ENTER for rootkit detection.

  - Do you want to run the rootkit detection engine? (y/n) [y]:
   - Running rootcheck (rootkit detection).

ENTER for active response.

  - Active response allows you to execute a specific command based on the events received.
    Do you want to enable active response? (y/n) [y]:
     Active response enabled.

Accept the defaults for firewall-drop response. Your output may show some IPv6 options – that’s fine.

   - Do you want to enable the firewall-drop response? (y/n) [y]:
     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 8.8.8.8
      - 8.8.4.4

   - Do you want to add more IPs to the white list? (y/n)? [n]:

You may add your IP address here, but that’s not necessary.

OSSEC will now present a default list of files that it will monitor. Additional files can be added after installation, so press ENTER.

Step 4 — Start OSSEC

By default OSSEC is configured to start at boot, but the first time, you’ll have to start it manually.

If you want to check its current status, type:

/var/ossec/bin/ossec-control status

At this point it reports that none of OSSEC’s processes are running.

To start OSSEC, type:

/var/ossec/bin/ossec-control start

You should see it starting up:

Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

If you check the status again, you should get confirmation that OSSEC is now running.

/var/ossec/bin/ossec-control status

This output shows that OSSEC is running:

ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

Right after starting OSSEC, you should get an email that reads like this:

OSSEC HIDS Notification.
2014 Nov 30 11:15:38

Received From: ossec2->ossec-monitord
Rule: 502 fired (level 3) -> "Ossec server started."
Portion of the log(s):

ossec: Ossec started.

OSSEC is now successfully installed. We will see how to install and configure agents in the next post.