OSSEC is a HIDS (Host-based Intrusion Detection System) that can perform real-time logfile analysis, rootkit detection, file integrity checking, and notification.
OSSEC works by assembling a “safe” profile of your system and then continuously checking files and processes for deviation from this profile. In particular, for a server that runs one or more public network services, real-time checksum monitoring is a very, very good idea.
Fortunately, this is easy to set up on Ubuntu 16. It’s also easy to use in a client-server configuration, but here we’re going to use a local-only installation.
OSSEC Installation and Setup
Install your compilation tools, inotify, and a SMTP system:
root@ubuntu:/# apt-get install build-essential inotify-tools postfix
Grab and install the current version of OSSEC:
root@ubuntu:/opt/# wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz root@ubuntu:/opt/# tar -xvzf ossec-hids-2.8.3.tar.gz root@ubuntu:/opt/# ossec-hids-2.8.3/install.sh
For now, we’ll mostly accept the installation defaults:
OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system. If you have any questions or comments, please send an e-mail to firstname.lastname@example.org (or email@example.com). - System: Linux myserver.com 4.4.0-31-generic - User: root - Host: myserver.com -- Press ENTER to continue or Ctrl-C to abort. -- 1- What kind of installation do you want (server, agent, local, hybrid or help)? local - Local installation chosen. 2- Setting up the installation environment. - Choose where to install the OSSEC HIDS [/var/ossec]: - Installation will be made at /var/ossec . 3- Configuring the OSSEC HIDS. 3.1- Do you want e-mail notification? (y/n) [y]: - What's your e-mail address? firstname.lastname@example.org - What's your SMTP server ip/host? localhost 3.2- Do you want to run the integrity check daemon? (y/n) [y]: - Running syscheck (integrity check daemon). 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: - Running rootcheck (rootkit detection). 3.4- Active response allows you to execute a specific command based on the events received. For example, you can block an IP address or disable access for a specific user. More information at: http://www.ossec.net/en/manual.html#active-response - Do you want to enable active response? (y/n) [y]: - Active response enabled. - By default, we can enable the host-deny and the firewall-drop responses. The first one will add a host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on ipfilter (if Solaris, FreeBSD or NetBSD). - They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You can also add them to block on snort events, for example. - Do you want to enable the firewall-drop response? (y/n) [y]: - firewall-drop enabled (local) for levels >= 6 - Default white list for the active response: - 18.104.22.168 - 22.214.171.124 - Do you want to add more IPs to the white list? (y/n)? [n]: 3.6- Setting the configuration to analyze the following logs: -- /var/log/auth.log -- /var/log/syslog -- /var/log/dpkg.log - If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net . --- Press ENTER to continue --- 5- Installing the system - Running the Makefile INFO: Little endian set. *** Making zlib (by Jean-loup Gailly and Mark Adler) *** make: Entering directory '/opt/ossec-hids-2.8.3/src/external' cd zlib-1.2.8/; ./configure; make libz.a; Checking for gcc... Checking for shared library support... Building shared library libz.so.1.2.8 with gcc. Checking for off64_t... Yes. Checking for fseeko... Yes. Checking for strerror... Yes. Checking for unistd.h... Yes. Checking for stdarg.h... Yes. [etc.] - System is Debian (Ubuntu or derivative). - Init script modified to start OSSEC HIDS during boot. - Configuration finished properly. - To start OSSEC HIDS: /var/ossec/bin/ossec-control start - To stop OSSEC HIDS: /var/ossec/bin/ossec-control stop - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf Thanks for using the OSSEC HIDS. If you have any question, suggestion or if you find any bug, contact us at email@example.com or using our public maillist at firstname.lastname@example.org ( http://www.ossec.net/main/support/ ). More information can be found at http://www.ossec.net --- Press ENTER to finish (maybe more information below). ---
Since we installed Postfix, we’re using localhost as our SMTP server. If you’re running ufw, you probably don’t need to open tcp/25 since egress is permitted by default.
Next, we’ll examine the main configuration file at /var/ossec/etc/ossec.conf. Here are the email notification settings:
<ossec_config> <global> <email_notification>yes</email_notification> <email_to>email@example.com</email_to> <smtp_server>localhost</smtp_server> <email_from>firstname.lastname@example.org</email_from> </global>
Here you see the email credentials you specified during installation. If you need to specify a different email address and/or SMTP server, this is the place to do so. Note that most email providers will bounce any incoming messages without a valid email_from value, so be sure to specify something like email@example.com.
By default, the OSSEC mailer sends 12 emails per hour, so you won’t be flooded with email alerts. You can increase or decrease that value by adding the
<email_notification>yes</email_notification> <email_to>firstname.lastname@example.org</email_to> <smtp_server>localhost</smtp_server> <email_from>email@example.com</email_from> <email_maxperhour>50</email_maxperhour>
The rules files are stored in /var/ossec/rules.
Next, start everything up:
root@ubuntu:/# /var/ossec/bin/ossec-control start Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)... Started ossec-maild... Started ossec-execd... Started ossec-analysisd... Started ossec-logcollector... Started ossec-syscheckd... Started ossec-monitord... Completed.
Check your email. If email notifications are working properly, you’ll see something like this:
OSSEC HIDS Notification. 2016 Dec 14 08:38:32 Received From: myserver.com->ossec-monitord Rule: 502 fired (level 3) -> "Ossec server started." Portion of the log(s): ossec: Ossec started. --END OF NOTIFICATION
If you don’t get a notification, syslog or mail.log will show you the fate of your missing email.
Real-Time Checksum Monitoring
To turn on real-time file change notification, go back into your /var/ossec/etc/ossec.conf file and look for the syscheck section:
<syscheck> <!-- Frequency that syscheck is executed - default to every 22 hours --> <frequency>79200</frequency> <!-- Directories to check (perform all possible verifications) --> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/bin,/sbin</directories> [etc.] </syscheck>
Change the frequency to 600 (seconds), add a few additional directives, and then adjust the
<syscheck> <!-- Frequency that syscheck is executed - default to every 22 hours --> <frequency>600</frequency> <alert_new_files>yes</alert_new_files> <scan_on_start>no</scan_on_start> <auto_ignore>no</auto_ignore> <!-- Directories to check (perform all possible verifications) --> <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin</directories> [etc.] </syscheck>
If you want to monitor your web directory, you can add something like this:
<directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.pl|.cgi|.sh|.html|.shtml" check_all="yes">/var/www</directories>
The “restrict” value restricts checking to only the specified filetypes.
Save the config file and restart everything (/var/ossec/bin/ossec-control restart). Next, try editing one of your system files, like /etc/sshd_config. The checksum of the file will change, triggering a syscheck notification:
OSSEC HIDS Notification. 2016 Dec 13 11:08:05 Received From: myserver.com->syscheck Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: '/etc/sshd_config' Old md5sum was: '0a7681e49e3c9fd82521273577bc579e' New md5sum is : '3df91f96d471ed54e0879b75cd6e2366' Old sha1sum was: 'b2fbe1fa175d4e18396dfc93217b065532e480b5' New sha1sum is : '339fe3061debb78c0a600090ea9a7ff7f655ac7c' --END OF NOTIFICATION
Obviously you’ll want to adjust ossec.conf to establish some reasonable notification types and frequency.
A Word About “New Files”
“Real-time” checking and new files are a big source of confusion. The software relies on inotify, which does not magically detect the addition of new files to a directory as they happen. Rather, the syscheck daemon performs scheduled full scans of the specified directories, assembles a list of files, compares this list to its checksums database, and then generates warnings for any files that don’t exist in the checksums database (/var/ossec/queue/syscheck/syscheck on Ubuntu). The point being that new files warnings will only happen when full scans are run. Since full scans are resource intensive, they only happen every few minutes at most.
New files warnings are also off by default. To enable them, you need to add one additional directive to the /var/ossec/rules/local_rules.xml (this in addition to the main syscheck configuration above):
<rule id="554" level="10" overwrite="yes"> <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as> <description>File added to the system.</description> <group>syscheck,</group> </rule>
Remember to restart OSSEC again after changing its config files. The “level” sets the warning threshold (by default, only levels 7 and above generate email warnings), while “overwrite” ensures this rule is acknowledged over the default 554 rule in /var/ossec/rules/ossec_rules.xml.
Test it out:
root@ubuntu:/# touch /etc/omg_hax
After a little while — on my test system it took about 30 minutes — you’ll get your email warning:
OSSEC HIDS Notification. 2016 Dec 14 12:03:56 Received From: myserver.com->syscheck Rule: 554 fired (level 10) -> "File added to the system." Portion of the log(s): New file '/etc/omg_hax' added to the file system. --END OF NOTIFICATION