Tuesday, January 17, 2012

Basic OSSEC

I've been using OSSEC for about a year now, and if you run any systems whose security you are actually concerned about, then you should be running it too...

For those that have no idea what OSSEC is:

"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. A list with all supported platforms is available here."

They've also made it trivial to install, to the point where I just wrapped the process into a shell script that I can deploy automatically on my own systems or those of customers. This one is for CentOS Linux, but it could be easily modified to do a source build for other distros...


 #!/bin/bash  
 log=/tmp/setup.log  
 wget -q -O atomicossec_installer.sh https://www.atomicorp.com/installers/atomic  
 chmod +x atomicossec_installer.sh  
 ./atomicossec_installer.sh  
 yum -y install ossec-hids ossec-hids-server >> $log 2>&1  
 cp -f ossec.conf.default /var/ossec/etc/ossec.conf  
 /var/ossec/bin/ossec-control enable client-syslog  
 /etc/init.d/ossec-hids start >> $log 2>&1  
 chkconfig ossec-hids on  

Notes:
1. ossec.conf.default is your own modified ossec.conf file, a template you want to reuse on multiple similar hosts. If you don't have one, ignore that line.

2. "/var/ossec/bin/ossec-control enable client-syslog" is necessary to allow the OSSEC server to collect raw syslog from other hosts. You will also need a section in your ossec.conf like the following to grant specific hosts or networks permission to send it:

 <remote>
   <connection>syslog</connection>
   <allowed-ips>192.168.148.103</allowed-ips>
   <allowed-ips>192.168.1.0/24</allowed-ips>
   <port>514</port>
 </remote>

3. For email alerts to work you'll need to modify the ossec.conf file to set the email_alerts value to "yes", and set a valid email address for it to send alerts to.
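As an added example (not part of the original post, and not OSSEC's own code), a small Python check for the two settings these notes cover: it accepts the multi-block ossec.conf layout and flags a malformed allowed-ips entry, an empty allow-list, a /0 entry that admits any source, or e-mail alerting that is off or has no recipient. The sample configuration is constructed; the element names email_notification and email_to are the ones OSSEC uses, while the address and the 10.0.0.300 entry are made up.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample for the two notes above; 10.0.0.300 is deliberately malformed.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec-alerts@example.com</email_to>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.148.103</allowed-ips>
    <allowed-ips>192.168.1.0/24</allowed-ips>
    <allowed-ips>10.0.0.300</allowed-ips>
    <port>514</port>
  </remote>
</ossec_config>"""

def check_remote_syslog(root):
    findings = []
    for r in root.iter("remote"):
        if (r.findtext("connection") or "").strip() != "syslog":
            continue
        allowed = [(e.text or "").strip() for e in r.findall("allowed-ips")]
        if not allowed:
            findings.append("syslog listener has no <allowed-ips>; every sender is refused")
        for entry in allowed:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append("invalid allowed-ips entry: %s" % entry)
                continue
            if net.prefixlen == 0:
                findings.append("allowed-ips %s accepts syslog from any source" % entry)
    return findings

def check_email(root):
    g = root.find(".//global")
    if g is None or (g.findtext("email_notification") or "").strip() != "yes":
        return ["email_notification is not set to yes"]
    if not (g.findtext("email_to") or "").strip():
        return ["email_notification is yes but no email_to address is set"]
    return []

def lint(text):
    # ossec.conf usually holds several top-level <ossec_config> blocks (not one
    # well-formed XML document), so wrap the whole file in a synthetic root first.
    root = ET.fromstring("<root>" + text + "</root>")
    return check_remote_syslog(root) + check_email(root)
```

Running lint() over the text of /var/ossec/etc/ossec.conf returns an empty list when both notes are satisfied.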

Friday, March 18, 2011

mention map

This is just a really cool Twitter visualization; I've added it to my Twitter page.

Saturday, February 5, 2011

Virtual Testbed

So I've found it necessary to test the IDS that's currently under development on multiple Linux systems... continuously.

So I will of course be shamelessly shilling for VirtualBox, even though it's controlled by Oracle now... mixed feelings aside, it still beats VMware as a desktop solution. The setup: snapshots of clean installs of various popular Linux distributions.

So far I've got my little virtual network running CentOS, Debian, Ubuntu, Fedora, and RHEL, since we mostly support apt/yum systems so far.

Initial observations: CentOS and RHEL are, obviously, almost identical. Debian is not that far off from CentOS, strangely, and everything works just like it should. Fedora and Ubuntu are a whole different world at times; they don't play by the same rules as their metaphorical parents, and so far that is where I've spent the most time trying to get things to work.

Any others I should add to this test setup?