How to Audit Information Security using Open Source Security tool OSSEC

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, root-kit detection, real-time alerting and active response. It runs on most operating systems, including Linux, Mac OS, Solaris, HP-UX, AIX and Windows.

OSSEC is a popular host-based intrusion detection system (HIDS) that is an open source project owned and sponsored by Trend Micro. The OSSEC customer list includes the likes of such high profile companies as Netflix, Samsung, Apple, Barnes & Noble, NASA and others who use OSSEC to monitor system logs, do file integrity checks, look for root-kits, check for registry changes (on Windows systems) and take actions based on security events that are detected.

OSSEC operates as an agent-server system. Agents monitor logs, files and (on Windows) registries, then send the relevant logs in encrypted form to the OSSEC server over UDP port 1514 (the default port). On the server, the logs are parsed with decoders and interpreted with rules that generate security alerts for events found in the log stream. OSSEC comes with a rich set of decoders and rules to track important system events, such as file changes, root logins, and much more. Users can add custom decoders and rules to monitor any files and generate alerts specific to their needs.

No matter how large or small your company is, you need to have a plan to ensure the security of your information assets. Such a plan is called a security program by information security professionals. Whether yours is five or 200 pages long, the process of creating a security program will make you think holistically about your organization’s security. A security program provides the framework for keeping your company at a desired security level by assessing the risks you face, deciding how you will mitigate them, and planning for how you keep the program and your security practices up to date.

How do you keep track of authorized and unauthorized activity on your server?

You, of course, need to have a server that you want to monitor. This tutorial assumes that you already have one and that it’s already set up for use. It can be a server that you just set up today or that you’ve been using for months. The most important thing is that you have access to it and can log in via SSH. Setting up OSSEC is not something you want to undertake when you still don’t know how to ssh into your server.

Prerequisites

  • Ubuntu 14.04 server
  • You should create a sudo user on the server, then switch to root:
    sudo su
  • Optional: If you want to send mail from a local SMTP server, you should install Postfix for simple email sending
  • Installation of OSSEC involves some compiling, so you need gcc and make installed. You can install both by installing a single package called build-essential
  • You also need to install a package called inotify-tools, which is required for real-time alerting to work

To install all required packages, first update the server:

apt-get update

Then install the packages:

apt-get install build-essential inotify-tools

Now that we have the preliminaries sorted out, let’s get to the fun part.

Step 1 — Download and Verify OSSEC

In this step, you’ll download the OSSEC tarball and a file containing its cryptographic checksums.

Since this is a security article, we’re going to do a little extra work to verify that we’re installing valid software. The idea is that you generate the MD5 and SHA1 checksums of the downloaded OSSEC tarball and compare them with those in the checksum file. If they match, then you can assume that the tarball has not been tampered with.

At the time of writing, the latest server edition of OSSEC is version 2.8.1. To download it, type:

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz

To download the checksum file, type:

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt

To verify that both files are in place, type:

ls -l ossec*

You should see the files:

ossec-hids-2.8.1-checksum.txt
ossec-hids-2.8.1.tar.gz

Now, let’s examine the checksum file with the cat command, like so:

cat ossec-hids-2.8.1-checksum.txt

Expected output:

MD5(ossec-hids-2.8.1.tar.gz)= c2ffd25180f760e366ab16eeb82ae382
SHA1(ossec-hids-2.8.1.tar.gz)= 0ecf1df09558dc8bb4b6f65e1fb2ca7a7df9817c

In the above output, the important parts are those to the right of the = sign. Those are the MD5 and SHA1 checksums of the tarball.

Now we’ll make sure the checksums we generate for the tarball match the checksums we downloaded.

To generate the MD5sum of the tarball, type:

md5sum ossec-hids-2.8.1.tar.gz

Expected output:

c2ffd25180f760e366ab16eeb82ae382  ossec-hids-2.8.1.tar.gz

Compare the generated MD5 checksum with the one in the checksum file. They should match.

Do the same for the SHA1 checksum by typing:

sha1sum  ossec-hids-2.8.1.tar.gz

Expected output:

0ecf1df09558dc8bb4b6f65e1fb2ca7a7df9817c  ossec-hids-2.8.1.tar.gz

If both match, you’re good to go. Step Two beckons.
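
The comparison in this step can be scripted instead of done by eye. The following is an added example, not part of the original tutorial or of OSSEC: the function names verify_checksums and selfcheck are made up for illustration, and the script assumes the checksum file uses the "MD5(name)= hex" / "SHA1(name)= hex" layout shown above. The self-check runs against constructed stand-in files, not the real tarball.

```sh
#!/bin/sh
# Added example (not from the OSSEC project): automate the Step 1 comparison.
# verify_checksums TARBALL CHECKSUM_FILE
# Reads "MD5(name)= hex" / "SHA1(name)= hex" lines, recomputes each digest
# locally, and returns 0 only if BOTH digests are present and match.
verify_checksums() {
    tarball=$1; sumfile=$2
    name=$(basename "$tarball")
    md5_ok=0; sha1_ok=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "MD5($name)= "*)  tool=md5sum ;;
            "SHA1($name)= "*) tool=sha1sum ;;
            *) continue ;;                      # ignore unrelated lines
        esac
        # Text right of "= ", stripped of whitespace/CR and lower-cased
        expected=$(printf '%s' "${line#*= }" | tr -d '[:space:]' | tr 'A-F' 'a-f')
        actual=$("$tool" "$tarball" | cut -d' ' -f1)
        if [ "$expected" != "$actual" ]; then
            echo "$tool mismatch for $name" >&2
            return 1
        fi
        if [ "$tool" = md5sum ]; then md5_ok=1; else sha1_ok=1; fi
    done < "$sumfile"
    [ "$md5_ok" -eq 1 ] && [ "$sha1_ok" -eq 1 ]
}

# Constructed self-check: a stand-in "tarball" and checksum file in a temp dir.
# Passes (returns 0) if the intact file verifies and a modified copy does not.
selfcheck() {
    dir=$(mktemp -d) || return 2
    f="$dir/sample.tar.gz"
    printf 'constructed sample payload\n' > "$f"
    {
        printf 'MD5(sample.tar.gz)= %s\n'  "$(md5sum "$f" | cut -d' ' -f1)"
        printf 'SHA1(sample.tar.gz)= %s\n' "$(sha1sum "$f" | cut -d' ' -f1)"
    } > "$dir/sample-checksum.txt"
    verify_checksums "$f" "$dir/sample-checksum.txt" || { rm -rf "$dir"; return 1; }
    printf 'x' >> "$f"                          # simulate a modified download
    if verify_checksums "$f" "$dir/sample-checksum.txt" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
}

# Usage with the files downloaded in this step:
#   verify_checksums ossec-hids-2.8.1.tar.gz ossec-hids-2.8.1-checksum.txt && echo OK
```

Because the tarball and the checksum file are both fetched from the same server over plain HTTP, a match shows that the tarball agrees with that checksum file; it does not by itself prove the checksum file is authentic.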

Step 2 — Install OSSEC

In this step, you’ll install OSSEC.

OSSEC can be installed in server, agent, local or hybrid mode. This installation is for monitoring the server that OSSEC is installed on. That means a local installation.

Before installation can start, you have to expand the file. You do that by typing:

tar -zxf ossec-hids-2.8.1.tar.gz

After that, you should have a directory named ossec-hids-2.8.1. To start installation, you have to change (cd) into that directory, which you do by typing:

cd ossec-hids-2.8.1

To see the contents of the directory that you’re now in, use the ls command by typing:

ls -lgG

The only file of interest to us in that listing is install.sh. That’s the OSSEC installation script. To initiate installation, type:

./install.sh

You will be prompted to answer some installation questions.

The first task that will be required of you is the selection of the language. As shown in the output below, the default is English. Throughout the installation process, if you’re required to make a selection, any entry in square brackets is the default. If the default is what you want, press the ENTER key to accept the default. Other than having to type your email address, we recommend that you accept all the defaults — unless you know what you’re doing.

Entries are shown in red.

So if your language is English, press ENTER. Otherwise, type the two letters for your language and press ENTER.

(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:

After selecting the language, you should see this:

OSSEC HIDS v2.8 Installation Script – http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.

You must have a C compiler pre-installed in your system.

- System: Linux kuruji 3.13.0-36-generic
- User: root
- Host: kuruji
-- Press ENTER to continue or Ctrl-C to abort. --

After pressing ENTER, you should get:

  1.  What kind of installation do you want (server, agent, local, hybrid or help)? local

Type local and press ENTER. You should get:

– Local installation chosen.

2.   Setting up the installation environment.

– Choose where to install the OSSEC HIDS [/var/ossec]:

Accept the default and press ENTER. After that, you’ll get:

– Installation will be made at  /var/ossec .

3.   Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]:

Press ENTER.

– What’s your e-mail address? [email protected]

Type the email address where you want to receive notifications from OSSEC.

– We found your SMTP server as: mail.example.com.

– Do you want to use it? (y/n) [y]:

— Using SMTP server:  mail.example.com.

Press ENTER unless you have specific SMTP server settings you want to use.

Now it’s time to let OSSEC know what checks it should be running. In response to any prompt from the script, accept the default by pressing ENTER.

ENTER for the integrity check daemon.

3.2- Do you want to run the integrity check daemon? (y/n) [y]:

– Running syscheck (integrity check daemon).

ENTER for rootkit detection.

3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

– Running rootcheck (rootkit detection).

ENTER for active response.

3.4- Active response allows you to execute a specific command based on the events received.

Do you want to enable active response? (y/n) [y]:

Active response enabled.

Accept the defaults for firewall-drop response. Your output may show some IPv6 options – that’s fine.

Do you want to enable the firewall-drop response? (y/n) [y]:

– firewall-drop enabled (local) for levels >= 6

– Default white list for the active response:

- 8.8.8.8
- 8.8.4.4

– Do you want to add more IPs to the white list? (y/n)? [n]:

You may add your IP address here, but that’s not necessary.

OSSEC will now present a default list of files that it will monitor. Additional files can be added after installation, so press ENTER.

3.6- Setting the configuration to analyze the following logs:

-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/dpkg.log

– If you want to monitor any other file, just change

the ossec.conf and add a new localfile entry.

Any questions about the configuration can be answered

by visiting us online at http://www.ossec.net .

— Press ENTER to continue —

By this time, the installer has all the information it needs to install OSSEC. Kick back and let the installer do its thing. Installation takes about 5 minutes. If installation is successful, you are now ready to start and configure OSSEC.

Note: One reason installation might fail is if a compiler is not installed. In that case, you’ll get an error like this:

5.  Installing the system

– Running the Makefile

./install.sh: 85: ./install.sh: make: not found

Error 0x5.

Building error. Unable to finish the installation.

If you get that error, then you need to install build-essential, as explained in the Prerequisites section of the tutorial.

If installation succeeds, you should see this type of output:

– System is Debian (Ubuntu or derivative).

– Init script modified to start OSSEC HIDS during boot.

– Configuration finished properly.

– To start OSSEC HIDS:

/var/ossec/bin/ossec-control start

– To stop OSSEC HIDS:

/var/ossec/bin/ossec-control stop

– The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

—  Press ENTER to finish (maybe more information below). —

OSSEC is now installed. The next step is to start it.

Step 3 — Start OSSEC

By default OSSEC is configured to start at boot, but the first time, you’ll have to start it manually.

If you want to check its current status, type:

/var/ossec/bin/ossec-control status

Expected output:

ossec-monitord not running...
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd not running...

That tells you that none of OSSEC’s processes are running.

To start OSSEC, type:

/var/ossec/bin/ossec-control start

You should see it starting up:

Starting OSSEC HIDS v2.8
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...

Completed.

If you check the status again, you should get confirmation that OSSEC is now running.

/var/ossec/bin/ossec-control status

This output shows that OSSEC is running:

ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...