We have used Osiris File Integrity Monitor for several years at work, to satisfy PCI DSS Section 11.5. (PCI Compliance, or Payment Card Industry Compliance, is something your business has to achieve to process credit card payments, and includes rules your business must follow. See here.) It has worked well, but lately we have noticed Osiris processes running out-of-control and pinning the CPU on our production servers. We have used compensating controls to produce an Intrusion Detection System, as commercial packages such as Tripwire, though very good, are very costly (like $30K/year). Osiris has not been under active development since 2007. I updated the fine open-source code and compiled new agents to install on Windows 7 computers, and have happily shared this with many people over the years who discover and decide to use this software. However old, it worked. But it's time to move on...
Still budget-constrained, our organization has decided to go with OSSEC, the Open Source SECurity Host-based Intrusion Detection System. We're just getting started with the File Integrity Monitoring part, but OSSEC also performs log analysis, policy monitoring, real-time alerting and active response. All big-ticket items in PCI Compliance. It will also do rootkit detection, which is a bonus.
Following are some notes on how to get your File Integrity Monitoring (FIM) set up. OSSEC server requires a *nix system, while client agents are available for PC/Linux/Mac/BSD/Solaris.
I will set up the OSSEC server on an Ubuntu Server 12.04 (LTS) VM running in VMPlayer, connected to my Windows 7 box. Our production environment is 100% Windows, so we will need a separate *nix server to use this software. Going forward, that separate server will be worth it as we use more OSSEC features to satisfy our PCI Compliance needs.
Instructions
This tutorial assumes you are doing this on a Windows machine, and running the test VM on this machine.
Prepare the VM
Download the following files:
Download VMWare Player and Ubuntu Server iso.
Install VMWare Player.
Open VMWare Player, create a new VM. Select Ubuntu, select the iso file you downloaded.
Boot into the Ubuntu VM.
sudo apt-get install gcc make
Unpack and verify file integrity:
[this will show the MD5 and SHA1 hash values]
[this will show the SHA1 hash value of the file, can do same with md5sum]
tar xzvf ossec-hids-2.7.1.tar.gz
Once installed, run:
Accept the defaults, but enter your own email address and a valid smtp server. See bottom half of this page if you are uncertain.
You can verify what's running with:
Install OSSEC Agent
On the Windows host, run the downloaded ossec-agent-win32-2.7.1.exe
Once installed, run the app. It will ask for the server IP and key values.
Back on the Ubuntu server VM, you can get the IP with:
The IP is listed under the "eth0" section, on the second line after 'inet addr:'. Enter this in the "OSSEC Server IP" input field in the OSSEC Agent Manager GUI on the Windows Host.
On the Ubuntu server VM:
Here you can List your Agents, Add/Delete Agents, and get existing Keys.
Select (A) Add an agent.
Give a descriptive name for the host Agent.
Give the IP of the host (in Windows, open PowerShell and type: ipconfig. Use the IPv4 Address that is listed under the section "Ethernet adapter VMWare Network Adapter VMnet1:").
Accept the default Agent ID.
Select (E) Extract key for an agent.
Enter this key into the "Authentication Key" input field in the OSSEC Agent Manager GUI on the Windows Host.
(Reference: OSSEC Manual, Working With Agents)
Edit ossec.conf
On the Ubuntu server VM, make a backup copy of the configuration file, then open the original for editing (using mv here would leave vi editing an empty file):
sudo cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec-BACKUP.conf
sudo vi /var/ossec/etc/ossec.conf
Below the <global> section, add:
<rule_id>550, 553, 554</rule_id>
<!-- monitor rules: 550 changes, 553 deleted, 554 added -->
In the <syscheck> section, you can enter types of files to ignore, for example:
Read through the rest of the config file; it is self-explanatory where to add directories to monitor or skip.
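As an added example (not from the original post), here is a server-side ossec.conf fragment that puts together the pieces described above: the mail settings from the install script, a granular <email_alerts> block that mails the three FIM rules regardless of the global alert level, and a <syscheck> section with directories to monitor and noisy files to ignore. The email addresses, SMTP host and directory list are placeholders; the Windows agent's own ossec.conf takes the same <syscheck> elements with Windows paths.

```xml
<ossec_config>
  <global>
    <!-- set by the installer; replace the placeholder addresses -->
    <email_notification>yes</email_notification>
    <email_to>pci-alerts@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>

  <!-- Granular alert: always mail FIM events for
       550 (changed), 553 (deleted) and 554 (added) -->
  <email_alerts>
    <email_to>pci-alerts@example.com</email_to>
    <rule_id>550, 553, 554</rule_id>
    <do_not_delay />
  </email_alerts>

  <syscheck>
    <!-- full scan every 2 hours (seconds) -->
    <frequency>7200</frequency>
    <!-- required for rule 554 to ever fire -->
    <alert_new_files>yes</alert_new_files>

    <!-- placeholder directory list: check_all = size, perms, owner, md5, sha1 -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- files that change constantly and only generate noise -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">.log$|.swp$|.tmp$</ignore>
  </syscheck>
</ossec_config>
```

Restart OSSEC after saving so the new syscheck baseline and alert settings take effect.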
The rules to monitor changes (550) and deletions (553) are pre-defined. To add the rule to create an alert for new files (554):
sudo vi /var/ossec/rules/local_rules.xml
Under <rule id="100001" ...>, enter:
<rule id="554" level="7" overwrite="yes">
  <!-- overwrite replaces the stock rule, so repeat its match conditions -->
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>Added file to system.</description>
  <group>syscheck,</group>
</rule>
<!-- syscheck must also have <alert_new_files>yes</alert_new_files> in ossec.conf for this rule to fire -->
Restart OSSEC for rules to apply:
Add firewall rules on Windows for UDP Port 1514.
iptables will be wide open on the Ubuntu server. To lock it down, this is a nice summary of what you can do. Before the final rule to block all remaining traffic, I added:
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A INPUT -p udp --dport 1514 -j ACCEPT
Hook this up to scheduling and reporting, depending on your needs.
More Info
Agent to Server Connection Issues
OSSEC Google Group
Syscheck File Integrity Monitoring
OSSEC Host-Based Intrusion Detection Guide
Happy Intrusion Detection and File Monitoring!