Thursday, 12 December 2013

OSSEC Installation Tutorial for File Integrity Monitoring


We have used Osiris File Integrity Monitor for several years at work, to satisfy PCI DSS Section 11.5. (PCI Compliance, or Payment Card Industry Compliance, is something your business has to achieve to process credit card payments, and includes rules your business must follow. See here.) It has worked well, but lately we have noticed Osiris processes running out of control and pinning the CPU on our production servers. We have used compensating controls to produce an Intrusion Detection System, as commercial packages such as Tripwire, though very good, are very costly (like $30K/year). Osiris has not been under active development since 2007. I updated the fine open-source code and compiled new agents to install on Windows 7 computers, and have happily shared this with many people over the years who discover and decide to use this software. However old, it worked. But it's time to move on...

Still budget-constrained, our organization has decided to go with OSSEC, the Open Source SECurity Host-based Intrusion Detection System. We're just getting started with the File Integrity Monitoring part, but OSSEC also performs log analysis, policy monitoring, real-time alerting and active response. All big-ticket items in PCI Compliance. It will also do rootkit detection, which is a bonus.

Following are some notes on how to get your File Integrity Monitoring (FIM) set up. OSSEC server requires a *nix system, while client agents are available for PC/Linux/Mac/BSD/Solaris.

I will set up the OSSEC server on an Ubuntu Server 12.04 (LTS) VM running in VMPlayer, connected to my Windows 7 box. Our production environment is 100% Windows, so we will need a separate *nix server to use this software. Going forward, that separate server will be worth it as we use more of OSSEC's features to satisfy our PCI Compliance needs.


This tutorial assumes you are doing this on a Windows machine, and running the test VM on this machine.

Prepare the VM

Download the following files:

Download VMWare Player and Ubuntu Server iso.
Install VMWare Player.
Open VMWare Player, create a new VM. Select Ubuntu, select the iso file you downloaded.
Boot into the Ubuntu VM.
Install gcc:

    sudo apt-get install gcc make

Install OSSEC

With ossec-hids-2.7.1.tar.gz and its checksum file downloaded to the VM, verify file integrity and unpack:

    cat ossec-hids-2.7.1-checksum.txt      # prints the published MD5 and SHA1 values
    sha1sum ossec-hids-2.7.1.tar.gz        # prints the SHA1 of the download; compare with the line above (md5sum works the same way)
    tar xzvf ossec-hids-2.7.1.tar.gz
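As an added example (not part of the original post), a small POSIX shell script that compares the download against the SHA1 line of the checksum file and refuses a mismatch, so the check is not done by eye. It assumes the checksum file uses OpenSSL-style lines such as `SHA1(ossec-hids-2.7.1.tar.gz)= <hex>`; the sample files it builds are constructed stand-ins for the real download.

```shell
#!/bin/sh
# Added example: verify the OSSEC tarball against its checksum file before
# unpacking. Assumes a line "SHA1(ossec-hids-2.7.1.tar.gz)= <40 hex chars>".

# sha1_of <file>: print the SHA1 hex digest (sha1sum on Linux, shasum on BSD/macOS)
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi | cut -d' ' -f1
}

# verify_sha1 <tarball> <checksum-file>: return 0 only when the digests match
verify_sha1() {
    # expected digest: the first 40-hex token on a line mentioning SHA1, lower-cased
    expected=$(grep -i 'sha1' "$2" | grep -oE '[0-9a-fA-F]{40}' | head -n 1 | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "no SHA1 entry found in $2" >&2
        return 1
    fi
    actual=$(sha1_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches $expected"
        return 0
    fi
    echo "MISMATCH: $1 expected $expected, got $actual; do not unpack" >&2
    return 1
}

# make_sample: build a constructed stand-in tarball plus checksum file in a
# temp directory (the real files come from the OSSEC download); print the dir
make_sample() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for the OSSEC source tarball\n' > "$dir/ossec-hids-2.7.1.tar.gz"
    printf 'MD5(ossec-hids-2.7.1.tar.gz)= %s\n' "00000000000000000000000000000000" > "$dir/ossec-hids-2.7.1-checksum.txt"
    printf 'SHA1(ossec-hids-2.7.1.tar.gz)= %s\n' "$(sha1_of "$dir/ossec-hids-2.7.1.tar.gz")" >> "$dir/ossec-hids-2.7.1-checksum.txt"
    echo "$dir"
}

# Demo: the untouched sample verifies; after appending one byte it must not.
sample=$(make_sample)
verify_sha1 "$sample/ossec-hids-2.7.1.tar.gz" "$sample/ossec-hids-2.7.1-checksum.txt"
printf 'x' >> "$sample/ossec-hids-2.7.1.tar.gz"
verify_sha1 "$sample/ossec-hids-2.7.1.tar.gz" "$sample/ossec-hids-2.7.1-checksum.txt" || echo "tampered copy rejected"
```

For the real download, call `verify_sha1 ossec-hids-2.7.1.tar.gz ossec-hids-2.7.1-checksum.txt && tar xzvf ossec-hids-2.7.1.tar.gz` so the unpack only happens on a match.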

Compile source:

    cd ossec-hids-2.7.1/
    sudo ./

Once installed, run:

    /var/ossec/bin/ossec-control start

Accept the defaults, but enter your own email address and a valid SMTP server. See the bottom half of this page if you are uncertain.

You can verify what's running with:

    /var/ossec/bin/ossec-control status

Install OSSEC Agent

On the Windows host, run the downloaded ossec-agent-win32-2.7.1.exe

Once installed, run the app. It will ask for the server IP and key values.

Back on the Ubuntu server VM, you can get the IP with:


The address appears on the second line of the "eth0" section, after 'inet addr:'. Enter it in the "OSSEC Server IP" input field of the OSSEC Agent Manager GUI on the Windows host.

On the Ubuntu server VM:


Here you can list your agents, add or delete agents, and extract existing keys.

Select (A) Add an agent.
Give a descriptive name for the host Agent.
Give the IP of the host (in Windows, open PowerShell and type: ipconfig. Use the IPv4 Address listed under the section "Ethernet adapter VMWare Network Adapter VMnet1:").
Accept the default Agent ID.

Select (E) Extract key for an agent.

Enter this key into the "Authentication Key" input field of the OSSEC Agent Manager GUI on the Windows host.

(Reference: OSSEC Manual, Working With Agents)

Edit ossec.conf

On the Ubuntu server VM, make a backup copy of the configuration file, then open the original for editing (cp rather than mv, otherwise vi opens an empty file):

    sudo cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec-BACKUP.conf
    sudo vi /var/ossec/etc/ossec.conf

Below the <global> section, add an <email_alerts> block (the <rule_id> element belongs inside it) so mail goes out for the three syscheck rules:

    <email_alerts>
      <email_to>you@example.com</email_to>  <!-- placeholder: the address you gave the installer -->
      <rule_id>550, 553, 554</rule_id>  <!-- monitor rules: 550 changes, 553 deleted, 554 added -->
    </email_alerts>

In the <syscheck> section, you can enter types of files to ignore, for example:

    <ignore type="sregex">.jpg$|.jpeg$</ignore>

Read through the rest of the config file; it is self-explanatory where to add directories to monitor or skip.

The rules to monitor changes (550) and deletions (553) are pre-defined. Rule 554 only fires when syscheck reports new files, which it does only if <alert_new_files>yes</alert_new_files> is set in the <syscheck> section. To add the rule that creates an alert for new files (554):

    sudo vi /var/ossec/rules/local_rules.xml

Under <rule id="100001" ...>, enter (overwrite="yes" replaces the stock rule, so the match elements must be repeated):

    <rule id="554" level="7" overwrite="yes">
      <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as>
      <description>Added file to system.</description>
    </rule>

Restart OSSEC for rules to apply:

    /var/ossec/bin/ossec-control restart

Add a Windows Firewall rule allowing UDP port 1514.

iptables will be wide open on the Ubuntu server. To lock it down, this is a nice summary of what you can do. Before the final rule that blocks all remaining traffic, I added:

    # allow pings:
    sudo iptables -A INPUT -p icmp -j ACCEPT
    # OSSEC agent traffic (UDP 1514):
    sudo iptables -A INPUT -p udp --dport 1514 -j ACCEPT

Hook this up to scheduling and reporting, depending on your needs.

More Info

Agent to Server Connection Issues
Alert Options
OSSEC Google Group
Syscheck File Integrity Monitoring
OSSEC Host-Based Intrusion Detection Guide
Agent Control

Happy Intrusion Detection and File Monitoring!
