OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. It also includes agentless monitoring, for example for Cisco or Juniper hardware.
This tutorial covers the installation of the OSSEC server, the standard OSSEC Web UI and the Analogi dashboard on Ubuntu 12.04. It also covers OSSEC setup with MySQL support, including a Makefile bugfix. Last but not least it shows you how to install the OSSEC agent on a *NIX system.
This tutorial is written for an Ubuntu 12.04 OSSEC server, but can be easily adapted to other *NIX operating systems. It only covers basic OSSEC client/server configuration, not automatic blocking or comprehensive configuration settings. It gets you started; the rest is available in the documentation: http://www.ossec.net/doc/
Steps
- Installing development packages
- Installing Apache, PHP and MySQL
- Configuring MySQL
- Compiling the OSSEC server
- Makefile fix for Ubuntu
- Basic OSSEC setup with MySQL
- Installing OSSEC Web UI
- Installing Analogi Web Dashboard
- Installing and configuring a client
Requirements
- An Ubuntu 12.04 server
- Apache2, PHP, MySQL and development packages
- OSSEC clients to monitor (*NIX or Windows machines, Cisco switches etc).
Installing development packages
OSSEC is installed from source, therefore you need the development packages. They are needed on both the OSSEC clients and the OSSEC server:
apt-get install build-essential make libssl-dev
Installing Apache, MySQL and PHP
This is fairly simple on Ubuntu. It is all covered with apt:
apt-get install mysql-server libmysqlclient-dev mysql-client apache2 php5 libapache2-mod-php5 php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Remember to give a strong root password for MySQL. Next finish MySQL with a secure installation:
mysql_secure_installation
Accept all the suggested options. Now restart all required services (on Ubuntu the MySQL init script is called mysql, not mysqld):
/etc/init.d/apache2 restart
/etc/init.d/mysql restart
Compiling the OSSEC server
Download and verify OSSEC, either via wget or from the website: http://www.ossec.net/?page_id=19
wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
md5sum ossec-hids-2.7.tar.gz
ossec-hids-2.7.tar.gz: 71cd21a20f22b8eafffa3b57250f0a70
From the OSSEC website:
MD5(ossec-hids-2.7.tar.gz)= 71cd21a20f22b8eafffa3b57250f0a70
SHA1(ossec-hids-2.7.tar.gz)= 721aa7649d5c1e37007b95a89e685af41a39da43
If it is correct, then extract it:
tar -xf ossec-hids-2.7.tar.gz
cd ossec-hids-2.7
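The checksum step above is easy to get wrong by eye, so here is a small POSIX shell script that does the comparison for you and only extracts the tarball when both the MD5 and the SHA1 match the published values. This is an added example, not part of the original tutorial or of OSSEC itself; the checksum values it carries are the ones quoted above for ossec-hids-2.7.tar.gz, and the function names (verify_checksums, verify_and_extract) are my own. Note that checksums fetched from the same site as the download only protect you against a corrupted or truncated transfer, not against a site that has itself been altered.

```shell
#!/bin/sh
# verify_and_extract.sh -- added example, not from the original tutorial.
# Compares the MD5 and SHA1 of a downloaded tarball with the published
# values and refuses to extract it when either one does not match.

# verify_checksums FILE EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 when both digests match, 1 otherwise (with a reason on stderr).
verify_checksums() {
    file="$1"; want_md5="$2"; want_sha1="$3"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # md5sum/sha1sum print "<digest>  <file>"; keep only the digest.
    got_md5=$(md5sum "$file" | awk '{print $1}')
    got_sha1=$(sha1sum "$file" | awk '{print $1}')

    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $got_md5, expected $want_md5" >&2
        return 1
    fi
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "SHA1 mismatch for $file: got $got_sha1, expected $want_sha1" >&2
        return 1
    fi
    echo "checksums OK for $file"
    return 0
}

# verify_and_extract FILE EXPECTED_MD5 EXPECTED_SHA1
# Extracts the tarball only after verify_checksums succeeded.
verify_and_extract() {
    verify_checksums "$1" "$2" "$3" || return 1
    tar -xf "$1"
}

# Published digests for the OSSEC 2.7 tarball (values quoted in the tutorial).
OSSEC_TARBALL="ossec-hids-2.7.tar.gz"
OSSEC_MD5="71cd21a20f22b8eafffa3b57250f0a70"
OSSEC_SHA1="721aa7649d5c1e37007b95a89e685af41a39da43"

# Only act when the tarball is actually in the current directory, so the
# script can be sourced or run without side effects elsewhere.
if [ -f "$OSSEC_TARBALL" ]; then
    verify_and_extract "$OSSEC_TARBALL" "$OSSEC_MD5" "$OSSEC_SHA1"
fi
```

Run it from the directory that holds ossec-hids-2.7.tar.gz; a mismatch exits non-zero without touching the archive, which makes the script safe to drop into an unattended build step.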
We first need to fix MySQL support in the installation. Read the rest of this tutorial on Raymii.org: https://raymii.org/s/tutorials/OSSEC_and_webui_and_analogi_dashboard_installation_on_Ubuntu.html