How To Install OSSEC HIDS on a CentOS 7 Server

Published on: Thu, Jun 18, 2015 at 12:15 am EST
CentOS Security Server Apps

Introduction

OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It's a must-have security application on any server.

OSSEC can be installed to monitor just the server it's installed on (a local installation), or be installed as a server to monitor one or more agents. In this tutorial, you'll learn how to install OSSEC to monitor CentOS 7 as a local installation.

Prerequisites

  • A CentOS 7 server preferably setup with SSH keys and customized using Initial Setup of a CentOS 7 Server. Log into the server using the standard user account. Assume that username is joe.

    ssh -l joe server-ip-address
    

Step 1: Install Required Packages

OSSEC will be compiled from source, so you need a compiler to make that possible. It also requires an extra package for notifications. Install them by typing:

sudo yum install -y gcc inotify-tools

Step 2 - Download and Verify OSSEC

OSSEC is delivered as a compressed tarball that has to be downloaded from the project's website. The checksum file, which will be used to verify that the tarball has not be tampered with, also has to be downloaded. At the time of this publication, the latest version of OSSEC is 2.8.2. Check the project's download page and download whatever the latest version is.

To download the tarball, type:

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz

For the checksum file, type:

wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2-checksum.txt

With both files downloaded, the next step is to verify the MD5 and SHA1 checksums of the tarball. For the MD5sum, type:

md5sum -c ossec-hids-2.8.2-checksum.txt

The expected output is:

ossec-hids-2.8.2.tar.gz: OK
md5sum: WARNING: 1 line is improperly formatted

To verify the SHA1 hash, type:

sha1sum -c ossec-hids-2.8.2-checksum.txt

And its expected output is:

ossec-hids-2.8.2.tar.gz: OK
sha1sum: WARNING: 1 line is improperly formatted

Step 3: Determine Your SMTP Server

During OSSEC's installation process, you'll be prompted to specify an SMTP server for your email address. If you don't know what it is, the easiest method to find out is by issuing this command from your local machine (replace the fake email address with your real one):

dig -t mx you@example.com

The relevant section in the output is shown in this code block. In this sample output, the SMTP server for the queried email address is at the end of the line - mail.vivaldi.net. . Note that the dot at the end is included.

;; ANSWER SECTION:
vivaldi.net.        300 IN  MX  10 mail.vivaldi.net.

Step 4: Install OSSEC

To install OSSEC, you first need to unpack the tarball, which you do by typing:

tar xf ossec-hids-2.8.2.tar.gz

It will be unpacked into a directory that bears the name and version of the program. Change or cd into it. OSSEC 2.8.2, the version installed for this article, has a minor bug that needs to be fixed before starting the installation. By the time the next stable version is released, which should be OSSEC 2.9, this should not be necessary, because the fix is already in the master branch. Fixing it for OSSEC 2.8.2 just means editing one file, which is found in the active-response directory. The file is hosts-deny.sh, so open it using:

nano active-response/hosts-deny.sh

Towards the end of the file, look for this block of code:

# Deleting from hosts.deny
elif [ "x$" = "xdelete" ]; then
   lock;
   TMP_FILE = `mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
   if [ "X$" = "X" ]; then
      # Cheap fake tmpfile, but should be harder then no random data
      TMP_FILE = "/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
   fi

On the lines that start with TMP_FILE, delete the spaces around the = sign. After removing the spaces, that portion of the file should be as shown in the block of code below. Save and close the file.

# Deleting from hosts.deny
elif [ "x$" = "xdelete" ]; then
   lock;
   TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
   if [ "X$" = "X" ]; then
      # Cheap fake tmpfile, but should be harder then no random data
      TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
   fi

Now that the fix is in, we can start the installation process, which you do by typing:

sudo ./install.sh

Throughout the installation process, you'll be prompted to provide some input. In most cases, you only have to press ENTER to accept the default. First, you'll be prompted to select the installation language, which by default, is English (en). So press ENTER if that's your preferred language. Otherwise, input the 2 letters from the list of supported languages. Afterwards, press ENTER again.

The first question will ask you what type of installation you want. Here, enter local.

1- What kind of installation do you want (server, agent, local, hybrid or help)? local

For subsequent questions, press ENTER to accept the default. Question 3.1 will prompt you for your email address and then ask for your SMTP server. For that question, enter a valid email address and the SMTP server you determined in Step 3.

3- Configuring the OSSEC HIDS.

   3.1- Do you want e-mail notification? (y/n) [y]: 
      - What's your e-mail address? you@example.com
      - What's your SMTP server ip/host?

If installation is successful, you should see this output:

- Configuration finished properly.

...

    More information can be found at http://www.ossec.net

    ---  Press ENTER to finish (maybe more information below). ---

Press ENTER to finish the installation.

Step 5: Start OSSEC

OSSEC has been installed, but not started. To start it, first switch to the root account.

sudo su

Then, start it by issuing the following command.

/var/ossec/bin/ossec-control start

Afterwards, check your Inbox. There should be an alert from OSSEC informing you that it has been started. With that, you now know that OSSEC is installed and will be sending alerts as needed.

Step 6: Customize OSSEC

The default configuration of OSSEC works fine, but there are settings you can tweak to make it protect your server better. The first file to customize is the main configuration file - ossec.conf, which you'll find in the /var/ossec/etc directory. Open the file:

nano /var/ossec/etc/ossec.conf

The first item to verify is an email setting, which you'll find in the global section of the file:

<global>
   <email_notification>yes</email_notification>
   <email_to>finid@vivaldi.net</email_to>
   <smtp_server>mail.vivaldi.net.</smtp_server>
   <email_from>ossecm@vultr.guest</email_from>
</global>

Make sure that the email_from address is a valid email. Otherwise, some email provider's SMTP server's will mark alerts from OSSEC as Spam. If the FQDN of the server is not set, the domain part of the email is set to the hostname of the server, so this is a setting that you really want to have a valid email address.

Another setting that you want to customize, especially while testing the system, is the frequency with which OSSEC runs its audits. That setting is in the syscheck section, and, by default, it is run every 22 hours. To test OSSEC's alerting features, you might want to set it to a lower value, but reset it to the default afterwards.

<syscheck>
   <!-- Frequency that syscheck is executed - default to every 22 hours -->
   <frequency>79200</frequency>

By default, OSSEC does not alert when a new file is added to the server. To change that, add a new tag just under the < frequency > tag. When completed, the section should now contain:

<syscheck>
   <!-- Frequency that syscheck is executed - default to every 22 hours -->
   <frequency>79200</frequency>

   <alert_new_files>yes</alert_new_files>

One last setting that's good to change is in the list to directories that OSSEC should check. You'll find them right after the previous setting. Be default, the directories are shown as:

<!-- Directories to check  (perform all possible verifications) -->
   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
   <directories check_all="yes">/bin,/sbin</directories>

Modify both lines to make OSSEC report changes in real-time. When finished, they should read:

<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

Save and close the file.

The next file that we'll need to modify is local_rules.xml in the /var/ossec/rules directory. So cd into that directory:

cd /var/ossec/rules

That directory holds OSSEC's rule files, none of which should be modified, except the local_rules.xml file. In that file, we add custom rules. The rule we need to add is the one that fires when a new file is added. That rule, numbered 554, does not trigger an alert by default. That's because OSSEC does not send out alerts when a rule with level set to zero is triggered.

Here's what rule 554 looks like by default.

 <rule id="554" level="0">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
 </rule>

We need to add a modified version of that rule in the local_rules.xml file. That modified version is given in the block of code below. Copy and add it to the bottom of the file just before the closing tag.

 <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
 </rule>

Save and close the file, then restart OSSEC.

/var/ossec/bin/ossec-control restart

More Information

OSSEC is a very powerful piece of software, and this article just touched on the basics. You will find more customization settings in the official documentation.

Want to contribute ?

You could earn up to $300 by adding new articles