OSSEC

Introduction
OSSEC / Wazuh is a host-based intrusion detection system (HIDS).

It performs log analysis, file integrity checking, rootkit detection and real-time alerting.

Installation
rpm --import http://install.example.com/suse/GPG-KEY-WAZUH-5
rpm --import http://install.example.com/suse/GPG-KEY-WAZUH
zypper install wazuh-manager
sed -i -e 's+email_notification>no+email_notification>yes+g' \
       -e 's+smtp_server>smtp.example.wazuh.com+smtp_server>smtp.example.com+g' \
       -e 's+email_from>ossecm@example.wazuh.com+email_from>ossecm@example.com+g' \
       -e 's+email_to>recipient@example.wazuh.com+email_to>admin@example.com+g' \
       /var/ossec/etc/ossec.conf
chkconfig wazuh-manager on
/etc/init.d/wazuh-manager start

The main files are:
 * /var/ossec/etc/ossec.conf
 * /var/ossec/etc/rules/local_rules.xml

ossec.conf holds the general configuration; local_rules.xml is where you create custom rules or override (and so disable) default rules, since it is not overwritten on upgrade.
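As an added example (not from this page), a local_rules.xml that does both things mentioned above: a custom correlation rule built on the stock sshd rule 5716 ("sshd: authentication failed"), and an override that silences the built-in rule 5720 it replaces. Local rule ids belong in the 100000-119999 range.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml : added example, not part of the original page -->
<group name="local,syslog,sshd,">

  <!-- Custom rule: alert at level 12 when one source IP triggers rule 5716
       (sshd authentication failure) 4 times within 60 seconds. -->
  <rule id="100100" level="12" frequency="4" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: 4 authentication failures in 60s from the same source.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Disable a default rule: the stock 5720 (8 failures in 120s) is now
       redundant with 100100. overwrite="yes" replaces the stock definition,
       so its conditions are repeated; level 0 means no alert is raised. -->
  <rule id="5720" level="0" frequency="8" timeframe="120" overwrite="yes">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures (disabled locally).</description>
  </rule>

</group>
```

Restart wazuh-manager after editing; /var/ossec/bin/ossec-logtest lets you paste sample sshd log lines and see which rule id fires before the change goes live.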

Web User Interface
cd /srv/www/htdocs/
tar xvfz $HOME/Downloads/ossec/ossec-wui-0.9.tar.gz
ln -s ossec-wui-0.9 ossec-wui
usermod -a -G ossec wwwrun

zypper install -y apache2-mod_php5 php5 php5-mbstring
a2enmod php5
systemctl restart apache2.service

Useful commands
/var/ossec/bin/manage_agents options:

manage_agents -[Vhlj] [-a  -n ] [-F sec] [-e id] [-r id] [-i id] [-f file]
 -V   Version and license message.
 -h   This help message.
 -j   Use JSON output.
 -l   List available agents.
 -L   Disable agents limit.
 -a   Add new agent.
 -n   Name for new agent.
 -e   Extracts key for an agent (Manager only).
 -r   Remove an agent (Manager only).
 -i   Import authentication key (Agent only).
 -F   Remove agents with duplicated IP if disconnected since seconds.
 -f   Bulk generate client keys from file (Manager only). The file contains lines in IP,NAME format.

/var/ossec/bin/agent_control options:

Wazuh agent_control: Control remote agents.
 -h      This help message.
 -l      List available (active or not) agents.
 -lc     List active agents only.
 -ln     List disconnected agents only.
 -i      Extracts information from an agent.
 -R -a   Restart all agents.
 -R -u   Restart the specified agent.
 -r -a   Runs the integrity/rootkit checking on all agents now.
 -r -u   Runs the integrity/rootkit checking on one agent now.
 -s      Changes the output to CSV (comma delimited).
 -j      Changes the output to JSON.
 -m      Show the limit of agents that can be added.

Available options for active response:
 -b      Blocks the specified ip address.
 -f -a   Used with -b, specifies which response to run. Apply AR on all agents.
 -f -u   Used with -b, specifies which response to run. Apply AR on specified agent.
 -L      List available active responses.

OSSEC Client / Wazuh Agent
Installation:

rpm --import http://install.example.com/suse/GPG-KEY-WAZUH-5
rpm --import http://install.example.com/suse/GPG-KEY-WAZUH
zypper install wazuh-agent

After installation, the agent must be registered on the manager and the generated key imported on the agent.

On the server: /var/ossec/bin/manage_agents
 * press a and enter the required data.
 * press e, select the created client id and copy the key.

/etc/init.d/wazuh-manager restart

On the client: /var/ossec/bin/manage_agents
 * press i and enter the key previously generated on the server.

/etc/init.d/wazuh-agent restart

Links

 * OSSEC official site
 * Wazuh official site
 * Wazuh documentation
 * Wazuh packages