In my last two posts I discussed Logwatch and OSSEC, as well as how they can be leverage to augment your security posture. In this installment I’ll discuss how to install both of these tools.
Installing Logwatch
Logwatch is pretty easy to install. In fact, it is installed by default on many Linux distributions so you may already have a copy on your system. To check, logon as root and try running Logwatch with the “-v” switch. If you see:
[root@fubar logwatch]# logwatch -v
Logwatch 7.3.6 (released 05/19/07)
Logwatch is installed and you have a copy of the latest version. If you do not have the latest version, you can grab it from the Logwatch download page.
There are three flavors of Logwatch which can be downloaded; Binaries in RPM format, source in RPM format, or source in a Tar ball. If your system supports RPM package management, the binary RPM is your best choice. It is simple to install and RPM will automatically update the software when new versions are available.
Installing Logwatch From RPM
To install the binary version of the RPM, simply logon as root and navigate to the directory where you downloaded the RPM file. Now execute the command:
rpm -U logwatch-7.3.6-1.noarch.rpm
Don’t forget you can use the tab key to auto-complete the file name rather than having to type in the whole thing.
Installing Logwatch From Source
Installing from source is a bit more time consuming. Remember that in order to install source code you must already have a compiler (like gcc) installed on your system. Logon as root and navigate to the directory where you downloaded the Tar ball. To extract the archive, execute the command:
tar xvzf logwatch-7.3.6.tar.gz
You will see a directory structure below your current location get created and lots of files being copied in. We now need to move into the top most directory that was created:
cd logwatch-7.3.6
In order for Logwatch to run, there are a bunch of directories that need to be created on your system. These are documented in the README in the current directory. Luckily, Logwatch includes an install script that can do all the work for you. Unfortunately, the script has the wrong permissions set so it will not run by default. This is pretty easy to fix however with the chmod command:
chmod 500 install_logwatch.sh
Now we can run the script to setup our system:
./install_logwatch.sh
Don’t forget the period at the beginning of the line.
Testing Logwatch
To test your Logwatch setup, execute the command:
logwatch | less
You will see your terminal screen go blank, but that is normal. You will eventually see a Logwatch report get printed to the screen that you can navigate through using the “Page Up” and “Page Down” keys. How log it takes for the report to show up on the screen will depend on how much log information needs to get parsed. It could take a few seconds or a couple of minutes. Either way, it will give you a chance to familiarize yourself with the report format.
Installing OSSEC
As I mentioned in my last post, you have two installation options with OSSEC, local or client/server. In this post I’m going to focus on the client/server setup, as it is a bit more complex. If you are performing a local install, simply select the “local” option during the install process and skip the section on setting up a secure channel between the agent and the server.
Start With The Server
OSSEC uses Blowfish encryption to secure communication between the client and the server. Blowfish is symmetrical key based, so both sides must know what key value to use in order to communicate. The server is responsible for generating the symmetrical key, so we have to install the server software first. During the client install we will be prompted for a key value so obviously we will need to have that handy ahead of time.
Here’s a time saving tip. The key value is long and nearly impossible to remember. The easiest way to move the key value from the server system to the agent system is to use SSH. Create a secure connection to the OSSEC server, and extract the appropriate key (directions provided below). In a second terminal window, create an SSH session to the system where you will be installing the agent. When the client install prompts you for the key value, you can simply copy/paste between the two terminals.
Installing The OSSEC Server
The server software is available as a Tar ball, so you can grab a copy of the latest version from the OSSEC download page. You will then need to extract the contents of the Tar ball:
tar xvzf ossec-hids-2.3.tar.gz
Next, move into the directory structure you just created:
cd ossec-hids-2.3
OSSEC provides an install script to walk you through the process of installing the server. To start the script, type:
./install.sh
Don’t forget the period at the beginning of the command. You will now be prompted through a number of install options:
- Language – The default is English. Change as needed.
- Confirmation of installation – Press Enter once you have read the screen.
- Install type – Type in “server” without the quotes and press Enter.
- Install location – Accept the default.
- E-mail notification – Default is yes, select if you want e-mail alerts. If you select yes, you will be prompted for a valid e-mail address and mail server.
- Integrity check – Default is yes. Select if you want the local system periodically checked for intrusions.
- Root kit detection – Default is yes. Good option since we need to maintain a high level of integrity on this system.
- Active response – Default is yes. Select this option if you wish to be able to respond to events.
- Firewall drop – Permits the OSSEC server to defend it self if a direct attack is detected.
- White list – This will permit you to add IP addresses from which possible attacks will be ignored. Be careful with this option. If you will not have console access to the OSSEC server, it might be wise to identify one IP address that can always get in. Just ensure the source IP is a trustworthy system.
- Enable Syslog – Default is yes. Select this option if you wish to collect logs from system that cannot run an OSSEC agent (like firewalls, switches, routers, access points, etc.).
- Log files to be monitored – This screen identifies all of the local log files OSSEC will monitor. It is purely information, so all you can do is press Enter to move past it. If you notice one or more log files missing from the list, you can add them later to the ossec.conf file.
At this point OSSEC will access the local complier and install all needed files onto the system. Once complete, you can start the OSSEC server by executing the command:
/var/ossec/bin/ossec-control start
Defining OSSEC Agents
We are not done with the OSSEC server just yet. Next, we need to pre-define any systems that will be running the OSSEC agent (client) software. This is performed using the manage_agents command. First however, we need to do a bit of homework. Make a list of all of the systems that will be running the OSSEC agent software. For each system, you will need a descriptive name as well as that system’s IP address.
Now, execute the following from the command line:
/var/ossec/bin/manage_agents
This will produce the Agent Manager main menu. Press “A” followed by the Enter key to define your first system. Enter a descriptive name for the first system, followed by the system’s IP address. Don’t worry about the agent ID number. Simply accept the default and OSSEC will auto-assign the next available ID number. Once you confirm the information you entered, you will be returned to the Agent Manager main menu. Repeat the above process for each system that will be running an OSSEC agent.
Generating Keys
Once you have added in all of your systems, it is time to generate encryption keys. This step is also performed with the manage_agents utility. If you closed the tool after the last step, relaunch it now.
Press the “E” key followed by Enter to select the “Extract key for an agent” menu option. You will then be prompted for the ID number of the key you wish to extract. The descriptive names and IP addresses are listed with each ID number, so it should be trivial to identify which one you want. Start with the system you plan to install the agent software onto first.
OSSEC Agent Install On Linux
When installing the agent software on a Linux or UNIX client, you use the exact same Tar ball we used to install the server software. Run the same install script, but this time when you are prompted for the type of install you wish to perform, type in “agent” followed by the Enter key.
The client install has many of the same prompts as the server install. Use the info above to guide you through the process. The prompt that will vary however is that you will be asked to provide the IP address of the OSSEC server. Once complete, OSSEC will access the local complier and install all required files onto the system.
Next we need to import the Blowfish key from the OSSEC server. While still on the agent system, run the command:
/var/ossec/bin/manage_agents
When the Agent Manager menu appears, select “I” to import the Blowfish key.
When the next prompt appears, you need to manually enter the appropriate Blowfish key. Again, if you are running SSH to both systems at the same time, you can simply copy/paste between the two terminals. Make sure the key looks correct, press the Enter key, and then select “y” to confirm that the key looks correct. You will be returned to the Agent Manager menu. Select “q” in order to return to the command line.
Now we simply need to start the OSSEC agent. You can do so by executing the following command:
/var/ossec/bin/ossec-control start
You should see all of the OSSEC agent components start up, followed by a “Completed” message.
OSSEC Agent Install On Windows
OSSEC has a self-extracting executable that will permit you to install the agent software on a Windows system. Simply double click the executable to start the install process. You will be prompted to agree to the license as well as which components you wish to install. Simply follow the prompts till the OSSEC Agent Manager window appears.
The OSSEC Agent Manager window will prompt you for the IP address of the OSSEC server. It will also prompt you for the Blowfish key value to use, so extract the appropriate key on the server and enter the value in this field. Make sure you delete the prompt within this field before you paste in the Blowfish key. Otherwise communication with the server may fail.
Next, select “Manage” from the OSSEC Agent Manager menu, followed by “Start OSSEC”. You should now see the “Status:” indicator change to “Running…”.
Testing OSSEC
Once you have the server and agent software installed, started and the appropriate keys configured, it is now time to check our setup. Execute the following command on the OSSEC server:
cd /var/ossec/logs
And check out the ossec.log file:
less ossec.log
Check the log file for any errors. A common error is that OSSEC reports it cannot send e-mail. Make sure the mail server is running and that it is accepting connections. Once you are happy with the server setup, it is now time to check out the agents. Move down to the “alerts” directory:
cd alerts
And check out the alerts.log file:
less alerts.log
Specifically, you are looking for entries similar to the following:
2010 Feb 17 16:09:16 (desktop) 192.168.1.10->ossec
Rule: 501 (level 3) -> ‘New ossec agent connected.’
Src IP: (none)
User: (none)
ossec: Agent started: ‘test_system->192.168.1.10′.
You should see an entry for every system on which you installed the agent software.
More To Come
Whew! That’s more than enough for one post! In my next post I’ll get into leveraging Logwatch to parse all of the alert information being generated by OSSEC.
Related posts:
