This article assumes you already have OSSEC deployed. If you need a refresher, refer to the Part I of OSSEC for website security , written March 2013.
OSSEC is popular open-source Host Intrusion Detection System (HIDS) . It was founded by Daniel Cid, and currently maintained by a very large community of security professionals. Please note that I don’t my installations off the official repo, instead I run directly off Daniel’s repo (instructions in the last post).
In the following series I’m going to share the foundational elements of my OSSEC deployments. We’ll start by placing emphasis on the importance of deploying a distributed architecture in this article, making use of the Agent / Manager options. In future articles you can expect insights into the best way to configure for CMS applications like WordPress, tuning the engine to make use of the alerts, and notifications.
If you have questions, don’t hesitate to ask.
Agent / Manager ArchitectureProactively monitoring, aggregating and storing server activity (i.e., logs) is important for security professionals. It’s the less sexy aspect of security, but having a source of truth for this activity is imperative to understanding what is happening on your servers especially post-compromise.
In fact, if you operate an online store you actually have an obligation to store and manage this activity:
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder dataLogging mechanisms and the ability to track user activities are critical in preventing, detecting and minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs. ( Source: Requirements and Security Assessment Procedures, version 3.2.1 )
To help with this process I deploy OSSEC in a distributed manner, leveraging its agent and manager architecture . While I have a degree of confidence in my web server deployments, I realize that there is always the threat that I might have missed something. For that reason, I always push my activity to a remote service who has the sole responsibility of managing, aggregating and reporting on all activity across my entire architecture.
This provides me the following assurances:
Reduces the risk that an attacker might try to delete or otherwise modify activity; Consolidates activity from the entire environment into one record of truth, especially important when managing multiple servers; Facilitates the creation ofsynchronized orchestration for the entire stack (i.e., it all works and reports the same);In basic terms, this illustrations highlights my deployment:
Deploying an Agent / Manager Architecture
If you are running a local implementation of OSSEC you will need to rerun the OSSEC installer. There are ways to hack your way around the configuration, but it’s not worth it unless you have a free weekend (it’s never just one thing…).
On your web server:
Select your language, the installer will begin. You will set Agent at this point: OSSEC HIDS r2016-04 Installation Script - http://www.ossec.netYou are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: linux
- User: root
- Host: [webserver name]
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local or help)? agent The next step is to provide the IP of your manager, if you don’t know it at the time of installation that’s ok. You can always update the IP in your ossec.conf file. OSSEC HIDS r2016-04 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux
- User: root
- Host: [webserver name]
-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local or help)? agent
- Agent(client) installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- What's the IP Address of the OSSEC HIDS server?: [Manager IP]
- Adding Server IP [Manager IP] Follow the instructions, setting your configuration options. Once done, the final step will be pressing Enter on your keyboard to complete the installation.
This will get your local agent configured, but now you have to navigate to your OSSEC manager to make sure it’s ready to accept the communication from the agent. You do this by creating a key pair that both the agent and manager will use to authenticate with each other.
On your OSSEC manager navigate to the Manage Agents application:
# /var/ossec/bin/manage_agents****************************************
* OSSEC HIDS v2016-04 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q:
You want to add a new Agent, so enter A into the input field. It will then ask you a series of questions, this is where you want to give some thought to your naming convention. For instance, see below:
***************************************** OSSEC HIDS v2016-04 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: a
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: pb.webserver1
* The IP Address of the new agent: any
* An ID for the new agent[001]: 01001
Agent information:
ID:01001
Name:pb.webserver1
IP Address:any
Confirm adding it?(y/n): y
What you see is I use the PB (perezbox) to identify servers I’m responsible for (assume maybe you have managing servers aren’t yours) and I apply a naming convention for each web server (e.g., webserver1). I could choose to make it more descriptive (maybe, use the name of the domain on that server).
Note: I select ANY for the “IP Address of the new agent” this is intentional. I have found this to be more effective than explicitly defining the IP of the agent server.
If everything looks good, select Y.
If all is successful, it’ll look something like this asking you what you want to do next:
