Thursday, October 31, 2013

OSSEC Agent Installation on RedHat Enterprise and/or CentOS

I consider a HIDS to be one of the most important security systems in a network. It's very important to know if someone is attempting to brute-force their way into one of your servers, but if the attacker breaks in, it's even more important to know what changed. While log monitors and tools like Splunk can detect the former, they're not designed to notice changes to binaries. That's where a HIDS (Host-based Intrusion Detection System) comes into play. One of the most popular is OSSEC. It's open source and free to deploy. It flags troublesome events in the logs (like login failures) and can even take proactive measures, such as blocking an attacking host by manipulating the firewall.

OSSEC works on Windows, various flavors of Unix and Linux, as well as network devices such as switches, routers, and firewalls. It can run standalone or report to a master server.

Agent installation on RHEL/CentOS

1. Install the Atomic Yum repo:

wget -q -O - http://www.atomicorp.com/installers/atomic | sudo sh

2. Install the EPEL repo (we're using 64-bit Linux here; the epel-release package is noarch, so the i386 path below works on x86_64 too):

If RHEL 5/CentOS 5:

sudo rpm -ivh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

If RHEL 6/CentOS 6:

sudo rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

3. Install the RPMs from yum (should be about 4 RPMs or so):
 
sudo yum -y install ossec-hids-client

3a. (optional) Disable the Yum repos for Atomic and EPEL:

sudo sed -i -e 's/enabled *= *1/enabled = 0/g' /etc/yum.repos.d/atomic.repo
sudo sed -i -e 's/enabled *= *1/enabled = 0/g' /etc/yum.repos.d/epel.repo

4. You'll need to set your server (if you even have a central OSSEC server) in the config file like so:

5. (optional) Make a firewall exception for the central server (again, if you even have one):

sudo iptables -A INPUT -p udp --dport 1514 -j ACCEPT
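Here are the five steps above rolled into one shell script. This is my own added example, not something from the OSSEC project or the Atomic packages, and it assumes a couple of things the steps don't spell out: that the package keeps the agent config at /var/ossec/etc/ossec.conf with a <client><server-ip> element in it, and that /etc/redhat-release can be used to pick the EPEL RPM (epel_rpm_for_release, disable_repo, set_ossec_server_ip and install_ossec_agent are all names I made up). Each helper checks its input and its result, so a bad server address or a repo file that isn't there stops the run instead of silently doing nothing.

```shell
#!/bin/sh
# Added example, not from the original post: the agent install steps wrapped in
# shell functions so that each input is checked before anything runs as root.
# Assumptions: the Atomic package keeps the agent config at
# /var/ossec/etc/ossec.conf and it contains a <client><server-ip> element.

# Step 2: pick the EPEL release RPM (URLs from the post) from /etc/redhat-release.
# Prints the URL, or returns 1 for a release the post does not cover.
epel_rpm_for_release() {
    case "$1" in
        *"release 5."*) echo "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm" ;;
        *"release 6."*) echo "http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm" ;;
        *) return 1 ;;
    esac
}

# Step 3a: flip enabled=1 (with or without spaces) to enabled = 0 in a repo file.
# Returns 1 if the file is missing or any enabled=1 line survives.
disable_repo() {
    [ -f "$1" ] || return 1
    sed -i -e 's/enabled *= *1/enabled = 0/g' "$1"
    ! grep -q 'enabled *= *1' "$1"
}

# Step 4: set <server-ip> in an ossec.conf. Only a dotted-quad is accepted, so a
# stray character cannot reach sed; returns 1 if the value did not get applied.
set_ossec_server_ip() {
    conf="$1"; ip="$2"
    case "$ip" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    [ -f "$conf" ] || return 1
    sed -i -e "s|<server-ip>[^<]*</server-ip>|<server-ip>$ip</server-ip>|" "$conf"
    grep -q "<server-ip>$ip</server-ip>" "$conf"
}

# Steps 1-5 in order. Run as root:  install_ossec_agent 10.0.0.5
install_ossec_agent() {
    server_ip="$1"
    release=$(cat /etc/redhat-release)
    epel_url=$(epel_rpm_for_release "$release") || {
        echo "unsupported release: $release" >&2; return 1; }
    # Step 1: fetch the Atomic installer to a file first, so it can be looked at
    # before it is executed as root, instead of piping it straight into sh.
    installer=$(mktemp)
    wget -q -O "$installer" http://www.atomicorp.com/installers/atomic || return 1
    sh "$installer" || return 1
    rm -f "$installer"
    # Step 2: skip the rpm -ivh if epel-release is already there.
    rpm -q epel-release >/dev/null 2>&1 || rpm -ivh "$epel_url" || return 1
    # Step 3
    yum -y install ossec-hids-client || return 1
    # Step 3a (optional, so a missing repo file is not fatal)
    disable_repo /etc/yum.repos.d/atomic.repo || true
    disable_repo /etc/yum.repos.d/epel.repo || true
    # Step 4
    set_ossec_server_ip /var/ossec/etc/ossec.conf "$server_ip" || return 1
    # Step 5: only add the rule if UDP 1514 is not already open (-L works on the
    # older iptables that ships with RHEL 5/6, unlike -C).
    iptables -L INPUT -n | grep -q 'udp dpt:1514' ||
        iptables -A INPUT -p udp --dport 1514 -j ACCEPT
}

# Usage:  sh this_script.sh install 10.0.0.5   (as root)
if [ "${1-}" = "install" ] && [ -n "${2-}" ]; then
    install_ossec_agent "$2"
fi
```

The helpers are split out on purpose: epel_rpm_for_release, disable_repo and set_ossec_server_ip can be exercised on a throwaway file without root or network, which is how you'd check the sed expressions before pointing them at /etc.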

That's basically it. It's well worth reading up on the documentation, and you should test OSSEC out before turning on the active rules.