OSSEC local install with rpm

  10 Dec 2015


I'm setting up a CentOS 6.7 64-bit server and I'd like to install OSSEC in local mode. I have been trying to find documentation for a local installation from RPM, but most of the tutorials I found via Google install from source with a server<->agent setup. So I wrote this article for anyone who wants to install OSSEC locally via RPM.

Let’s start…

First off, add the Atomic yum repository:

    wget -q -O - https://www.atomicorp.com/installers/atomic | sh

Then, install both ossec-hids and ossec-hids-server packages:

    yum install ossec-hids ossec-hids-server

Before configuring anything, let's first test that the server can send e-mail at all:

    mail -s "OSSEC test" user@email.com < /dev/null

If the test e-mail arrives, we can configure the local install with ossec-configure:

    $ ossec-configure

Here is how I proceed:

    OSSEC Configuration utility v0.1

    1- What kind of installation do you want? (server, agent, local) [Default: server]: local

    2- Setting up the configuration environment.

    3- Configuring the OSSEC HIDS.

      3.1- Do you want e-mail notification? (y/n) [Default: y]:
       - What's your e-mail address? <your_email_address>
       - What's your SMTP server ip/host? localhost

      3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

      3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

      3.4- Active response allows you to execute a specific
           command based on the events received. For example,
           you can block an IP address or disable access for
           a specific user.
           More information at:
           http://www.ossec.net/en/manual.html#active-response


       - Do you want to enable active response? (y/n) [y]: n

      3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:

        -- /var/log/messages (syslog)
        -- /var/log/secure (syslog)
        -- /var/log/maillog (syslog)
    Configuration complete.

Then, just restart OSSEC:

    ossec-control restart

To make sure the e-mail alert works as expected, log a message containing the word "bad" to syslog; this triggers the built-in rule 1002 shown in the alert below:

    logger bad

If your server's mail transfer agent or SMTP relay works correctly, you should receive an e-mail similar to this in your inbox:

    Subject: OSSEC Notification - localhost - Alert level 2

    OSSEC HIDS Notification.
    2015 Dec 14 20:21:43

    Received From: localhost->/var/log/messages
    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

    Dec 14 20:21:42 localhost root: bad

     --END OF NOTIFICATION

Additionally, to notify multiple e-mail addresses, add one email_to tag per address inside the global section of /var/ossec/etc/ossec.conf:

    <email_to>user1@email.com</email_to>
    <email_to>user2@email.com</email_to>
    <email_to>user3@email.com</email_to>
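To add recipients without hand-editing the file on every server, here is an added shell helper (my own example, not part of OSSEC) that inserts missing email_to tags before the closing global tag and skips addresses already present, so it is safe to re-run from a provisioning script. It assumes ossec.conf already has a single global block as written by ossec-configure; the sample configuration it writes is constructed for the demo.

```shell
# Idempotently add <email_to> recipients to an OSSEC ossec.conf.
# Assumes one <global>...</global> block, as ossec-configure writes it.
add_email_recipients() {
    conf="$1"; shift
    for addr in "$@"; do
        entry="<email_to>${addr}</email_to>"
        # Skip addresses that are already configured (idempotent).
        grep -Fq "$entry" "$conf" && continue
        # Insert before the first </global>, so the tag lands in the same
        # block as email_notification and smtp_server.
        awk -v tag="    $entry" '
            /<\/global>/ && !done { print tag; done = 1 }
            { print }
        ' "$conf" > "$conf.tmp"
        # Overwrite in place rather than mv, so the file keeps the
        # root:ossec ownership and 0640 mode the OSSEC daemons expect.
        cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    done
}

# Count configured recipients; prints 0 instead of failing on none.
count_email_recipients() {
    grep -c '<email_to>' "$1" || true
}

# Constructed sample of the <global> block ossec-configure produces.
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>user1@email.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossecm@localhost</email_from>
  </global>
</ossec_config>
EOF
}

# Stand-alone demo: adding the same recipients twice yields 3, not 5.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_conf "$f"
    add_email_recipients "$f" user2@email.com user3@email.com
    add_email_recipients "$f" user2@email.com user3@email.com
    echo "recipients: $(count_email_recipients "$f")"   # prints recipients: 3
    rm -f "$f"
fi
```

Run it as `sh add_recipients.sh demo` to see the idempotency check, or point `add_email_recipients` at /var/ossec/etc/ossec.conf as root and restart OSSEC afterwards.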

Hope this helps!
