Setup OSSEC with mySQL and AnaLogi in CentOS 6

OSSEC is an open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring and rootkit detection.

OSSEC runs on different systems (Windows, Linux, Mac, …); the collected data can be stored in a mySQL database and reports can be displayed through the AnaLogi web GUI.

Prerequisites

Starting from the CentOS 6.4 minimal installation, this procedure relies on three main packages:

    1. mySQL v5.x database
    2. OSSEC v2.7 log analyzer
    3. AnaLogi v1.3 ossec-wui

Install mySQL

Update the system and install mySQL packages and compilers.

# yum update
# yum install mysql-devel mysql-server gcc make

For this setup to work properly, SELinux must be disabled. Edit the SELinux configuration file:

# vi /etc/selinux/config

Enable mySQL to start during system boot and start the service.

# chkconfig mysqld on
# service mysqld start

Secure mySQL by running the following command.

# /usr/bin/mysql_secure_installation

Install Ossec and create mySQL db

Using wget, download the OSSEC package and extract the archive.

# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
# tar -vxzf ossec-hids-2.7.tar.gz

Database support is disabled by default in OSSEC, so enable mySQL support before building.

# cd ossec-hids-2.7/src
# make setdb

Create a new mySQL database to save OSSEC alerts.

# mysql -u root -p

mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
mysql> set password for ossec@localhost=PASSWORD('password');
mysql> flush privileges;
mysql> quit

Import the schema for the new database from the OSSEC installation directory ossec-hids-2.7/src/os_dbd/.

# cd ossec-hids-2.7/src/os_dbd
# mysql -u root -p ossec < mysql.schema

Now proceed with the OSSEC installation by executing install.sh.

# ./install.sh

Press ENTER to start the configuration process.

After you press ENTER, the system compiles and installs OSSEC on the computer.

If everything goes smoothly, the installation finishes without any warning or error.

If OSSEC sits behind a firewall, keep in mind that communication with the agents occurs on port UDP 1454.

It’s now time to set the mySQL parameters in the OSSEC configuration. Edit the file ossec.conf.

# vi /var/ossec/etc/ossec.conf

Add the following lines:

<database_output>
   <hostname>127.0.0.1</hostname>
   <username>ossec</username>
   <password>password</password>
   <database>ossec</database>
   <type>mysql</type>
</database_output>

As the last step, enable the mySQL database output and restart the OSSEC service.

# /var/ossec/bin/ossec-control enable database
# /var/ossec/bin/ossec-control restart
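The database_output block above holds the database credentials in clear text, and a typo in it only shows up as a silent ossec-dbd failure after the restart. The following is an added example of my own (not code from the post or from OSSEC) that parses the block out of an ossec.conf, flags a missing tag, an unsupported type, the walkthrough's placeholder password or a remote database host, and copes with the several top-level ossec_config elements a real ossec.conf contains; the sample configuration embedded in it is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Passwords that indicate the placeholder from the walkthrough was kept.
PLACEHOLDER_PASSWORDS = {"", "password", "ossec"}

# Constructed sample: two <ossec_config> roots, as real ossec.conf files have.
SAMPLE_CONF = """<ossec_config>
  <global><email_notification>no</email_notification></global>
</ossec_config>
<ossec_config>
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossec</username>
    <password>password</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
"""

def parse_database_output(conf_text):
    """Return one dict per <database_output> block found in the config."""
    # ossec.conf is not one XML document: it may hold several top-level
    # <ossec_config> elements, so strip any XML declaration and wrap the
    # whole text in a synthetic root before parsing it.
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring("<root>" + body + "</root>")
    return [{child.tag: (child.text or "").strip() for child in block}
            for block in root.iter("database_output")]

def check_database_output(conf_text):
    """Return a list of findings; an empty list means the block looks sane."""
    blocks = parse_database_output(conf_text)
    if not blocks:
        return ["no <database_output> block: alerts will not reach the database"]
    findings = []
    for block in blocks:
        for tag in ("hostname", "username", "password", "database", "type"):
            if not block.get(tag):
                findings.append(f"missing <{tag}>")
        if block.get("type") not in ("mysql", "postgresql"):
            findings.append(f"unsupported <type> {block.get('type')!r}")
        if block.get("password") in PLACEHOLDER_PASSWORDS:
            findings.append("placeholder or empty database password")
        host = block.get("hostname", "")
        if host and host not in ("127.0.0.1", "localhost"):
            findings.append(f"remote database host {host}: credentials and "
                            "alerts cross the network, keep that link trusted")
    return findings
```

To check a live server, pass the contents of /var/ossec/etc/ossec.conf to check_database_output() before running ossec-control restart.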

Install AnaLogi web interface

AnaLogi is a web interface for OSSEC that replaces the outdated ossec-wui, so we need to install Apache and PHP on our system.

# yum install httpd php php-mysql mod_ssl

Enable Apache to start during system boot and start the service.

# chkconfig httpd on
# service httpd restart

Because AnaLogi is distributed through a git repository, we need to install the git package to retrieve the files.

# yum install git-core

Once git is installed, download AnaLogi with the git clone command.

# cd /var/www/html
# git clone https://github.com/ECSC/analogi.git

Assign ownership of the AnaLogi directory to the apache user.

# chown apache:apache analogi -R

Rename the configuration file.

# cd /var/www/html/analogi
# mv db_ossec.php.new db_ossec.php

Edit the db_ossec.php file and amend the SQL parameters to reflect your installation.

# vi db_ossec.php

If you want to create a virtual host, edit the Apache configuration file and add the following lines:

# vi /etc/httpd/conf/httpd.conf

<VirtualHost *:80>
   ServerAdmin admin@nolabnoparty.local
   DocumentRoot /var/www/html/analogi
   ServerName lx6-ossec01.nolabnoparty.local
   ErrorLog logs/ossec-err-error_log
   CustomLog logs/ossec-access-access_log common

   <Directory /var/www/html/analogi>
      Allow from all
      Options -MultiViews
   </Directory>
</VirtualHost>

Restart Apache.

# service httpd restart

Open your browser and enter the URL:

http://ip_address

https://ip_address/analogi

If the AnaLogi dashboard is displayed, the OSSEC server is working properly.

The OSSEC server is now fully functional; the last step is to create the agents for your clients.

About Paolo Valsecchi

IT systems administrator, I mainly deal with the implementation and management of IT services based on the VMware vSphere virtual platform with Microsoft Windows/Active Directory and Linux (Red Hat, CentOS) systems.
