ossec-centos8.md
OSSEC and Wazuh (CentOS 8)

Wazuh

# Fork / further development
https://wazuh.com/

OSSEC -> Installation

## Install on 2 servers 
## server 1 (main): ossec-hids-server
## server 2 (secondary): ossec-hids-agent 

# https://www.ossec.net/downloads/#apt-automated-installation-on-ubuntu-and-debian
# Installs the repo config, but not correctly!
wget -q -O atomic-file https://updates.atomicorp.com/installers/atomic
sh atomic-file 

# installation on main 
dnf -y install ossec-hids ossec-hids-server 

# adjust /var/ossec/etc/ossec.conf 
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@localhost</email_from>
  </global>
  
# Start 
/var/ossec/bin/ossec-control start 

Testing on server 1

ssh root@localhost 
# enter wrong password 3 times 

# alert is logged to 
cd /var/ossec/logs/alerts/
tail alerts.log
2020 Nov 11 13:48:59 server2->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 127.0.0.1
Nov 11 13:48:59 server2 sshd[56463]: Failed password for invalid user root from 127.0.0.1 port 44032 ssh2

** Alert 1605098949.1127: - syslog,sshd,invalid_login,authentication_failed,
2020 Nov 11 13:49:09 server2->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Nov 11 13:49:07 server2 sshd[56463]: message repeated 2 times: [ Failed password for invalid user root from 127.0.0.1 port 44032 ssh2]
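To verify the setup from a script rather than by eye, here is an added example (not part of the original notes) that parses alerts in the alerts.log layout shown above and counts failed sshd logins per source IP, including the "message repeated N times" case where OSSEC prints no Src IP line. The sample text is constructed from the two alerts above; the regexes are this example's own, not OSSEC's.

```python
import re
from collections import Counter

# Constructed sample in the alerts.log layout shown above (the second alert has no "Src IP:" line).
SAMPLE_ALERTS = """\
** Alert 1605098939.0842: - syslog,sshd,invalid_login,authentication_failed,
2020 Nov 11 13:48:59 server2->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 127.0.0.1
Nov 11 13:48:59 server2 sshd[56463]: Failed password for invalid user root from 127.0.0.1 port 44032 ssh2

** Alert 1605098949.1127: - syslog,sshd,invalid_login,authentication_failed,
2020 Nov 11 13:49:09 server2->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Nov 11 13:49:07 server2 sshd[56463]: message repeated 2 times: [ Failed password for invalid user root from 127.0.0.1 port 44032 ssh2]
"""

BLOCK_RE = re.compile(
    r"^\*\* Alert (\d+)\.\d+: - (.*)\n"                    # epoch.id and comma-separated groups
    r"\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (.+?)->(\S+)\n"  # agent->log location
    r"Rule: (\d+) \(level (\d+)\) -> '(.*)'\n"             # rule id, level, description
    r"(?:Src IP: (\S+)\n)?"                                # source IP, not always present
    r"((?:(?!\*\* Alert ).+\n?)*)", re.M)                  # raw log line(s) up to the blank line
REPEAT_RE = re.compile(r"message repeated (\d+) times")
FROM_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_alerts(text):
    """One dict per complete alert; a block whose '** Alert' header was cut off by tail is skipped."""
    alerts = []
    for m in BLOCK_RE.finditer(text):
        ts, groups, agent, location, rule, level, desc, src_ip, log = m.groups()
        alerts.append({"ts": int(ts), "groups": groups.strip(",").split(","), "agent": agent,
                       "location": location, "rule": int(rule), "level": int(level),
                       "description": desc, "src_ip": src_ip, "log": log.strip()})
    return alerts

def failed_logins_by_ip(alerts, min_level=5):
    """Failed sshd logins per source IP at or above min_level. Without a 'Src IP:' line the
    IP is taken from the raw log, and 'message repeated N times' is expanded to N attempts."""
    counts = Counter()
    for a in alerts:
        if "authentication_failed" not in a["groups"] or a["level"] < min_level:
            continue
        hit, rep = FROM_RE.search(a["log"]), REPEAT_RE.search(a["log"])
        ip = a["src_ip"] or (hit.group(1) if hit else "unknown")
        counts[ip] += int(rep.group(1)) if rep else 1
    return counts
```

Run against the sample, the three wrong passwords typed above come back as three attempts from 127.0.0.1, even though OSSEC collapsed two of them into one alert.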

Installation on server 2 (agent)

dnf install -y ossec-hids-agent 

# vi /var/ossec/etc/ossec.conf 
# set server-ip to the address of the OSSEC server (server 1, the ossec-hids-server host)
<!-- OSSEC example config -->

<ossec_config>
  <client>
    <server-ip>192.168.33.10</server-ip>
  </client>

Manage the agent (server 2) on server 1 (ossec-server)

 /var/ossec/bin/manage_agents


****************************************
* OSSEC HIDS v3.6.0 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: server1
   * The IP Address of the new agent: 10.10.11.141
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:server2
   IP Address:10.10.11.141

Confirm adding it?(y/n): y
Agent added with ID 001.


****************************************
* OSSEC HIDS v3.6.0 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: server2, IP: 10.10.11.141
Provide the ID of the agent to extract the key (or '\q' to quit): 1

Agent key information for '001' is:
MDAxIHNlcnZlcjEgMTAuMTAuMTEuMTQxIDkyMjAyMGQ5NzNjODE4NDM3YmIxZmU5ZDBjMmFmYmMwY2JmMmE2Y2EzNjllMGU5Y2MxNmJkYTc4OTdhYTJmNzc=

** Press ENTER to return to the main menu.



****************************************
* OSSEC HIDS v3.6.0 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting.
manage_agents: Exiting.
root@server2:/var/ossec/logs/alerts#

# Restart the server
 /var/ossec/bin/ossec-control restart

Import the key on the agent system (server 2)

 /var/ossec/bin/manage_agents


****************************************
* OSSEC HIDS v3.6.0 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: I

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIHNlcnZlcjEgMTAuMTAuMTEuMTQxIDkyMjAyMGQ5NzNjODE4NDM3YmIxZmU5ZDBjMmFmYmMwY2JmMmE2Y2EzNjllMGU5Y2MxNmJkYTc4OTdhYTJmNzc=

Agent information:
   ID:001
   Name:server2
   IP Address:10.10.11.141

Confirm adding it?(y/n): y
2020/11/11 14:08:11 manage_agents: ERROR: Cannot unlink /queue/rids/sender: No such file or directory
Added.
** Press ENTER to return to the main menu.



****************************************
* OSSEC HIDS v3.6.0 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: q

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting.
manage_agents: Exiting.
root@server1:/var/ossec/etc#

### Restart agent 
/var/ossec/bin/ossec-control restart 
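Before pasting the key on the agent, it is worth decoding it and confirming that it names the agent you just added. This is an added example, not OSSEC code: the key is the one extracted above, and its base64 payload has the form "ID NAME IP SECRET" (which is what that key decodes to). With the expected values from the confirmation prompt above, the check lists every field the key disagrees with, and it rejects a key that picked up a stray space or line break on the way, the failure the import prompt warns about.

```python
import base64
import re

# The key this page extracts on server 1 and pastes on server 2 (copied from the session above).
PAGE_KEY = "MDAxIHNlcnZlcjEgMTAuMTAuMTEuMTQxIDkyMjAyMGQ5NzNjODE4NDM3YmIxZmU5ZDBjMmFmYmMwY2JmMmE2Y2EzNjllMGU5Y2MxNmJkYTc4OTdhYTJmNzc="

def decode_agent_key(key_b64):
    """Decode a manage_agents key ('ID NAME IP SECRET', base64-encoded) into its fields.
    Raises ValueError for anything that is not a well-formed key, including stray
    spaces or line breaks inside the pasted text."""
    try:
        raw = base64.b64decode(key_b64.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"not a valid base64 agent key: {exc}") from exc
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 4 space-separated fields, got {len(fields)}")
    agent_id, name, ip, secret = fields
    if not re.fullmatch(r"\d{3,}", agent_id):
        raise ValueError(f"bad agent id {agent_id!r}")
    # manage_agents accepts a plain address, a CIDR range or 'any' for the agent IP
    if not re.fullmatch(r"any|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?", ip):
        raise ValueError(f"bad agent ip {ip!r}")
    if not re.fullmatch(r"[0-9a-f]{32,}", secret):
        raise ValueError("secret is not a lowercase hex string")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}

def check_key(key_b64, expected_id, expected_name, expected_ip):
    """Return the fields that disagree with the agent you meant to enrol (empty list = all match)."""
    key = decode_agent_key(key_b64)
    expected = {"id": expected_id, "name": expected_name, "ip": expected_ip}
    return [f"{f}: key says {key[f]!r}, expected {v!r}" for f, v in expected.items() if key[f] != v]

if __name__ == "__main__":
    print(decode_agent_key(PAGE_KEY))
    print(check_key(PAGE_KEY, "001", "server2", "10.10.11.141") or "key matches the expected agent")
```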

Trigger the alert on server 2 (agent)

# enter wrong password 3 times 
ssh root@localhost

Validate on server 1 (server)

You should get an email to root. Also check
/var/ossec/logs/alerts/alerts.log


# if this does not work, restart OSSEC on server2 (agent) and then on server1 (server)
server1: /var/ossec/bin/ossec-control restart
server2: /var/ossec/bin/ossec-control restart

# Then retry the ssh login with a wrong password 3 times

Change the syscheck scan config in ossec.conf on server1

# like so (first lines of the syscheck section)
 <syscheck>
    <!-- Frequency (in seconds) that syscheck is executed -- default every 20 hours -->
    <frequency>120</frequency>
    <alert_new_files>yes</alert_new_files>


    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes" report_changes="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">/bin,/sbin,/boot</directories>
# Adjust local rules 
root@server1:/var/ossec/rules# vi local_rules.xml
  <rule id="554" level="7" overwrite="yes">
     <category>ossec</category>
     <decoded_as>syscheck_new_entry</decoded_as>
     <description>File added to system</description>
     <group>syscheck,</group>
  </rule>


</group> <!-- SYSLOG,LOCAL -->

Restart hids-server (server1)

 /var/ossec/bin/ossec-control restart

Optional: scan immediately

# it is possible from the hids-server (server1 aka main.example)
# to trigger an immediate scan on the agent (server2 aka secondary.example.com)
# by restarting the agent

/var/ossec/bin/agent_control -R 001