Many of the OSPatrol daemons chroot to the installation directory (/var/ospatrol is the default, and is the reference directory for this document).
All logs are currently kept in the /var/ospatrol/logs directory. Some log files are rotated daily, but OSPatrol does not move logs outside of /var/ospatrol/logs.
Depending on a number of factors these logs can become large, so make sure you have enough space to store the logs you want to keep.
Related to the amount of storage space you give to OSPatrol is the "events per second" (EPS) you expect to receive. Michael Starks has provided a script to determine EPS in a blog post, 3WoO Day 2: Calculating Your EPS. There has not been any formal load testing of OSPatrol, but some informal testing has shown that a local installation can handle 11,000 EPS (email by Christopher Moraes). This test was done under mostly ideal conditions, and we would be interested in hearing performance reports from other users.
The number of rules and agents also affects the speed of the OSPatrol manager and the amount of space necessary to hold the logs. More agents means more logs.
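As an added example (this is not the script referenced above and is not part of OSPatrol), the following POSIX shell and awk snippet works out peak and sustained EPS from a log sample and turns the sustained rate into a bytes-per-day figure, which is the number you need when sizing /var/ospatrol/logs. The log lines are constructed for illustration; the 86400-second day and the single-day assumption in the timestamp arithmetic are this example's own and are noted in the comments.

```shell
#!/bin/sh
# Added example, not OSPatrol project code: estimate events per second (EPS)
# and daily log volume from a log sample.

# eps_stats FILE
# Prints "peak_eps sustained_eps bytes_per_event" for a syslog-style file whose
# lines begin with "Mon DD HH:MM:SS". Events are bucketed per second; the
# sustained figure is total events over the span from first to last timestamp,
# idle seconds included, which is what matters for sizing. Assumptions: lines
# are in chronological order and all fall within one day (no midnight wrap).
eps_stats() {
    awk '
    {
        split($3, t, ":")
        sec = t[1] * 3600 + t[2] * 60 + t[3]
        if (NR == 1) first = sec
        last = sec
        count[sec]++
        total++
        bytes += length($0) + 1            # +1 for the newline
    }
    END {
        peak = 0
        for (s in count) if (count[s] > peak) peak = count[s]
        span = last - first + 1
        printf "%d %.2f %d\n", peak, total / span, bytes / total
    }' "$1"
}

# daily_bytes SUSTAINED_EPS BYTES_PER_EVENT
# Sustained rate times average event size times the 86400 seconds in a day.
daily_bytes() {
    awk -v eps="$1" -v b="$2" 'BEGIN { printf "%d\n", eps * b * 86400 }'
}

# Constructed sample: 8 events over a 5-second window (12:00:00 to 12:00:04)
# with a burst of 4 failed logins in one second.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Jan 10 12:00:00 web1 sshd[2011]: Accepted publickey for deploy from 192.0.2.10 port 51522 ssh2
Jan 10 12:00:01 web1 sshd[2012]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 10 12:00:01 web1 sshd[2012]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 10 12:00:01 web1 sshd[2013]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Jan 10 12:00:01 web1 sshd[2014]: Failed password for root from 198.51.100.7 port 40126 ssh2
Jan 10 12:00:02 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/systemctl restart nginx
Jan 10 12:00:04 web1 sshd[2015]: Accepted publickey for deploy from 192.0.2.10 port 51530 ssh2
Jan 10 12:00:04 web1 cron[2016]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
EOF

STATS=$(eps_stats "$SAMPLE")
PEAK=$(echo "$STATS" | awk '{print $1}')
AVG=$(echo "$STATS" | awk '{print $2}')
SIZE=$(echo "$STATS" | awk '{print $3}')
echo "peak EPS: $PEAK  sustained EPS: $AVG  avg bytes/event: $SIZE"
echo "bytes/day at the sustained rate: $(daily_bytes "$AVG" "$SIZE")"
```

Size the disk from the peak as well as the sustained figure: a manager that keeps up on average but cannot absorb bursts like the one at 12:00:01 drops exactly the events (brute-force attempts, scans) you most want to keep. Multiply the daily figure by the number of days you intend to retain and by the number of agents, since the page notes that more agents means more logs.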
- Download the OSPatrol tarball and its PGP/GnuPG signature from ospatrol.net.
- Use GnuPG or PGP to verify the download. Import the OSPatrol GPG key with
    gpg --import OSPatrol-GPG-Key.asc
  then verify the signature and file with
    gpg --verify ospatrol-hids-2.6.tar.gz.sig ospatrol-hids-2.6.tar.gz
  gpg must report a good signature from the OSPatrol key. Compare the key's fingerprint against one obtained from somewhere other than the download page before trusting the result: an attacker who can replace the tarball can usually replace the key file next to it as well.
- Unpack the tarball with
    tar -zxf ospatrol-hids-2.6.tar.gz
  and change into the directory it creates. Run the install.sh script to perform the installation:
    ./install.sh
- If you wish to output alert information to a database (MySQL or PostgreSQL) or to Prelude, run the appropriate make target in the src directory. These targets only change how OSPatrol is compiled, so run them before install.sh builds the binaries. For database output run
    make setdb
  and for Prelude use
    make setprelude
- Verify the information and press ENTER. System should detail the operating system and platform, User should be the current user, and Host should display the hostname.
- The installation type for this install will be server, and we are using the default install directory. It should be possible to install OSPatrol anywhere on the system, but selecting the default is easiest. Items inside the brackets are the default answers.
- This installation will be configured to send email alerts and to run the integrity check daemon and the rootkit detection engine.
- We will be disabling active response for now. Active response deserves its own section and will be covered later.
- We will also disable remote syslog (using OSPatrol's syslog will be covered later). The script then lists any extra log file it found that will be analyzed in addition to the typical log files; in this case it is a Debian specific log file.
- At this point OSPatrol will be compiled. After compilation has completed, the script provides more information:
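The download-verification step at the start of this procedure, done the way a practitioner would script it, as an added example that is not OSPatrol project code: the key is imported into a throwaway keyring, pinned to a fingerprint supplied from outside the download page, and the signature is checked on gpg's machine-readable status channel rather than by reading "Good signature". The environment variables OSPATROL_FPR and OSPATROL_VERSION, the exit codes, and the availability of GnuPG 2.x as gpg are this example's own assumptions; the file names follow the document.

```shell
#!/bin/sh
# Added example, not OSPatrol project code: verify a release tarball against
# its detached signature with the signing key pinned to a known fingerprint.
# Assumptions: GnuPG 2.x is installed as gpg; file names follow the document
# (OSPatrol-GPG-Key.asc, ospatrol-hids-2.6.tar.gz and .sig); the fingerprint
# is supplied by the operator in OSPATROL_FPR (a placeholder variable) from a
# channel other than the download page.

# verify_release KEY.asc SIGNATURE TARBALL EXPECTED_FINGERPRINT
# Returns 0 only when the key file carries the expected fingerprint and the
# signature over TARBALL was made by that key. Non-zero codes (this example's
# own): 2 bad arguments, 3 key import failed, 4 fingerprint mismatch,
# 5 signature invalid.
verify_release() {
    key=$1; sig=$2; tarball=$3
    # Normalise the expected fingerprint: strip spaces, upper-case the hex.
    want=$(printf '%s' "$4" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    for f in "$key" "$sig" "$tarball"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done
    [ -n "$want" ] || { echo "no expected fingerprint given" >&2; return 2; }

    # A throwaway keyring: nothing already trusted on this host can satisfy
    # the check, and nothing from the download pollutes the user's keyring.
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$key" 2>/dev/null \
        || { rm -rf "$home"; return 3; }

    # Pin the key: some key in the imported file must carry the fingerprint
    # (colon format; field 10 of "fpr" records).
    if ! gpg --homedir "$home" --batch --with-colons --fingerprint 2>/dev/null \
            | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$want"; then
        echo "key fingerprint mismatch" >&2; rm -rf "$home"; return 4
    fi

    # Require a VALIDSIG record on the status channel. Releases are often
    # signed by a subkey, so accept the fingerprint as either the signing key
    # (field 3) or the primary key (last field) of that record.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null)
    rm -rf "$home"
    printf '%s\n' "$status" | awk -v w="$want" \
        '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == w || $NF == w) { ok = 1 }
         END { exit !ok }' || { echo "signature check failed" >&2; return 5; }
    return 0
}

# Verify, unpack and start the installer. Runs only when the operator has set
# OSPATROL_FPR, so sourcing this file by itself does nothing.
if [ -n "${OSPATROL_FPR:-}" ]; then
    ver=${OSPATROL_VERSION:-2.6}
    verify_release OSPatrol-GPG-Key.asc "ospatrol-hids-$ver.tar.gz.sig" \
        "ospatrol-hids-$ver.tar.gz" "$OSPATROL_FPR" || exit $?
    tar -zxf "ospatrol-hids-$ver.tar.gz" && cd "ospatrol-hids-$ver" || exit 6
    # Database or Prelude output is selected here, before install.sh compiles:
    #   (cd src && make setdb)        # MySQL / PostgreSQL
    #   (cd src && make setprelude)   # Prelude
    ./install.sh
fi
```

Run it as OSPATROL_FPR='<fingerprint obtained out of band>' sh verify-and-install.sh in the directory holding the three downloaded files. A "Good signature" line alone is not sufficient: gpg prints it for any key that happens to be in the keyring, so without the fingerprint pin a key file swapped in beside a tampered tarball would pass the check.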
- Adding agents is done with the manage_agents application:
- The manage_agents menu is simple; enter a to add an agent:
- Enter the agent's information. In the IP address field a CIDR range (192.168.1.0/24) or any can be used. Note that any, or a broad range, means the agent's key is no longer tied to a particular source address, so any host holding that key can report as that agent; use the agent's real address where it is fixed:
- After confirming the addition, manage_agents will notify you that the OSPatrol processes must be restarted:
Note: Restarting the OSPatrol processes is only necessary for the initial agent. While subsequent additions will still give the message, the restart is not necessary.
- Restarting the OSPatrol processes: