Setup OSSEC with mySQL and AnaLogi in CentOS 6
OSSEC is an open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection and real-time alerting.
Agents run on Windows, Linux, Mac OS and other platforms; the alerts the server derives from their data can be stored in a MySQL database and browsed with the AnaLogi web GUI.
Prerequisites
Starting from a CentOS 6.4 minimal installation, this procedure relies on three main packages:
- MySQL v5.x database
- OSSEC v2.7 log analyzer
- AnaLogi v1.3 web interface (the replacement for ossec-wui)
Install MySQL
Update the system and install the MySQL packages together with the compiler toolchain (OSSEC is built from source).
# yum update
# yum install mysql-devel mysql-server gcc make
For this procedure to work, SELinux must be disabled: set SELINUX=disabled in /etc/selinux/config, which takes effect at the next reboot (setenforce 0 switches it off for the running session). Keep in mind that this removes the mandatory access control layer from the host that will become your monitoring server.
# vi /etc/selinux/config
Enable mySQL to start during system boot and start the service.
# chkconfig mysqld on
# service mysqld start
Harden the MySQL installation with the following script, which sets a root password, removes the anonymous accounts and the test database, and disallows remote root login.
# /usr/bin/mysql_secure_installation
Install OSSEC and create the MySQL database
Download the OSSEC source package with wget and unpack it. The download is over plain HTTP, so compare the tarball against the checksum published by the OSSEC project before building it.
# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
# tar -vxzf ossec-hids-2.7.tar.gz
Database support is disabled by default; enable MySQL support in the source tree before compiling.
# cd ossec-hids-2.7/src
# make setdb
Create a new MySQL database to hold the OSSEC alerts, and a dedicated ossec account that can reach it only from localhost. Replace 'password' with a strong password of your own; it will later be stored in clear text in ossec.conf.
# mysql -u root -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec@localhost;
mysql> set password for ossec@localhost=PASSWORD('password');
mysql> flush privileges;
mysql> quit
Import the schema for the new database from the OSSEC source tree, directory ossec-hids-2.7/src/os_dbd/.
# cd ossec-hids-2.7/src/os_dbd
# mysql -u root -p ossec < mysql.schema
Now proceed with the OSSEC installation by running install.sh from the top of the ossec-hids-2.7 directory.
# ./install.sh
Press ENTER to start the configuration process; choose the server installation type, since agents will report to this host, and accept the remaining defaults unless you have a reason to change them.
After the prompts, the installer compiles and installs OSSEC on the system (under /var/ossec by default).
If everything goes smoothly, the installation finishes without any warning or error.
If the server sits behind a firewall, open UDP port 1514: agents send their events to ossec-remoted on that port.
It's now time to set the MySQL parameters in the OSSEC configuration. Edit ossec.conf and add the following block inside the <ossec_config> element, using the credentials of the ossec database user created above. The password is stored in clear text, so leave the file with the installer's default ownership (readable by root and the ossec group only).
# vi /var/ossec/etc/ossec.conf
    <database_output>
        <hostname>127.0.0.1</hostname>
        <username>ossec</username>
        <password>password</password>
        <database>ossec</database>
        <type>mysql</type>
    </database_output>
Finally, enable the database output daemon (ossec-dbd) and restart OSSEC. Run ossec-control status afterwards to confirm that ossec-dbd is listed as running.
# /var/ossec/bin/ossec-control enable database
# /var/ossec/bin/ossec-control restart
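As an added example (not from the original post), here is a small POSIX shell script a practitioner might run after the steps above to confirm that the server is actually wired up: that ossec-dbd came up after the enable command, that the CentOS 6 iptables firewall admits agent traffic on UDP 1514, and what the newest alerts in the database look like. The /var/ossec path, the ossec@localhost account and the iptables assumption are mine, not the page's; the table and column names (alert, signature, location, src_ip stored as an integer) follow the 2.7 mysql.schema imported above, so check that file if your version differs.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for an
# OSSEC 2.7 server that stores alerts in MySQL as configured above.
# Assumptions (not stated on the page): OSSEC installed under /var/ossec,
# iptables as the CentOS 6 firewall, MySQL account ossec@localhost on
# database "ossec". Table/column names follow src/os_dbd/mysql.schema
# (alert, signature, location); check that file if your version differs.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
DB_USER="${DB_USER:-ossec}"
DB_NAME="${DB_NAME:-ossec}"

# ossec-dbd only starts after "ossec-control enable database". Given the
# text of "ossec-control status", succeed if the daemon reports running.
dbd_running() {
    printf '%s\n' "$1" | grep -q '^ossec-dbd is running'
}

# Agents reach ossec-remoted on UDP 1514. Given the text of
# "iptables -S INPUT", succeed if an ACCEPT rule for that port exists.
fw_allows_1514() {
    printf '%s\n' "$1" | grep -Eq -- '-p udp.*--dport 1514.*-j ACCEPT'
}

# SQL for the newest alerts with rule level, description and log source,
# joined along the schema's foreign keys. Argument: row limit (default 10).
recent_alerts_sql() {
    cat <<EOF
SELECT FROM_UNIXTIME(a.timestamp) AS alert_time, s.level, a.rule_id,
       s.description, l.name AS location, INET_NTOA(a.src_ip) AS src_ip
FROM alert a
JOIN signature s ON s.rule_id = a.rule_id
JOIN location  l ON l.id = a.location_id
ORDER BY a.timestamp DESC
LIMIT ${1:-10};
EOF
}

# Live checks run only where OSSEC is installed; elsewhere the functions
# above can still be used on their own (e.g. recent_alerts_sql 20 | mysql ...).
if [ -x "$OSSEC_DIR/bin/ossec-control" ]; then
    status="$("$OSSEC_DIR/bin/ossec-control" status 2>/dev/null || true)"
    if dbd_running "$status"; then
        echo "ossec-dbd: running"
    else
        echo "ossec-dbd: NOT running (ossec-control enable database && ossec-control restart)"
    fi
    if command -v iptables >/dev/null 2>&1; then
        rules="$(iptables -S INPUT 2>/dev/null || true)"
        if fw_allows_1514 "$rules"; then
            echo "firewall: udp/1514 accepted"
        else
            echo "firewall: udp/1514 blocked (iptables -I INPUT -p udp --dport 1514 -j ACCEPT; service iptables save)"
        fi
    fi
    if command -v mysql >/dev/null 2>&1; then
        # -p prompts for the password of the ossec account created above.
        recent_alerts_sql 10 | mysql -u "$DB_USER" -p -t "$DB_NAME"
    fi
fi
```

Run it as root on the OSSEC server. An empty result from the query right after the restart is normal; generate a test event (a failed SSH login on the server itself, for example) and run it again before concluding that ossec-dbd is not writing.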
Install the AnaLogi web interface
AnaLogi is a PHP web interface for OSSEC that replaced the outdated ossec-wui, so Apache and PHP with the MySQL extension are needed on the system; mod_ssl allows the interface to be served over HTTPS.
# yum install httpd php php-mysql mod_ssl
Enable Apache to start during system boot and start the service.
# chkconfig httpd on
# service httpd restart
AnaLogi is distributed from a git repository, so install git to retrieve it.
# yum install git-core
Once git is installed, clone the AnaLogi repository into the web root.
# cd /var/www/html
# git clone https://github.com/ECSC/analogi.git
Assign ownership of the AnaLogi directory to the apache user. Note that cloning into the web root also places the repository's .git directory under DocumentRoot, where Apache will serve it unless access to it is denied.
# chown apache:apache analogi -R
Create the configuration file from the template shipped with AnaLogi.
# cd /var/www/html/analogi
# mv db_ossec.php.new db_ossec.php
Edit db_ossec.php and set the database host, name, user and password to match your installation. AnaLogi only reads from the database, so a separate SELECT-only account is preferable to reusing the ossec account that OSSEC writes with.
# vi db_ossec.php
If you want to create a virtual host for AnaLogi, edit the Apache configuration file, make sure the NameVirtualHost *:80 directive is uncommented (Apache 2.2 needs it for name-based virtual hosts), and add the following lines. The hostnames are the author's lab names; substitute your own.
# vi /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
    ServerAdmin admin@nolabnoparty.local
    DocumentRoot /var/www/html/analogi
    ServerName lx6-ossec01.nolabnoparty.local
    ErrorLog logs/ossec-err-error_log
    CustomLog logs/ossec-access-access_log common
    <Directory /var/www/html/analogi>
        Allow from all
        Options -MultiViews
    </Directory>
</VirtualHost>
As written, this virtual host serves the alert data to anyone who can reach it, over clear-text HTTP, and nothing in the procedure adds a login. Restrict the Directory block (for example with Require valid-user and an htpasswd file, or an Allow from limited to your admin network) and prefer the HTTPS URL served by mod_ssl.
Restart Apache.
# service httpd restart
Open your browser and go to http://ip_address (if you configured the virtual host above) or to https://ip_address/analogi.
If you see the AnaLogi dashboard, the OSSEC server is working properly.
The OSSEC server is now fully functional; the last step is to register agents for your client systems with /var/ossec/bin/manage_agents and import the generated key on each agent.