Introduction
OSSEC HIDS (Open Source SECurity Host-based Intrusion Detection System) is a no-cost, open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. The program runs on most operating systems, including OS X, but current versions appear to be less than fully compatible with OS X 10.10 "Yosemite" out of the box. Hence, this configuration guide.
If you're interested in using a HIDS on your OS X-based system, here's everything you need to get up and running successfully.
Audience
These instructions are primarily geared toward campus technical staff and other technically proficient end users on campus running OS X Yosemite.
They are written so that even those without extensive command line experience can get OSSEC working properly with a minimum of hassle.
Requirements
To install OSSEC HIDS using this guide, you'll need:
- A Macintosh computer running OS X 10.10 "Yosemite"
- A (free) copy of OSSEC HIDS 2.8.2 or later
- Access to a local admin account on your computer
- Xcode, or another C compiler such as gcc
- An outbound (SMTP) mail server, for email alerts
Version
These instructions were tested in September 2015 with the latest available stable release, OSSEC HIDS 2.8.2, running on OS X 10.10.5.
Local Installations
OSSEC can be installed on a local machine for monitoring by a single user.
Installation
1. You'll need a C compiler installed to build OSSEC. If you don't have one installed, head to the Mac App Store and install Xcode, which is free Apple-supported software.
2. Download the latest Linux/BSD release of OSSEC HIDS at www.ossec.net.
3. Compare the MD5 checksum of the downloaded package to the checksum available on the OSSEC website to ensure that your download has not been tampered with:
$ md5 ~/Downloads/ossec-hids-2.8.2.tar.gz
MD5 (/Users/User/Downloads/ossec-hids-2.8.2.tar.gz) = 3036d5babc96216135759338466e1f79
4. Open Terminal.app and switch to root. If you don't have root enabled on your system, you may use sudo, but you must be logged in as a local admin account to use sudo:
$ sudo -s
Password: ••••••••••
5. Expand the tarball (ossec-hids-2.8.2.tar.gz) and then run install.sh in Terminal.app:
# ~/Downloads/ossec-hids-2.8.2/install.sh
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** A Magyar nyelvű telepítéshez válassza [hu].
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
6. Press Return to proceed in English:
OSSEC HIDS v2.8 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Darwin Host.local 14.3.0
- User: root
- Host: Host.local
-- Press ENTER to continue or Ctrl-C to abort. --
7. Press Return to continue, then enter local and press Return:
1- What kind of installation do you want (server, agent, local, hybrid or help)?
local
- Local installation chosen.
8. Press Return to install OSSEC HIDS in its default location, /var/ossec:
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
9. Press Return to enable email notifications, enter your email address, and press Return to use the SMTP server that it finds based on the MX record for utexas.edu. If you're not using an ITS mail service (Office 365, AEMS, UTmail), your settings may be different. In that case, contact your mail server administrator for assistance.
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]:
y
- What's your e-mail address?
user@utexas.edu
- We found your SMTP server as: inbound.mail.utexas.edu.
- Do you want to use it? (y/n) [y]:
--- Using SMTP server: inbound.mail.utexas.edu.
10. Press Return to enable each desired feature. If you'd rather not enable a certain feature, enter n then press Return:
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]:
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]:
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 192.168.248.2
- Do you want to add more IPs to the white list? (y/n)? [n]:
- IPs (space separated):
11. Enter the IP addresses of any other systems from which you routinely remotely access this computer, then press Return to continue:
3.6- Setting the configuration to analyze the following logs:
-- /var/log/system.log
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue ---
12. Press Return to begin building OSSEC HIDS. If you are prompted about the Xcode license agreements, press Return to view them, press q when you have finished reading, then type agree (if you agree) and press Return:
5- Installing the system
- Running the Makefile
You have not agreed to the Xcode license agreements. You must agree to both license agreements below in order to use Xcode.
Hit the Enter key to view the license agreements at '/Applications/Xcode.app/Contents/Resources/English.lproj/License.rtf'
IMPORTANT: BY USING THIS SOFTWARE, YOU ARE AGREEING TO BE BOUND BY THE FOLLOWING APPLE TERMS:
A. MAC SDK AND XCODE AGREEMENT
B. iOS SDK AGREEMENT
APPLE INC.
MAC SDK AND XCODE AGREEMENT
PLEASE READ THIS MAC SDK AND XCODE AGREEMENT ("LICENSE") CAREFULLY BEFORE USING THE DEVELOPER SOFTWARE (DEFINED BELOW). BY USING THE DEVELOPER SOFTWARE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU ARE ACCESSING THE DEVELOPER SOFTWARE ELECTRONICALLY, SIGNIFY YOUR AGREEMENT TO BE BOUND BY THE TERMS OF THIS LICENSE BY CLICKING THE "AGREE " BUTTON. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE, DO NOT USE THE DEVELOPER SOFTWARE AND CLICK “DISAGREE”.
IMPORTANT NOTE: To the extent that this software may be used to reproduce materials, it is licensed to you only for reproduction of non-copyrighted materials, materials in which you own the copyright, or materials you are authorized or legally permitted to reproduce. If you are uncertain about your right to copy any material, you should contact your legal advisor.
1. General.
By typing 'agree' you are agreeing to the terms of the software license agreements. Type 'print' to print them or anything else to cancel, [agree, print, cancel] agree
You can view the license agreements in Xcode's About Box, or at /Applications/Xcode.app/Contents/Resources/English.lproj/License.rtf
*** Making zlib (by Jean-loup Gailly and Mark Adler) ***
...
...
...
- System is Darwin.
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). ---
13. Press Return to finish installation. You're not done, but you're a little closer…
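The checksum comparison in step 3 is easy to get wrong by eye. The helper below is an added example (not from the original guide or the OSSEC project) that does the comparison for you and refuses with a non-zero exit status on a mismatch or a missing file; it uses BSD md5 on OS X and falls back to md5sum elsewhere.

```shell
# Added example: verify a downloaded tarball against the MD5 published on ossec.net.
# Usage: verify_md5 <file> <expected-md5>
# Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
verify_md5() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "verify_md5: no such file: $file" >&2
        return 2
    fi
    # OS X ships BSD `md5`; Linux and most other systems ship `md5sum`.
    if command -v md5 >/dev/null 2>&1; then
        actual=$(md5 -q "$file")
    else
        actual=$(md5sum "$file" | cut -d' ' -f1)
    fi
    # Normalise case so a checksum copied in uppercase hex still compares equal.
    actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Example call with the checksum shown in step 3; only expand the tarball
# and run install.sh if this succeeds:
#   verify_md5 ~/Downloads/ossec-hids-2.8.2.tar.gz 3036d5babc96216135759338466e1f79
```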
Configuration
By default, the OSSEC installation script relies on niload, a deprecated command (part of NetInfo, which was removed from OS X in 2007), to create the root-level users that OSSEC needs to function. If you try to launch OSSEC right now, it will fail:
# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
2015/06/29 13:10:30 ossec-maild(1203): ERROR: Invalid user 'ossecm' or group 'ossec' given.
ossec-maild did not start correctly.
Bummer. Luckily, there's a script that comes with OSSEC that can be run to fix this issue. From an elevated prompt, change the file permissions to make it executable, then run it:
# chmod u=rwx ~/Downloads/ossec-hids-2.8.2/src/init/osx105-addusers.sh
# ~/Downloads/ossec-hids-2.8.2/src/init/osx105-addusers.sh
Now you've got the necessary user accounts created, but the script has made them visible to all users of the system. Since these are root-level users and are only used by OSSEC, they should not be visible. Wave your magic dscl wand to make them disappear:
# dscl . create /Users/ossec IsHidden 1
# dscl . create /Users/ossecm IsHidden 1
# dscl . create /Users/ossecr IsHidden 1
Log out and log back in to verify that the new accounts are hidden at the login screen.
If you try running OSSEC now (remember, from an elevated command prompt), you'll most likely get a bunch of errors:
# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
2015/08/28 11:58:09 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
2015/08/28 11:58:24 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'No such file or directory'.
2015/08/28 11:58:35 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
2015/08/28 11:58:51 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'No such file or directory'.
2015/08/28 11:59:07 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
2015/08/28 11:59:22 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
ossec-syscheckd did not start correctly.
It seems counterintuitive to update software when you've just installed its latest version, but that's what will fix this issue. Begin the installation process again:
# ~/Downloads/ossec-hids-2.8.2/install.sh
Press Return twice, then answer y at both prompts:
- You already have OSSEC installed. Do you want to update it? (y/n):
y
- Do you want to update the rules? (y/n):
y
Hooray! It's alive! Until you reboot, anyway…
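A quick check, added here and not part of the original guide, that the accounts created by osx105-addusers.sh exist and (on OS X, where dscl is available) are hidden as described above. The account names default to the three from this section; any other names can be passed as arguments.

```shell
# Added example: report the state of the OSSEC service accounts.
# Usage: ossec_users_status [user ...]   (defaults to ossec ossecm ossecr)
# Returns 0 when every account exists and, where dscl can tell, is hidden.
ossec_users_status() {
    users=${*:-ossec ossecm ossecr}
    rc=0
    for u in $users; do
        # `id` works on OS X and Linux alike and fails for unknown accounts.
        if ! id "$u" >/dev/null 2>&1; then
            echo "$u: missing (run src/init/osx105-addusers.sh as root)"
            rc=1
            continue
        fi
        if command -v dscl >/dev/null 2>&1; then
            # dscl prints "IsHidden: 1" when the account is hidden from the login screen.
            hidden=$(dscl . -read "/Users/$u" IsHidden 2>/dev/null | awk '{print $2}')
            if [ "$hidden" = "1" ]; then
                echo "$u: present, hidden"
            else
                echo "$u: present but VISIBLE at login (run: dscl . create /Users/$u IsHidden 1)"
                rc=1
            fi
        else
            echo "$u: present (dscl not available, cannot check IsHidden)"
        fi
    done
    return $rc
}
```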
Automatically launch at system boot
By default, OSSEC HIDS is supposed to launch at system boot. However, the software is still using the /Library/StartupItems folder to trigger launch at boot, and this folder has been deprecated by Apple in Yosemite.
Delete the OSSEC folder inside StartupItems, as it's no longer relevant:
# rm -R /Library/StartupItems/OSSEC/
To get OSSEC to launch automatically at boot, you'll need to add a .plist to /Library/LaunchDaemons:
1. Make sure you've still got an elevated prompt, then use a text editor (such as nano) to create a new file with the following text, substituting the hostname of your machine:
# nano
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>edu.utexas.hostname.ossec-control</string>
    <key>ProgramArguments</key>
    <array>
        <string>/var/ossec/bin/ossec-control</string>
        <string>start</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
2. If using nano, press Ctrl-O and save the file as /Library/LaunchDaemons/edu.utexas.hostname.ossec-control.plist, substituting the hostname of your machine. Press Ctrl-X to exit nano.
3. Change the owner of the file to root:
# chown root:wheel /Library/LaunchDaemons/edu.utexas.hostname.ossec-control.plist
4. Set the proper permissions on the file:
# chmod u=rw-,go=r-- /Library/LaunchDaemons/edu.utexas.hostname.ossec-control.plist
5. Reboot the system to test. Upon reboot, open an elevated command prompt and check the status of OSSEC:
$ sudo -s
Password: ••••••••••
# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
6. Pat yourself on the back. You've got OSSEC HIDS working on OS X!
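Steps 1 through 4 above, as an added example script (not part of the original guide): it writes the plist with the label derived from the hostname, sets the ownership and mode launchd requires, and, when writing to the real /Library/LaunchDaemons, validates the file with plutil and loads it without a reboot. The label scheme edu.utexas.<hostname>.ossec-control is taken from the guide; the second argument is an assumption that lets you preview the file elsewhere first.

```shell
# Added example: create and load the OSSEC LaunchDaemon plist.
# Usage: make_ossec_launchdaemon [hostname] [outdir]
# Prints the path of the plist it wrote.
make_ossec_launchdaemon() {
    host=${1:-$(hostname -s)}
    outdir=${2:-/Library/LaunchDaemons}
    label="edu.utexas.${host}.ossec-control"
    plist="$outdir/$label.plist"
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>/var/ossec/bin/ossec-control</string>
        <string>start</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    # launchd refuses daemons that are not root-owned or are group/world-writable.
    chmod 644 "$plist"
    if [ "$outdir" = /Library/LaunchDaemons ]; then
        chown root:wheel "$plist"
        # Validate the XML, then load it so OSSEC starts now and at every boot.
        plutil -lint "$plist" && launchctl load "$plist"
    fi
    echo "$plist"
}
```

Run it from an elevated prompt; check with /var/ossec/bin/ossec-control status afterwards, as in step 5.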
By default, OSSEC includes several rules that will email alerts when specific system changes are detected. OSSEC becomes even more useful when you configure it to parse other logs for additional, noteworthy system events.
Other sources have instructions for configuring useful rules to detect specific system changes; see, for example, Digital Ocean.
ITS's inbound mail server should work fine for routing OSSEC alerts from a UTnet-connected machine. You may experience issues if you're not using Office 365 or UTmail; in such cases, consult with your mail server administrator.
You may also set up postfix as an SMTP server, though be aware that running a local mail server requires a security exception from the Information Security Office and is not recommended.
Rule 1002 is particularly annoying and will trigger a large number of alerts for generally unimportant output in system.log. To disable it, find rule 1002 and comment out the alert_by_email line:
# nano /var/ossec/rules/syslog_rules.xml
...
<rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <!-- <options>alert_by_email</options> -->
    <description>Unknown problem somewhere in the system.</description>
</rule>
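The same edit done by a script, as an added example (not part of the original guide): it comments out the alert_by_email option inside rule 1002 only, leaves every other rule untouched, is safe to run twice, and writes to a separate file so the result can be reviewed before it replaces /var/ossec/rules/syslog_rules.xml. The sample XML in the block is constructed for the demonstration and is not the real rule file.

```shell
# Added example: comment out alert_by_email for rule 1002 only.
# Usage: silence_rule_1002_email <input.xml> <output.xml>
silence_rule_1002_email() {
    awk '
        /<rule id="1002"/ { in_rule = 1 }
        # Only rewrite inside rule 1002, and skip lines that are already comments.
        in_rule && /<options>alert_by_email<\/options>/ && !/<!--/ {
            sub(/<options>alert_by_email<\/options>/, "<!-- <options>alert_by_email</options> -->")
        }
        /<\/rule>/ { in_rule = 0 }
        { print }
    ' "$1" > "$2"
}

# Constructed sample with two rules so the effect on neighbours is visible.
sample_rules() {
    cat <<'EOF'
<group name="syslog,">
  <rule id="1001" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Constructed rule 1001 (must stay unchanged)</description>
  </rule>
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
</group>
EOF
}

# Demo: apply the edit to the sample and print the result.
demo_silence_1002() {
    tmp=$(mktemp -d)
    sample_rules > "$tmp/in.xml"
    silence_rule_1002_email "$tmp/in.xml" "$tmp/out.xml"
    cat "$tmp/out.xml"
    rm -rf "$tmp"
}
```

Re-running install.sh and answering y to "update the rules" replaces the stock rule files, so re-apply this after an update.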
Depending on your system and how you've configured OSSEC, you could start receiving lots of email.
If you're using Office 365 or UTmail, you'll probably want to set up mail filters or rules to shuffle OSSEC alerts off to a separate folder for easy review (and so they don't clutter your inbox).
Server/client Installations
OSSEC can also be installed in a server/client arrangement for managing multiple systems at once. Such configuration is beyond the scope of this guide but may be added in the future.
Updating OSSEC
You may update OSSEC and its rules at any point after installation by re-running install.sh and answering y at both update prompts, as described in the Configuration section above.
Support
Questions about using OSSEC HIDS?
- Documentation (ossec.net)
- Support (ossec.net)
Questions about campus security policy?