Security Management

Installing OSSEC HID

OSSEC is a robust, cross-platform HID that offers log analysis, system integrity checking, policy monitoring, rootkit detection, and real-time alerting. In this example, I install a HID on an Ubuntu server.

On the example Ubuntu server, enter the following:

apt-get install build-essential

then wget the latest version of OSSEC:

wget http://www.ossec.net/files/ossec-hids-2.7.1.tar.gz
tar -zxvf ossec-hids-2.7.1.tar.gz
./install.sh

Install OSSEC in defaults/var/ossec, specify the IP of your OSSIM server as your OSSEC HID server, and select YES to run an integrity check and rootkit detection daemons.

After you have OSSEC HID installed, you'll want to return to the OSSIM web interface and go to Environment  | Detection  | Add Agent (Figure  11) to enter the Agent Name of your choosing and the IP of the agent. Click Save .

Figure 11: Adding a new agent.

Hereafter, you can simply go to the agent record and select the Extract Key icon shown in Figure  12. The agent key will then be displayed, which you can paste into your Ubuntu OSSEC agent. Now, SSH back into the OSSEC agent server on your Ubuntu server and run:

Figure 12: Getting the agent key.

/var/ossec/bin/manage_agents

Enter I to import the key from your server, and then select Q to quit.

Next, you can restart OSSEC on your server using:

sudo service ossec restart

Finally, restart your OSSIM server. Once you are back in the web interface, you will see the new agent in all its glory (Figure  13).

Figure 13: Agent overview.

Summary

In this article, I gave you an introductory taste of OSSIM. Although I have only shown you the basic setup, you should have some understanding of its overall capabilities. Now, you should be able to deploy your OSSIM in your existing environment. With patience and some documentation in hand, you can explore this stellar SIEM.