Open Source Security Information and Event Management system
Security Management
Configuration from the Console
Accessing OSSIM from the console is easy: log in with the root login and password you specified during the install. If you prefer, you can use the ncurses interface; but, in this example, I will exit it. I favor this approach for updates because it brings me back to the comfy familiarity of Debian. Figure 4 shows a number of operations you can perform directly from the console by entering:
alienvault-setup
When you are done, simply issue
alienvault-reconfig
to write your changes to memory. As always, you can issue the help command to get an idea of what is available. When you are done, simply type exit. Note that this article is based on the newest version of OSSIM, 4.4.1. If you are using a previous version, the interface may be a bit different. (Oh, and BTW – upgrade!)
Post-Install Setup
In a real-world install, you would have most of your work ahead of you, after having installed and configured the base all-in-one OSSIM virtual machine.
From there, you would want to make decisions on your architecture using the many capabilities this powerful open source SIEM provides. I will look at only a subset of the many operations you might deploy for a full-blown installation. To begin, I will set up asset discovery and configuration.
Asset Discovery and Configuration
In this step, I populate my networks and associated assets in OSSIM. To begin, I log in to the web interface and go to Environments | Groups & Networks | Networks | Add Network (Figure 5). Simply name your network and add the IP space in CIDR notation. Also, under the Scan options, select Availability Monitoring, which adds these machines to Nagios for monitoring; then click Save to exit.
The next step is asset discovery via Environment | Assets | Asset Discovery (Figure 6). This screen has several options for configuring asset scanning. In my case, I expand Networks on the right, add the subnet I created in the previous step, and select the Full Scan scan type from the drop-down under Advanced Options. From here, Nmap does its magic and finds all hosts, related services, and OS details. Once it completes, you will see output similar to Figure 7.
Simply click Update database values at the bottom to continue. From here, you can add further details to any of the assets discovered in this step. If you explore a bit, you will see that OSSIM has now added the networks and assets. If you poke around the Environment pull-down, you will see that the machines are now being monitored and that you have insight into those nodes. For example, take a peek at Environment | Availability.
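To make the asset-discovery step concrete, here is an added example (not OSSIM's own code, and not from the article) that does in a few lines what the Full Scan does for you behind the web interface: it reads an Nmap XML report, keeps only hosts that are up and their open ports, picks the most confident OS match, and then checks each discovered host against the network you declared in CIDR notation. The Nmap XML embedded below is a constructed sample with made-up addresses, hostnames and versions; the `Asset` record, the function names and the `10.0.0.0/29` network are assumptions for illustration. The scope check at the end is worth having in practice: a host that turns up outside the network you defined is either a scan-range mistake or something you did not know was there, and either way it deserves a look before you click Update database values.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of an Nmap XML report (nmap -oX), trimmed to the elements the
# parser below reads. Every address, hostname, MAC and version here is made up.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -A -oX scan.xml 10.0.0.0/29" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.example.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.14.2" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https" conf="3"/></port>
    </ports>
    <os>
      <osmatch name="Linux 4.15 - 5.6" accuracy="96"/>
      <osmatch name="Linux 3.2 - 4.9" accuracy="91"/>
    </os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.50.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server" conf="3"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 10" accuracy="90"/></os>
  </host>
</nmaprun>
"""


@dataclass
class Asset:  # hypothetical inventory record, one per live host
    ip: str
    hostname: str = ""
    mac: str = ""
    os: str = ""
    # (port, protocol, service name, product/version) for open ports only
    services: list = field(default_factory=list)


def parse_nmap_xml(xml_text):
    """Turn an Nmap XML report into Asset records for hosts that are up."""
    assets = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a down host carries no inventory data
        asset = Asset(ip="")
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                asset.ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                asset.mac = addr.get("addr")
        name = host.find("hostnames/hostname")
        if name is not None:
            asset.hostname = name.get("name", "")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services to inventory
            svc = port.find("service")
            svc_name, banner = "", ""
            if svc is not None:
                svc_name = svc.get("name", "")
                banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            asset.services.append((int(port.get("portid")), port.get("protocol"), svc_name, banner))
        matches = host.findall("os/osmatch")
        if matches:  # Nmap may list several guesses; keep the most confident one
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            asset.os = f"{best.get('name')} ({best.get('accuracy')}%)"
        assets.append(asset)
    return assets


def split_by_network(assets, cidr):
    """Separate assets inside the declared network from strays outside it."""
    net = ipaddress.ip_network(cidr, strict=False)
    in_scope, out_of_scope = [], []
    for a in assets:
        (in_scope if ipaddress.ip_address(a.ip) in net else out_of_scope).append(a)
    return in_scope, out_of_scope


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    inside, strays = split_by_network(found, "10.0.0.0/29")
    for a in inside:
        print(a.ip, a.hostname or "-", a.os or "-", a.services)
    for a in strays:
        print("outside declared network:", a.ip, a.services)
```

Run it as-is to see the two live hosts from the sample; point `parse_nmap_xml` at the text of a real `nmap -A -oX` report to inventory your own subnet the same way.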