Open Source Security Information and Event Management system

Security Management

Configuration from the Console

Accessing OSSIM from the console is easy: log in with the root login and password you specified during the install. If you prefer, you can use the ncurses interface; but, in this example, I will exit it. I favor this approach for updates because it brings me back to the comfy familiarity of Debian. Figure 4 shows a number of operations you can perform directly from the console by entering:

alienvault-setup

Figure 4: AlienVault setup.

When you are done, simply issue

alienvault-reconfig

to write your changes to memory. As always, you can issue the help command to get an idea of what is available. When you are done, simply type exit. Note that this article is based on the newest version of OSSIM, 4.4.1. If you are using a previous version, the interface may be a bit different. (Oh, and BTW – upgrade!)

Post-Install Setup

In a real-world install, you would have most of your work ahead of you, after having installed and configured the base all-in-one OSSIM virtual machine.

From there, you would want to make decisions on your architecture using the many capabilities this powerful open source SIEM provides. I will look at only a subset of the many operations you might deploy for a full-blown installation. To begin, I will set up asset discovery and configuration.

Asset Discovery and Configuration

In this step, I populate my networks and associated assets in OSSIM. To begin, I log in to the web interface and go to Environments | Groups & Networks | Networks | Add Network (Figure 5). Simply name your network and add the IP space in CIDR notation. Also, under the Scan options, select Availability Monitoring, which adds these machines to Nagios for monitoring; then click Save to exit.

Figure 5: Adding a network.

The next step is asset discovery via Environment | Assets | Asset Discovery (Figure 6). This screen has several options to configure asset scanning. In my case, I expand Networks on the right, add in my previously added subnet, and select the Full Scan scan type from the drop-down under Advanced Options. From here, Nmap does its magic and finds all hosts, related services, and OS details. Once completed, you will see output similar to Figure 7.

Figure 6: Setting up asset discovery.
Figure 7: Asset scan output.

Simply click Update database values at the bottom to continue. From here, you can add any additional details to any of the assets discovered in this step. If you explore a bit, you will see that OSSIM has now added the networks and assets. If you poke around the Environment pull-down, you see that the machines are now being monitored and you have insight into those nodes. For example, take a peek at Environment | Availability.
