
AlienVault OSSIM allows you to effectively manage Linux logs


Introduction

OSSIM is a robust, open-source security information and event management (SIEM) operating system. It’s the open-source counterpart to AlienVault, a product offered by AT&T.

I’ve used OSSIM professionally and currently utilize it for vulnerability scanning, asset management, and security alerts. Setting up and installing OSSIM can be quite complex, and troubleshooting resources are limited. I’ve picked up some useful tips through trial and error over the years.

Interestingly, OSSIM leans towards a Windows-centric approach, despite being built on Debian. Consequently, deploying the host intrusion detection system (HIDS) on Linux endpoints can be a bit challenging.

This post will guide you through installing the OSSEC HIDS necessary for an OSSIM deployment and configuring Linux syslog forwarding to OSSIM. If your Linux distribution isn’t supported on the OSSEC site, I’ll also explain how to compile the HIDS agent and configure it via the command-line interface.


Adding an Agent to OSSIM

This guide assumes you have a working OSSIM installation (either virtualized or on bare metal) and can access the web interface. If you’re not at this stage yet, I suggest referring to AT&T’s official documentation. I previously wrote a post on installing OSSIM as a VM on Unraid if you prefer that platform.

Start by navigating to your OSSIM web interface. Go to ENVIRONMENT > DETECTION > AGENTS and click ADD AGENT. Locate your Linux endpoint under the “All Assets” section (this requires you to have previously added assets to OSSIM, either manually or through a scan). Upon selecting your endpoint, the IP/CIDR field should auto-populate with its IP address. Click SAVE. See the screenshot below:

Note: If your endpoint doesn’t have a static IP address, I highly recommend assigning one if feasible. While HIDS might function with a dynamic IP (by checking the “This is a dynamic IP address (DHCP)” checkbox), static IPs tend to be more reliable and have caused fewer issues in my experience.

After saving, you should see your endpoint listed as shown in the image below. The status in my image is already “Active,” which is how yours will appear once we complete this tutorial.

Take note of this location, as you’ll need the Base64 encoded key (accessible by clicking the key icon next to your endpoint) later on for your Linux OS.


Installing OSSEC HIDS

The installation process has been simplified and is now fairly straightforward for most Linux distributions. Looking at the OSSEC.net downloads, we can see that all supported Linux distributions use the same wget command to add the package source. The necessary wget command, followed by the appropriate package manager commands for agent installation, is provided below. Note that the commands for Ubuntu and Debian are identical, as are those for CentOS/RedHat, Fedora, and Amazon Linux. The configuration process will also be the same across all distributions.

Ubuntu & Debian

For Ubuntu and Debian, execute the following to install the agent:

wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
sudo apt update && sudo apt install ossec-hids-agent

CentOS/RedHat, Fedora, & Amazon Linux

For CentOS/RedHat, Fedora, & Amazon Linux, run the following to install the agent:

wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
sudo yum install ossec-hids-agent

From Source

Compiling from source is another installation method. I’ve personally only tested this on Ubuntu and two Raspberry Pis. Your results may differ, and you’ll need to install the following:

# Install build tools with APT (works on distributions that use APT)
sudo apt install build-essential libevent-dev libpcre2-dev libz-dev libssl-dev

The next set of steps covers the actual installation:

# Download the 3.6.0 release tarball to /tmp (wget takes the output path via -O, not as a second argument)
wget -O /tmp/3.6.0.tar.gz https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
# Extract into /tmp so the source tree lands at /tmp/ossec-hids-3.6.0
sudo tar xzf /tmp/3.6.0.tar.gz -C /tmp
cd /tmp/ossec-hids-3.6.0/
sudo ./install.sh

Upon running the final script, you’ll be prompted to answer a few straightforward questions. I’ve listed my responses, corresponding to the numbered steps in the script, below:

# (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
en OR leave blank
# 1- What kind of installation do you want (server, agent, local, hybrid or help)?
a OR agent
# 2- Setting up the installation environment. - Choose where to install the OSSEC HIDS [/var/ossec]:
leave blank
# 3- Configuring the OSSEC HIDS. 3.1 - What's the IP Address or hostname of the OSSEC HIDS server?:
YOUR OSSIM SERVER IP (e.g., 172.16.7.100)
# 3.2- Do you want to run the integrity check daemon? (y/n) [y]:
y OR blank
# 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
y OR blank
# 3.4 - Do you want to enable active response? (y/n) [y]:
y OR blank

Once the script finishes execution, assuming no errors are encountered, the HIDS agent should be installed on your endpoint. While troubleshooting this process is beyond the scope of this post, I’ve generally had success with it.


Configuring OSSEC HIDS

As previously mentioned, the configuration process for OSSEC HIDS should be consistent across different Linux distributions. All screenshots provided here are from SSH connections to Ubuntu endpoints using RoyalTS.

Editing OSSEC.conf

First, we’ll need to modify the ossec.conf file, which is an XML configuration file generated during installation. Open /var/ossec/etc/ossec.conf with your preferred text editor on your Linux endpoint. (Replace nano in the command below with your editor of choice)

sudo nano /var/ossec/etc/ossec.conf

Within the file, locate the client section, typically at the beginning. Replace the placeholder with your OSSIM server’s IP address.

<!-- example -->
  <client>
    <server-ip>172.16.7.100</server-ip>
  </client>

Still in the same file, insert a new localfile node under the ossec_config node. You’ll notice several existing localfile nodes; I suggest adding the new one near the bottom for easy identification later on if needed. Use the following code:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/vault.log</location>
  </localfile>

Save your changes and close the file (CTRL+X if using nano).
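When the same two edits have to be repeated on several endpoints, they can be scripted. The following is an added example, not code from the original post or from OSSEC: it assumes a stock agent ossec.conf with a single <server-ip> element and a closing </ossec_config> tag, and takes the config path, server IP and log path as arguments.

```shell
#!/bin/sh
# Added example (not from the post or OSSEC): non-interactive ossec.conf edits.
# Assumes one <server-ip> element and a closing </ossec_config> tag.
set -eu

# Point the agent at the OSSIM server: rewrite the <server-ip> element.
ossec_set_server_ip() {
    conf=$1; ip=$2
    # Accept only a dotted-quad IPv4 address (digits and exactly three dots).
    case $ip in
        *[!0-9.]*|*..*|.*|*.) echo "bad server ip: $ip" >&2; return 1 ;;
    esac
    [ "$(printf '%s' "$ip" | tr -cd . | wc -c)" -eq 3 ] || { echo "bad server ip: $ip" >&2; return 1; }
    cp "$conf" "$conf.bak"            # keep a copy to diff or roll back
    tmp=$(mktemp)
    sed "s|<server-ip>[^<]*</server-ip>|<server-ip>$ip</server-ip>|" "$conf" > "$tmp"
    mv "$tmp" "$conf"
    # Fail loudly if there was no element to rewrite.
    grep -q "<server-ip>$ip</server-ip>" "$conf"
}

# Add a <localfile> node for $path just above the last </ossec_config>, i.e.
# at the bottom of the file as the post suggests. A path that is already
# monitored is not added twice.
ossec_add_localfile() {
    conf=$1; path=$2; fmt=${3:-syslog}
    if grep -q "<location>$path</location>" "$conf"; then
        echo "$path is already monitored" >&2
        return 0
    fi
    last=$(grep -n '</ossec_config>' "$conf" | tail -n 1 | cut -d: -f1)
    [ -n "$last" ] || { echo "no </ossec_config> in $conf" >&2; return 1; }
    tmp=$(mktemp)
    awk -v n="$last" -v p="$path" -v f="$fmt" '
        NR == n {
            print "  <localfile>"
            print "    <log_format>" f "</log_format>"
            print "    <location>" p "</location>"
            print "  </localfile>"
        }
        { print }' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Number of monitored log files, handy for checking the result.
ossec_localfile_count() {
    grep -c '<location>' "$1"
}
```

Run it as root against /var/ossec/etc/ossec.conf, then restart the agent as described further down; the .bak copy lets you diff what changed.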

Connect Endpoint to OSSIM Server

Once the agent is configured, we can connect it to the OSSIM server. Go back to the OSSIM web interface and return to where you initially added the endpoint. Click the Extract Key icon next to your endpoint and copy the key, ensuring you capture all characters, including any trailing “=”, and avoid copying extra spaces.

On the endpoint, execute the following command:

sudo /var/ossec/bin/manage_agents

Follow the prompts to import the key. Press “I” to initiate the import, then paste the key you copied from the server. Confirm with “y”, then press “Enter” and “Q” to quit. This sequence should resemble the following:

To finalize the configuration, run:

sudo /var/ossec/bin/ossec-control restart

Your endpoint is now successfully configured.
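The copy step above is where a lost trailing “=” or a stray space creeps in, so it is worth checking the key before handing it to manage_agents. The function below is an added example, not from the post or from OSSEC; it assumes the OSSEC key format, base64 of "ID NAME IP SECRET" (the line that ends up in /var/ossec/etc/client.keys), with a 64-character hex secret.

```shell
#!/bin/sh
# Added example (not from the post or OSSEC): sanity-check a key copied from
# the OSSIM "Extract Key" dialog. Assumes base64 of "ID NAME IP SECRET".
set -eu

# Prints "ID NAME IP" and returns 0 for a well-formed key, 1 otherwise
# (reason on stderr).
ossec_check_key() {
    # Drop spaces and newlines picked up around the key while copying.
    key=$(printf '%s' "$1" | tr -d '[:space:]')
    case $key in
        ''|*[!A-Za-z0-9+/=]*) echo "key has non-base64 characters" >&2; return 1 ;;
    esac
    # base64 comes in groups of four; a clipped trailing "=" breaks this.
    if [ $(( ${#key} % 4 )) -ne 0 ]; then
        echo "key length is not a multiple of 4: trailing '=' lost?" >&2
        return 1
    fi
    dec=$(printf '%s' "$key" | base64 -d 2>/dev/null) || {
        echo "key does not decode as base64" >&2; return 1; }
    # Split the decoded line into its fields (word-splitting is intended here).
    set -- $dec
    if [ $# -ne 4 ]; then
        echo "decoded key has $# fields, expected 4 (id name ip secret)" >&2
        return 1
    fi
    secret=$4
    case $secret in
        *[!0-9a-fA-F]*) echo "secret is not hex" >&2; return 1 ;;
    esac
    if [ ${#secret} -ne 64 ]; then
        echo "secret is ${#secret} characters, expected 64" >&2
        return 1
    fi
    printf '%s %s %s\n' "$1" "$2" "$3"
}
```

A passing check also shows the agent name and IP the server expects, so a mismatch with the endpoint you are on is visible before the import.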


Wrapping Up

Congratulations on reaching this point! Give it a few minutes, and your endpoint will establish a connection with your server. This connection will be reflected in the web interface, with the endpoint’s status changing to “Active,” as shown in the screenshot earlier. You’ll also start seeing events populated on the dashboard and in the event logs.

OSSIM is a powerful yet potentially complex tool. If you’re new to OSSIM, I recommend conducting thorough research on SIEM tools in general and specifically on OSSIM configuration best practices. While it might be overkill for a home lab, it’s a valuable tool for any security professional to be familiar with.

Licensed under CC BY-NC-SA 4.0