First time setup - few niggles that I need help with please.


Sean.Haynes - SCH.570

Aug 30, 2015, 7:54:43 AM8/30/15
to ossec...@googlegroups.com

Morning everyone....


Firstly, please understand I am a complete novice when it comes to Linux - it would be fair to say that installing OSSEC has been my first real venture over to the 'dark side'! So if you could please include the path statements to any configs I need to check, that would be massively appreciated.


Anyway, thanks to this tutorial I have managed, mostly, to get the basic install, clients, email notifications and the WebUI running.


https://raymii.org/s/tutorials/OSSEC_2.8.0_Server_Client_and_Analogi_Dashboard_on_Ubuntu.html


The key reason I need to install a HIDS is that I have recently had a series of files on a Server 2012 R2 VM changed - specifically the NTFS permissions. I can't find the source and need to track it down.


On the server that has had the permissions changed I added the path statement (userdirs) I want OSSEC to monitor in the client config - which it does, but it also monitors all the files in the tree, which, as it's the user home areas, amount to thousands... Is there a way of configuring OSSEC to monitor changes just at the root-level parent directory in the config file?


When I use the WebUI to do a dump for that server I get a PHP error: .202 is the machine I use to access the WebUI - I'm guessing that because OSSEC is monitoring such a large number of files for the server it's causing this error?


Level: 5 - Web server 500 error code (Internal Error).
Rule Id: 31122
Location: OSSEC->/var/log/apache2/access.log
Src IP: 10.5.107.202

10.5.107.202 - - [30/Aug/2015:05:44:08 +0100] "POST /ossec/index.php?f=i HTTP/1.1" 500 3533 "http://10.5.107.221/ossec/index.php?f=i" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET CLR 1.1.4322; .NET4.0E; InfoPath.3)"

2015 Aug 30 05:44:11 Level: 2 - Unknown problem somewhere in the system.
Rule Id: 1002
Location: OSSEC->/var/log/apache2/error.log

[Sun Aug 30 05:44:10.411270 2015] [:error] [pid 5679] [client 10.5.107.202:65185] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 4097 bytes) in /var/www/html/ossec/lib/os_lib_syscheck.php on line 39, referer: http://10.5.107.221/ossec/index.php?f=i

2015 Aug 30 05:44:04 Level: 2 - Unknown problem somewhere in the system.
Rule Id: 1002
Location: OSSEC->/var/log/apache2/error.log

[Sun Aug 30 05:44:02.826980 2015] [:error] [pid 5728] [client 10.5.107.202:65182] PHP Warning: Invalid argument supplied for foreach() in /var/www/html/ossec/lib/os_lib_syscheck.php on line 98, referer: http://10.5.107.221/ossec/index.php?f=i

2015 Aug 30 05:44:04 Level: 2 - Unknown problem somewhere in the system.
Rule Id: 1002
Location: OSSEC->/var/log/apache2/error.log

[Sun Aug 30 05:44:02.826943 2015] [:error] [pid 5728] [client 10.5.107.202:65182] PHP Warning: arsort() expects parameter 1 to be array, null given in /var/www/html/ossec/lib/os_lib_syscheck.php on line 97, referer: http://10.5.107.221/ossec/index.php?f=I


The WebUI

The WebUI is the basic setup and mostly works - the bit that doesn't is when I select the search function - though it says there are a few errors, it returns with the message 'Nothing Returned'. I did a bit of research on the net and found that this is caused by the www-data user not having read/write access to the tmp folder - during the install the tutorial instructed me to do this:


wget http://www.ossec.net/files/ossec-wui-0.8.tar.gz
tar -xf ossec-wui-0.8.tar.gz
mkdir -p /var/www/html/ossec/tmp/
mv ossec-wui-0.8/* /var/www/html/ossec/
chown www-data:www-data /var/www/html/ossec/tmp/
chmod 666 /var/www/html/ossec/tmp


It completed without error - the only thing is that you have to create the tmp folder - how does OSSEC know how to use that folder - is there a place where I need to create a 'pointer'?


Lastly... for the minute anyway - what is the best way of securing access to the WebUI, as in I don't want 'anyone' to be able to access the web page, and should I use https - if so, how do I go about doing that?


I only want the server to be accessible in one VLAN - so is it best done through tcpwrappers, ufw or iptables?


Thank you in advance


dan (ddp)

Aug 31, 2015, 9:48:58 PM8/31/15
to ossec...@googlegroups.com
Is www-data the user that the webserver is running as (`ps ef | grep
WEB_SERVER_PROCESS_NAME`)?

>
> wget http://www.ossec.net/files/ossec-wui-0.8.tar.gz
> tar -xf ossec-wui-0.8.tar.gz
> mkdir -p /var/www/html/ossec/tmp/
> mv ossec-wui-0.8/* /var/www/html/ossec/
> chown www-data:www-data /var/www/html/ossec/tmp/
> chmod 666 /var/www/html/ossec/tmp
>
>
> It completed without error - the only thing is that you have to create the
> tmp file - how does OSSEC know how to use that files - is there a place
> where I need to create a 'pointer'?
>

It's been a long time since I used that pile, but I think it still has
a setup script. Did you run it?

>
> Lastly...for the minute anyway - what is the best way of securing access to
> the WebUI as in I don't want 'anyone' to be able to access the web page and
> should I use https - if so how do I go about doing that.
>

https is always good. Specifics depend on your web server of choice.
You can setup a username and password for the directory containing the wui.

>
> I only want the server to be accessible in one vlan - so is it best done
> though tcpwrappers, ufw, iptables?
>

Setting up the firewall is probably the first step.

>
> Thank you in advance
>
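One way to put dan's three suggestions together on Apache 2.4, which is what the Ubuntu tutorial in the thread uses. This is an added example, not from the thread or the OSSEC project: the WebUI directory refuses plain HTTP, requires a Basic-auth login, and only accepts clients from the management VLAN. The 10.5.107.0/24 subnet, the conf file and htpasswd paths are assumptions.

```apache
# /etc/apache2/conf-available/ossec-wui.conf (path assumed). Enable with
# "a2enconf ossec-wui" after "a2enmod ssl auth_basic" and "a2ensite default-ssl".
# Create the login once (outside the document root):
#   htpasswd -c /etc/apache2/ossec-wui.htpasswd ossecadmin
<Directory /var/www/html/ossec>
    # Refuse any request that did not arrive over TLS (mod_ssl directive).
    SSLRequireSSL

    # Per-directory password prompt for the WebUI pages.
    AuthType Basic
    AuthName "OSSEC WebUI"
    AuthUserFile /etc/apache2/ossec-wui.htpasswd

    # Both conditions must hold: a valid login AND a source address on the
    # management VLAN (10.5.107.0/24 is assumed from the addresses in the thread).
    <RequireAll>
        Require ip 10.5.107.0/24
        Require valid-user
    </RequireAll>
</Directory>

# PHP reads and writes the tmp directory server-side; it never needs to be
# served to browsers, so deny it outright.
<Directory /var/www/html/ossec/tmp>
    Require all denied
</Directory>

# Host firewall as the first layer (ufw, which the tutorial's Ubuntu box ships):
#   ufw allow from 10.5.107.0/24 to any port 443 proto tcp
# and leave port 80 closed, since the WebUI is TLS-only above.
```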