Ossec installation on Mac OS X 10.7.5 (local) w/ config and Growl integration


Oliver Borchers

Jul 13, 2013, 9:47:12 AM7/13/13
to ossec...@googlegroups.com
OSSEC HIDS Tutorial


Installation on Mac OS X 10.7.5 (local) with configuration and integration into Growl via Growlnotify


The following guide leads you to install OSSEC HIDS on a Mac OS X 10.7.5 and gives you the solution for various errors that you may encounter during the installation.

This information has been gathered from several websites and groups and is partly modified according to my own needs.

I thought I might post it here for other people who have encountered these errors as well. And there is no website I could post it on.


Feel free to leave any feedback or suggestions.

Make sure this was written for a LOCAL MAC OSX 10.7.5 installation and to work with Growl.


Requirements:

- Apple Xcode (Current release 4.6.1)
- Apple Command Line Tools (via Xcode)
- MacPorts
- GCC Compiler
- Growl + GrowlNotify
- OSSEC HIDS (Current release 2.7)

Step 1: Xcode installation

Download and install Xcode via the Apple Developer Website. https://developer.apple.com/resources/
There are some issues regarding the installation at the App Store, causing the installation to stop at about 98-99%. If that happens, force quit the App Store and install manually.

After the installation open the terminal and execute:

xcodebuild -license

Scroll down and accept the license agreement.

Step 2: Command Line Tools


Download and install Apple Command Line Tools via the Apple Developer website. There is also the possibility to install it via:
XCODE --> Preferences --> Downloads --> Command Line Tools.

I prefer the manual method, because I had the same installation problem here (Stop at 99% for 3 hours).

Step 3: Troubleshooting install.sh

Usually now you'd try to execute the ./install.sh file in the ossec download folder. But:

If you try to execute the ./install.sh from OSSEC at this moment you'll run into a "5x0 Building error. Unable to finish the installation.". This indicates that the prerequisites for the installation are not completely functional. The install.sh file will be compiled using Apple's llvm-gcc-4.2, which differs from other compilers. That leads us to step 4.

Step 4: Mac Ports and GCC47

Install Mac Ports. Go to http://www.macports.org/install.php and get the appropriate *.pkg for Lion.
Once installed check for updates via:

sudo port selfupdate

The next step is to download a compiler to execute the install.sh with.

sudo port install gcc47

Wait until the installation is completed.
If the installation is successfully completed you're able to check which packages have been installed:

port select --list gcc

Your output should look like this:

Available versions for gcc:
   gcc42
   llvm-gcc42
   mp-gcc47
   none (active)


We're going to set mp-gcc47 as the new standard compiler. Use:

sudo port select --set gcc mp-gcc47

If you're sceptical that it worked: use port select --list gcc again.


Step 5: Modify the install.sh compiler

Now go to your ossec-hids-2.7 download folder, open the install.sh (duplicate it before you continue) and find the "checkDependencies" section within the file. Modify the following line:

CC="gcc"

to

CC="/opt/local/bin/gcc"

Finally you are able to run the install.sh script.

sudo ./install.sh

Follow the installation instructions to configure your agent based on your needs. Make sure this was written for a LOCAL installation and to work with Growl, so it is therefore unnecessary to apply an email notification.

Later we're going to integrate OSSEC into the Growl notification agent.

OSSEC will now print an error after the installation while starting the service. Continue to step 6.


Step 6: Generate Users - Invalid User

Start the OSSEC Agent with:

/var/ossec/bin/ossec-control start

OSSEC will print the following error message:

2013/03/08 15:32:37 ossec-execd(1203): ERROR: Invalid user '' or group 'ossec' given.


At that point you'll need to handle the "osx105-addusers.sh" script from the download folder in the following way:

cd /[Download Folder]/ossec-hids-2.7/src/init
cp osx105-addusers.sh /Users/YourUserName
chmod 755 /Users/YourUserName/osx105-addusers.sh
/Users/YourUserName/osx105-addusers.sh


Start OSSEC again

/var/ossec/bin/ossec-control start

The previous error should now be solved.


Step 7: Autostart OSSEC at system boot.

Navigate to:

/Library/StartupItems/OSSEC

Make copies of "OSSEC" and "StartupParameters.plist"

Now modify "OSSEC" to:

#!/bin/sh
ConsoleMessage "Starting Ossec"
cd /var/ossec; ./bin/ossec-control start


And "StartupParameters.plist" to:

{
   Description     = "OSSEC HIDS";
   Provides        = ("Host Intrusion Detection");
}


Change the rights of the files:

chmod 755 /Library/StartupItems/OSSEC
chmod 644 /Library/StartupItems/OSSEC/StartupParameters.plist
chmod 755 /Library/StartupItems/OSSEC/OSSEC


Step 8: Configure OSSEC:

Follow the Instructions from
https://sites.google.com/a/depaoli.info/dpm/home/blog/ossec25sumacossnowleopard
or apply your own rules.

Short version:

- ACTIVE FIREWALL RESPONSE MODIFICATION

Change "/var/ossec/etc/ossec.conf"
From: <executable>firewall-drop.sh</executable>
To: <executable>ipfw_mac.sh</executable>

- ADDITIONAL LOG FILES ANALYSIS


Add to your "/var/ossec/etc/ossec.conf"

    <localfile>
        <log_format>apache</log_format> 
        <location>/var/log/apache2/access_log</location>
    </localfile>
       
    <localfile>
        <log_format>apache</log_format> 
        <location>/var/log/apache2/error_log</location>
    </localfile>
       
    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/ipfw.log</location>
    </localfile>

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/appfirewall.log</location>
    </localfile>

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/samba/log.smbd</location>
    </localfile>

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/samba/log.nmbd</location>
    </localfile>

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/ftp.log</location>
    </localfile>


- DETECTION OF TRIPLE-DOT FILES

Add to: /var/ossec/etc/shared/rootkit_files.txt

# Triple-dot directory (by dpm)
*/...   ! Triple-dot file found
*/.../  ! Triple-dot directory found


- FILE INTEGRITY CHECK EXCLUSION FOR THE DNS RESOLVER FILE (for Laptops)

Modify: /var/ossec/etc/ossec.conf
Section: <syscheck>
<ignore>/etc/resolv.conf</ignore>
(Add line if not existing)

- INTEGRATION WITH THE GROWL NOTIFICATION SYSTEM:

Install Growl and Growl Notify. Eventually this is the point to restart the computer.
You can test the functionality of growlnotify by opening the command line and executing:

growlnotify
Hello World
ctrl+D

--> Prints Growl Notification "Hello World" on Screen.
If it's not working you may not have started your Growl Service once. Navigate to Applications and start the Growl App, following the instructions.


Next: create "growl-notify.sh" in "/var/ossec/active-response/bin/"

growl-notify.sh should include the following content:

#!/bin/bash

# $4 is the alert id (e.g. 1373727000.12345) that ossec-execd passes to every
# active-response script; quote it and search the file directly instead of piping cat.
LOG_ENTRY=$(/usr/bin/grep -A 5 -- "$4" /var/ossec/logs/alerts/alerts.log)

growlnotify "OSSEC HIDS" --image "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns" -s -m "$LOG_ENTRY"

#Note: growlnotify -s forces you to click on the notification to make it disappear. It's up to you to decide if you want that.
#Note 2: Within the original growl-notify.sh file (from https://sites.google.com/a/depaoli.info/dpm/home/blog/ossec25sumacossnowleopard) the growlnotify service was accessed via "/usr/local/bin/growlnotify". This is not necessary in the newer version.
#EOF



Open "/var/ossec/etc/ossec.conf" again and add the following sections:

<command> 
    <name>growl-notify</name>
    <executable>growl-notify.sh</executable>
    <expect></expect>
</command>

<active-response>
    <!-- Show a Growl Notification
    -->
    <command>growl-notify</command>
    <location>local</location>
    <level>6</level>
</active-response>


Step 9: Final:

- restart your computer
- check if ossec is running:
/var/ossec/bin/ossec-control status

- if it's not running something must have gone wrong. Execute
/var/ossec/bin/ossec-control start
and test if it's working

- If it's running: Check its functionality by executing:

logger "Segmentation Fault"

The reaction might depend on the alarm level you've set within the active response block for growl notification. Try to decrease the value to get a proper notification. Based on your needs you can configure the Growl output by modifying growl-notify.sh


EOF
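As an added example, not the growl-notify.sh from the post above: the same active-response idea with the loose ends tied up. It checks that $4 actually looks like an OSSEC alert id before it is used as a search pattern or handed to growlnotify, pulls the whole alert record out of alerts.log instead of a fixed five lines after the match, and ignores the "delete" call that ossec-execd makes for timeout-enabled commands. It assumes the standard active-response argument order ($1 action, $2 user, $3 source IP, $4 alert id, $5 rule id) and the blank-line separated "** Alert <id>:" record format of alerts.log; the OSSEC_ALERTS_LOG override, the sample_log function and the log lines it writes are constructed for testing and are not part of OSSEC.

```shell
#!/bin/sh
# Added example (not the post's growl-notify.sh): hardened Growl active-response
# wrapper. Assumes ossec-execd passes "$1 action (add/delete), $2 user, $3 srcip,
# $4 alert id, $5 rule id" and that alerts.log holds one blank-line-separated
# record per alert beginning with "** Alert <id>:".
# OSSEC_ALERTS_LOG is a hypothetical override used only to test against a sample file.
set -u

ALERTS_LOG="${OSSEC_ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}"

# Accept only the "<epoch>.<counter>" shape of an OSSEC alert id, so nothing
# log-derived (usernames, hostnames) can reach awk as a pattern or growlnotify
# as an option.
valid_alert_id() {
    case "$1" in
        ""|*[!0-9.]*|*.*.*|.*|*.) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# Print the complete record for one alert id. awk paragraph mode (RS="")
# returns the whole multi-line alert, unlike `grep -A 5`, which truncates
# long alerts and runs into the next one for short alerts.
extract_alert() {
    awk -v hdr="** Alert $2:" 'BEGIN { RS = "" } index($0, hdr) == 1 { print; exit }' "$1"
}

# Deliver through growlnotify when it is installed (same invocation as the post),
# otherwise print, so the attempt still shows up in active-responses.log.
notify() {
    if command -v growlnotify >/dev/null 2>&1; then
        growlnotify "OSSEC HIDS" --image "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns" -s -m "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Build the notification text for an alert id; returns 2 for a malformed id.
alert_message() {
    log="$1"; id="$2"
    valid_alert_id "$id" || return 2
    entry=$(extract_alert "$log" "$id")
    if [ -n "$entry" ]; then
        printf '%s\n' "$entry"
    else
        printf 'OSSEC alert %s not found in %s\n' "$id" "$log"
    fi
}

main() {
    action="${1:-}"; alert_id="${4:-}"
    # Timeout-enabled commands are called twice (add, later delete); only "add" is an alert.
    [ "$action" = "add" ] || return 0
    msg=$(alert_message "$ALERTS_LOG" "$alert_id") || {
        echo "growl-notify: rejected alert id '$alert_id'" >&2
        return 2
    }
    notify "$msg"
}

# Constructed sample alerts.log (not real data) so the functions can be exercised
# without a running OSSEC; prints the path of the temp file it wrote.
sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
** Alert 1373727000.12345: - syslog,errors,
2013 Jul 13 09:47:12 macbook->/var/log/system.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jul 13 09:47:12 macbook oliver[501]: Segmentation Fault

** Alert 1373727060.12400: - syslog,sshd,authentication_failed,
2013 Jul 13 09:48:12 macbook->/var/log/secure.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Jul 13 09:48:12 macbook sshd[600]: Failed password for invalid user admin from 192.0.2.10 port 5555 ssh2
EOF
    printf '%s\n' "$f"
}

main "$@"
```

To use it in place of the post's script, save it as /var/ossec/active-response/bin/growl-notify.sh, keep the same <command> and <active-response> blocks in ossec.conf, and leave OSSEC_ALERTS_LOG unset so the real alerts.log is read. To try it by hand: LOG=$(sample_log); OSSEC_ALERTS_LOG=$LOG sh growl-notify.sh add - - 1373727000.12345 1002 shows the first sample alert, while an id such as "--image" is rejected with exit status 2 before anything is executed.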

Oliver Borchers

Jul 31, 2013, 12:04:08 PM7/31/13
to ossec...@googlegroups.com
#!/bin/bash

LOG_ENTRY=`/bin/cat /var/ossec/logs/alerts/alerts.log | /usr/bin/grep -n 2 | tail -2`
When you're finally done, set the alarm level to 3 and restart ossec. Your notification should look like this:
 

EOF