Installing Wazuh's OSSEC port under Mac OS X ElCapitan


C. L. Martinez

Aug 11, 2016, 7:31:04 AM
to wa...@googlegroups.com
Hi all,

For several reasons, I need to install a HIDS on a Mac OS X El Capitan laptop (MacBook Air). There are two reasons: I do not trust commercial antivirus, and the performance penalties, false positives, etc.

But I am not a Mac expert. Due to this, I have some questions:

a) Do I need to install Xcode to compile Wazuh's OSSEC port under El Capitan? Can I compile/generate Mac binaries on a Linux desktop and install them on this laptop (maybe it is a stupid question)?

b) Does OSSEC support local install mode on Mac?

c) Any rules that I need to avoid? What are the most important files or dirs (or both) that I need to monitor?

Many thanks.

--
Greetings,
C. L. Martinez

Santiago Bassett

Aug 15, 2016, 7:17:07 PM
to C. L. Martinez, Wazuh mailing list
Hi,

here are some answers to your questions:

a) Yes, install Xcode. No, you can't build them on a Linux system, you need to build the binaries on a Darwin system.
b) Yes, it does support every mode in Mac OS X.
c) If you use install.sh, it should configure itself. Basically /var/log/system.log for log collection and /bin /sbin/ and /usr/bin for file integrity monitoring.

In case it helps, this is how I installed OSSEC (Wazuh fork) in Mac OS X 10.11.6 (El Capitan), with support for OpenSSL.

1.- Download source code:


2.- To compile with OpenSSL support (necessary for ossec-authd):

$ brew update
$ brew install openssl
$ brew link openssl --force
$ which openssl
/usr/local/bin/openssl

3.- Edit ossec-wazuh/src/Makefile Darwin section (add lines for CFLAGS and OSSEC_LDFLAGS):

ifeq (${uname_S},Darwin)
                DEFINES+=-DDarwin
                DEFINES+=-DHIGHFIRST
                CFLAGS+=-I/usr/local/opt/openssl/include
                OSSEC_LDFLAGS+=-L/usr/local/opt/openssl/lib
                LUA_PLAT=macosx
endif

Build binaries and install:

$ ossec-wazuh/install.sh

4.- Start OSSEC:

$ sudo /var/ossec/bin/ossec-control start

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/20160811113101.GC3411%40beagle.bcn.sia.es.
For more options, visit https://groups.google.com/d/optout.
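As an added example (not part of the thread and not Wazuh project code), the following POSIX shell script performs the Makefile edit from step 3 above without hand-editing: it locates a non-Apple OpenSSL (Homebrew if available, otherwise a fallback prefix), checks that the headers and library really exist at that prefix before anything is built, inserts the two flag lines into the Darwin block exactly once (re-running is a no-op), and verifies the result. The function names, the `--apply` switch and the `/usr/local/opt/openssl` fallback are assumptions; the block it edits is the `ifeq (${uname_S},Darwin)` section quoted above.

```shell
#!/bin/sh
# Added example, not from the thread or the Wazuh project.
# Patches the Darwin section of ossec-wazuh/src/Makefile so the build picks up
# a non-Apple OpenSSL, after checking the prefix is real. Function names and
# the fallback prefix are assumptions.

# Resolve the OpenSSL prefix: Homebrew's formula path if it exists on disk,
# otherwise the fallback given as $1 (default /usr/local/opt/openssl).
openssl_prefix() {
    p=$(brew --prefix openssl 2>/dev/null) && [ -d "$p" ] && { printf '%s\n' "$p"; return 0; }
    printf '%s\n' "${1:-/usr/local/opt/openssl}"
}

# 0 only when the prefix carries the headers and lib dir the flags will point at,
# so a wrong path fails here instead of deep inside the compile.
check_openssl_prefix() {
    prefix=$1
    [ -f "$prefix/include/openssl/ssl.h" ] && [ -d "$prefix/lib" ]
}

# Insert CFLAGS/OSSEC_LDFLAGS after 'DEFINES+=-DHIGHFIRST', but only inside the
# 'ifeq (${uname_S},Darwin)' ... 'endif' block, and only if not already present.
patch_darwin_makefile() {
    mf=$1; prefix=$2
    if grep -qF "OSSEC_LDFLAGS+=-L$prefix/lib" "$mf"; then
        return 0                       # already patched: idempotent
    fi
    awk -v inc="$prefix/include" -v lib="$prefix/lib" '
        index($0, "ifeq (${uname_S},Darwin)") == 1 { in_darwin = 1 }
        in_darwin && index($0, "endif") == 1        { in_darwin = 0 }
        { print }
        in_darwin && index($0, "DEFINES+=-DHIGHFIRST") > 0 {
            printf "\t\tCFLAGS+=-I%s\n", inc
            printf "\t\tOSSEC_LDFLAGS+=-L%s\n", lib
        }
    ' "$mf" > "$mf.tmp" && mv "$mf.tmp" "$mf"
}

# 0 only when both flag lines are present exactly once (no duplicates, no leaks
# into other platform blocks).
verify_darwin_makefile() {
    mf=$1; prefix=$2
    [ "$(grep -cF "CFLAGS+=-I$prefix/include" "$mf")" -eq 1 ] &&
    [ "$(grep -cF "OSSEC_LDFLAGS+=-L$prefix/lib" "$mf")" -eq 1 ]
}

# Usage: sh patch-makefile.sh --apply   (run from the directory holding ossec-wazuh/)
if [ "${1:-}" = "--apply" ]; then
    PREFIX=$(openssl_prefix /usr/local/opt/openssl)
    check_openssl_prefix "$PREFIX" || { echo "no OpenSSL at $PREFIX" >&2; exit 1; }
    patch_darwin_makefile ossec-wazuh/src/Makefile "$PREFIX"
    verify_darwin_makefile ossec-wazuh/src/Makefile "$PREFIX" && echo "patched for $PREFIX"
fi
```

The prefix check matters because `which openssl` only tells you which binary is first in PATH; the build needs the headers and `libssl`/`libcrypto` under the same prefix, and Apple's `/usr/bin/openssl` ships no usable headers for this purpose.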

cjw...@rmhco.com

Aug 25, 2016, 6:54:03 PM
to Wazuh mailing list, carlo...@gmail.com
Hello,
A couple of notes.
It seems "brew link openssl --force" no longer works (deprecated?), plus I don't like to use brew in production anyway, so as a solution I compiled OpenSSL 1.0.2 from source. I've also included some other fixes to help get wazuh-ossec running in OS X.

Install Xcode command-line tools (git + gcc)
xcode-select --install

mkdir /usr/local/opt/
Or just use /usr/local/ as "openssldir" when compiling and match the path in the ossec-wazuh Makefile. OS X doesn't natively include ./opt any longer.

git clone -b OpenSSL_1_0_2-stable https://github.com/openssl/openssl.git
cd ./openssl
./Configure darwin64-x86_64-cc shared enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3 no-comp --openssldir=/usr/local/opt/openssl
make depend
make install


Before installing ossec-wazuh, run the fix /ossec-wazuh/src/init/osx105-addusers.sh, this will create the three users required to run the agent.
This fixed Error #1210 issues I was having.
(optional) Hide the users:
dscl . create /Users/ossec IsHidden 1
dscl . create /Users/ossecm IsHidden 1
dscl . create /Users/ossecr IsHidden 1


Modify the /ossec-wazuh/src/Makefile per Santiago B. namely, adding: CFLAGS & OSSEC_LDFLAGS.
Run the installer /ossec-wazuh/install.sh

Delete /Library/StartupItems/OSSEC/, which uses an old init method that has been deprecated. Instead you'll need to create a launchd plist to start the service at boot. Put it in /Library/LaunchDaemons/ with ownership root:wheel and 644 perms. Use plutil -lint /path/to/plist for validating. Best practice says the plist Label key and the plist filename should be the same.

Here's a simple example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>your.org.identification.here.ossec-wazuh</string>
    <key>ProgramArguments</key>
    <array>
        <string>/var/ossec/bin/ossec-control</string>
        <string>start</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Enable and load into Launchd:
launchctl enable system/your.org.identification.here.ossec-wazuh
launchctl load -w /Library/LaunchDaemons/your.org.identification.here.ossec-wazuh.plist

Once loaded, the agent daemon should start.
Tested on Yosemite 10.10.5 & El Capitan 10.11.5 without disabling OSX's built in System Integrity Protection, GL.

Christopher Waian
Robert M Hadley Company Inc
Ventura, CA, USA
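As an added example (not part of the thread and not Wazuh project code), the following shell script automates the launchd setup Christopher describes: it generates the plist from a label and program arguments, enforces that the Label key equals the filename, sets 644 permissions and root:wheel ownership, lints it with plutil and loads it. The label `com.example.ossec-wazuh`, the function names and the optional install-directory argument are assumptions; the macOS-only steps (chown root:wheel, plutil, launchctl) are skipped when plutil is absent so the generation and label checks can be exercised on any system.

```shell
#!/bin/sh
# Added example, not from the thread or the Wazuh project.
# Generates, checks, and loads a launchd job that runs "ossec-control start"
# once at boot. Label, paths and function names are assumptions.

# Print a LaunchDaemons plist. $1 = Label; remaining args = program + arguments.
# Values are not XML-escaped, so keep labels and paths to plain characters.
make_ossec_plist() {
    label=$1; shift
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' '<dict>' \
        '    <key>Label</key>' "    <string>$label</string>" \
        '    <key>ProgramArguments</key>' '    <array>'
    for a in "$@"; do printf '        <string>%s</string>\n' "$a"; done
    printf '%s\n' '    </array>' '    <key>RunAtLoad</key>' '    <true/>' '</dict>' '</plist>'
}

# Extract the Label value: the first <string> following <key>Label</key>.
plist_label() {
    awk '/<key>Label<\/key>/ { want = 1; next }
         want && match($0, /<string>[^<]*<\/string>/) {
             print substr($0, RSTART + 8, RLENGTH - 17); exit }' "$1"
}

# 0 when the Label equals the filename without .plist, the convention launchctl
# relies on when you refer to the job as system/<label>.
label_matches_filename() {
    f=$1
    [ "$(plist_label "$f")" = "$(basename "$f" .plist)" ]
}

# Write the job to $2 (default /Library/LaunchDaemons), fix perms/ownership,
# refuse a label/filename mismatch, lint, and load. Run as root on macOS.
install_ossec_job() {
    label=$1; dir=${2:-/Library/LaunchDaemons}
    f="$dir/$label.plist"
    make_ossec_plist "$label" /var/ossec/bin/ossec-control start > "$f"
    chmod 644 "$f"
    label_matches_filename "$f" || { echo "label/filename mismatch: $f" >&2; return 1; }
    if command -v plutil >/dev/null 2>&1; then     # macOS-only steps
        chown root:wheel "$f"
        plutil -lint "$f" || return 1
        launchctl enable "system/$label"
        launchctl load -w "$f"
    fi
}

# Usage on the Mac (as root):  install_ossec_job com.example.ossec-wazuh
```

A job file under /Library/LaunchDaemons that is writable by a non-root user is a persistence path for anyone who can edit it, which is why the 644/root:wheel step is not cosmetic; launchd also refuses to load jobs with insecure ownership or permissions.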

Santiago Bassett

unread,
Aug 25, 2016, 7:00:33 PM8/25/16
to cjw...@rmhco.com, Wazuh mailing list, C. L. Martinez
Thanks Christopher for the feedback. We are also publishing a .pkg installer in our repository soon (we will take this into account).

and...@zenefits.com

Dec 7, 2016, 12:48:23 PM
to Wazuh mailing list
Hi Santiago,

I don't suppose you've had any luck with publishing an OS X pkg thus far? I'm trying to package for my org, it's been a little interesting. 

Jose Luis Ruiz

Dec 7, 2016, 12:51:48 PM
to and...@zenefits.com, Wazuh mailing list
Hi Andrew

With the release, we will publish the packages to install Wazuh-agent in OS X.

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com