*OSSEC HIDS Tutorial*

Installation on Mac OS X 10.7.5 (local) with configuration and integration 
into Growl via Growlnotify


The following guide leads you through installing OSSEC HIDS on Mac OS X 10.7.5 
and gives you solutions for various errors that you may encounter during 
the installation.

This information has been gathered from several websites and groups and is 
partly modified according to my own needs.

I thought I might post it here for other people who have encountered these 
errors as well. And there is no website I could post it on.


Feel free to leave any feedback or suggestions.

Bear in mind that this was written for a LOCAL Mac OS X 10.7.5 installation 
and to work with Growl.


*Requirements:*

- Apple Xcode (current release 4.6.1)
- Apple Command Line Tools (via Xcode)
- MacPorts
- GCC compiler
- Growl + growlnotify
- OSSEC HIDS (current release 2.7)

*Step 1: Xcode installation*

Download and install Xcode via the Apple Developer Website. 
https://developer.apple.com/resources/
There are some issues with installing it from the App Store, causing the 
installation to stop at about 98-99%. If that happens, force-quit the App 
Store and install manually.

After the installation open the terminal and execute:

*xcodebuild -license*

Scroll down and accept the license agreement.
*Step 2: Command Line Tools*

Download and install Apple Command Line Tools via the Apple Developer 
website. They can also be installed via:
Xcode --> Preferences --> Downloads --> Command Line Tools.

I prefer the manual method, because I had the same installation problem 
here (stopped at 99% for 3 hours).

*Step 3: Troubleshooting install.sh*
Usually now you'd try to execute the *./install.sh* file in the ossec 
download folder. But: 

If you try to execute *./install.sh* from OSSEC at this moment, you'll 
run into a "5x0 Building error. Unable to finish the installation." message. 
This indicates that the prerequisites for the installation are not completely 
functional: install.sh builds OSSEC with Apple's llvm-gcc-4.2, which differs 
from other compilers. That leads us to step 4.

*Step 4: MacPorts and GCC 4.7*

Install MacPorts. Go to http://www.macports.org/install.php and get the 
appropriate *.pkg for Lion.
Once installed check for updates via:

*sudo port selfupdate*

The next step is to install a compiler to run install.sh with.

*sudo port install gcc47*

Wait until the installation is completed.
If the installation completed successfully, you can check which gcc 
versions are installed:

*port select --list gcc*

Your output should look like this:

*Available versions for gcc:
   gcc42
   llvm-gcc42
   mp-gcc47
   none (active)*

We're going to set mp-gcc47 as the new default compiler. Use:

*sudo port select --set gcc mp-gcc47*

If you're sceptical that it worked, run *port select --list gcc* again.


*Step 5: Modify the install.sh compiler*

Now go to your ossec-hids-2.7 download folder, open install.sh (make a 
backup copy before you continue) and find the "*checkDependencies*" 
section within the file. Modify the following line:

*CC="gcc"*

to

*CC="/opt/local/bin/gcc"*

Finally you are able to run the install.sh script.

*sudo ./install.sh*
Follow the installation prompts to configure your agent based on your 
needs. Bear in mind that this was written for a LOCAL installation and to 
work with Growl, so it is unnecessary to set up e-mail notification.

Later we're going to integrate OSSEC into the Growl notification agent. 

After the installation, OSSEC will print an *error* while starting the 
service. Continue to step 6.


*Step 6: Generate Users* - Invalid User

Start the OSSEC Agent with:

*/var/ossec/bin/ossec-control start*

OSSEC will print the following error message:

*2013/03/08 15:32:37 ossec-execd(1203): ERROR: Invalid user '' or group
'ossec' given. *

At that point you'll need to run the "*osx105-addusers.sh*" script from 
the download folder as follows:

*cd /[Download Folder]/ossec-hids-2.7/src/init
cp osx105-addusers.sh /Users/YourUserName
chmod 755 /Users/YourUserName/osx105-addusers.sh
/Users/YourUserName/osx105-addusers.sh*

Start OSSEC again:

*/var/ossec/bin/ossec-control start*

The previous error should now be solved.


*Step 7: Autostart OSSEC at system boot.*

Navigate to: 

*/Library/StartupItems/OSSEC*

Make backup copies of "OSSEC" and "StartupParameters.plist".

Now modify "*OSSEC*" to:

*#!/bin/sh
ConsoleMessage "Starting Ossec"
cd /var/ossec; ./bin/ossec-control start*

And "*StartupParameters.plist*" to:

*{
   Description     = "OSSEC HIDS";
   Provides        = ("Host Intrusion Detection");
}*

Change the rights of the files:

*chmod 755 /Library/StartupItems/OSSEC
chmod 644 /Library/StartupItems/OSSEC/StartupParameters.plist
chmod 755 /Library/StartupItems/OSSEC/OSSEC*

*Step 8: Configure OSSEC:*

Follow the instructions from
https://sites.google.com/a/depaoli.info/dpm/home/blog/ossec25sumacossnowleopard
or apply your own rules.

Short version:

*- ACTIVE FIREWALL RESPONSE MODIFICATION*

Change "*/var/ossec/etc/ossec.conf*"
From: *<executable>firewall-drop.sh</executable>*
To: *<executable>ipfw_mac.sh</executable>*
*- ADDITIONAL LOG FILES ANALYSIS*

Add to your "*/var/ossec/etc/ossec.conf*":

*    <localfile>
        <log_format>apache</log_format>
        <location>/var/log/apache2/access_log</location>
    </localfile>

    <localfile>
        <log_format>apache</log_format>
        <location>/var/log/apache2/error_log</location>
    </localfile>

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/ipfw.log</location>
    </localfile>

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/appfirewall.log</location>
    </localfile>

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/samba/log.smbd</location>
    </localfile>

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/samba/log.nmbd</location>
    </localfile>

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/ftp.log</location>
    </localfile>*

*- DETECTION OF TRIPLE-DOT FILES*

Add to: */var/ossec/etc/shared/rootkit_files.txt*

*# Triple-dot directory (by dpm)
*/...   ! Triple-dot file found
*/.../  ! Triple-dot directory found*

*- FILE INTEGRITY CHECK EXCLUSION FOR THE DNS RESOLVER FILE (for Laptops)*

Modify: */var/ossec/etc/ossec.conf*
Section: *<syscheck>*
Add the line *<ignore>/etc/resolv.conf</ignore>* if it does not exist yet.

*- INTEGRATION WITH THE GROWL NOTIFICATION SYSTEM:*

Install Growl and growlnotify. If a restart is needed, this is the point to 
restart the computer.
You can test the functionality of growlnotify by opening the command line 
and executing:

*growlnotify*
Hello World
ctrl+D

--> Prints the Growl notification "Hello World" on screen.
If it's not working, you may not have started the Growl service yet. 
Navigate to Applications, start the Growl app and follow the 
instructions.


Next: create "*growl-notify.sh*" in "*/var/ossec/active-response/bin/*"

growl-notify.sh should include the following content:

*#!/bin/bash

# OSSEC passes the alert id to active-response scripts as the 4th argument.
# -F matches the id literally (the dot is not treated as a wildcard) and
# quoting "$4" keeps an empty or odd value from becoming a second grep operand.
LOG_ENTRY=$(/usr/bin/grep -F -A 5 -- "$4" /var/ossec/logs/alerts/alerts.log)

growlnotify "OSSEC HIDS" --image "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns" -s -m "$LOG_ENTRY"

# Note: growlnotify -s forces you to click on the notification to make it
# disappear. It's up to you to decide if you want that.
# Note 2: Within the original growl-notify.sh file (from
# https://sites.google.com/a/depaoli.info/dpm/home/blog/ossec25sumacossnowleopard)
# the growlnotify service was accessed via "/usr/local/bin/growlnotify". This
# is not necessary in the newer version.
#EOF*
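As an added example (not part of the original post or of OSSEC itself), here is a small POSIX sh helper that pulls one complete alert block out of alerts.log by the alert id OSSEC hands to active-response scripts in $4. It replaces the `grep -A 5 $4` idea from the script above, which assumes every alert is exactly six lines and lets the dot in the id match any character; the function name extract_alert and the sample log are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or OSSEC. extract_alert() is a
# hypothetical helper: given an alerts.log and the alert id that OSSEC passes
# to active-response scripts as $4, print that alert's complete block.
# Alerts in alerts.log are separated by blank lines, so awk's paragraph mode
# (RS="") yields one record per alert regardless of how many lines it has.

extract_alert() {
    logfile=$1
    alert_id=$2
    # Ids look like <epoch>.<counter>; reject anything else so the value is
    # only ever compared literally and never interpreted as a pattern.
    case $alert_id in
        ""|*[!0-9.]*) return 1 ;;
    esac
    awk -v id="$alert_id" '
        BEGIN { RS = ""; found = 0 }
        index($0, "** Alert " id ":") == 1 { print; found = 1 }
        END { exit(found ? 0 : 1) }' "$logfile"
}

# Constructed sample log in OSSEC 2.7 alerts.log format (two alerts, the
# second longer than the 6 lines that grep -A 5 would return).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
** Alert 1362753157.1001: - syslog,errors,
2013 Mar 08 15:32:37 macbook->/var/log/system.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Mar  8 15:32:37 macbook logger[412]: Segmentation Fault

** Alert 1362753160.1002: - syscheck,
2013 Mar 08 15:32:40 macbook->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'

EOF

# Number of lines in the extracted block, or 0 if the id is unknown/invalid.
alert_lines() {
    extract_alert "$SAMPLE_LOG" "$1" | wc -l | tr -d ' '
}

alert_lines 1362753160.1002   # 6: the whole syscheck alert, not a fixed window
```

In growl-notify.sh you would call extract_alert with /var/ossec/logs/alerts/alerts.log and "$4" and pass its output to growlnotify -m.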


Open "*/var/ossec/etc/ossec.conf*" again and add the following sections:

*<command>
    <name>growl-notify</name>
    <executable>growl-notify.sh</executable>
    <expect></expect>
</command>

<active-response>
    <!-- Show a Growl Notification
    -->
    <command>growl-notify</command>
    <location>local</location>
    <level>6</level>
</active-response>*

*Step 9: Final:*

- restart your computer
- check if OSSEC is running:
*/var/ossec/bin/ossec-control status*

- if it's not running, something must have gone wrong. Execute 
*/var/ossec/bin/ossec-control start*
and test whether it's working

- If it's running, check its functionality by executing:

*logger "Segmentation Fault"*

The reaction depends on the alert level you've set within the active 
response block for the Growl notification. Try decreasing the value to get 
a proper notification. You can configure the Growl output according to your 
needs by modifying *growl-notify.sh*.


EOF
