On Sun, Aug 30, 2015 at 2:14 AM, Sean.Haynes - SCH.570
<[email protected]> wrote:
> Morning everyone...
>
>
> Firstly, please understand I am a complete novice when it comes to Linux - it
> would be fair to say that installing OSSEC has been my first real venture
> over to the 'dark side'!! So if you can, please include the path statements
> to any configs I need to check; that would be massively appreciated.
>
>
> Anyway, thanks to this tutorial I have managed, mostly, to get the basic
> install, clients, email notifications and the WebUI running.
>
>
> https://raymii.org/s/tutorials/OSSEC_2.8.0_Server_Client_and_Analogi_Dashboard_on_Ubuntu.html
>
>
> The key reason I need to install a HIDS is that I have recently had a series
> of files on a Server 2012 R2 VM changed - specifically the NTFS permissions.
> I can't find the source and need to track it down.
>
>
> On the server that has had the permissions changed I added the path
> statement ( userdirs ) in the client config I want OSSEC to monitor - which
> it does, but also all the files in the tree, which, as it's the user home
> areas, amount to thousands... Is there a way of configuring OSSEC to monitor
> changes just at the root-level parent directory in the config file?
>
>
> When I use the WebUI to do a dump for that server I get a PHP error: .202 is
> the machine I use to access the WebUI - I'm guessing that because OSSEC is
> monitoring such a large number of files for the server it's causing this
> error?
>
>
> Level: 5 - Web server 500 error code (Internal Error).
> Rule Id: 31122
> Location: OSSEC->/var/log/apache2/access.log
> Src IP: 10.5.107.202
>
> 10.5.107.202 - - [30/Aug/2015:05:44:08 +0100] "POST /ossec/index.php?f=i
> HTTP/1.1" 500 3533 "http://10.5.107.221/ossec/index.php?f=i"; "Mozilla/4.0
> (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR
> 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;
> .NET4.0C; .NET CLR 1.1.4322; .NET4.0E; InfoPath.3)"
>
> 2015 Aug 30 05:44:11 Level: 2 - Unknown problem somewhere in the system.
> Rule Id: 1002
> Location: OSSEC->/var/log/apache2/error.log
>
> [Sun Aug 30 05:44:10.411270 2015] [:error] [pid 5679] [client
> 10.5.107.202:65185] PHP Fatal error: Allowed memory size of 134217728 bytes
> exhausted (tried to allocate 4097 bytes) in
> /var/www/html/ossec/lib/os_lib_syscheck.php on line 39, referer:
> http://10.5.107.221/ossec/index.php?f=i
>
> 2015 Aug 30 05:44:04 Level: 2 - Unknown problem somewhere in the system.
> Rule Id: 1002
> Location: OSSEC->/var/log/apache2/error.log
>
> [Sun Aug 30 05:44:02.826980 2015] [:error] [pid 5728] [client
> 10.5.107.202:65182] PHP Warning: Invalid argument supplied for foreach() in
> /var/www/html/ossec/lib/os_lib_syscheck.php on line 98, referer:
> http://10.5.107.221/ossec/index.php?f=i
>
> 2015 Aug 30 05:44:04 Level: 2 - Unknown problem somewhere in the system.
> Rule Id: 1002
> Location: OSSEC->/var/log/apache2/error.log
>
> [Sun Aug 30 05:44:02.826943 2015] [:error] [pid 5728] [client
> 10.5.107.202:65182] PHP Warning: arsort() expects parameter 1 to be array,
> null given in /var/www/html/ossec/lib/os_lib_syscheck.php on line 97, referer:
> http://10.5.107.221/ossec/index.php?f=I
>
>
> The WebUI
>
> The WebUI is the basic setup and mostly works - the bit that doesn't is when
> I select the search function - though it says there are a few errors it
> returns with the message 'Nothing Returned'. I did a bit of research on the
> net and found that this is caused by the www-data user not having read/write
> access to the tmp folder - during the install the tutorial instructed to do
> this:
>

Is www-data the user that the webserver is running as (`ps ef | grep
WEB_SERVER_PROCESS_NAME`)?

>
> wget http://www.ossec.net/files/ossec-wui-0.8.tar.gz
> tar -xf ossec-wui-0.8.tar.gz
> mkdir -p /var/www/html/ossec/tmp/
> mv ossec-wui-0.8/* /var/www/html/ossec/
> chown www-data:www-data /var/www/html/ossec/tmp/
> chmod 666 /var/www/html/ossec/tmp
>
>
> It completed without error - the only thing is that you have to create the
> tmp file - how does OSSEC know how to use that file - is there a place
> where I need to create a 'pointer'?
>

It's been a long time since I used that pile, but I think it still has
a setup script. Did you run it?

>
> Lastly... for the minute anyway - what is the best way of securing access to
> the WebUI? As in, I don't want 'anyone' to be able to access the web page. And
> should I use https - if so, how do I go about doing that?
>

https is always good. Specifics depend on your web server of choice.
You can set up a username and password for the directory containing the wui.

>
> I only want the server to be accessible in one VLAN - so is it best done
> through tcpwrappers, ufw or iptables?
>

Setting up the firewall is probably the first step.

>
> Thank you in advance
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
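The three measures raised in the reply above (https, a username/password on the wui directory, and limiting access to one VLAN) can all be expressed in one Apache 2.4 site configuration. This is an added example, not something from the thread or from the OSSEC project; it assumes Apache 2.4 with mod_ssl enabled, uses the 10.5.107.221 server address and /var/www/html/ossec path from the original post, treats 10.5.107.0/24 as the management VLAN, and uses placeholder certificate and htpasswd paths.

```apache
# Example file: /etc/apache2/sites-available/ossec-wui.conf (path assumed).
# Enable with: a2enmod ssl && a2ensite ossec-wui && systemctl reload apache2
# Host-firewall counterpart so only the VLAN reaches the port at all:
#   ufw allow from 10.5.107.0/24 to any port 443 proto tcp

# Plain HTTP only redirects, so Basic-auth credentials never cross in clear.
<VirtualHost *:80>
    ServerName 10.5.107.221
    Redirect permanent / https://10.5.107.221/
</VirtualHost>

<VirtualHost *:443>
    ServerName 10.5.107.221
    SSLEngine on
    # Placeholders: point these at the real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/ossec-wui.pem
    SSLCertificateKeyFile /etc/ssl/private/ossec-wui.key

    DocumentRoot /var/www/html

    <Directory /var/www/html/ossec>
        # Both conditions must hold: the client is on the management
        # VLAN AND presents a valid username/password.
        # Create the user file with:
        #   htpasswd -c /etc/apache2/ossec.htpasswd admin
        AuthType Basic
        AuthName "OSSEC WUI"
        AuthUserFile /etc/apache2/ossec.htpasswd
        <RequireAll>
            Require ip 10.5.107.0/24
            Require valid-user
        </RequireAll>
    </Directory>

    # tmp/ is written by PHP only (it must be owned by www-data and carry
    # the directory execute bit, e.g. mode 750, for PHP to create files in
    # it). It must never be served to browsers.
    <Directory /var/www/html/ossec/tmp>
        Require all denied
    </Directory>
</VirtualHost>
```

Check the result with `apache2ctl configtest` before reloading, and confirm from a host outside the VLAN that /ossec/ answers 403 rather than a login prompt.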