FIM and SIEM with OSSEC

Girish V P
Published in Tensult Blogs
5 min read · Apr 24, 2018

This blog has moved from Medium to blogs.tensult.com. All the latest content will be available there. Subscribe to our newsletter to stay updated.

Why IDS, FIM and SIEM? Not only to protect sensitive data, but also to provide proof that compliance requirements are met.

Intrusion detection is an additional layer in an IT security framework that helps counter the threats posed by hackers and crackers inside or outside the organization. An IDS reduces the attack surface of the servers by detecting threats that could compromise the security, integrity, privacy, or availability of mission-critical processes. An IDS performs many security-related operations that a normal firewall cannot. Intrusion detection is a broad term that covers the detection of:

· Malicious content, normally identified by signatures.

· State changes in the systems.

· Changes to the authentication database.

· Modification of certain regions of memory.

· Denial-of-service (DoS) attacks on the servers.

· Modified network packets.

File Integrity Monitoring (FIM)

File Integrity Monitoring (FIM) is software that validates files by comparing the signature of the current file with the one stored in the FIM’s database. Normally, the first step after installing an FIM is to take a snapshot of the signatures of all the required files and directories and store them in its database. At regular intervals, a report is generated by comparing the current signatures of the files with those present in the database. An unexpected change in the size of a binary file is a strong indication that it has been tampered with. All of the usual file attributes can be checked for inconsistencies. Every FIM maintains a policy file that decides how file scanning behaves. This file lets administrators list the file names and directory names to be scanned, and it also decides which file attributes are compared. For example, an administrator may not need to scan a temporary directory for all the known file attributes.
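The baseline-then-compare cycle described above, as an added example that is not part of the original post or of OSSEC: a small POSIX shell monitor that records a SHA-256 hash and size per file and reports added, removed and modified paths. It assumes sha256sum (GNU coreutils) or shasum, find, awk and mktemp are available; the function and variable names are mine.

```shell
#!/bin/sh
# Minimal file integrity monitor: record hash and size for every regular file
# under a directory, then diff the live tree against that baseline. Constructed
# example; OSSEC's syscheck does the same job against its own database.

# hash_file FILE : hex SHA-256 of FILE (sha256sum on Linux, shasum elsewhere)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# fim_baseline DIR DB : write one "hash size path" line per file under DIR to DB
fim_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done > "$2"
}

# fim_check DIR DB : print "ADDED|REMOVED|MODIFIED <path>" for every difference
# between the live tree and the baseline in DB; no output means no change
fim_check() {
    cur=$(mktemp)
    fim_baseline "$1" "$cur"
    # awk reads the baseline (ARGV[1]) first, then the fresh snapshot. The path is
    # everything after the first two fields, so file names with spaces survive.
    awk '
      { p = $0; sub(/^[^ ]+ [^ ]+ /, "", p); sig = $1 " " $2 }
      FILENAME == ARGV[1] { base[p] = sig; next }
      !(p in base)    { print "ADDED " p; next }
      base[p] != sig  { print "MODIFIED " p }
      { seen[p] = 1 }
      END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur"
    rm -f "$cur"
}
```

Run fim_baseline once after a clean install and fim_check from cron; any output is a change that needs an explanation.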

Security Information & Event Management (SIEM)

Security information and event management is a software category that performs real-time collection and historical analysis of data pulled from system logs, security logs, anti-virus applications, firewalls and so on. By aggregating and normalizing this data, it gives organizations helpful insight into potential security threats across critical applications. The proactive nature of a SIEM lets the IT team be notified about threats as they appear. A SIEM does the following.
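The collection, normalization, aggregation and severity-based notification steps above, as an added shell example (not from the original post and not OSSEC's rule engine): it normalizes constructed sshd syslog lines, counts failed logins per source and emits an alert whose level depends on the count, escalating when a login succeeds after repeated failures. The sample log lines, thresholds, level numbers and function names are all constructed for this illustration.

```shell
#!/bin/sh
# Constructed example of the SIEM pipeline described above: collect raw sshd
# syslog lines, normalize them into uniform events, aggregate failures per
# source, and emit alerts with a severity level. Illustrative shell, not OSSEC.

# siem_sample_log : constructed sshd lines standing in for collected logs
siem_sample_log() {
    cat <<'EOF'
Apr 24 10:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 50110 ssh2
Apr 24 10:01:04 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Apr 24 10:01:05 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 50114 ssh2
Apr 24 10:01:07 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 50116 ssh2
Apr 24 10:01:09 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 50118 ssh2
Apr 24 10:02:11 web1 sshd[2120]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Apr 24 10:02:13 web1 sshd[2120]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Apr 24 10:02:15 web1 sshd[2120]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Apr 24 10:02:20 web1 sshd[2122]: Accepted password for alice from 198.51.100.7 port 41002 ssh2
Apr 24 10:03:00 web1 sshd[2130]: Failed password for bob from 192.0.2.9 port 39000 ssh2
EOF
}

# siem_normalize : stdin sshd lines -> "month day time src user outcome" events
siem_normalize() {
    awk '
      /sshd\[[0-9]+\]: Failed password for/ {
          u = $9; if (u == "invalid") u = $11     # "... for invalid user NAME from IP"
          for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
          print $1, $2, $3, src, u, "FAIL"; next }
      /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
          for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
          print $1, $2, $3, src, $9, "OK" }'
}

# siem_correlate : stdin events -> one ALERT per offending source; thresholds
# from SIEM_WARN / SIEM_CRIT (default 3 / 5 failures)
siem_correlate() {
    awk -v warn="${SIEM_WARN:-3}" -v crit="${SIEM_CRIT:-5}" '
      $6 == "FAIL" { fails[$4]++ }
      $6 == "OK" && fails[$4] >= warn { succ[$4] = $5 }   # success after repeated failures
      END { for (s in fails) {
          if (s in succ) printf "ALERT level=12 src=%s fails=%d user=%s msg=\"login succeeded after repeated failures\"\n", s, fails[s], succ[s]
          else if (fails[s] >= crit) printf "ALERT level=10 src=%s fails=%d msg=\"possible SSH brute force\"\n", s, fails[s]
          else if (fails[s] >= warn) printf "ALERT level=5 src=%s fails=%d msg=\"multiple failed logins\"\n", s, fails[s]
      } }'
}

# siem_demo : run the whole pipeline on the constructed log
siem_demo() { siem_sample_log | siem_normalize | siem_correlate; }
```

On a real host, replace siem_sample_log with a tail of /var/log/secure and route ALERT lines to whoever the escalation matrix names for that level.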

  • Possibly self-heal the system once a threat is identified.
  • Notify the appropriate security analysts based on severity.
  • Issue notifications according to an escalation matrix.
  • Centralize your view of potential threats.
  • Report security context against known bugs and fixes.
  • Report compliance failures against key industry regulations.

FIM/SIEM with OSSEC

OSSEC is open-source, host-based intrusion detection software for monitoring and controlling your systems. It enhances a security monitoring platform by combining its HIDS monitoring features with Security Incident Management (SIM)/Security Information and Event Management (SIEM) capabilities. OSSEC helps customers meet specific compliance requirements such as PCI and HIPAA. OSSEC supports monitoring on a wide variety of operating systems, such as Linux, Windows and Mac. It also supports agentless monitoring of devices on which software cannot be installed, such as routers and network switches.

OSSEC Architecture

OSSEC is composed of multiple pieces. It has a central manager for monitoring and receiving information from agents, Syslog, databases, and agentless devices.

Manager (or Server)

The OSSEC manager is installed on a Linux system and stores the file integrity checking databases, logs, events, and system auditing entries. All the rules, decoders, and major configuration options required for the analysis are stored centrally on the manager node. Agents communicate with the server on port 1514/UDP. At the time of writing, the manager cannot be installed on a Windows server.

Agents (or Clients)

The agent is a program installed on the systems to be monitored. It collects information and forwards it to the manager for analysis. Some information is collected in real time, the rest periodically. Agents are available for most common operating systems.

OSSEC Setup

Platform: AWS

AMI: amzn-ami-hvm-2017.09.1.20180307-x86_64-gp2 (ami-7c87d913)

OS: Amazon Linux AMI release 2017.09

RPMS:

ossec-hids-2.9.3-3861.amzn1.art.x86_64

ossec-hids-server-2.9.3-3861.amzn1.art.x86_64

ossec-hids-agent-2.9.3-3861.amzn1.art.x86_64

ZIP: ossec-wui-0.9.zip

Reference: http://www.ossec.net/

OSSEC installation involves four steps:

  1. Manager (Server) Installation
  2. Agent (Client) Installation
  3. Adding the Agents
  4. Configuration of Web-UI

RPM Availability

OSSEC’s RPMs are available in the Atomicorp repository. They can be installed after adding the Atomicorp yum client repository files.

Manager (Server) Installation:

Log in to the server as root and execute the command below to set up the repository client file.

# wget -q -O - https://updates.atomicorp.com/installers/atomic | sh

Use the yum command to install the specific packages.

# yum install ossec-hids ossec-hids-server

Edit /var/ossec/etc/ossec.conf and set email_notification to “no” if you don’t have a mail server configured. I have selected “no” here.

<email_notification>no</email_notification>

Start the manager service by executing the command below.

# /etc/init.d/ossec-hids restart

Agent (Client) Installation

Log in to an agent as root and execute the command to set up a repository client file.

# wget -q -O - https://updates.atomicorp.com/installers/atomic | sh

Use yum to install the specific packages.

# yum install ossec-hids ossec-hids-agent

Start the ossec service by executing the command below.

# /etc/init.d/ossec-hids restart

Adding the Agents

Log in to the manager as root and execute the command below.

/var/ossec/bin/manage_agents

Add an agent by pressing “A”. You have to supply a name and an IP address for the agent; a unique ID for the agent is generated automatically. Press Enter, then type “y” (the default) when asked for confirmation. Next, press “E” to extract the key for an agent; you have to enter the agent’s ID when prompted. Finally, restart the ossec service.

/etc/init.d/ossec-hids restart

Log in to the agent as root and edit the <ossec_config> section of /var/ossec/etc/ossec.conf.

Replace the default IP address with your manager’s IP address, as below. Assume that my manager IP address is 172.31.17.63.

<client><server-ip>172.31.17.63</server-ip></client>

After saving the file, import the key corresponding to the agent by executing the command below on the agent.

/var/ossec/bin/manage_agents

Press “I” to import a key, then paste the key of the agent that you extracted on the manager in the previous section. Then run the commands below on the agent.

/etc/init.d/ossec-hids restart
/var/ossec/bin/ossec-agentd
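The two manual edits to ossec.conf in this walkthrough (email_notification on the manager, server-ip on the agent) as an added, non-interactive helper; this is constructed example code, not part of OSSEC, and it assumes a POSIX shell with sed, grep and mktemp. It refuses a malformed IPv4 address and a file lacking the element, so a bad value is never written to the agent’s configuration.

```shell
#!/bin/sh
# Non-interactive form of the two manual edits to /var/ossec/etc/ossec.conf made
# above. Constructed helper, not part of OSSEC; assumes POSIX sh, sed, grep, mktemp.
# Each function writes to a temp file and copies back only if sed succeeded, so
# the original file's owner and mode are kept and a failed run leaves it untouched.

# ossec_set_tag CONF TAG VALUE : replace the text of <TAG>...</TAG> in CONF
ossec_set_tag() {
    conf=$1; tag=$2; val=$3
    grep -q "<$tag>" "$conf" || return 3       # refuse to touch a file without the element
    tmp=$(mktemp)
    sed "s|<$tag>[^<]*</$tag>|<$tag>$val</$tag>|" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}

# ossec_get_tag CONF TAG : print the text of the first <TAG>...</TAG> in CONF
ossec_get_tag() {
    sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# ossec_set_server_ip CONF IP : point an agent at the manager (<client><server-ip>)
ossec_set_server_ip() {
    # Only a dotted-quad IPv4 address is accepted, so a typo cannot be written out.
    printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    ossec_set_tag "$1" server-ip "$2"
}

# ossec_set_email_notification CONF yes|no : e.g. "no" when no mail server exists
ossec_set_email_notification() {
    case "$2" in yes|no) ;; *) return 2 ;; esac
    ossec_set_tag "$1" email_notification "$2"
}
```

Source the file and call ossec_set_server_ip /var/ossec/etc/ossec.conf 172.31.17.63 on each agent, then confirm the result with ossec_get_tag before restarting the service.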

Configure Web-UI

OSSEC has an optional web interface. Go to https://github.com/ossec/ossec-wui/releases and download the package, then execute the commands below to deploy it. I have used ossec-wui-0.9.zip.

# unzip ossec-wui-0.9.zip
# mv ossec-wui-0.9 ossec
# mv ossec /var/www/html
# cd /var/www/html
# chown -R apache:apache ossec
# cd /var/www/html/ossec
# ./setup.sh

Provide a user name and a password for the web interface. When prompted for the web server user name, enter apache.

Start web service

# service httpd restart

Access the web interface by opening the URL below in a web browser.

http://your-server-ip/ossec
