OSSEC Server Install on Ubuntu. So easy.

Here is a small step-by-step OSSEC setup on my Ubuntu machine.

The documentation available on the official web site looks really sufficient.

Setup done on Ubuntu Lucid 10.04 (Mini) x64 and Ubuntu Maverick 10.10 x64

Here are my quick setup scripts and tips ;-)

1. Setup script for Server, including WEB UI


# HIDS Linux
# Web UI
# Run the whole script as root (e.g. after `sudo -i`); the original mixed
# `sudo` and bare commands such as useradd, which fail without root.

# Releases to fetch. 2.4.1 is the version mentioned later in this post; the WUI
# version is not given here, so the script refuses to run until you set it.
OSSEC_HIDS_VER=${OSSEC_HIDS_VER:-2.4.1}
OSSEC_WUI_VER=${OSSEC_WUI_VER:?set to the ossec-wui release listed on www.ossec.net}

# Requirements
apt-get install build-essential libmysqlclient-dev libmysqld-dev
useradd ossec
usermod -a -G ossec www-data   # lets the Apache user read /var/ossec for the WUI

# Optional
apt-get install apache2 libapache2-mod-php5 arpwatch nikto nmap expect

# Get it
mkdir ~/src_ossec
cd ~/src_ossec
# Braces are required: $OSSEC_HIDS_VER_checksum would be read as one (empty) variable name
wget http://www.ossec.net/files/ossec-hids-${OSSEC_HIDS_VER}.tar.gz
wget http://www.ossec.net/files/ossec-hids-${OSSEC_HIDS_VER}_checksum.txt
# Compare the published digests with the ones you compute before unpacking
cat ossec-hids-${OSSEC_HIDS_VER}_checksum.txt
md5sum ossec-hids-${OSSEC_HIDS_VER}.tar.gz
sha1sum ossec-hids-${OSSEC_HIDS_VER}.tar.gz

# Setup Ossec
# Use the explicit name: `cd ossec-hids-*` also matches the tarball and the checksum file
tar -zxvf ossec-hids-${OSSEC_HIDS_VER}.tar.gz
cd ossec-hids-${OSSEC_HIDS_VER}
./install.sh   # the interactive installer (step missing from the original); answer "server"

# Installing the OSSEC WEB User Interface
cd /var/www/
# Get it
wget http://www.ossec.net/files/ui/ossec-wui-${OSSEC_WUI_VER}.tar.gz
wget http://www.ossec.net/files/ui/ossec-wui-${OSSEC_WUI_VER}-checksum.txt
cat ossec-wui-${OSSEC_WUI_VER}-checksum.txt
md5sum ossec-wui-${OSSEC_WUI_VER}.tar.gz
sha1sum ossec-wui-${OSSEC_WUI_VER}.tar.gz

tar -zxvf ossec-wui-${OSSEC_WUI_VER}.tar.gz
# `mv ossec-wui-* ossec` would pass the tarball and checksum file too, and mv
# fails with several sources and no existing target directory
mv ossec-wui-${OSSEC_WUI_VER} ossec
chown -R root:www-data ossec/
apache2ctl restart
cd ossec
./setup.sh     # creates the .htpasswd that protects the WUI; pick a strong password

/etc/init.d/ossec start
# if needed
vi /var/ossec/etc/ossec.conf
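The script above leaves the checksum comparison to the reader's eye. As an added example (not part of the original post or of OSSEC itself), a small POSIX sh function that does the comparison and fails loudly; it assumes the published checksum file uses either BSD-style ("MD5 (file) = hash") or GNU-style ("hash  file") lines, and the demo input it builds is constructed, not a real release.

```shell
#!/bin/sh
# Added example: check a downloaded OSSEC tarball against its *_checksum.txt
# automatically instead of comparing the md5sum/sha1sum output by eye.
# Handles both "MD5 (file) = hash" (BSD style) and "hash  file" (GNU style) lines.
# Returns 0 only when BOTH the MD5 and SHA1 entries exist and match.
verify_ossec_checksums() {
    tarball="$1"; checksum_file="$2"
    name=$(basename "$tarball")
    status=0
    for algo in md5 sha1; do
        if [ "$algo" = md5 ]; then tag=MD5; len=32; else tag=SHA1; len=40; fi
        actual=$("${algo}sum" "$tarball" | awk '{print $1}')
        expected=$(awk -v n="$name" -v a="$tag" -v len="$len" '
            $1 == a && $2 == "(" n ")" { print $4; exit }   # BSD style line
            { f = $2; sub(/^\*/, "", f) }                   # GNU style: drop binary marker
            f == n && length($1) == len { print $1; exit }
        ' "$checksum_file" | tr 'A-Z' 'a-z')
        if [ -z "$expected" ]; then
            echo "$tag: no entry for $name in $checksum_file" >&2; status=1
        elif [ "$expected" != "$actual" ]; then
            echo "$tag: MISMATCH for $name (expected $expected, got $actual)" >&2; status=1
        else
            echo "$tag: ok ($actual)"
        fi
    done
    return $status
}

# Constructed demo input (not a real OSSEC release): a throwaway tarball and a
# BSD-style checksum file computed from it, so the function can be run offline.
demo_verify() {
    dir=$(mktemp -d)
    tb="$dir/ossec-hids-0.0.tar.gz"
    printf 'constructed sample, not a real OSSEC release\n' > "$tb"
    m=$(md5sum "$tb" | awk '{print $1}')
    s=$(sha1sum "$tb" | awk '{print $1}')
    printf 'MD5 (ossec-hids-0.0.tar.gz) = %s\nSHA1 (ossec-hids-0.0.tar.gz) = %s\n' \
        "$m" "$s" > "$dir/ossec-hids-0.0_checksum.txt"
    verify_ossec_checksums "$tb" "$dir/ossec-hids-0.0_checksum.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_verify
```

Call it as `verify_ossec_checksums ossec-hids-${OSSEC_HIDS_VER}.tar.gz ossec-hids-${OSSEC_HIDS_VER}_checksum.txt` right after the two wget lines and stop the script if it returns non-zero.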

2. MySQL and Syslog

I also went deeper and installed the MySQL integration and the syslog support.
Follow those great tutorials.

If you need the database

apt-get install mysql-server

Configure your database and import the default schema

# Run the SQL part as the MySQL root user (mysql -u root -p). The database must
# exist before the grants and before the schema import.
create database ossec;
# The second grant is only needed when the OSSEC server is on another host.
# <ossec-server-ip> is a placeholder: the original lost the host after "ossecuser@",
# and a bare "ossecuser@" is a syntax error.
grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@localhost;
grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@'<ossec-server-ip>';
# Set the password per user@host (the grants create the accounts); change 'ossecpass'
set password for ossecuser@localhost=PASSWORD('ossecpass');
set password for ossecuser@'<ossec-server-ip>'=PASSWORD('ossecpass');
flush privileges;
quit
wget http://www.ossec.net/files/other/mysql.schema
mysql -u root -p ossec < mysql.schema
# Then add a <database_output> block to /var/ossec/etc/ossec.conf and run
# /var/ossec/bin/ossec-control enable database, as the OSSEC tutorials describe.

3. Firewall

Also useful to know: the communication between agents and server is on

  • Port 1514, Protocol UDP

4. Latest release files

If you encounter trouble, you can also try the daily version of OSSEC. For me it solved some false-positive rules.

Note: you have to install 'inotify-tools' to compile the latest release.

apt-get install inotify-tools liblinux-inotify2-perl


And on Ubuntu 10.04 you have to apply a patch: http://www.mail-archive.com/ossec-list@googlegroups.com/msg07615.html (needed with 2.4.1; it should be solved in the latest OSSEC release)

