Difference between revisions of "OSSEC"
| Onnowpurbo (talk | contribs) | Onnowpurbo (talk | contribs)  | ||
| (17 intermediate revisions by the same user not shown) | |||
| Line 7: | Line 7: | ||
| OSSEC adalah salah satu tool yang dapat anda instal di server anda untuk melacak aktivitas tersebut. | OSSEC adalah salah satu tool yang dapat anda instal di server anda untuk melacak aktivitas tersebut. | ||
| − | OSSEC adalah sistem deteksi intrusi berbasis open-source (host-based intrusion detection system / HIDS) yang melakukan analisis log, pengecekan integritas, pemantauan registri Windows, deteksi rootkit, peringatan berbasis waktu, dan respons aktif. Ini bisa digunakan untuk memantau satu server atau ribuan server dalam mode server / agent. | + | OSSEC adalah sistem deteksi intrusi berbasis open-source (host-based intrusion detection system / HIDS) yang melakukan analisis log, pengecekan integritas, pemantauan registri Windows, deteksi rootkit, peringatan berbasis waktu, dan respons aktif. Ini bisa digunakan untuk memantau satu server atau ribuan server dalam mode server / agent. OSSEC run di kebanyakan sistem operasi, termasuk Linux, OpenBSD, FreeBSD, MacOS, Solaris dan Windows. | 
| Jika dikonfigurasi dengan benar, OSSEC dapat memberi anda tampilan real-time ke dalam apa yang terjadi di server anda. | Jika dikonfigurasi dengan benar, OSSEC dapat memberi anda tampilan real-time ke dalam apa yang terjadi di server anda. | ||
| Line 57: | Line 57: | ||
|   wget -U ossec https://github.com/ossec/ossec-hids/archive/2.9.0.tar.gz |   wget -U ossec https://github.com/ossec/ossec-hids/archive/2.9.0.tar.gz | ||
| + | Entah kenapa, versi 2.9.0 tidak ketemu file checksum-nya. | ||
| Kalau harus cek checksum, contoh versi 2.8.1 | Kalau harus cek checksum, contoh versi 2.8.1 | ||
| Line 89: | Line 90: | ||
| ==Step 2 — Install OSSEC== | ==Step 2 — Install OSSEC== | ||
| − | |||
| OSSEC bisa dipasang di server, agent, local atau hybrid mode. Instalasi ini untuk memantau server yang diinstal OSSEC. Itu berarti instalasi lokal. Lakukan | OSSEC bisa dipasang di server, agent, local atau hybrid mode. Instalasi ini untuk memantau server yang diinstal OSSEC. Itu berarti instalasi lokal. Lakukan | ||
| − |   tar  | + |  cd /usr/local/src | 
| − | + |   tar zxvf 2.9.0.tar.gz   | |
| − | + |   cd ossec-hids-2.9.0/ | |
| − | |||
| − |   cd ossec-hids-2. | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
|   ./install.sh |   ./install.sh | ||
| − | + | Jawaban pertanyaan saat instalasi | |
| − | + |  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: '''<ENTER>''' | |
| − | + |  OSSEC HIDS v2.9.0 Installation Script - http://www.ossec.net | |
| + | |||
| + |  You are about to start the installation process of the OSSEC HIDS. | ||
| + |  You must have a C compiler pre-installed in your system. | ||
| + |   - System: Linux refserver 4.4.0-21-generic | ||
| + |   - User: root | ||
| + |   - Host: refserver | ||
| + |   -- Press ENTER to continue or Ctrl-C to abort. -- | ||
| + |  '''<ENTER>''' | ||
| − | + |  1- What kind of installation do you want (server, agent, local, hybrid or help)? '''local''' | |
| − | + |  2- Setting up the installation environment. | |
| + |    - Choose where to install the OSSEC HIDS [/var/ossec]: '''<ENTER>''' | ||
| − | + |  3- Configuring the OSSEC HIDS. | |
| − | + |    3.1- Do you want e-mail notification? (y/n) [y]: '''<ENTER>''' | |
| − | + |     - What's your e-mail address? '''onno@indo.net.id''' | |
| + |     - Do you want to use it? (y/n) [y]: '''<ENTER>''' | ||
| + |    3.2- Do you want to run the integrity check daemon? (y/n) [y]: '''<ENTER>''' | ||
| + |    3.3- Do you want to run the rootkit detection engine? (y/n) [y]: '''<ENTER>''' | ||
| + |     - Do you want to enable active response? (y/n) [y]: '''<ENTER>''' | ||
| + |     - Do you want to enable the firewall-drop response? (y/n) [y]: '''<ENTER>''' | ||
| + |     - Do you want to add more IPs to the white list? (y/n)? [n]: '''<ENTER>''' | ||
| + |    3.6- Setting the configuration to analyze the following logs: | ||
| + |      -- /var/log/auth.log | ||
| + |      -- /var/log/syslog | ||
| + |      -- /var/log/dpkg.log | ||
| − | + |    - If you want to monitor any other file, just change  | |
| − | + |     the ossec.conf and add a new localfile entry. | |
| − | + |     Any questions about the configuration can be answered | |
| − | + |     by visiting us online at http://www.ossec.net . | |
| − | + |     --- Press ENTER to continue --- | |
| − | + |     '''<ENTER>''' | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | Tunggu beberapa saat karena sedang di compile. Hasil terakhir, | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
|   - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf |   - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf | ||
| − | |||
|      ---  Press ENTER to finish (maybe more information below). --- |      ---  Press ENTER to finish (maybe more information below). --- | ||
| + |  '''<ENTER>''' | ||
| − | + | ==Step 3 — Start OSSEC== | |
| − | Step 3 — Start OSSEC | ||
| − | + | Secara default OSSEC dikonfigurasi untuk memulai saat boot, tapi untuk pertama kalinya, Anda harus memulainya secara manual. | |
| − | + | Cek status, | |
|   /var/ossec/bin/ossec-control status |   /var/ossec/bin/ossec-control status | ||
| − | + | Output: | |
|   ossec-monitord not running... |   ossec-monitord not running... | ||
| Line 280: | Line 161: | ||
|   ossec-execd not running... |   ossec-execd not running... | ||
| − | + | Start OSSEC, | |
| − | |||
| − | |||
|   /var/ossec/bin/ossec-control start |   /var/ossec/bin/ossec-control start | ||
| − | + | Output: | |
| − |   Starting OSSEC HIDS v2. | + |   Starting OSSEC HIDS v2.9.0 (by Trend Micro Inc.)... | 
|   Started ossec-maild... |   Started ossec-maild... | ||
|   Started ossec-execd... |   Started ossec-execd... | ||
| Line 297: | Line 176: | ||
|   Completed. |   Completed. | ||
| − | + | Cek status lagi, | |
|   /var/ossec/bin/ossec-control status |   /var/ossec/bin/ossec-control status | ||
| Line 310: | Line 189: | ||
|   ossec-execd is running... |   ossec-execd is running... | ||
| − | + | Harusnya akan dapat email kira-kira | |
|   OSSEC HIDS Notification. |   OSSEC HIDS Notification. | ||
| Line 321: | Line 200: | ||
|   ossec: Ossec started. |   ossec: Ossec started. | ||
| − | + | ==Step 4 — Konfigurasi OSSEC untuk Real-time Alerts saat ada modifikasi File== | |
| − | |||
| − | |||
| − | |||
| − | ==Step 4 —  | ||
| − | + | Lakukan | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
|   cd /var/ossec |   cd /var/ossec | ||
| − | + | File / folder penting | |
| − | + |   /var/ossec/logs | |
| + |  /var/ossec/logs/ossec.log | ||
| + |  /var/ossec/etc/ossec.conf | ||
| − | + | Edit file konfigurasi | |
| − | + |   cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.asli | |
| − | + |   vi /var/ossec/etc/ossec.conf | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | ===Setting Email=== | |
| − | |||
| − | |||
| − | |||
| − | + | Default-nya kira-kira | |
| − | + |   <global> | |
| + |     <email_notification>yes</email_notification> | ||
| + |     <email_to>onno@indo.net.id</email_to> | ||
| + |     <smtp_server>mx-2.indo.net.id.</smtp_server> | ||
| + |     <email_from>ossecm@refserver</email_from> | ||
| + |   </global> | ||
| − | + | Supaya bisa tembus, ada baiknya di ubah SMTP Server, email from yang valid, dan email max / jam, jadi | |
| − | + |   <global> | |
| + |     <email_notification>yes</email_notification> | ||
| + |     <email_to>onno@indo.net.id</email_to> | ||
| + |     '''<smtp_server>smtp.telkom.net.</smtp_server>''' | ||
| + |     '''<email_from>onno@indo.net.id</email_from>''' | ||
| + |     '''<email_maxperhour>12</email_maxperhour>''' | ||
| + |   </global> | ||
| − | + | Jika emailnya ke localhost saja, bisa menggunakan, | |
| − | + |   <global> | |
| + |     <email_notification>yes</email_notification> | ||
| + |     <email_to>onno@indo.net.id</email_to> | ||
| + |     '''<smtp_server>localhost</smtp_server>''' | ||
| + |     '''<email_from>onno@indo.net.id</email_from>''' | ||
| + |     '''<email_maxperhour>12</email_maxperhour>''' | ||
| + |   </global> | ||
| − | + | Cek /var/ossec/logs/ossec.log, pastikan tidak ada error seperti, | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + |  cat  /var/ossec/logs/ossec.log | grep ERROR | |
| − | + |  2017/06/15 05:13:16 ossec-maild(1223): ERROR: Error Sending email to mx-2.indo.net.id. (smtp server) | |
| − | + | ===Frekuensi Scan=== | |
| − | + | Edit /var/ossec/etc/ossec.conf | |
| − | + |  vi /var/ossec/etc/ossec.conf | |
| − | + | Lihat bagian | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
|   <syscheck> |   <syscheck> | ||
| Line 464: | Line 266: | ||
|       <frequency>79200</frequency> |       <frequency>79200</frequency> | ||
| − | + | Tambahkan alert new file, | |
| + | |||
|   <syscheck> |   <syscheck> | ||
| Line 472: | Line 275: | ||
|       <alert_new_files>yes</alert_new_files> |       <alert_new_files>yes</alert_new_files> | ||
| − | + | Untuk testing bisa di ubah frekuensi ke 60, untuk operasional 79200 cukup. | |
| + | |||
| + | ===Setting Directory & Perubahan File=== | ||
| − | + | Edit /var/ossec/etc/ossec.conf | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + |  vi /var/ossec/etc/ossec.conf | |
| − | + | Edit | |
|   <!-- Directories to check  (perform all possible verifications) --> |   <!-- Directories to check  (perform all possible verifications) --> | ||
| Line 488: | Line 289: | ||
|   <directories check_all="yes">/bin,/sbin</directories> |   <directories check_all="yes">/bin,/sbin</directories> | ||
| − | + | Ubah menjadi, | |
|   <!-- Directories to check  (perform all possible verifications) --> |   <!-- Directories to check  (perform all possible verifications) --> | ||
| − |   <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories> | + |   <directories '''report_changes="yes" realtime="yes"''' check_all="yes">/etc,/usr/bin,/usr/sbin</directories> | 
| − |   <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories> | + |   <directories '''report_changes="yes" realtime="yes"''' check_all="yes">/bin,/sbin</directories> | 
| − | + | Bisa juga menambahkan directory yang harus di monitor misalnya, | |
| − | |||
| − | |||
|   <!-- Directories to check  (perform all possible verifications) --> |   <!-- Directories to check  (perform all possible verifications) --> | ||
| Line 502: | Line 301: | ||
|   <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories> |   <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories> | ||
| − |   <directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home/ | + |   '''<directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home/onno,/var/www</directories>''' | 
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | ===Local.rules=== | |
| − | + | Rules & Local rules ada di | |
| − | + |  /var/ossec/rules/ | |
| + |  /var/ossec/rules/local_rules.xml | ||
| + |  /var/ossec/rules/ossec_rules.xml | ||
| − | + | Kita tertarik pada local_rules.xml & ossec_rules.xml, contoh mengubah rules 554 di ossec_rules.xml. isinya, | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + |   <rule id="554" level="0"> | |
| + |     <category>ossec</category> | ||
| + |     <decoded_as>syscheck_new_entry</decoded_as> | ||
| + |     <description>File added to the system.</description> | ||
| + |     <group>syscheck,</group> | ||
| + |   </rule> | ||
| − | + | Yang perlu di lakukan, | |
| − | + |   cp /var/ossec/rules/local_rules.xml /var/ossec/rules/local_rules.xml.asli | |
| − | + |   vi /var/ossec/rules/local_rules.xml | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | Tambahkan | |
| − | + |   <group name="syscheck,"> | |
| + |     <rule id="554" level="7" overwrite="yes"> | ||
| + |       <category>ossec</category> | ||
| + |       <decoded_as>syscheck_new_entry</decoded_as> | ||
| + |       <description>File added to the system.</description> | ||
| + |     </rule> | ||
| + |   </group> | ||
| − | + | Save file | |
| − | + | ===Restart OSSEC=== | |
| − | + | Sesudah semua modifikasi di lakukan restart OSSEC | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
|   /var/ossec/bin/ossec-control restart |   /var/ossec/bin/ossec-control restart | ||
| − | + | ==Step 5 — Coba alert perubahan file== | |
| − | |||
| − | ==Step 5 —  | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| + | Coba buat file, isi, dan delete file, | ||
| + |  touch /home/onno/coba.sh | ||
| + |  touch /home/onno/index.html | ||
| + |  sleep 70 | ||
| + |  echo "percobaan" > /home/onno/index.html | ||
| + |  echo "coba" > /home/onno/coba.sh | ||
| + |  sleep 70 | ||
| + |  rm /home/onno/index.html | ||
| + |  rm /home/onno/coba.sh | ||
| + | Cek apakah ada email, kira-kira, | ||
| + | ==Referensi== | ||
| + | * https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04 | ||
| + | ==Pranala Menarik== | ||
| − | + | * [[IDS]] | |
| − | + | * [[OSSEC]] | |
| − | + | * [[OSSEC: Ubuntu 18.04]] | |
| − | + | * [[OSSEC: Ubuntu 20.04]] | |
| − | + | * [[OSSEC: whitelisting]] | |
| − | |||
| − | |||
| − | *  | ||
Latest revision as of 06:13, 11 January 2021
Intro
Bagaimana anda melacak aktivitas yang sah dan tidak sah di server anda? OSSEC adalah salah satu tool yang dapat anda instal di server anda untuk melacak aktivitas tersebut.
OSSEC adalah sistem deteksi intrusi berbasis open-source (host-based intrusion detection system / HIDS) yang melakukan analisis log, pengecekan integritas, pemantauan registri Windows, deteksi rootkit, peringatan berbasis waktu, dan respons aktif. Ini bisa digunakan untuk memantau satu server atau ribuan server dalam mode server / agent. OSSEC run di kebanyakan sistem operasi, termasuk Linux, OpenBSD, FreeBSD, MacOS, Solaris dan Windows.
Jika dikonfigurasi dengan benar, OSSEC dapat memberi anda tampilan real-time ke dalam apa yang terjadi di server anda.
Apa keuntungan OSSEC?
Di bawah ini contoh email notifikasi dari OSSEC, memperlihatkan ada yang mengubah file /var/ossec/etc/ossec.conf.
OSSEC HIDS Notification. 2014 Nov 29 09:45:15 Received From: kuruji->syscheck Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)." Portion of the log(s): Integrity checksum changed for: '/var/ossec/etc/ossec.conf' Size changed from '7521' to '7752'
Jika anda menerima peringatan semacam itu, dan anda tidak mengharapkan file itu berubah, berarti anda tahu ada sesuatu yang tidak sah yang terjadi di server anda.
Berikut contoh email peringatan lainnya dari OSSEC, yang menunjukkan bahwa file /etc/ossec/testossec.txt telah dihapus.
OSSEC HIDS Notification. 2014 Nov 29 10:56:14 Received From: kuruji->syscheck Rule: 553 fired (level 7) -> "File deleted. Unable to retrieve checksum." Portion of the log(s): File /etc/ossec/testossec.txt was deleted. Unable to retrieve checksum.
Sekali lagi, jika anda tidak menghapus file tersebut, anda harus mencari tahu apa yang terjadi pada server anda.
Prasyarat
- Ubuntu server
- ssh
- sudo su
Instalasi aplikasi pendukung
apt update apt install postfix make gcc build-essential inotify-tools
Step 1 — Download & Verifikasi OSSEC
cd /usr/local/src wget -U ossec https://github.com/ossec/ossec-hids/archive/2.9.0.tar.gz
Entah kenapa, versi 2.9.0 tidak ketemu file checksum-nya. Kalau harus cek checksum, contoh versi 2.8.1
cd /usr/local/src wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt
Cek nilai Seharusnya checksum
cat ossec-hids-2.8.1-checksum.txt
Output
MD5(ossec-hids-2.8.1.tar.gz)= c2ffd25180f760e366ab16eeb82ae382 SHA1(ossec-hids-2.8.1.tar.gz)= 0ecf1df09558dc8bb4b6f65e1fb2ca7a7df9817c
Check
md5sum ossec-hids-2.8.1.tar.gz
Output harusnya
c2ffd25180f760e366ab16eeb82ae382 ossec-hids-2.8.1.tar.gz
Check
sha1sum ossec-hids-2.8.1.tar.gz
Output harusnya
0ecf1df09558dc8bb4b6f65e1fb2ca7a7df9817c ossec-hids-2.8.1.tar.gz
Step 2 — Install OSSEC
OSSEC bisa dipasang di server, agent, local atau hybrid mode. Instalasi ini untuk memantau server yang diinstal OSSEC. Itu berarti instalasi lokal. Lakukan
cd /usr/local/src tar zxvf 2.9.0.tar.gz cd ossec-hids-2.9.0/ ./install.sh
Jawaban pertanyaan saat instalasi
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: <ENTER>
OSSEC HIDS v2.9.0 Installation Script - http://www.ossec.net You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system. - System: Linux refserver 4.4.0-21-generic - User: root - Host: refserver -- Press ENTER to continue or Ctrl-C to abort. -- <ENTER>
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
2- Setting up the installation environment. - Choose where to install the OSSEC HIDS [/var/ossec]: <ENTER>
3- Configuring the OSSEC HIDS.
  3.1- Do you want e-mail notification? (y/n) [y]: <ENTER>
   - What's your e-mail address? onno@indo.net.id
   - Do you want to use it? (y/n) [y]: <ENTER>
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: <ENTER>
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: <ENTER>
   - Do you want to enable active response? (y/n) [y]: <ENTER>
   - Do you want to enable the firewall-drop response? (y/n) [y]: <ENTER>
   - Do you want to add more IPs to the white list? (y/n)? [n]: <ENTER>
  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log
 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .
   --- Press ENTER to continue ---
   <ENTER>
Tunggu beberapa saat karena sedang di compile. Hasil terakhir,
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf --- Press ENTER to finish (maybe more information below). --- <ENTER>
Step 3 — Start OSSEC
Secara default OSSEC dikonfigurasi untuk memulai saat boot, tapi untuk pertama kalinya, Anda harus memulainya secara manual.
Cek status,
/var/ossec/bin/ossec-control status
Output:
ossec-monitord not running... ossec-logcollector not running... ossec-syscheckd not running... ossec-analysisd not running... ossec-maild not running... ossec-execd not running...
Start OSSEC,
/var/ossec/bin/ossec-control start
Output:
Starting OSSEC HIDS v2.9.0 (by Trend Micro Inc.)... Started ossec-maild... Started ossec-execd... Started ossec-analysisd... Started ossec-logcollector... Started ossec-syscheckd... Started ossec-monitord... Completed.
Cek status lagi,
/var/ossec/bin/ossec-control status
This output shows that OSSEC is running:
ossec-monitord is running... ossec-logcollector is running... ossec-syscheckd is running... ossec-analysisd is running... ossec-maild is running... ossec-execd is running...
Harusnya akan dapat email kira-kira
OSSEC HIDS Notification. 2014 Nov 30 11:15:38 Received From: ossec2->ossec-monitord Rule: 502 fired (level 3) -> "Ossec server started." Portion of the log(s): ossec: Ossec started.
Step 4 — Konfigurasi OSSEC untuk Real-time Alerts saat ada modifikasi File
Lakukan
cd /var/ossec
File / folder penting
/var/ossec/logs /var/ossec/logs/ossec.log /var/ossec/etc/ossec.conf
Edit file konfigurasi
cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.asli vi /var/ossec/etc/ossec.conf
Setting Email
Default-nya kira-kira
<global> <email_notification>yes</email_notification> <email_to>onno@indo.net.id</email_to> <smtp_server>mx-2.indo.net.id.</smtp_server> <email_from>ossecm@refserver</email_from> </global>
Supaya bisa tembus, ada baiknya di ubah SMTP Server, email from yang valid, dan email max / jam, jadi
<global> <email_notification>yes</email_notification> <email_to>onno@indo.net.id</email_to> <smtp_server>smtp.telkom.net.</smtp_server> <email_from>onno@indo.net.id</email_from> <email_maxperhour>12</email_maxperhour> </global>
Jika emailnya ke localhost saja, bisa menggunakan,
<global> <email_notification>yes</email_notification> <email_to>onno@indo.net.id</email_to> <smtp_server>localhost</smtp_server> <email_from>onno@indo.net.id</email_from> <email_maxperhour>12</email_maxperhour> </global>
Cek /var/ossec/logs/ossec.log, pastikan tidak ada error seperti,
cat /var/ossec/logs/ossec.log | grep ERROR
2017/06/15 05:13:16 ossec-maild(1223): ERROR: Error Sending email to mx-2.indo.net.id. (smtp server)
Frekuensi Scan
Edit /var/ossec/etc/ossec.conf
vi /var/ossec/etc/ossec.conf
Lihat bagian
<syscheck>
    <frequency>79200</frequency>
Tambahkan alert new file,
<syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
Untuk testing bisa di ubah frekuensi ke 60, untuk operasional 79200 cukup.
Setting Directory & Perubahan File
Edit /var/ossec/etc/ossec.conf
vi /var/ossec/etc/ossec.conf
Edit
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/bin,/sbin</directories>
Ubah menjadi,
<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
Bisa juga menambahkan directory yang harus di monitor misalnya,
<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories> <directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home/onno,/var/www</directories>
Local.rules
Rules & Local rules ada di
/var/ossec/rules/ /var/ossec/rules/local_rules.xml /var/ossec/rules/ossec_rules.xml
Kita tertarik pada local_rules.xml & ossec_rules.xml, contoh mengubah rules 554 di ossec_rules.xml. isinya,
<rule id="554" level="0"> <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as> <description>File added to the system.</description> <group>syscheck,</group> </rule>
Yang perlu di lakukan,
cp /var/ossec/rules/local_rules.xml /var/ossec/rules/local_rules.xml.asli vi /var/ossec/rules/local_rules.xml
Tambahkan
 <group name="syscheck,">
   <rule id="554" level="7" overwrite="yes">
     <category>ossec</category>
     <decoded_as>syscheck_new_entry</decoded_as>
     <description>File added to the system.</description>
   </rule>
 </group>
Save file
Restart OSSEC
Sesudah semua modifikasi di lakukan restart OSSEC
/var/ossec/bin/ossec-control restart
Step 5 — Coba alert perubahan file
Coba buat file, isi, dan delete file,
touch /home/onno/coba.sh touch /home/onno/index.html sleep 70 echo "percobaan" > /home/onno/index.html echo "coba" > /home/onno/coba.sh sleep 70 rm /home/onno/index.html rm /home/onno/coba.sh
Cek apakah ada email, kira-kira,