OSSIM Install Guide for Fedora Core 3



Open Source Security Information Management (OSSIM)
Document updated: Wed, 13 Apr 2005 10:00:07 GMT
Authors: David Gil and Juan Manuel Lorenzo



Index:


0. Before installing OSSIM
1. ossim-mysql
2. ossim-server
3. ossim-agent
4. ossim-framework
5. ossim-utils
6. ossim-contrib
7. Post OSSIM installation
8. TODO
A. Plugins



0. Before installing OSSIM


0.1 Installing Fedora Core 3

If you already have Fedora Core 3 installed on your system you can omit this section, but make sure you use the package versions provided in the OSSIM Fedora Core 3 rpm repositories: some of the utilities, such as ntop and pads, have been patched in order to work properly with OSSIM.

If Fedora Core 3 is not installed, or you want to reinstall it, you can download the DVD or the CD set from the Fedora Project download section.

0.2 Apt configuration

To follow this installation guide you will have to install apt on your machine; this makes installing and updating easier. Download the rpm package from http://apt.freshrpms.net and install it with the following command:

# rpm -i apt*.rpm

Edit the file /etc/apt/sources.list to add the OSSIM repository; we also recommend using the freshrpms and DAG repositories:

[ -- /etc/apt/sources.list -- ]

#OSSIM rpm repository
rpm http://www.ossim.net/ download/fedora fc3
#Freshrpms.net repository
rpm http://ayo.freshrpms.net fedora/linux/3/i386 core updates freshrpms
#DAG repository
rpm http://apt.sw.be fedora/3/en/i386 dag

Update the available package list with:

# apt-get update

Create a /etc/apt/preferences file like this:

[ -- /etc/apt/preferences -- ]
Package: *
Pin: release o=ossim
Pin-Priority: 995

This way apt will assign a higher priority to OSSIM packages and their dependencies. This is very important, because many of the dependencies of OSSIM have been patched in order to work correctly with OSSIM.

1. Install ossim-mysql


Install it:

# apt-get install ossim-mysql

Start Mysql daemon:

# /etc/init.d/mysqld start

Set a root password for your database:

# mysqladmin -u root password your_secret_password

Create the following databases:

# mysql -u root -p

mysql> create database ossim;
mysql> create database ossim_acl;
mysql> create database snort;
mysql> exit;

Then load the tables in the databases:

# cat /usr/share/ossim/db/create_mysql.sql \
    /usr/share/ossim/db/ossim_config.sql \
    /usr/share/ossim/db/ossim_data.sql \
    /usr/share/ossim/db/realsecure.sql | \
    mysql -u root ossim -p


# cat /usr/share/ossim/db/create_snort_tbls_mysql.sql \
    /usr/share/ossim/db/create_acid_tbls_mysql.sql \
    | mysql -u root snort -p

Start Mysql server:

# /etc/init.d/mysqld start

Set mysql to run at startup

# chkconfig mysqld on
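The table-loading step above pipes several SQL files through a single mysql invocation. If one of the paths is wrong, cat only prints a warning and mysql still loads whatever it received, so the database ends up with a partial schema and the problem surfaces later as a missing table. The shell functions below are an added example, not part of the OSSIM packages: they verify every file before anything is sent to mysql, and they let the mysql command be overridden through a MYSQL_CMD variable (an assumption of this example) so the functions can be exercised without a running server.

```shell
#!/bin/sh
# Added example, not part of the OSSIM packages.
# Load SQL files into a MySQL database only after checking that every file
# exists and is readable. With a plain "cat a b c | mysql", a missing file
# only makes cat print a warning; the pipeline's exit status is mysql's, so a
# partial schema gets loaded and nobody notices until a table is missing.

# check_sql_files FILE... -> 0 if every argument is a readable regular file,
# otherwise prints the first offending path on stderr and returns 1.
check_sql_files() {
    for f in "$@"; do
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable SQL file: $f" >&2
            return 1
        fi
    done
    return 0
}

# load_sql_files DBNAME FILE... -> concatenates the checked files, in the given
# order, into one mysql session for DBNAME. MYSQL_CMD (an assumption of this
# example) defaults to the guide's "mysql -u root -p" and can be overridden.
load_sql_files() {
    db="$1"; shift
    check_sql_files "$@" || return 1
    cat "$@" | ${MYSQL_CMD:-mysql -u root -p} "$db"
}

# demo -> exercises the functions against constructed files in a temporary
# directory, using a shell function in place of mysql. Returns 0 when both
# the success case and the missing-file case behave as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'CREATE TABLE t (id INT);\n' > "$tmp/a.sql"
    printf 'INSERT INTO t VALUES (1);\n' > "$tmp/b.sql"
    # stand-in for mysql: records the SQL it received under the database name
    fake_mysql() { cat > "$tmp/received_$1"; }
    MYSQL_CMD=fake_mysql
    load_sql_files ossim "$tmp/a.sql" "$tmp/b.sql" || return 1
    [ "$(wc -l < "$tmp/received_ossim")" -eq 2 ] || return 1
    # a missing file must abort before anything reaches mysql
    if load_sql_files snort "$tmp/a.sql" "$tmp/none.sql" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$tmp/received_snort" ] || return 1
    rm -rf "$tmp"
}
```

With the guide's paths the real call is `load_sql_files ossim /usr/share/ossim/db/create_mysql.sql /usr/share/ossim/db/ossim_config.sql /usr/share/ossim/db/ossim_data.sql /usr/share/ossim/db/realsecure.sql`, which prompts for the root password exactly as the original command does.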



2. Install OSSIM Server


Install ossim-server rpm using this command

# apt-get install ossim-server

Edit /etc/ossim/server/config.xml to set your network properties and the database properties:

[ -- /etc/ossim/server/config.xml -- ]
..
<sensor name="here_goes_your_sensor_name" ip="sensor_ip" interface="eth0"/>
..
<datasource name="ossimDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=yourpassword;DATABASE=ossim;HOST=localhost"/>
<datasource name="snortDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=yourpassword;DATABASE=snort;HOST=localhost"/>
..
<notify emails="heregoes@youremail.com" alarm_risks="low" />

Start OSSIM server:

# ossim-server -d -c /etc/ossim/server/config.xml



3. Install OSSIM Agent


Install the plugins you want to use with OSSIM (see appendix A)

Install ossim-agent:

# apt-get install ossim-agent

Now it is time to update the sensor configuration. The file /etc/ossim/agent/config.xml must be edited by hand:

[ -- /etc/ossim/agent/config.xml -- ]
<!-- Replace 127.0.0.1 with your sensor Ip -->
<!ENTITY sensor "127.0.0.1" >
<!-- Default network interface -->
<!ENTITY interface "eth0" >
<!-- Default OSSIM database connection (db:host:dbname:user:pass) -->
<!ENTITY ossim_db "mysql:localhost:ossim:root:yourossimdbpass" >
<!-- Replace localhost with your server Ip -->
<!ENTITY serverip "localhost" >

Start OSSIM agent:

# ossim-agent -d -c /etc/ossim/agent/config.xml



4. Install OSSIM Framework


Install phpgacl package:

# apt-get install phpgacl

Edit /usr/share/phpgacl/gacl.class.php:

[ -- /usr/share/phpgacl/gacl.class.php -- ]
..
var $_db_type = 'mysql';
..
var $_db_user = 'root';
..
var $_db_password = 'yourdbpassword';
..
var $_db_name = 'ossim_acl';
..
var $_db_table_prefix = '';

Now edit /usr/share/phpgacl/admin/gacl_admin.inc.php:

[ -- /usr/share/phpgacl/admin/gacl_admin.inc.php -- ]
..
'db_type' => 'mysql',
'db_host' => 'localhost',
'db_user' => 'root',
'db_password' => 'yourdbpassword',
'db_name' => 'ossim_acl',

Start httpd:

# /etc/init.d/httpd start

To run the httpd server at startup:

# chkconfig httpd on

Go to http://yourhost/phpgacl/setup.php to check if you have a correct configuration.

Create the phpgacl/admin/templates_c directory and make it writable by the user the web server runs as:

# mkdir /usr/share/phpgacl/admin/templates_c
# chown -R apache:apache /usr/share/phpgacl/admin/templates_c

Install ossim-framework and all its dependencies:

# apt-get install ossim-framework

Set the framework configuration editing the file /etc/ossim/framework/ossim.conf:

[ -- /etc/ossim/framework/ossim.conf -- ]
..
ossim_pass=ossimdbpass
..
phpgacl_pass=phpgaclpass

Edit the file /var/www/acid/acid_conf.php:

[ -- /var/www/acid/acid_conf.php -- ]
..
$DBlib_path = "/var/www/adodb/";
..
$DBtype = "mysql";
..
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "yourpassword";

Edit /etc/php.ini to set include_path, and also set which kinds of errors will be displayed:

[ -- /etc/php.ini -- ]
..
include_path = "/usr/share/ossim/include"
..
error_reporting = E_ALL & ~E_NOTICE
..
;error_reporting  =  E_ALL

Start ossim-framework:

# ossim-framework -d

Access the framework at [ http://yourhost/ossim/ ] and go to the Configuration->Main menu.

It is also recommended to turn on the display of errors in php.ini, at least until everything is working fine; this helps to find where errors come from. This is done by editing the file /etc/php.ini:

[ -- /etc/php.ini -- ]
..
display_errors = On
..
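Every configuration file edited in sections 2 to 4 (the server and agent config.xml, gacl.class.php, gacl_admin.inc.php, acid_conf.php and ossim.conf) stores the MySQL root password in clear text, so the file mode decides which local accounts can read that password. The functions below are an added example, not part of OSSIM: they report any listed file that grants read access to "others". They assume GNU stat (coreutils, present on Fedora Core 3) for the octal mode output, and the demo's file contents are constructed samples.

```shell
#!/bin/sh
# Added example, not part of OSSIM. The configuration files edited in sections
# 2 to 4 all contain the MySQL root password in clear text, so any local
# account that can read them can read the password. These functions report the
# listed files that are readable by "others". They assume GNU stat (coreutils,
# present on Fedora Core 3) for the "-c %a" octal mode output.

# secret_file_is_private FILE -> 0 if FILE exists and its mode grants nothing
# to "others" (last octal digit 0), 1 otherwise.
secret_file_is_private() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    mode=$(stat -c %a "$f") || return 1
    others=$(printf '%s' "$mode" | tail -c 1)
    [ "$others" = "0" ]
}

# audit_secret_files FILE... -> prints each file that fails the check together
# with its mode and owner; returns the number of offending files (0 = all ok).
audit_secret_files() {
    bad=0
    for f in "$@"; do
        if ! secret_file_is_private "$f" 2>/dev/null; then
            echo "readable by others: $f ($(stat -c '%a %U:%G' "$f" 2>/dev/null || echo absent))" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# demo -> creates constructed stand-ins for the kind of files this guide edits,
# with typical modes, and checks that only the 644 one is reported.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'PASSWORD=yourpassword\n' > "$tmp/config.xml";     chmod 644 "$tmp/config.xml"
    printf '$_db_password = "x";\n' > "$tmp/gacl.class.php"; chmod 640 "$tmp/gacl.class.php"
    printf 'ossim_pass=x\n' > "$tmp/ossim.conf";             chmod 600 "$tmp/ossim.conf"
    rc=0
    audit_secret_files "$tmp/config.xml" "$tmp/gacl.class.php" "$tmp/ossim.conf" 2>/dev/null || rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 1 ]
}

# Real use, after finishing sections 2 to 4 (paths from this guide):
# audit_secret_files /etc/ossim/server/config.xml /etc/ossim/agent/config.xml \
#     /usr/share/phpgacl/gacl.class.php /usr/share/phpgacl/admin/gacl_admin.inc.php \
#     /var/www/acid/acid_conf.php /etc/ossim/framework/ossim.conf
```

The server and agent config.xml files are only read by the daemons started as root, so mode 600 is enough for them. gacl.class.php, gacl_admin.inc.php and acid_conf.php are read by httpd, so owner root, group apache and mode 640 keeps them working while hiding them from other accounts; the check above deliberately looks only at the "others" digit so that this arrangement passes. A non-zero return from audit_secret_files is the number of files that still need a chmod.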

5. Install OSSIM utils


The ossim-framework package depends on ossim-utils, so if you have installed ossim-framework it is already installed. If you want to install it on another host:

# apt-get install ossim-utils

6. Install OSSIM contrib (optional)


The package ossim-contrib contains a set of patches, examples and configuration files used by the ossim distribution. This package is only useful for development purposes. If you still want to install it:

# apt-get install ossim-contrib

7. Post OSSIM installation


The package ossim is a meta-package which depends on all the other ones.

# apt-get install ossim

8. TODO


A. Install Plugins


A.1 Snort

Install snort:

# apt-get install snort-mysql

Don't configure the snort database via debconf; it is better to edit the file /etc/snort/snort.conf by hand:

[ -- /etc/snort/snort.conf -- ]
..
var HOME_NET [192.168.0.0/16]
var EXTERNAL_NET !$HOME_NET
..
# split in two lines for readability
output database: alert, mysql, user=root password=yourdbpass dbname=snort
host=yourdbhost sensor_name=your_sensor_ip logfile=fast.log
..
#  if you want spade support obtain a valid spade.conf file
#  (for example from the ossim source or from the ossim-contrib package)
include spade.conf

Comment out the line containing ALERTMODE=fast in the file /etc/sysconfig/snort.

Check out the Bleeding Edge of Snort web page for up-to-date, bleeding edge snort rules. The false positive rate is extremely low for such little-tested signatures, and they have been very useful to us:

# cd /etc/snort/rules/
# wget http://www.bleedingsnort.com/bleeding-all.rules
# echo "include \$RULE_PATH/bleeding-all.rules" >> /etc/snort/snort.conf

Update OSSIM database with the rules of your system:

# /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules | \
     mysql -u root ossim -p

Start snort:

# /etc/init.d/snortd start
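The rules download and the `echo >> /etc/snort/snort.conf` step above have two quiet failure modes: wget saves whatever the web server answers, including an HTML error page, under the rules file name, and running the echo a second time appends a second include line to snort.conf. The functions below are an added example, not part of Snort or OSSIM: one checks that a downloaded file actually contains Snort rule lines before it is included (and before create_sidmap.pl is run over the rules directory), the other appends the include line only once. The rules file and snort.conf used in the demo are constructed samples.

```shell
#!/bin/sh
# Added example, not part of Snort or OSSIM. Two checks around the rules
# download: wget saves whatever the web server answers, including an HTML
# error page, under the rules file name, and running "echo ... >> snort.conf"
# twice leaves two include lines. rules_file_looks_valid rejects files without
# a single rule line; add_include_once appends a line only if it is not there.

# rules_file_looks_valid FILE -> 0 if FILE is non-empty, is not an HTML page,
# and has at least one non-comment line starting with a Snort rule action.
rules_file_looks_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -qi '<html' "$f"; then return 1; fi
    grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$f" \
        | grep -Eq '^(alert|log|pass|drop|reject|sdrop|activate|dynamic)[[:space:]]'
}

# add_include_once CONF LINE -> appends LINE to CONF unless an identical line
# is already present. Returns 1 if CONF is not writable.
add_include_once() {
    conf="$1"; line="$2"
    [ -w "$conf" ] || return 1
    grep -qxF -- "$line" "$conf" && return 0
    printf '%s\n' "$line" >> "$conf"
}

# count_lines CONF LINE -> how many times LINE occurs verbatim in CONF.
count_lines() {
    grep -cxF -- "$2" "$1" || true
}

# demo -> constructed rules files and a constructed snort.conf in a temporary
# directory; returns 0 when the checks behave as described above.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '# constructed sample\nalert tcp any any -> any 80 (msg:"sample"; sid:9000001; rev:1;)\n' \
        > "$tmp/good.rules"
    printf '<html><body>404 Not Found</body></html>\n' > "$tmp/bad.rules"
    : > "$tmp/empty.rules"
    rules_file_looks_valid "$tmp/good.rules"  || return 1
    rules_file_looks_valid "$tmp/bad.rules"   && return 1
    rules_file_looks_valid "$tmp/empty.rules" && return 1
    printf 'var RULE_PATH /etc/snort/rules\n' > "$tmp/snort.conf"
    inc='include $RULE_PATH/bleeding-all.rules'
    add_include_once "$tmp/snort.conf" "$inc" || return 1
    add_include_once "$tmp/snort.conf" "$inc" || return 1   # second run is a no-op
    [ "$(count_lines "$tmp/snort.conf" "$inc")" -eq 1 ] || return 1
    rm -rf "$tmp"
}

# Real use, replacing the echo step of the guide:
# rules_file_looks_valid /etc/snort/rules/bleeding-all.rules &&
#     add_include_once /etc/snort/snort.conf 'include $RULE_PATH/bleeding-all.rules'
```

Running the real-use line after every rules refresh keeps snort.conf with exactly one include for the file, and a failed validity check leaves snort.conf untouched so snort keeps starting with the previous rule set.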

A.2 Ntop

Install Ntop:

# apt-get install ntop

Define the password for the admin user:

# ntop -u ntop
>> Please enter the password for the admin user:
# ^C
# /etc/init.d/ntop start

Go to http://yourhost:3000/ to see Ntop in action. Activate the rrdPlugin under Admin->Plugins. Click on Host at Data Dump and specify your netmask at Hosts Filter.

A.3 Other plugins

As simple as:

# apt-get install p0f arpwatch pads tcptrack

Don't run arpwatch on boot, let ossim-agent do the job:

# chkconfig arpwatch off