Ossec for IPFire

Help on building IPFire & Feature Requests
ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » December 17th, 2018, 2:48 pm

Hi dnl,
dnl wrote:
December 17th, 2018, 10:36 am
It is possible for me to pull the Wazuh agent component from your installer(s) and run only that on IPFire?
An agent always needs a master, so yes, it is possible to install a Wazuh agent, but you would also need a master somewhere (a hybrid installation is also possible).
dnl wrote:
December 17th, 2018, 10:36 am
I like the idea of Wazuh, but running all those components (as well most IPFire features and ntopng) would use a lot of resources/power and open a very large attack surface on a router (even if all the services are isolated from the network, I still have to trust a lot more sources of software on my router).
Wazuh needed in my testings much more resources than OSSEC, especially on the master side with an ELK stack. ELK is not available from my side for IPFire.
Both components are products which focus on network but also host-based security (HIDS) and are open source, so the code is available for everyone to read. I know this might not be the best argument since you might not have the time to read through all the lines of code to check for potential exploits or unwanted data collection, but how sure are you with IPSec, SSH, OpenVPN, Squid, ... in that manner? In the last years I haven't heard of serious security problems caused by OSSEC (mainly) or Wazuh (which I currently do not use).

Another point might be that some bigger companies, which probably have the resources/capabilities to research the code of projects like this one, also use it --> https://aws.amazon.com/de/blogs/securit ... instances/ --> https://image.slidesharecdn.com/nebulat ... 1463033772 ; Netflix, Apple and some others come to mind --> https://www.atomicorp.com/ossec-people- ... cast-ep-7/ . This gives me a little more trust in the functionality but also in better code reviews and further project development, but who can be 100% sure about security on the internet in general?

IPFire does provide everything which is needed to run OSSEC; there is no need to trust "a lot more sources" except OSSEC's source itself. Wazuh also comes with 3rd party extensions if wanted, which might, in my humble opinion, be interesting for big environments (policy specific obligations) and/or for those with interest/proficiency in handling the big data thing (ELK Stack). <-- I think this is nice to investigate for the interested ones, how much is meanwhile possible also for the small budget, but big companies should also be perfectly fine with a well configured OSSEC installation in, again, my humble opinion.

Sorry for the long text :) .

If you are interested in this topic, I would recommend RTFM :) and testing OSSEC first, since it also delivers the core functionality for Wazuh but needs fewer system resources than Wazuh and is less complex.

Best,

UE

dnl
Posts: 374
Joined: June 28th, 2013, 11:03 am

Re: Ossec for IPFire

Post by dnl » December 20th, 2018, 8:26 am

Hello ummeegge,

I'm sorry that I was not clear. You have not understood what I meant.

I'm after an agent package for Wazuh for IPFire as I intend to run a master elsewhere. Is that something you have packaged?

Also running *any* software is a risk. I have no concerns about Wazuh or the components that it is made of, I'm just saying that it's best to run as little software as possible on a security-sensitive system like a router (especially when that software does not have to run on the router).

Thanks again!
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » December 21st, 2018, 5:12 am

Hi dnl,
dnl wrote:
December 20th, 2018, 8:26 am
I'm after an agent package for Wazuh for IPFire as I intend to run a master elsewhere. Is that something you have packaged?
yes an agent package is provided.

Did an update to Wazuh 3.7.2 now but it is currently not up. I will build new versions only for 64bit and have dropped 32bit versions. If you want to test it on a 32bit platform I would wait until you've downloaded the old one. If you use 64bit I would update to the actual version first (OSSEC is already updated to the latest), so if you don't mind, just inform me.

Best,

UE

dnl
Posts: 374
Joined: June 28th, 2013, 11:03 am

Re: Ossec for IPFire

Post by dnl » December 22nd, 2018, 4:20 am

ummeegge wrote:
December 21st, 2018, 5:12 am
yes an agent package is provided.

Did an update to Wazuh 3.7.2 now but it is currently not up. I will build new versions only for 64bit, have dropped 32bit versions.
Thank you. I don't use 32bit Linux any longer.
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » December 22nd, 2018, 7:26 am

Update to OSSEC-3.1.0 and Wazuh-3.7.2 is up. 32bit versions are no longer supported, but the OSSEC installation now also provides ARM platforms (testing and feedback in there might be nice).

Best,

UE

barczs
Posts: 33
Joined: February 28th, 2019, 1:10 pm

Re: Ossec for IPFire

Post by barczs » June 3rd, 2019, 10:28 am

Hi ummeegge,
I would like to try your OSSEC implementation because of your amazing work.
You wrote some time ago that the OSSEC WI could not be used anymore because of the missing PHP implementation in IPFire. Nevertheless the above mentioned package contains an OSSEC WI installer as well.
In the forum I found this thread. Would this make possible installing the desired web interface? What do you think about it?
A useful hint would be great.
Thanks, Sandor
Best regards,
barczs

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » June 3rd, 2019, 2:34 pm

Hi Sandor,
and thanks for your positive feedback.
barczs wrote:
June 3rd, 2019, 10:28 am
I would try your OSSEC implementation according to your amazing job.
please use Gitlab --> https://gitlab.com/ummeegge since Github is currently only a backup and is not up-to-date, whereby the in-/uninstaller in here --> viewtopic.php?f=50&t=15597#p93670 already uses it...
barczs wrote:
June 3rd, 2019, 10:28 am
You wrote some times ago, that OSSEC WI could not be used anymore because of missing PHP implementation in IPFire. Nevertheless above mentioned package contains an OSSEC WI installer as well
Yes, it is still there, also in case someone needs to uninstall it, since the script provides both, and I thought it makes sense after IPFire dropped PHP.
barczs wrote:
June 3rd, 2019, 10:28 am
In the forum I found this thread. Would this make possible installing the desired web interface? What do you think about it?
This was another point to leave the WI installer in, since gocart provides PHP, which makes it possible to use the OSSEC WI again, but I am currently not into his topic/development, so I am not sure how you can install only PHP since he delivers a wraparound package there. If you are interested in this, it would make sense to ask in that topic how you can proceed.
barczs wrote:
June 3rd, 2019, 10:28 am
A useful hint would be great.
Hope the above is OK for you. Have nevertheless another one ;-): OSSEC 3.3.0 is up --> https://people.ipfire.org/~ummeegge/ossec-wazuh/ossec/ but I haven't integrated it into the installer until now. If you install the version from the script (3.1.0), download the 3.3.0, copy it to /tmp, unpack it with tar and execute the install.sh, you can update the installed version too.

Beneath this info, the WI is kind of nice in my opinion, but there has been no further development for a couple of years now, maybe because Wazuh provides an implementation for the ELK-Stack which is extensive, e.g. --> viewtopic.php?f=4&t=4924&start=45#p110744 .

Best,

UE

barczs
Posts: 33
Joined: February 28th, 2019, 1:10 pm

Re: Ossec for IPFire

Post by barczs » June 4th, 2019, 9:01 am

Hi UM,
thanks for your quick reply. First of all I shall contact gocart concerning PHP. I do not intend to install nextcloud, redis etc., because I have them already running on another self-managed server. In gocart's file install.txt (should be renamed afterwards) I can recognize only a php installer. Should he give me the OK, I'll start with your Gitlab package. I'm not going to utilize Wazuh as it consumes too much resources.
Well, I'll let you know :)
Cheers, Sandor
Best regards,
barczs

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » June 8th, 2019, 3:12 pm

Hi Sandor,
made a fast one with building PHP-7.3.x now, which needs some fiddling around. php_mod should be thread-safe, php-fpm is also integrated (currently not needed), but it should be a kind of minimal solution. If you want the build files, let me know.

Tested it very fast since my garden also needs some (much more) work :D but the OSSEC WI currently shows the epoch time in stats
[screenshot of the stats page]
and I am currently not sure why that happens; if you have an idea let me know and I will change it. You can nevertheless click on the desired date, which is a little strange but OK for the first ;) ...

You can find the package in here --> https://people.ipfire.org/~ummeegge/php/ . Uninstallation is also possible by simply executing ./uninstall.sh . The WI installer needed to be updated (different PHP path in the vhost), which is already done --> https://gitlab.com/ummeegge/ossec-wazuh ... staller.sh .

Best and a nice Pfingsten,

UE

barczs
Posts: 33
Joined: February 28th, 2019, 1:10 pm

Re: Ossec for IPFire

Post by barczs » June 8th, 2019, 5:46 pm

Hello UM,

thanks a lot for your efforts. I'll try the new packages asap, although we have to visit some relatives tomorrow. It is great with php, because I have not got any reply from gocart. Never mind, I shall install OSSEC, especially as it has a nice web interface. I think it's not a problem with the start date. Anyway I'll check it and let you know.
I wish you nice Pfingstferien as well. :)

Cheers, Sandor
Best regards,
barczs

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » June 10th, 2019, 10:18 am

OK, could fix stats.php for the first.

[screenshots: stats page before and after the fix]

Diff is:

--- /srv/web/ossec/site/stats.php.orig	2019-06-10 12:12:07.359975725 +0200
+++ /srv/web/ossec/site/stats.php	2019-06-10 11:50:42.433303294 +0200
@@ -29,7 +29,7 @@
 
 
 /* Current date values */
-$curr_time = time(0);
+$curr_time = time();
 $curr_day = date('d',$curr_time);
 $curr_month = date('m', $curr_time);
 $curr_year = date('Y', $curr_time);
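Review bot: the change from `time(0)` to `time()` is the right fix; `time()` takes no arguments, and under PHP 7 the extra argument makes the call emit a warning and return NULL, so `$curr_time` was empty and `date('d', ...)`, `date('m', ...)` and `date('Y', ...)` fell back to the epoch, which matches the stats page behaviour described earlier in the thread. Since ossec_wi_installer.sh applies this as a patch during installation, guard it so a rerun on an already fixed stats.php does not fail or apply the hunk twice (for example, check for the `time(0)` string before patching).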
and will be fixed via ossec_wi_installer.sh --> https://gitlab.com/ummeegge/ossec-wazuh ... staller.sh during installation.

Best,

UE

EDIT: Fixed also search.php --> https://gitlab.com/ummeegge/ossec-wazuh ... 3182cf463e which will also be patched via installer...

barczs
Posts: 33
Joined: February 28th, 2019, 1:10 pm

Re: Ossec for IPFire

Post by barczs » June 10th, 2019, 3:24 pm

Hi UE,

I successfully installed php. But I have problems with the package https://gitlab.com/ummeegge/ossec-wazuh/ . I'm continuously getting an error. Obviously I am too stupid for it.
I did the following:

wget https://gitlab.com/ummeegge/ossec-wazuh/blob/master/ossec-wazuh-admin.sh
chmod +x ossec-wazuh-admin.sh
./install ossec-wazuh-admin.sh
What is wrong with it? Could you please give me a useful hint?

THX a lot,
cheers Sandor
Best regards,
barczs

barczs
Posts: 33
Joined: February 28th, 2019, 1:10 pm

Re: Ossec for IPFire

Post by barczs » June 10th, 2019, 4:46 pm

UPDATE

I had success, the installation worked fine.
Used following code:

cd /tmp &&
curl -O https://gitlab.com/ummeegge/ossec-wazuh/raw/master/ossec-wazuh-admin.sh &&
chmod +x ossec-wazuh-admin.sh &&
./ossec-wazuh-admin.sh

curl -O https://gitlab.com/ummeegge/ossec-wazuh/raw/master/ossec/ossec_wi_installer.sh &&
chmod +x ossec_wi_installer.sh &&
./ossec_wi_installer.sh
Still having some small trouble with the IP address and permissions, but it seems to be a bagatelle.
I'll let you know.
Best regards,
barczs

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » June 10th, 2019, 7:03 pm

Hi barczs,
barczs wrote:
June 10th, 2019, 4:46 pm
Still having some small trouble with the ip address and permission, but it seems to be bagatelle.
I'll let you know.
it is possibly because of the vhost configuration (IP restrictions). You can find the Ossec WI config under /etc/httpd/conf/vhosts.d/ossec.conf, which should look like this:

Listen 9955
<VirtualHost *:9955>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT56:!eNULL:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /etc/httpd/server.crt
    SSLCertificateKeyFile /etc/httpd/server.key

        DocumentRoot "/srv/web/ossec"
        Include /etc/httpd/conf/php*.conf
        ErrorLog "/var/log/httpd/ossec-wui-error.log"
        CustomLog "/var/log/httpd/ossec-wui-access.log" combined

<Directory "/srv/web/ossec">
        Options +FollowSymlinks
        Require ip 192.168.2.2
</Directory>


    <Location />

        Require ip 192.168.2.2

    </Location>

</VirtualHost>

whereby '192.168.2.2' is the machine from where you want access to the Ossec WI. You can also define a whole subnet like e.g. '192.168.2.0/24'. If you did that, you can restart Apache with a

/etc/init.d/apache restart
so that the changes take effect.

Via 'https://{IPFire}:9955' you should get then access.

May this bring you a step further.

Best,

UE
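A small check, added here and not part of the thread or of the ossec-wazuh installer, for working out which client addresses a `Require ip` line admits (a single host versus a subnet, as described in the post above) before restarting Apache. The vhost excerpt and the client addresses are constructed; it runs in plain POSIX sh without Apache.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate Apache "Require ip" entries the
# way the vhost in /etc/httpd/conf/vhosts.d/ossec.conf uses them. POSIX sh only.

# Constructed sample of the relevant part of the vhost (one host plus a subnet).
SAMPLE_CONF='<Directory "/srv/web/ossec">
        Options +FollowSymlinks
        Require ip 192.168.2.0/24 10.0.0.5
</Directory>'

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if $1 (client address) lies inside $2 ("a.b.c.d" or "a.b.c.d/len").
# A bare address is treated as /32, exactly as Apache does.
in_cidr() {
    net=${2%/*}
    case $2 in
        */*) len=${2#*/} ;;
        *)   len=32 ;;
    esac
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Succeed if client $1 matches any entry on any "Require ip" line of config text $2.
client_allowed() {
    entries=$(printf '%s\n' "$2" | sed -n 's/^[[:space:]]*Require[[:space:]]*ip[[:space:]]*//p')
    for e in $entries; do
        in_cidr "$1" "$e" && return 0
    done
    return 1
}

# Report for a few constructed client addresses.
for c in 192.168.2.2 192.168.2.77 192.168.3.2 10.0.0.5 10.0.0.6; do
    if client_allowed "$c" "$SAMPLE_CONF"; then echo "$c allowed"; else echo "$c denied"; fi
done
```

Point `SAMPLE_CONF` at the real file with `SAMPLE_CONF=$(cat /etc/httpd/conf/vhosts.d/ossec.conf)` to test the admin workstation's address against the deployed restriction.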

barczs
Posts: 33
Joined: February 28th, 2019, 1:10 pm

Re: Ossec for IPFire

Post by barczs » June 11th, 2019, 9:03 am

Hello UE,

it works like a charm. Thank you very much for your support! :)

Cheers, Sandor (barczs)
Best regards,
barczs
