25 August 2007

Set up OSSEC HIDS web UI in OpenBSD Apache jail

Yesterday, I spent a bit of time searching the OSSEC mailing lists, manual, and wiki to find something--anything--OpenBSD-specific. I didn't find a whole lot. So, after some trial and error, I came up with a solution for hosting the OSSEC HIDS Web UI (v0.2) inside the default OpenBSD Apache jail (chroot'ed environment).

My OpenBSD server is running the 4.2 kernel (snapshot taken 2007-08-21) with the base install taken from snapshots (2007-08-23).

These instructions assume you have the $PKG_PATH environment variable already set to your favorite/nearest OpenBSD package mirror.

# pkg_add php5-core

Follow the install instructions to enable PHP.

# pkg_add wget
# cd /tmp
# wget http://www.ossec.net/files/ossec-hids-1.3.tar.gz
# wget http://www.ossec.net/files/ui/ossec-wui-0.2.tar.gz

For those of you who enjoy checking the MD5/SHA1/GNUPG signatures of packages (HIGHLY recommended), take a look at the OSSEC HIDS Install Instructions.

# tar zxvf /tmp/ossec-hids-1.3.tar.gz
# cd /tmp/ossec-hids-1.3
# sh install.sh

Go through the install (see the link above for instructions) and configure OSSEC to install to /var/www/ossec.

Start OSSEC HIDS

# /var/www/ossec/bin/ossec-control start

And install the web UI

# cd /var/www/ossec
# tar zxvf /tmp/ossec-wui-0.2.tar.gz
# cd ossec-wui-0.2
# sh setup.sh

The setup.sh script is pretty basic: it asks you for a user name and password to use with the web UI. Now, I'm not a big fan of having files in chroot environments (well, anywhere) with the x bit set unnecessarily, so ...

# chmod -x CONTRIB
# chmod -x index.php
# chmod -x setup.sh

And, for extra protection:

# mv setup.sh sh.setup

... or whatever you want to call it (don't presume that that is the name I chose :) ).

# vi ossec_conf.php

Change $ossec_dir to point to /ossec

/* Ossec directory */
$ossec_dir="/ossec";

The reason OSSEC HIDS and the web UI are installed in /var/www is because we're working in a chroot'ed environment; nothing on the inside can access the outside. The "inside" for Apache's jail is /var/www.

Finally, create a symbolic link in /var/www/htdocs to point to the ossec-wui-0.2/ directory.

# cd /var/www/htdocs
# ln -s ../ossec/ossec-wui-0.2 ossec-wui

Be sure to use the relative path. Remember, Apache, once started, won't be able to access anything outside /var/www (which becomes / as far as Apache is concerned). Test the install by browsing to http://yourdomain.com/ossec-wui. You should get the OSSEC Web UI with the OSSEC-generated alerts, et cetera. If you get an error telling you it can't access the OSSEC files (I forget exactly what it says), check the value of $ossec_dir in the /var/www/ossec/ossec-wui-0.2/ossec_conf.php file.
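As an added check (my own example, not part of the original post or of OSSEC), this script resolves a symlink the way the chrooted httpd would, with /var/www as "/", so you can confirm before starting Apache that the link points somewhere that exists inside the jail. The temporary layout it builds is constructed to mirror the post's directory names.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a symlink placed
# under the Apache chroot (/var/www, which httpd sees as "/") resolves to a
# path that exists *inside* the jail. A relative target such as
# ../ossec/ossec-wui-0.2 works; an absolute one like /var/www/ossec/... looks
# fine from outside but inside the jail points at /var/www/var/www/... .

# jail_normalize PATH: print PATH as a chrooted process would resolve it.
# ".." can never climb above the jail root, exactly as in a real chroot.
jail_normalize() (
    set -f; IFS=/                      # no globbing; split on "/"
    out=""
    for c in $1; do
        case $c in
            ''|.) ;;                   # empty or "." component: skip
            ..)   out=${out%/*} ;;     # pop one component (no-op at root)
            *)    out="$out/$c" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# link_in_jail JAIL LINK: succeed (0) only if LINK's target exists when
# resolved with JAIL as the root directory.
link_in_jail() {
    jail=$1; link=$2
    target=$(readlink "$link") || return 1       # not a symlink
    case $target in
        /*) inside=$(jail_normalize "$target") ;;
        *)  linkdir=$(dirname "${link#"$jail"}")   # link's dir, jail-relative
            inside=$(jail_normalize "$linkdir/$target") ;;
    esac
    [ -e "$jail$inside" ]
}

# make_fixture: build a constructed copy of the post's layout in a temporary
# directory (prints its path) with one good link and one bad link.
make_fixture() {
    j=$(mktemp -d) || return 1
    mkdir -p "$j/htdocs" "$j/ossec/ossec-wui-0.2"
    ln -s ../ossec/ossec-wui-0.2 "$j/htdocs/ossec-wui"        # relative: good
    ln -s "$j/ossec/ossec-wui-0.2" "$j/htdocs/ossec-wui-abs"  # absolute: bad
    printf '%s\n' "$j"
}

# On a real box: link_in_jail /var/www /var/www/htdocs/ossec-wui && echo OK
```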

Cleanup.

If you don't want to hold onto the archives in /tmp, delete them or let the system clean them out on the next boot.

14 July 2007

A Brief Vim Tutorial

The following commands are based on the command set in Vim version 6.4 and later. For a more in-depth tutorial, use vimtutor at a Linux command prompt or use the gVim Tutorial for Windows. Additional Vim help can be found by using the :h command within Vim or by visiting the vim.org documentation.

Normal v. Edit Mode
There are two modes in Vim, the Normal (or Command) mode and the Edit mode. When Vim is first started it is in the Normal mode. This allows you to navigate through the file or perform advanced editing. If you are ever unsure about something you typed, press Esc to return to Normal mode. Then retype the command you wanted.

NOTE: All commands in Vim are case sensitive. If the Vim command is not working the way it should, check your Caps Lock status, it is probably on.

Navigation
There are several methods for navigating a file with Vim.
The h, j, k, l keys (the "legacy" keys)
h moves the cursor left one character
j moves the cursor down one line
k moves the cursor up one line
l moves the cursor right one character
The Left, Up, Down, Right arrow keys
Each arrow key moves the cursor one line/character accordingly
To move more than one line/character in any direction, enter a number then the direction key. For example, to move down 33 lines, enter 33j. To move forward three words, enter 3w.

0 (zero) moves the cursor to the beginning of the current line.
$ moves the cursor to the end of the current line.
w moves the cursor to the beginning (first letter) of the next word.
e moves the cursor to the end (last letter) of the next word.
gg moves the cursor to the beginning of the file.
#g moves the cursor down # lines.
G moves the cursor to the end of the file.
#G moves the cursor to line number # (e.g., 485G will move the cursor to line 485 [try this in the Vim tutor]).
CTRL-G This command shows your location in the file and the file status.

Insert/Append
There are several methods for entering Vim's Edit mode. The most common are the Insert command and the Append command.
i Move the cursor to the desired location and then press i to enter the Edit mode. Vim will display "-- INSERT --" at the bottom of the window to indicate you are in Edit/Insert mode. Anything you type after issuing the Insert command (i) will be inserted into the file you are editing. To return to the Normal mode, press Esc. Use the arrow keys to navigate while in Edit mode, or press Esc to return to Normal mode and use the hjkl keys to navigate.
a The append command will advance the cursor one character to the right and place you in Edit mode. As with the insert command, use Esc to return to Normal mode.
A Begin appending at the end of the current line.
o (lower case 'o') This command creates a new line under the cursor, moves the cursor to the beginning of the new line and places you into Edit mode.
O (upper case 'O') This command creates a new line above the cursor, moves the cursor to the beginning of the new line and places you into Edit mode.

Changing Letters, Words, and Lines
r The replace command replaces one character. To change mall to mail, move the cursor over the first 'l' in mall and type ri to replace the 'l' with an 'i'.
R Replace more than one character. This command will place you in Replace mode, which is similar to Edit mode except that every typed character will delete/replace an existing character. As with Edit mode, use Esc to return to Normal mode.
cw This allows you to change a word. Move the cursor to the beginning of a word or segment of a word, then type cw. The word (or remainder of the word) will be removed and you will be placed in Edit mode. Use Esc to return to Normal mode.
ce This command removes the entire current word and places you in Edit mode.
c$ This command will remove everything on the current line from the cursor onward and will place you in Edit mode.

Deleting Letters, Words, and Lines
To delete more than one character/word/line, enter a number then the appropriate delete command. For example, to delete 100 lines, enter 100dd.

x This command deletes the character under the cursor
#x This command deletes # characters, starting with the character under the cursor.
dw This command deletes the word or partial word under the cursor.
d$ This command deletes a line from the cursor position to the end of the line.
C This command is similar to d$ except that it also puts you into Edit Mode.
d0 (d+zero) This command deletes a line from the cursor position to the beginning of the line.
dd This command deletes the current line in its entirety
#dd This command deletes # lines.
D This command deletes a line from the cursor position to the end of the line.

Pasting Letters, Words, and Lines
p This command puts the last deleted character/word/line at the cursor position
P This command puts the last deleted character/word/line before the cursor.
NOTE: For more advanced cut and paste techniques, refer to the Vim documentation, use :h y within Vim, or go to Lesson 6.4 in the Vim tutor.

Undo
u This command undoes the last command. Multiple u commands will undo multiple events.
U This command undoes changes to a whole line.
:u This is the same as u
CTRL-R Redo (undo an undo).

Search, Search and Replace
NOTE: Searches are case sensitive and use regular expression syntax. Case sensitivity can be overridden.

Searching
/ Searches for a phrase from the cursor position forward through the file (e.g., /Hello will search for "Hello").
? Searches for a phrase backwards through the file (e.g., ?Hello will do a reverse search for "Hello").
n Repeat the last search / or ? search again.
N Repeat the last search in the opposite direction.
CTRL-O Return to where you began your search, repeat to go back further.
CTRL-I The opposite of CTRL-O.

Search and Replace
:s/find/replace/ Search and replace on the current line only.
:%s/find/replace/ Search and replace globally.
:#,#s/find/replace/ Search and replace between the two line numbers given as #,#.

Search Flags
These flags work for both :s// and :%s//
:s/find/replace/i will ignore case.
:s/find/replace/g will make the changes globally on the line or file.
:s/find/replace/c will prompt before making a change.
:s/find/replace/e will ignore errors.
NOTE: The search flags can be used together (:%s/find/replace/igc).

Use :h and go to |usr_12.txt| Clever tricks for more advanced search and replace options.

Quitting and Saving
:q This command will quit Vim
:q! This command will quit Vim WITHOUT saving changes
:qa! This is the same as :q! but will quit Vim if you are editing multiple files
:wq This command will write the changes to the file and quit Vim
:wq! This command will write the changes to the file and quit Vim (useful for "read-only" files)
:ZZ This is the same as :wq
:x This is the same as :wq
:x! This is the same as :wq!
:w filename This command will write the contents of the file to "filename"

Opening Files Within Vim
:e filename This command will open "filename" in the current Vim window/frame
You can also open files with Vim from the command line (e.g., vim file1 file2 file3). Vim will open file1 first, then file2, then file3. Use :n to move to the next file.