25 August 2007

Set up OSSEC HIDS web UI in OpenBSD Apache jail

Yesterday, I spent a bit of time searching the OSSEC mailing lists, manual, and wiki to find something--anything--OpenBSD-specific. I didn't find a whole lot. So, after some trial and error, I came up with a solution for hosting the OSSEC HIDS Web UI (v0.2) inside the default OpenBSD Apache jail (chroot'ed environment).

My OpenBSD server is running the 4.2 kernel (snapshot taken 2007-08-21) with the base install taken from snapshots (2007-08-23).

These instructions assume you have the $PKG_PATH environment variable already set to your favorite/nearest OpenBSD package mirror.

# pkg_add php5-core

Follow the install instructions to enable PHP.

# pkg_add wget
# cd /tmp
# wget http://www.ossec.net/files/ossec-hids-1.3.tar.gz
# wget http://www.ossec.net/files/ui/ossec-wui-0.2.tar.gz

For those of you who enjoy checking the MD5/SHA1/GNUPG signatures of packages (HIGHLY recommended), take a look at the OSSEC HIDS Install Instructions.

# tar zxvf /tmp/ossec-hids-1.3.tar.gz
# cd /tmp/ossec-hids-1.3
# sh install.sh

Go through the install (see the link above for instructions) and configure OSSEC to install to /var/www/ossec.

Start OSSEC HIDS

# /var/www/ossec/bin/ossec-control start

And install the web UI

# cd /var/www/ossec
# tar zxvf /tmp/ossec-wui-0.2.tar.gz
# cd ossec-wui-0.2
# sh setup.sh

The setup.sh script is pretty basic: it asks you for a user name and password to use with the web UI. Now, I'm not a big fan of having files in chroot environments (well, anywhere) with the x bit set unnecessarily, so ...

# chmod -x CONTRIB
# chmod -x index.php
# chmod -x setup.sh

And, for extra protection:

# mv setup.sh sh.setup

... or whatever you want to call it (don't presume that that is the name I chose :) ).

# vi ossec_conf.php

Change $ossec_dir to point to /ossec

/* Ossec directory */
$ossec_dir="/ossec";

The reason OSSEC HIDS and the web UI are installed in /var/www is because we're working in a chroot'ed environment; nothing on the inside can access the outside. The "inside" for Apache's jail is /var/www.

Finally, create a symbolic link in /var/www/htdocs to point to the ossec-wui-0.2/ directory.

# cd /var/www/htdocs
# ln -s ../ossec/ossec-wui-0.2 ossec-wui

Be sure to use the relative path. Remember, Apache, once started, won't be able to access anything outside /var/www (which becomes / as far as Apache is concerned). Test the install by browsing to http://yourdomain.com/ossec-wui. You should get the OSSEC Web UI with the OSSEC-generated alerts, et cetera. If you get an error telling you it can't access the OSSEC files (I forget exactly what it says), check the value of $ossec_dir in the /var/www/ossec/ossec-wui-0.2/ossec_conf.php file.
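As an added check (not part of the original post), here is a small POSIX sh script that verifies the three points that bite people in this layout: the htdocs symlink is relative and actually resolves, $ossec_dir in ossec_conf.php is the in-jail path /ossec rather than /var/www/ossec, and the web UI files carry no execute bit. It assumes the paths used above (/var/www as the jail, ossec-wui-0.2 under /var/www/ossec, the ossec-wui link in htdocs). The function names check_ossec_jail and make_layout and the scratch layout the script builds are my own, constructed so the checks can be exercised without root before pointing them at the real jail.

```shell
#!/bin/sh
# Added example, not code from the original post or from OSSEC.
# Sanity checks for the OSSEC web UI inside the OpenBSD Apache chroot.
# Usage: sh check-ossec-jail.sh /var/www   (no argument runs a self-demo)

# check_ossec_jail JAIL_ROOT -> returns 0 if every check passes, 1 otherwise
check_ossec_jail() {
    jail="$1"
    status=0
    link="$jail/htdocs/ossec-wui"
    conf="$jail/ossec/ossec-wui-0.2/ossec_conf.php"

    # 1. The htdocs symlink must exist and use a relative target. Apache sees
    #    $jail as /, so an absolute /var/www/... target is unreachable inside.
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink"; status=1
    else
        target=$(readlink "$link")
        case "$target" in
            /*) echo "FAIL: symlink target '$target' is absolute; use a relative path"; status=1 ;;
            *)  [ -d "$link" ] || { echo "FAIL: symlink target '$target' does not resolve"; status=1; } ;;
        esac
    fi

    # 2. $ossec_dir must be the in-jail path /ossec, not the host path /var/www/ossec.
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf is missing"; status=1
    elif ! grep -q '^\$ossec_dir="/ossec";' "$conf"; then
        echo "FAIL: \$ossec_dir in $conf is not \"/ossec\""; status=1
    fi

    # 3. None of the web UI files should carry an execute bit (sh.setup is the
    #    renamed setup.sh from the post; any of these may be absent).
    for f in CONTRIB index.php setup.sh sh.setup; do
        p="$jail/ossec/ossec-wui-0.2/$f"
        [ -e "$p" ] || continue
        if [ -x "$p" ]; then
            echo "FAIL: $p is executable"; status=1
        fi
    done

    return $status
}

# make_layout DIR good|bad: builds a constructed scratch copy of the jail layout
# (stub files, not real OSSEC files) so the checks can be tried without root.
make_layout() {
    d="$1"; mode="$2"
    mkdir -p "$d/htdocs" "$d/ossec/ossec-wui-0.2"
    printf '<?php /* constructed stub */ ?>\n' > "$d/ossec/ossec-wui-0.2/index.php"
    if [ "$mode" = good ]; then
        printf '/* Ossec directory */\n$ossec_dir="/ossec";\n' > "$d/ossec/ossec-wui-0.2/ossec_conf.php"
        ln -s ../ossec/ossec-wui-0.2 "$d/htdocs/ossec-wui"
    else
        # the mistakes the post warns about: host path in the config, absolute
        # symlink target, and a stray execute bit
        printf '$ossec_dir="/var/www/ossec";\n' > "$d/ossec/ossec-wui-0.2/ossec_conf.php"
        ln -s "$d/ossec/ossec-wui-0.2" "$d/htdocs/ossec-wui"
        chmod +x "$d/ossec/ossec-wui-0.2/index.php"
    fi
}

if [ $# -ge 1 ]; then
    check_ossec_jail "$1"
else
    # Self-demo against constructed good and bad layouts in a scratch directory.
    scratch=$(mktemp -d)
    make_layout "$scratch/good" good
    make_layout "$scratch/bad" bad
    check_ossec_jail "$scratch/good" && echo "good layout: OK"
    check_ossec_jail "$scratch/bad" || echo "bad layout: problems found (expected)"
    rm -rf "$scratch"
fi
```

Run it as `sh check-ossec-jail.sh /var/www` on the server after the steps above; every FAIL line names the file to fix, and the exit status is non-zero if anything was flagged.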

Cleanup.

If you don't want to hold onto the archives in /tmp, delete them or let the system clean them out on the next boot.