OSSEC
=====

OSSEC is an open-source intrusion detection system.

http://ossec.github.io

## Features ##

- Supports Windows, Linux, FreeBSD, OpenBSD, and several other platforms.
- Cisco, Juniper, and various other gear supported via syslog and agentless monitoring
- Realtime alerts (email)
- File integrity checking
- Log monitoring
- Rootkit detection
- Automated active response

## Architecture ##

- One OSSEC manager/server
- Agents installed on monitored systems
- Optional agentless monitoring (e.g. via ssh)

## Installation ##

- http://ossec.github.io/downloads.html
- Can be installed from source
- Binary packages available for several platforms
- Debian (ossec-hids is the manager/server package, ossec-hids-agent the agent package):

        # apt-key adv --fetch-keys http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key
        # echo 'deb http://ossec.wazuh.com/repos/apt/debian jessie main' >> /etc/apt/sources.list
        # apt-get update
        # apt-get install ossec-hids
        # apt-get install ossec-hids-agent

## Configuration ##

- The agents must be configured with the IP address of the manager/server; a host name will NOT work.
- Open incoming TCP ports 139 and 445 on the agents (from the manager)
- Open incoming UDP port 1514 on the manager/server
- After installing the agent software on a box, add the agent to the manager, and extract its new key:

        # /var/ossec/bin/manage_agents

- On the agent, add the key from the manager:

        # /var/ossec/bin/manage_agents

- After installing the key on the agent, restart ossec on the manager and start it on the agent box.

The primary config file is /var/ossec/etc/ossec.conf. It has sane defaults. The docs show a number of useful additional configs: http://ossec.github.io/docs/

(Note: I suspect OSSEC wants IP addresses because it's chroot'd. I suspect that we could use hostnames if we added them to /var/ossec/etc/hosts (or hard link /etc/hosts to that), but I haven't tested this.)

## Custom Rules ##

Add custom rules to /var/ossec/rules/local_rules.xml. Other files may be overwritten during OSSEC upgrades.
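As an added illustration (not the local_rules.xml that OSSEC ships), here is what a small local ruleset looks like: one rule that escalates an existing built-in alert and one that suppresses it for a known source. It assumes the stock sshd decoders and OSSEC's built-in rule 5716 ("SSHD authentication failed"); the rule IDs 100010 and 100011 and the source address 192.0.2.10 are constructed for the example.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; not part of OSSEC's
     shipped ruleset. Rule IDs 100000-119999 are reserved for local rules, so
     upgrades of the stock rule files do not collide with them. -->
<group name="local,syslog,sshd,">

  <!-- Escalate: a single SSH authentication failure against the root
       account becomes a level-10 alert and is always emailed.
       5716 is the built-in "SSHD authentication failed" rule (assumed). -->
  <rule id="100010" level="10">
    <if_sid>5716</if_sid>
    <user>root</user>
    <description>sshd: authentication failure against the root account (local rule).</description>
    <options>alert_by_email</options>
  </rule>

  <!-- Suppress: the same failures from an authorised vulnerability scanner
       (constructed address 192.0.2.10) are dropped to level 0, i.e. no alert.
       Keep such exceptions as narrow as possible: one rule, one source. -->
  <rule id="100011" level="0">
    <if_sid>5716</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>sshd: authentication failure from the internal scanner, ignored (local rule).</description>
  </rule>

</group>
```

After editing the file, run /var/ossec/bin/ossec-logtest -t to check that the rules parse, then paste a real sshd "Failed password" line into /var/ossec/bin/ossec-logtest and confirm the output shows rule 100010 (or 100011) firing instead of the built-in 5716; a local rule that never appears in logtest output is usually an ordering or if_sid mistake.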
Test the config with:

    # /var/ossec/bin/ossec-logtest -t

We can also test how OSSEC evaluates a particular log line, like:

    # /var/ossec/bin/ossec-logtest
    2016/06/15 15:46:32 ossec-testrule: INFO: Reading local decoder file.
    2016/06/15 15:46:32 ossec-testrule: INFO: Started (pid: 4043).
    ossec-testrule: Type one log per line.

## How do I stop syscheck alerts during system updates? ##

There is no easy way to do this, but there are work-arounds. Stop the OSSEC processes on the manager, and run /var/ossec/bin/syscheck_control -u AGENT_ID. This will clear the syscheck database for the agent, and the next time syscheck runs it will create a new baseline. Next, start the OSSEC processes on the manager. Once the system update is complete, run a syscheck scan on that agent. The database will be populated with new values, and should not trigger "file modified" alarms.

http://ossec.github.io/docs/faq/syscheck.html#how-do-i-stop-syscheck-alerts-during-system-updates