OSSEC is an open-source intrusion detection system. http://ossec.github.io
Can be installed from source
Binary package available for several platforms
The agents must be configured with the IP address of the manager/server; a host name will NOT work.
Open incoming TCP ports 139 and 445 on the agents (from the manager)
Open incoming UDP port 1514 on the manager/server
After installing the agent software on a box, add the agent to the manager, and extract its new key:
On the agent, add the key from the manager:
After installing the key on the agent, restart ossec on the manager and start it on the agent box.
The primary config file is /var/ossec/etc/ossec.conf. It has sane defaults.
The docs show a number of useful additional configs. http://ossec.github.io/docs/
(Note: I suspect OSSEC wants IP addresses because it’s chroot’d. I suspect that we could use hostnames if we added them to /var/ossec/etc/hosts (or hard link /etc/hosts to that), but I haven’t tested this.)
Add custom rules to /var/ossec/rules/local_rules.xml. Other files may be overwritten during OSSEC upgrades.
Test the config with:
# /var/ossec/bin/ossec-logtest -t
We can also test how OSSEC evaluates a particular log line, like:
# /var/ossec/bin/ossec-logtest
2016/06/15 15:46:32 ossec-testrule: INFO: Reading local decoder file.
2016/06/15 15:46:32 ossec-testrule: INFO: Started (pid: 4043).
ossec-testrule: Type one log per line.
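An example of a pair of custom rules for /var/ossec/rules/local_rules.xml, added here as an illustration and not taken from the OSSEC docs. It assumes stock rule 5715 (OSSEC's "sshd authentication success" rule) as the parent; the local rule ids and the jump-host address 192.0.2.10 are constructed values.

```xml
<!-- Local rule ids must stay in the 100000-109999 range reserved for users;
     other rule files may be overwritten on upgrade. -->
<group name="local,syslog,sshd,">

  <!-- Escalate: a successful interactive SSH login as root.
       5715 is the stock OSSEC rule for a successful sshd authentication;
       <user> is matched against the user the decoder extracted. -->
  <rule id="100010" level="10">
    <if_sid>5715</if_sid>
    <user>^root$</user>
    <description>Interactive SSH login as root.</description>
  </rule>

  <!-- Silence: the same event from the jump host is expected, so a level-0
       child rule swallows it. 192.0.2.10 is a constructed example address. -->
  <rule id="100011" level="0">
    <if_sid>100010</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>Root SSH login from the jump host, ignored.</description>
  </rule>

</group>
```

Feed a sample sshd "Accepted password for root from ..." line into ossec-logtest to confirm which of the two rules fires for a given source address before restarting the manager.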
There is no easy way to keep syscheck from alerting on a planned system update, but there are work-arounds. Stop the OSSEC processes on the manager, and run /var/ossec/bin/syscheck_control -u AGENT_ID. This clears the syscheck database for that agent, so the next time syscheck runs it will create a new baseline. Next, start the OSSEC processes on the manager. Once the system update is complete, run a syscheck scan on that agent. The database will be populated with the new values and should not trigger “file modified” alarms.