By Rory Bray, Daniel Cid and Andrew Hay
Service provider takeaway: Open Source Security (OSSEC) is a widely used host-based intrusion detection system (HIDS) that detects unauthorized activity on an individual host. This section of the chapter excerpt from the book OSSEC Host-Based Intrusion Detection Guide
The OSSEC HIDS is an easily accessible HIDS solution, offering a simple, menu-driven installation. It can be downloaded from the OSSEC Web site as uncompiled source code, allowing you to build and compile the application for any operating system, or as a binary executable file specifically for Windows agent deployments.
To build and compile the OSSEC source code you must first ensure that the necessary development tools (a C compiler and make) are installed. The two modes of installation, local and server-agent, give you the flexibility to plan complex deployments. The server-agent installation requires a little extra effort, but getting the agents connected to the server is a simple task.
The OSSEC HIDS server must be able to receive agent traffic on UDP port 1514 and, if you configure it to accept syslog from remote devices, on UDP port 514 as well. You must ensure that the firewall or packet filter on the OSSEC server allows this traffic inbound. Each operating system and software distribution provides its own way to do this, so consult your operating system documentation.
Installing the OSSEC HIDS on multiple hosts can be automated using a combination of the SSH protocol and some Unix commands. This allows you to deploy OSSEC HIDS agents to multiple hosts without having to physically sit at every computer you must configure. At this point, you have seen that performing an OSSEC HIDS installation takes minimal time and effort. Local installations are effortless and a great way to get functioning with the OSSEC HIDS quickly. With this introduction to the accessibility of the OSSEC HIDS, you are now ready to examine more information about this remarkable security solution.
Frequently asked questions
Q: Where can I download the OSSEC HIDS files I need?
A: All files needed for your OSSEC HIDS installation can be found at the OSSEC Web site at www.ossec.net.
Q: What files do I need to install the OSSEC HIDS?
A: If you plan to install the OSSEC HIDS on a Unix, Linux, or BSD operating system, you need the source code tar.gz archive. If you plan to install the OSSEC HIDS on a Microsoft Windows system, you can download the precompiled Windows agent installation executable. Regardless of the file you download, it is strongly recommended that you also download the checksum text file and validate the integrity of your downloads against it prior to installation.
Q: I don't have development tools installed on my Unix, Linux, or BSD machine. Is there a precompiled OSSEC HIDS executable for Unix, Linux, or BSD operating systems?
A: At the time of this writing, there were no officially supported OSSEC HIDS packages available for download. The OSSEC HIDS team, however, is investigating packages for Debian/Ubuntu, Mac OS X, and Red Hat based operating systems as a future roadmap item.
Q: What languages does the OSSEC HIDS installer support?
A: The OSSEC HIDS installer allows you to choose your installation language of choice from one of 12 supported languages, including English, Brazilian Portuguese, Chinese, German, Spanish, French, Italian, Japanese, Polish, Russian, Serbian, and Turkish.
Q: I don't see my native language listed. How can I get support for my language into the
A: The OSSEC HIDS team is always looking for translators for the documentation and the user interface. If you, or someone you know, can translate from one of the currently supported languages, please contact the OSSEC HIDS development team.
Q: The installer wants me to install the OSSEC HIDS in the /var/ossec directory, but I want to put it somewhere else. Does it matter what directory I install to?
A: You can install the OSSEC HIDS to any directory on your system as long as the root user has write access to that directory.
Q: If I did not enable one of the features during installation, can I enable that feature later?
A: Yes, you can run the installer script as many times as you like to make changes to the current configuration, or edit the existing configuration directly. The configuration of the OSSEC HIDS is covered in greater depth later in this book.
Q: Active response sounds potentially dangerous. Should I still enable it?
A: Even though active response can be dangerous if misconfigured (it runs scripts on the host in reaction to alerts, so a bad rule can block or disrupt a legitimate host), we still recommend that you enable it. It is a very powerful feature of the OSSEC HIDS, and its configuration is discussed in greater detail later in this book.
Q: When the installation completed there was a message indicating that a startup script could not be created. What do I do now?
A: The OSSEC HIDS installer is able to create a startup script on most operating systems, but if one is not created, you can create your own initialization script to launch the OSSEC HIDS on system boot.
Q: How do I manually start the OSSEC HIDS processes?
A: If you want to start the OSSEC HIDS manually, run ossec-control start from the bin directory of your OSSEC HIDS installation (/var/ossec/bin by default). Note that the OSSEC HIDS must be started as the root user, so you will have to log in as a user with root permissions or use sudo to run the command.
Q: When should I install my OSSEC HIDS server -- before or after my agents?
A: When installing your OSSEC HIDS agents, you are asked to supply the IP address for your OSSEC HIDS server. It is always recommended that your OSSEC HIDS server be installed prior to deploying your agents.
Q: How do I manage my agents?
A: On Unix, Linux, and BSD operating systems you can run the manage_agents utility to add new agents, extract keys for agents, list agents, and remove existing agents. On a Windows agent, click the Manage Agents icon in the OSSEC start menu group.
Q: The agent is not able to connect to the server. What's wrong?
A: There are two common issues. If there are no messages in the server log regarding the agent, chances are a firewall is blocking UDP port 1514 between the agent and the server. If instead you see a message similar to:
2007/05/23 09:27:35 ossec-remoted(1403): Incorrectly formated message from 'xxx.xxx.xxx.xxx'.
there is an issue with the key on the agent: either the same key is also in use by another agent, or the IP address recorded in the key does not match the address the agent is connecting from. (The misspelling "formated" is OSSEC's own log text; search the log for it verbatim.)
Q: When copying the OSSEC HIDS files from one system to another, are there any files I shouldn't copy?
A: Because each OSSEC HIDS agent requires its own generated client.keys file, and the OSSEC HIDS server's copy of client.keys contains all agent keys, it is recommended that you exclude this file from your copy.
Q: How can I get the OSSEC HIDS files to the remote systems?
A: Depending on your environment, you might be able to use SSH to securely transfer the files from one system to the other. If you have a networked file system, you can copy the files from one file system to the other. Alternately, if no connection is available, you can simply copy the files to a floppy, CD-ROM, or DVD, and then copy the files to the system.
Q: Which command can I use to securely copy the key from the OSSEC HIDS server to the remote agent?
A: You can use the grep command to extract the OSSEC HIDS agent key from the OSSEC HIDS server's client.keys file, and use SCP to copy it to the other system.
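The following shell script is an added example, not code from the OSSEC book or the OSSEC project. It puts the last two answers (extracting an agent's key from the server's client.keys and pushing it with scp) together with the troubleshooting answer above, by checking client.keys for the two conditions behind ossec-remoted's "Incorrectly formated message" entry: one key issued to two agents, or an agent whose IP does not match its key. It assumes (the original text does not say this) that client.keys lines have the form id, name, IP, key as manage_agents writes them, that the agent's key file is also /var/ossec/etc/client.keys, and that the agent host accepts ssh as root. The sample client.keys and log lines at the bottom are constructed for a stand-alone run and contain no real keys.

```shell
#!/bin/sh
# Added example; not code from the OSSEC book or the OSSEC project.
# Assumptions (not stated in the original text): client.keys lines are
#   <id> <name> <ip> <key>
# as manage_agents writes them; the agent's own key file is also
# /var/ossec/etc/client.keys; the agent host accepts ssh as root.

KEYS_FILE="${KEYS_FILE:-/var/ossec/etc/client.keys}"

# Print the single client.keys line for agent NAME. Matching field 2 as a
# whole word (rather than grepping for the name as a substring) stops
# "web" from also matching "web2"; refuse to continue unless exactly one
# line matches, so a stale duplicate is never shipped to an agent.
extract_agent_key() {
    name="$1"; file="${2:-$KEYS_FILE}"
    count=$(awk -v n="$name" '$2 == n { c++ } END { print c + 0 }' "$file")
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one client.keys entry for '$name', found $count" >&2
        return 1
    fi
    awk -v n="$name" '$2 == n' "$file"
}

# Report duplicate keys (field 4) and duplicate IPs (field 3). Prints one
# line per problem; exit status 1 if anything was found, 0 if clean.
check_client_keys() {
    file="${1:-$KEYS_FILE}"
    awk '
        NF < 4 || $1 ~ /^#/ { next }          # skip blank and comment lines
        {
            if ($3 in ip_owner) { print "duplicate IP " $3 ": " ip_owner[$3] " and " $2; bad = 1 }
            else ip_owner[$3] = $2
            if ($4 in key_owner) { print "duplicate key: " key_owner[$4] " and " $2; bad = 1 }
            else key_owner[$4] = $2
        }
        END { exit bad }
    ' "$file"
}

# For every IP that ossec-remoted rejected, say whether the server holds a
# key for that IP at all. The misspelling "formated" is OSSEC's own log text.
diagnose_rejected_agents() {
    log="$1"; file="${2:-$KEYS_FILE}"
    grep -o "Incorrectly formated message from '[^']*'" "$log" \
      | awk -F"'" '{ print $2 }' | sort -u \
      | while read -r ip; do
            owners=$(awk -v ip="$ip" '$3 == ip { if (o != "") o = o ","; o = o $2 } END { print o }' "$file")
            if [ -n "$owners" ]; then
                echo "$ip: server has key for agents: $owners; agent's client.keys must hold exactly that line"
            else
                echo "$ip: no agent registered for this IP; its key was generated for another address"
            fi
        done
}

# Copy NAME's key line to the agent host over SCP (needs a reachable host,
# so it is defined but not called in the stand-alone run below).
push_agent_key() {
    name="$1"; host="$2"
    tmp=$(mktemp) || return 1
    if ! extract_agent_key "$name" > "$tmp"; then rm -f "$tmp"; return 1; fi
    chmod 600 "$tmp"
    scp -p "$tmp" "root@$host:/var/ossec/etc/client.keys"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# --- constructed sample data for a stand-alone run (not real keys) ---
SAMPLE_KEYS=$(mktemp)
cat > "$SAMPLE_KEYS" <<'EOF'
001 webserver 192.168.1.10 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9
002 dbserver 192.168.1.11 ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
003 dbserver2 192.168.1.11 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
EOF
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2007/05/23 09:27:35 ossec-remoted(1403): Incorrectly formated message from '192.168.1.11'.
2007/05/23 09:28:01 ossec-remoted(1403): Incorrectly formated message from '192.168.1.50'.
EOF

extract_agent_key webserver "$SAMPLE_KEYS"
check_client_keys "$SAMPLE_KEYS" || echo "client.keys needs fixing before deploying keys"
diagnose_rejected_agents "$SAMPLE_LOG" "$SAMPLE_KEYS"
```

Run the sample as is to see the duplicate-IP report for dbserver and dbserver2 and the diagnosis of the two rejected addresses; on a real server, point KEYS_FILE at the live client.keys and call push_agent_key with the agent's name and hostname to deploy one key. Only the extracted line goes to the agent; the full server file never leaves the server.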
OSSEC Host-Based Intrusion Detection Guide
Downloading OSSEC HIDS
Performing local installation
Performing server agent installations
Installing the Windows agent
Streamlining the installations
Summary and FAQs
About the book
OSSEC Host-Based Intrusion Detection Guide is specifically devoted to Open Source Security (OSSEC) and is a comprehensive and exhaustive guide to the often complicated procedures of installing and implementing such intrusion detection software. Purchase the book from Syngress Publishing.
Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "OSSEC Host-Based Intrusion Detection Guide" by Rory Bray, Daniel Cid and Andrew Hay. For more information about this title and other similar books, please visit www.elsevierdirect.com.
This was first published in August 2008