OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It’s the application to install on your server if you want to keep an eye on what’s happening inside it.
OSSEC can be installed to monitor just the server it is installed on, which is a local installation in OSSEC’s parlance, or be installed as a server to monitor one or more agents. In this tutorial, you’ll learn how to install OSSEC to monitor the Fedora 21 or RHEL server it is installed on: a local OSSEC installation.
To complete this tutorial you’ll need:
This tutorial should be followed as a sudo non-root user.
In this section, you’ll install some required packages.
In particular, install
inotify-tools using the following command.
sudo yum install -y bind-utils gcc make inotify-tools
bind-utils provides Domain Name System (DNS) utilities,
make will be used by the OSSEC installer, and
inotify-tools is needed by OSSEC for real-time notifications.
OSSEC is delivered as a compressed tarball. In this step, you’ll download it and its checksum file, which verifies that the tarball has not been tampered with.
You can check the project’s website for the latest version. At the time of this writing,
OSSEC 2.8.1 is the latest stable release.
First, download the tarball.
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
Then, download the checksum file.
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt
After downloading both files, verify the md5sum of the compressed tarball.
md5sum -c ossec-hids-2.8.1-checksum.txt
The output should be:
ossec-hids-2.8.1.tar.gz: OK md5sum: WARNING: 1 line is improperly formatted
Follow that by verifying the SHA1 checksum.
sha1sum -c ossec-hids-2.8.1-checksum.txt
Its output should be:
ossec-hids-2.8.1.tar.gz: OK sha1sum: WARNING: 1 line is improperly formatted
In each case, ignore the WARNING line. The OK line is what confirms that the file is good.
When setting up email notifications during OSSEC’s installation, OSSEC will ask for your SMTP server. In this step, we will figure out that information.
To determine the correct SMTP server to use for your email service provider, you can use the
dig command to query the provider’s mail exchanger (MX) resource records. Enter the following command, replacing
example.com with your email provider’s domain name:
dig -t mx example.com
The output is made up of several sections, but we’re only interested in the ANSWER section, which contains one or more lines. At the end of each line is the SMTP server to use.
For example, if you run the command using
dig -t mx fastmail.com
The valid SMTP servers for the provider will be at the end of each listing in the ANSWER section, which should read:
;; ANSWER SECTION: fastmail.com. 3600 IN MX 10 in1-smtp.messagingengine.com. fastmail.com. 3600 IN MX 20 in2-smtp.messagingengine.com.
In this example, you can use either
in2-smtp.messagingengine.com. as an SMTP server.
Copy one of the SMTP servers from your email provider and save it to enter in the next step. Be sure to include the . (period) at the end, too.
In this step, we will install OSSEC.
Before initiating installation, untar it using:
tar xf ossec-hids-2.8.1.tar.gz
It will be unpacked into a directory called
ossec-hids-2.8.1. Change into that directory.
Then start the installation.
Throughout the setup process, you’ll be prompted to provide some input. In most of those cases, all you’ll need to do is press ENTER to accept the default value.
You’ll first be prompted to select the installation language. By default, it is English (en), so press ENTER if that’s your preferred language. Otherwise, type in the 2 letters from the list of supported languages. Then press ENTER again to start the installation.
Question 1 will ask what kind of installation you want. Here, enter local.
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
For all of the following questions, press ENTER to accept the default. Question 3.1 will additionally prompt you for your email address and then ask for your SMTP server ip/host. Here, enter your email address and the SMTP server you saved from Step 3.
If installation is successful, at the end, you should see this output:
- Configuration finished properly. ... More information can be found at http://www.ossec.net --- Press ENTER to finish (maybe more information below). ---
Press ENTER to finish the installation.
Here we are going to verify that the email credentials specified in the previous step and the one that OSSEC auto-configured are correct.
The email settings are in OSSEC’s main configuration file,
ossec.conf, which is in the
/var/ossec/etc directory. To access and modify any OSSEC file, you first need to switch to the root user.
Now that you’re root,
cd into the directory where OSSEC’s configuration file is.
First, make a backup copy of that file.
cp ossec.conf ossec.conf.00
Then open the original file. Here, we use the
nano text editor, but you can use any text editor you like.
The email settings are at the top of the file. Here are descriptions of the fields.
Note that <email_to> and <email_from> can be the same, and if you have your own email server on the same host as the OSSEC server you can change the <smtp_server> setting to localhost.
Here’s what that section will look like when you’re finished.
<global> <email_notification>yes</email_notification> <email_to>firstname.lastname@example.org</email_to> <smtp_server>mail.example.com.</smtp_server> <email_from>email@example.com</email_from> </global>
After modifying the email settings, save and close the file. Then start OSSEC.
Check your inbox for an email that says that OSSEC has started. If you receive an email from your OSSEC installation, then you know that future alerts will also reach your inbox. If you don’t, check your spam folder.
By default, OSSEC will issue alerts on file modifications and other activities on the server, but it will not alert on new file additions and also will not alert in real time — only after the scheduled system scan, which is 79200 seconds (or 22 hours) by default. In this section, we will add alerts on file additions in real time.
Then scroll down to the <syscheck> section which begins with this text:
<syscheck> <!-- Frequency that syscheck is executed - default to every 22 hours --> <frequency>79200</frequency>
Just under the <frequency> tag, add
<syscheck> <!-- Frequency that syscheck is executed - default to every 22 hours --> <frequency>79200</frequency> <alert_new_files>yes</alert_new_files>
While you still have
ossec.conf open, take a look at the list of system directories that OSSEC monitors, which is just under the last line you just modified. It should read:
<!-- Directories to check (perform all possible verifications) --> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/bin,/sbin</directories>
For each list of directories, add the
realtime="yes" options. After the modifications have been made, the section should read:
<!-- Directories to check (perform all possible verifications) --> <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
Aside from the default list of directories that OSSEC has been configured to monitor, you can also add any that you wish to monitor. For example, you can add monitoring for your home directory,
/home/sammy. To do that, add this new line right under other directory lines, substituting in your username:
<directories report_changes="yes" realtime="yes" check_all="yes">/home/sammy</directories>
Now save and close
The next file to modify is in the
/var/ossec/rules directory, so move to that directory.
/var/ossec/rules directory contains many XML files, including
ossec_rules.xml, which contains OSSEC’s default rule definitions, and
local_rules.xml, which is where you can add custom rules.
local_rules.xml is the only file you should edit in this directory.
ossec_rules.xml, the rule that fires when a file is added to a monitored directory is rule 554. By default, OSSEC does not send out alerts when that rule is triggered, so the task here is to change that behavior. Here’s what rule 554 looks like by default:
<rule id="554" level="0"> <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as> <description>File added to the system.</description> <group>syscheck,</group> </rule>
OSSEC does not send out an alert if a rule is set to level 0, so we will copy that rule to
local_rules.xml and modify it to trigger an alert. To do that, open
Add the following at the end of the file, before the line with the
<rule id="554" level="7" overwrite="yes"> <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as> <description>File added to the system.</description> <group>syscheck,</group> </rule>
Save and close the file. Now, restart OSSEC to reload the files we edited.
You should now be receiving alerts from OSSEC on monitored directories and log files.
Now you have a basic local OSSEC installation set up. There is a lot of further customization available, which you can explore in its official documentation.
For an idea on how to install OSSEC in a client-server or server-agent mode (instead of local mode), see How To Monitor OSSEC Agents Using an OSSEC Server on Ubuntu 14.04.
If you’ve enjoyed this tutorial and our broader community, consider checking out our DigitalOcean products which can also help you achieve your development goals.