
OSSEC

An open source host-based intrusion detection system.

Simple Install

 # Note: this pipes a remote installer straight into a root shell; download and inspect it first if you need to.
 $ wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash 
 # Note: this moves the whole legacy apt keyring, not only the OSSEC key.
 $ sudo mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/ossec.gpg
 $ sudo apt-get update 
 # Agent Install
 $ sudo apt-get install ossec-hids-agent
 # and/or - Server Install
 $ sudo apt-get install ossec-hids-server

Install from Github

 # Install dependencies (check the build output for errors and install any additional dependencies if needed).
 $ sudo apt install git libpcre2-dev openssl libssl-dev libsystemd-dev zlib1g-dev
 $ git clone https://github.com/ossec/ossec-hids.git
 $ cd ossec-hids
 $ sudo su -c "./install.sh"
 # choose: local, agent, server, or hybrid. See help for descriptions. 
 $ sudo /var/ossec/bin/ossec-control start
 $ sudo /var/ossec/bin/ossec-control status
 # Create an ossec service so that it starts at reboot.
 $ sudo vim /etc/systemd/system/ossec.service

 [Unit]
 Description=OSSEC Host-Based Intrusion Detection System
 After=network.target

 [Service]
 Type=forking
 ExecStart=/var/ossec/bin/ossec-control start
 ExecStop=/var/ossec/bin/ossec-control stop
 Restart=always
 User=root

 [Install]
 WantedBy=multi-user.target

 $ sudo systemctl daemon-reload
 $ sudo systemctl enable ossec.service
 $ sudo systemctl start ossec.service
 $ sudo systemctl status ossec.service

Example 1: Show Successful Logins

 $ sudo su 
 # Or run the following command from a root cron job
 # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication_success

Example 2: Show Alerts Level 10 and Greater

 # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f level 10

Example 3: Show the src-ip for all users

 # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication -r user srcip

Example 4: Show Changed files as reported by Syscheck

 # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group syscheck
 # cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd 2>&1 | more

Optional: Local install Desktop Notifications:

 # Limitation: this only notifies you while you have an active desktop session.
 # Dependencies Required
 $ sudo apt install libnotify-bin
 $ sudo vim /etc/systemd/system/ossec-alerts.service
 # Replace $USER below with your desktop user.

 [Unit]
 Description=OSSEC Alert Check Service
 After=network.target

 [Service]
 Type=simple
 User=$USER
 Environment="DISPLAY=:0"
 # Run `printenv DBUS_SESSION_BUS_ADDRESS` as the desktop user to find the correct value for your session.
 Environment="DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus"
 ExecStart=/bin/bash -c 'while true; do logs=$(timeout 60 /usr/bin/tail -n0 -F /var/ossec/logs/alerts/alerts.log); if [ -n "$logs" ]; then /usr/bin/notify-send "OSSEC Alerts" "$logs"; fi; sleep 1; done'

 [Install]
 WantedBy=multi-user.target

 # Replace $USER with your desktop user.
 $ sudo usermod -a -G ossec $USER
 $ sudo chown -R $USER:root /usr/bin/tail
 # Note: the chown above lets your desktop user overwrite a system binary that root and other services also run,
 # and a coreutils package upgrade will reset it. The ossec group membership from the previous command is what
 # grants read access to alerts.log, so prefer leaving /usr/bin/tail owned by root.

 # Enable the service
 $ sudo systemctl daemon-reload
 $ sudo systemctl enable ossec-alerts.service
 $ sudo systemctl start ossec-alerts.service

 # Test the ossec alert notification - wait up to one minute. (Integrity Check must be enabled.)
 $ sudo apt install htop -y && sudo apt purge htop -y && sudo apt install htop -y

References

 https://www.ossec.net/download-ossec/