Install and Use OSSEC

OSSEC is a multiplatform, open source, and free Host Intrusion Detection System (HIDS). The OSSEC HIDS project is the current open source standard-bearer for host-based intrusion detection on Linux.

To install and use OSSEC HIDS with EFA, perform the following steps.

Before you begin

Installation of OSSEC requires a few packages to be installed on EFA to achieve a functioning OSSEC HIDS instance. Run the following to install the prerequisite packages:

# apt-get install libpcre2-dev libssl-dev zlib1g-dev libevent-dev build-essential

Procedure

  1. Download the latest release of OSSEC HIDS from GitHub. Then extract, install, and start it, using the following commands:
    # wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
    # tar xvfz 3.6.0.tar.gz
    # cd ossec-hids-3.6.0
    # ./install.sh
    # systemctl start ossec
    

    At this point, OSSEC HIDS is running on EFA and performing its real-time monitoring tasks. Logs and alerts are written under the /var/ossec/logs directory. The scenarios below illustrate some example alerts.

  2. In the first scenario, a process starts listening on TCP port 12345, which was previously closed. You can reproduce this with netcat: nc -l -p 12345.

    Here is what OSSEC HIDS reports in the /var/ossec/logs/alerts/alerts.log file. The new listener on port 12345 appears as the first line of the current output, and is absent from the previous output:

    ** Alert 1592072520.408: mail  - ossec,
    2020 Jun 13 18:22:00 tpvm->netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort
    Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
    ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort':
    tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:30085           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:31672           0.0.0.0:*               LISTEN
    tcp6       0      0 :::10250                :::*                    LISTEN
    tcp6       0      0 :::12865                :::*                    LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    tcp6       0      0 :::514                  :::*                    LISTEN
    tcp6       0      0 :::6443                 :::*
    Previous output:
    ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort':
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:30085           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:30335           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:31672           0.0.0.0:*               LISTEN
    tcp6       0      0 :::10250                :::*                    LISTEN
    tcp6       0      0 :::12865                :::*                    LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    tcp6       0      0 :::514                  :::*                    LISTEN
    tcp6       0      0 :::6443                 :::*                    LISTEN
    
    Note

    In general, any change to the set of listening services is important to understand from a security perspective, because a new service can represent a system compromise.
  3. In the second scenario, the packages of the underlying Ubuntu OS are updated. Perform this by running apt-get upgrade.

    Here is what OSSEC HIDS reports, again in the /var/ossec/logs/alerts/alerts.log file:

    ** Alert 1592073596.29116: mail  - syslog,dpkg,config_changed,
    2020 Jun 13 18:39:56 tpvm->/var/log/dpkg.log
    Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
    2020-06-13 18:39:56 status installed initramfs-tools:all 0.130ubuntu3.9
    
    ** Alert 1592073596.29360: mail  - syslog,dpkg,config_changed,
    2020 Jun 13 18:39:56 tpvm->/var/log/dpkg.log
    Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
    2020-06-13 18:39:56 status installed libc-bin:amd64 2.27-3ubuntu1
    
    ** Alert 1592073599.29598: mail  - syslog,dpkg,config_changed,
    2020 Jun 13 18:39:59 tpvm->/var/log/dpkg.log
    Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
    2020-06-13 18:39:57 status installed systemd:amd64 237-3ubuntu10.41
    
    Note

    Although upgrading OS packages is routine maintenance, it is an important verification that OSSEC HIDS alerts on every package upgrade. Newly installed packages are detected the same way, and in both cases knowing which packages are changing on the system provides useful security auditing data.
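    To turn alerts like the two above into something a monitoring pipeline can act on, here is an added example (not part of EFA or OSSEC) that parses alerts.log entries in the layout shown in both scenarios and, for rule 533, reports which listeners were opened or closed between the current and previous netstat snapshots. The sample log is constructed from trimmed copies of the alerts above.

```python
import re

RULE_RE = re.compile(r"Rule: (\d+) \(level (\d+)\) -> '(.*)'")

# Constructed sample: two alerts in the alerts.log layout shown above, trimmed.
SAMPLE_LOG = """** Alert 1592072520.408: mail  - ossec,
2020 Jun 13 18:22:00 tpvm->netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\\\1)' | sort
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\\\1)' | sort':
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\\\1)' | sort':
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:30335           0.0.0.0:*               LISTEN

** Alert 1592073596.29116: mail  - syslog,dpkg,config_changed,
2020 Jun 13 18:39:56 tpvm->/var/log/dpkg.log
Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
2020-06-13 18:39:56 status installed initramfs-tools:all 0.130ubuntu3.9
"""

def parse_alerts(text):
    """Split an alerts.log dump into dicts: id, groups, rule, level, description, body."""
    alerts = []
    for chunk in text.split("** Alert ")[1:]:
        lines = chunk.strip().splitlines()
        alert_id, rest = lines[0].split(":", 1)          # "<id>: [mail] - group1,group2,"
        groups = [g for g in rest.split("-", 1)[1].strip(" ,").split(",") if g]
        m = RULE_RE.search(lines[2])                     # line 1 is "date host->location"
        alerts.append({"id": alert_id, "groups": groups, "rule": int(m.group(1)),
                       "level": int(m.group(2)), "description": m.group(3),
                       "body": lines[3:]})               # everything after the Rule: line
    return alerts

def listeners(lines):
    """Set of 'proto local_address' entries from netstat -tan lines; other lines are ignored."""
    return {f"{f[0]} {f[3]}" for f in (ln.split() for ln in lines)
            if len(f) >= 4 and f[0].startswith(("tcp", "udp"))}

def listener_changes(alert):
    """For rule 533, diff the current against the previous snapshot -> (opened, closed)."""
    if alert["rule"] != 533 or "Previous output:" not in alert["body"]:
        return set(), set()
    idx = alert["body"].index("Previous output:")
    current, previous = listeners(alert["body"][:idx]), listeners(alert["body"][idx + 1:])
    return current - previous, previous - current

for a in parse_alerts(SAMPLE_LOG):
    print(a["rule"], a["level"], a["description"], listener_changes(a))
```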