OSSEC is a multiplatform, open source, and free Host Intrusion Detection System (HIDS). The OSSEC HIDS project is the current open source standard-bearer for host-based intrusion detection on Linux.
To install and use OSSEC HIDS with EFA, perform the following steps.
Installation of OSSEC requires a few packages to be installed on EFA to achieve a functioning OSSEC HIDS instance. Run the following to install the prerequisite packages:
# apt-get install libpcre2-dev libssl-dev zlib1g-dev libevent-dev build-essentials
# wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz # tar xvfz 3.6.0.tar.gz # cd ossec-hids-3.6.0 # ./install.sh # systemctl start ossec
At this point, OSSEC HIDS is running on EFA, and various real-time monitoring tasks are run. Log and alert
information is produced in the /var/ossec/logs
directory. Some example alerts are illustrated in the scenarios below.
netcat nc
-l -p 12345
.
Here is what OSSEC HIDS reports in the
/var/ossec/logs/alerts/alerts.log
file. The service is
bolded:
** Alert 1592072520.408: mail - ossec, 2020 Jun 13 18:22:00 tpvm->netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).' ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort': tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:30085 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:31672 0.0.0.0:* LISTEN tcp6 0 0 :::10250 :::* LISTEN tcp6 0 0 :::12865 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 :::514 :::* LISTEN tcp6 0 0 :::6443 :::* Previous output: ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \\1)' | sort': tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:30085 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:30335 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:31672 0.0.0.0:* LISTEN tcp6 0 0 :::10250 :::* LISTEN tcp6 0 0 :::12865 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 :::514 :::* LISTEN tcp6 0 0 :::6443 :::* LISTEN
Note
In general, any changes to the set of listening services is important to understand from a security perspective because new services can potentially represent a system compromise.apt-get upgrade
.
Here is what OSSEC HIDS reports again in the
/var/ossec/logs/alerts/alerts.log
file.
** Alert 1592073596.29116: mail - syslog,dpkg,config_changed, 2020 Jun 13 18:39:56 tpvm->/var/log/dpkg.log Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.' 2020-06-13 18:39:56 status installed initramfs-tools:all 0.130ubuntu3.9 ** Alert 1592073596.29360: mail - syslog,dpkg,config_changed, 2020 Jun 13 18:39:56 tpvm->/var/log/dpkg.log Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.' 2020-06-13 18:39:56 status installed libc-bin:amd64 2.27-3ubuntu1 ** Alert 1592073599.29598: mail - syslog,dpkg,config_changed, 2020 Jun 13 18:39:59 tpvm->/var/log/dpkg.log Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.' 2020-06-13 18:39:57 status installed systemd:amd64 237-3ubuntu10.41
Note
Although upgrading OS packages is a routine maintenance activity, it is an important verification step for OSSEC HIDS to alert on all package upgrades. Similarly, new packages are also detected by OSSEC HIDS, and in both cases, having an understanding of what packages are changing on the system provides useful security auditing data.