Monday, April 5, 2010

Installing OSSEC

After hearing some great reviews about OSSEC I have decided to give it a go.  From what I have seen so far it is very flexible and can feed its alerts to databases, syslog servers, Splunk, and more.  OSSEC is a HIDS (host-based intrusion detection system), so it offers file integrity checking, rootkit detection, log analysis, real-time alerts, active responses, and more.  I did a basic local installation, although you can set OSSEC up in the client/server model and have all your agents report back to a central server.  Here are the steps for the install:

Download files
wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
wget http://www.ossec.net/files/ossec-hids-latest_sum.txt

Check the MD5 or SHA1 against the published sum file to make sure the download is intact (don't skip this!!).  Note that the sum file comes over plain HTTP from the same host as the tarball, so this catches a corrupted or truncated download; it does not protect you if that server itself has been tampered with.
md5sum ossec-hids-latest.tar.gz
cat ossec-hids-latest_sum.txt

Extract the files from the tar
tar zxvf ossec-hids-latest.tar.gz

Cd into the directory and run the installer **
cd ossec-hids-latest/
./install.sh

If you are doing a server install rather than a local one, the agents talk to the server on UDP port 1514, so open that port on the server.  On RHEL/CentOS this goes in /etc/sysconfig/iptables; note that the match module has to agree with the protocol, so it is -m udp, not -m tcp:
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1514 -j ACCEPT

Start the service
/var/ossec/bin/ossec-control start

**Before you run the installer you need a C compiler installed, such as gcc, because install.sh builds OSSEC from source.
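The steps above as one script, so the install stops dead if the checksums do not match.  This is an added example, not code from the original post or from the OSSEC project.  It assumes GNU coreutils md5sum/sha1sum, the URLs and paths from the post, and that the sum file carries the MD5 and SHA1 digests as plain hex somewhere in its text (the "MD5(name)= hex" layout used in the self-test is an assumption too).  The real install function only runs when asked, since it needs network access and root.

```shell
#!/bin/sh
# Added example (not from the original post): the install steps as one
# script that refuses to go on if the checksums do not match.
# Assumptions: GNU coreutils md5sum/sha1sum are present; the sum file publishes
# the MD5 and SHA1 digests as plain hex somewhere in its text (its exact
# layout is not relied on); the URLs and paths are the ones from the post.

# hex_tokens FILE
# Print every run of 32 or 40 hex characters in FILE, one per line, lower-cased.
# Labels, filenames and "=" signs are discarded, so the sum file layout
# does not matter.
hex_tokens() {
    tr -c '0-9a-fA-F' '\n' < "$1" | tr 'A-F' 'a-f' \
        | grep -E '^[0-9a-f]{32}$|^[0-9a-f]{40}$' || true
}

# verify_sums TARBALL SUMFILE
# 0 if both the MD5 and the SHA1 of TARBALL appear in SUMFILE,
# 1 on a mismatch, 2 if either file is missing.
verify_sums() {
    tarball=$1
    sumfile=$2
    [ -f "$tarball" ] && [ -f "$sumfile" ] || return 2
    local_md5=$(md5sum "$tarball" | cut -d' ' -f1)
    local_sha1=$(sha1sum "$tarball" | cut -d' ' -f1)
    published=$(hex_tokens "$sumfile")
    printf '%s\n' "$published" | grep -qxF "$local_md5" \
        || { echo "MD5 mismatch for $tarball" >&2; return 1; }
    printf '%s\n' "$published" | grep -qxF "$local_sha1" \
        || { echo "SHA1 mismatch for $tarball" >&2; return 1; }
    return 0
}

# install_ossec
# The post's procedure, chained so the first failure stops everything.
# Needs network access and root; only run on request (see bottom of file).
install_ossec() {
    command -v gcc >/dev/null 2>&1 \
        || { echo "install a C compiler (gcc) first; install.sh builds from source" >&2; return 1; }
    wget http://www.ossec.net/files/ossec-hids-latest.tar.gz &&
    wget http://www.ossec.net/files/ossec-hids-latest_sum.txt &&
    verify_sums ossec-hids-latest.tar.gz ossec-hids-latest_sum.txt &&
    tar zxvf ossec-hids-latest.tar.gz &&
    cd ossec-hids-latest/ &&
    ./install.sh &&
    /var/ossec/bin/ossec-control start
}

# selftest_verify
# Offline check with a constructed tarball and a constructed sum file (the
# "MD5(name)= hex" / "SHA1(name)= hex" layout is an assumption): the genuine
# file must pass and a tampered copy must fail. Returns 0 when both hold.
selftest_verify() {
    dir=$(mktemp -d) || return 2
    tb=$dir/ossec-hids-latest.tar.gz
    sf=$dir/ossec-hids-latest_sum.txt
    printf 'constructed sample, not a real tarball\n' > "$tb"
    {
        printf 'MD5(ossec-hids-latest.tar.gz)= %s\n'  "$(md5sum  "$tb" | cut -d' ' -f1)"
        printf 'SHA1(ossec-hids-latest.tar.gz)= %s\n' "$(sha1sum "$tb" | cut -d' ' -f1)"
    } > "$sf"
    verify_sums "$tb" "$sf" || { rm -rf "$dir"; return 1; }
    printf 'one extra byte changes both digests\n' >> "$tb"
    if verify_sums "$tb" "$sf" 2>/dev/null; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}

# Usage: sh ossec-install.sh selftest   (offline check of verify_sums)
#        sh ossec-install.sh install    (fetch, verify, build, start)
case "${1:-}" in
    selftest) selftest_verify && echo "verify_sums OK" ;;
    install)  install_ossec ;;
esac
```

verify_sums accepts the tarball if its digests appear anywhere in the sum file, which also works when the file lists several releases; what it cannot do is tell you the sum file itself is genuine, for the reason given above.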

That's all there is to it!  You should see the service start successfully and the monitoring will begin.  My recommendation from here is to look through /var/ossec/logs/ to see what the system is reporting, and through /var/ossec/etc to adjust the configuration files as you see fit.  There are bound to be directories and files that you don't want monitored because they change so frequently.  Currently I'm using this on my Apache servers, which sit in the DMZ, so it's good to see the reporting from OSSEC as well as the firewall rules you can tune within the program through its active responses.
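For the "see what the system is reporting" step, here is a small triage script that pulls everything at or above a chosen alert level out of alerts.log.  It is an added example, not code from the original post or from OSSEC.  It assumes the OSSEC 2.x alerts.log layout, where each alert carries a line of the form Rule: <id> (level <n>) -> '<description>'; the sample alerts it embeds are constructed, with made-up hostnames, addresses and timestamps.

```shell
#!/bin/sh
# Added example (not from the original post): a first pass over
# /var/ossec/logs/alerts/alerts.log that pulls out everything at or above a
# chosen alert level. It keys on the "Rule: <id> (level <n>) -> '<description>'"
# line OSSEC writes for each alert; that layout and the sample below are
# assumptions from the 2.x alerts.log format, not taken from the post.

# high_alerts FILE MINLEVEL
# Print one line per alert at level >= MINLEVEL: "level<TAB>rule id<TAB>description".
high_alerts() {
    awk -v min="$2" -v q="'" '
        /^Rule: [0-9]+ \(level [0-9]+\)/ {
            rule = $2                       # rule id
            lvl  = $4; sub(/\)/, "", lvl)   # strip the closing paren from the level
            i = index($0, q)                # description sits between the quotes
            desc = substr($0, i + 1); sub(q "$", "", desc)
            if (lvl + 0 >= min + 0) printf "%s\t%s\t%s\n", lvl, rule, desc
        }' "$1"
}

# count_high FILE MINLEVEL
# Number of alerts at level >= MINLEVEL (a quick daily "anything at 7+?" check).
count_high() {
    high_alerts "$1" "$2" | wc -l | tr -d ' '
}

# write_sample_alerts FILE
# Constructed alerts.log excerpt (four alerts at levels 3, 5, 10 and 7) for the
# offline demonstration; hostnames, addresses and timestamps are made up.
write_sample_alerts() {
    cat > "$1" <<'EOF'
** Alert 1270500001.0: - pam,syslog,authentication_success,
2010 Apr 05 09:00:01 www1->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Apr  5 09:00:01 www1 sshd[2001]: pam_unix(sshd:session): session opened for user admin by (uid=0)

** Alert 1270500002.1: - syslog,sshd,authentication_failed,
2010 Apr 05 09:00:02 www1->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.9
Apr  5 09:00:02 www1 sshd[2002]: Failed password for root from 203.0.113.9 port 40001 ssh2

** Alert 1270500003.2: - syslog,sshd,authentication_failures,
2010 Apr 05 09:00:30 www1->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.9
Apr  5 09:00:30 www1 sshd[2009]: Failed password for root from 203.0.113.9 port 40008 ssh2

** Alert 1270500004.3: - ossec,syscheck,
2010 Apr 05 09:05:00 www1->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/httpd/conf/httpd.conf'
EOF
}

# Usage: sh ossec-triage.sh demo                               (constructed sample)
#        sh ossec-triage.sh /var/ossec/logs/alerts/alerts.log 7  (real log, level 7+)
case "${1:-}" in
    "") ;;
    demo)
        tmp=$(mktemp)
        write_sample_alerts "$tmp"
        echo "alerts at level 7 or higher: $(count_high "$tmp" 7)"
        high_alerts "$tmp" 7
        rm -f "$tmp"
        ;;
    *)  high_alerts "$1" "${2:-7}" ;;
esac
```

Run with demo to see it pick the level 10 and level 7 alerts out of the sample and skip the two lower ones; point it at the real alerts.log with a level to do the same on your own box.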

3 comments:

  1. I just went through exactly the same exercise as you yesterday. Installed ossec server on a Linux VM and put agents on all of my Windows and Linux systems. One recommendation: ossec-wui for viewing and searching the results.

    First thing I'm adding to my to-do list every morning: review Level 7 and greater events.

    This is a great product and a MUST if you want to know what's going on in your network.

    Good post.

  2. Thanks.

    I actually saw ossec-wui and would recommend it for anyone who likes GUI or web reports. I didn't include it however because all my logs are parsed by custom scripts I've written.

    Writing an ossec-wui isn't hard with a little practice.

  3. How does OSSEC check the system log files, and how can we get an idea about that?
