CentOS 6 Setup Guide

HIDS

A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system as well as (in some cases) the network packets on its network interfaces (just like a network-based intrusion detection system (NIDS) would do). Source: http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system

Installing OSSEC HIDS

OSSEC is an open source host-based intrusion detection system. It monitors log files, checks the integrity of files, parses firewall messages and checks for rootkits - a real winner.

Issue the following commands to install it on your machine:

cd /usr/local/src
wget http://www.ossec.net/files/ossec-hids-2.7.1.tar.gz
tar -xzvf ossec-hids-2.7.1.tar.gz

then change into the unpacked directory and run the installer:

cd ossec-hids-2.7.1
./install.sh

Answer the prompts as follows (a "local" installation monitors only this host, with no agents or server):

What kind of installation do you want? local
Choose where to install the OSSEC HIDS: /usr/local/ossec
Do you want e-mail notification? y
What's your e-mail address? root@localhost
What's your SMTP server ip/host? localhost
Do you want to run the integrity check daemon?: y
Do you want to run the rootkit detection engine?: y
Do you want to enable active response?: y
Do you want to enable the firewall-drop response?: y
Do you want to add more IPs to the white list?: y
IPs (space separated): 127.0.0.1 ::1

To start the OSSEC daemons on startup, issue:

chkconfig ossec on
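The same answers can be fed to install.sh non-interactively, which keeps repeated installs identical across hosts. The script below is an added example, not part of the original guide or of OSSEC itself: it writes the guide's answers into the etc/preloaded-vars.conf file that OSSEC's installer reads from the unpacked source tree (the variable names are the ones documented in that file; I assume they match the 2.7.1 release), and it checks that every management address you rely on really landed in the active-response white list, since a missing entry there is how firewall-drop locks an administrator out.

```shell
#!/bin/sh
# Added example: generate etc/preloaded-vars.conf for an unattended
# "local" OSSEC install with the answers used in the guide above.
# Run from the unpacked source tree, e.g. /usr/local/src/ossec-hids-2.7.1.
write_preloaded_vars() {
    out="$1"         # destination, normally ./etc/preloaded-vars.conf
    whitelist="$2"   # space-separated IPs that active response must never block
    cat > "$out" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="local"
USER_DIR="/usr/local/ossec"
USER_ENABLE_EMAIL="y"
USER_EMAIL_ADDRESS="root@localhost"
USER_EMAIL_SMTP="localhost"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_FIREWALL_RESPONSE="y"
USER_WHITE_LIST="$whitelist"
EOF
}

# Return 0 only if every address given as an argument appears in the
# USER_WHITE_LIST line of the generated file. Whole-word match, so
# 10.0.0.5 does not satisfy a check for 10.0.0.50.
whitelist_ok() {
    file="$1"; shift
    listed=$(sed -n 's/^USER_WHITE_LIST="\(.*\)"$/\1/p' "$file")
    for ip in "$@"; do
        case " $listed " in
            *" $ip "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage (uncomment in the source tree, then run ./install.sh):
# write_preloaded_vars ./etc/preloaded-vars.conf "127.0.0.1 ::1"
# whitelist_ok ./etc/preloaded-vars.conf 127.0.0.1 ::1 || exit 1
```

With USER_NO_STOP set the installer also skips its "press ENTER to continue" pauses, so review the generated file before running install.sh.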

OSSEC is really powerful. Make sure you study the documentation carefully. Once you get into writing your own rules and decoders, no limits exist. If you prefer printed books over online docs, I can highly recommend this book: http://www.packtpub.com/ossec-host-based-intrusion-detection-system/book

Adding OSSEC to the PATH

To access the OSSEC binaries without having to define the full path every time, we can add its binary directory to our $PATH variable:

nano ~/.bash_profile

and put:

# include OSSEC binaries in PATH
export PATH=$PATH:/usr/local/ossec/bin

at the very end of it.

Enabling log rotation

When compiled from source, OSSEC doesn't ship a logrotate configuration file. The package from the Atomic repository contains one with the content below; create it by hand:

nano /etc/logrotate.d/ossec

/usr/local/ossec/logs/active-responses.log {
    missingok
    notifempty
}

/usr/local/ossec/logs/ossec.log {
    create 0664 ossec ossec
    missingok
    notifempty
}