For those who have no idea what OSSEC is:
"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. A list with all supported platforms is available here."
They've also made it trivial to install, to the point where I just wrapped the process into a shell script that I can deploy automatically on my own systems or those of customers. This one is for CentOS Linux, but it could easily be modified to do a source build for other distros.
#!/bin/bash
# Install and enable the OSSEC HIDS server on CentOS using the Atomicorp repository.
log=/tmp/setup.log
# Fetch and run the Atomicorp repository installer (adds the yum repo).
wget -q -O atomicossec_installer.sh https://www.atomicorp.com/installers/atomic
chmod +x atomicossec_installer.sh
./atomicossec_installer.sh
# Install the OSSEC packages; stdout and stderr go to the log file.
yum -y install ossec-hids ossec-hids-server >> "$log" 2>&1
# Drop in your own pre-built ossec.conf template (see note 1).
cp -f ossec.conf.default /var/ossec/etc/ossec.conf
# Allow the server to receive raw syslog from other hosts (see note 2).
/var/ossec/bin/ossec-control enable client-syslog
/etc/init.d/ossec-hids start >> "$log" 2>&1
# Start OSSEC on boot.
chkconfig ossec-hids on
Notes:
1. ossec.conf.default is your own modified ossec.conf file, a template you want to reuse on multiple similar hosts. If you don't have one, ignore that line.
2. "/var/ossec/bin/ossec-control enable client-syslog" is necessary to allow the OSSEC server to collect raw syslog from other hosts. You will also need a section in your ossec.conf like the following in order to grant hosts/networks the permission to send them:
<remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.148.103</allowed-ips>
    <allowed-ips>192.168.1.0/24</allowed-ips>
    <port>514</port>
</remote>
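To check that an existing ossec.conf only grants syslog access to the hosts and networks you intended, here is an added example (not from the post or the OSSEC project) that parses the <remote> block above and flags entries that are invalid or too broad; the sample configurations and the /16 breadth threshold are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample conf fragments (not from a real host): the first mirrors
# the <remote> block from note 2, the second shows entries an audit should flag.
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.148.103</allowed-ips>
    <allowed-ips>192.168.1.0/24</allowed-ips>
    <port>514</port>
  </remote>
</ossec_config>"""

BROAD_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>0.0.0.0/0</allowed-ips>
    <allowed-ips>10.0.0.256</allowed-ips>
  </remote>
</ossec_config>"""

def audit_remote_syslog(conf_text, max_prefix_len=16):
    """Summarise every syslog <remote> listener in an ossec.conf string:
    normalised allowed networks, entries that are not valid addresses/networks,
    and entries broader than /max_prefix_len (0.0.0.0/0 lets any host send
    forged syslog to the server, so it should be flagged)."""
    root = ET.fromstring(conf_text)
    result = {"listeners": 0, "allowed": [], "invalid": [], "too_broad": []}
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue  # only audit the raw-syslog listeners from note 2
        result["listeners"] += 1
        for entry in remote.findall("allowed-ips"):
            text = (entry.text or "").strip()
            try:
                net = ipaddress.ip_network(text, strict=False)
            except ValueError:
                result["invalid"].append(text)
                continue
            result["allowed"].append(str(net))
            if net.prefixlen < max_prefix_len:
                result["too_broad"].append(str(net))
    return result

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("broad", BROAD_CONF)):
        print(name, audit_remote_syslog(conf))
```

Point it at the real file with audit_remote_syslog(open("/var/ossec/etc/ossec.conf").read()) and treat any non-empty "invalid" or "too_broad" list as something to fix before enabling the listener.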
3. For email alerts to work you'll need to modify the ossec.conf file to set the email_alerts value to "yes", and set a valid email address for it to send alerts to.
