
OSSEC for Website Security: Logs and Integrity Monitoring

OSSEC HIDS (Host Intrusion Detection System) was originally developed by Daniel Cid, one of our founders. Many of our internal installations utilize a custom version that has been branched off from the community releases. This guide will provide an overview of OSSEC and dive into configurations to effectively log website activities and manage file integrity.

Introduction to OSSEC

OSSEC is a daemon-based tool that runs on Windows, Linux, and most modern operating systems. It operates entirely via the command line, making it ideal for those who prefer efficiency over graphical interfaces. Once you’re familiar with the basics, you’ll find that using the command line speeds up configurations and management.

Key Installation Paths

Here are some important directories to know after installing OSSEC:

Path                  Description
/var/ossec/           Default installation directory
/var/ossec/bin/       OSSEC modules and utilities
/var/ossec/logs/      Logs: not just alerts, but also OSSEC's own system logs for troubleshooting
/var/ossec/etc/       Configuration files (e.g., ossec.conf)

Configuring OSSEC to Monitor Website Logs

Correctly configuring OSSEC is crucial for effective monitoring. By default, OSSEC monitors only a few system logs:

<location>/var/log/messages</location>
<location>/var/log/secure</location>
<location>/var/log/maillog</location>
<location>/var/log/httpd/access_log</location>
<location>/var/log/httpd/error_log</location>

To extend monitoring to your website logs, you need to update the ossec.conf file with the paths of your log files.

Using util.sh for Easy Log Configuration

If you have multiple logs to add, the util.sh utility simplifies the process. For instance, if you want to monitor /var/log/httpd/somesite.access_log, use:

/var/ossec/bin/util.sh addfile /var/log/httpd/somesite.access_log

This will automatically append the following to your configuration:

<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/somesite.access_log</location>
</localfile>

Repeat this process for each log file you wish to monitor, including error logs.

Finding Other Logs to Monitor

If you’re unsure which logs exist on your system, use the following commands:

find / -name "*.log" -type f | grep -v "/var/ossec/"

Or, to see currently active logs:

lsof | grep log | grep -v ".so" | egrep -v "ossec|proc|dev"

Once done, restart OSSEC to apply your changes:

/var/ossec/bin/ossec-control restart

Configuring File Integrity Monitoring

The real strength of OSSEC lies in its ability to detect unauthorized changes to your files and directories. This is especially crucial for websites, which are common targets for attackers attempting to deploy malware.

Updating ossec.conf for Integrity Checks

All integrity-related configurations are made in the ossec.conf file. Here’s an example of the default syscheck section:

<!-- Run syscheck every 22 hours -->
<frequency>79200</frequency>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>

We recommend scanning more often (a lower frequency value) and enabling real-time monitoring:

<!-- Run syscheck every 4 hours -->
<frequency>14400</frequency>
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
<directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">/var/www/html</directories>
<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
<auto_ignore>no</auto_ignore>

This configuration enables real-time monitoring and, for the web root, limits notifications to changes in critical files such as .php, .html, .js, and .htaccess. The restrict pattern reduces noise by ignoring non-critical files such as images or text files.

Enhancing New File Alerts

By default, OSSEC does not alert on newly added files, which can lead to missing critical events: even with alert_new_files enabled, the rule that receives those events (rule 554) fires at level 0, so no alert is generated. To enable alerting, override the rule in the local_rules.xml file rather than editing the default ossec_rules.xml, which may be overwritten during updates.

Here’s the default rule:

<rule id="554" level="0">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck</group>
</rule>

Modify it in local_rules.xml as follows:

<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<match>/var/www/html/</match>
<description>New file added to the website directory.</description>
<group>syscheck</group>
</rule>

By increasing the alert level and specifying the directories to monitor, you can reduce unnecessary alerts while still being notified of critical changes.
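As an added example (not part of OSSEC or this article), the following script audits an ossec.conf and a local_rules.xml against the settings described above: the website log entries, the syscheck frequency, real-time monitoring of the web root, alert_new_files, and the rule 554 override. The configuration text it parses is constructed inline; the paths and the 4-hour threshold are the ones from this guide.

```python
# Added example (not part of OSSEC or this article): audits ossec.conf and
# local_rules.xml against the settings recommended above. The config text
# it parses is constructed inline; path and threshold values are the guide's.
import xml.etree.ElementTree as ET

def parse_ossec_xml(text):
    # ossec.conf may contain several top-level <ossec_config> blocks, so it is
    # not a single-rooted XML document: wrap it in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")

def audit_ossec_conf(conf_text, website_logs, web_root="/var/www/html"):
    """Return a list of findings; an empty list means the guide's settings are present."""
    root, findings = parse_ossec_xml(conf_text), []
    monitored = {lf.findtext("location") for lf in root.iter("localfile")}
    findings += ["log not monitored: " + p for p in website_logs if p not in monitored]
    for sc in root.iter("syscheck"):
        freq = sc.findtext("frequency")
        if freq is None or int(freq) > 14400:  # guide recommends 4 hours
            findings.append("syscheck frequency missing or above 4 hours: %s" % freq)
        if sc.findtext("alert_new_files") != "yes":
            findings.append("alert_new_files is not enabled")
        web = [d for d in sc.findall("directories")
               if web_root in [p.strip() for p in (d.text or "").split(",")]]
        if not web:
            findings.append("web root not in syscheck: " + web_root)
        elif any(d.get("realtime") != "yes" for d in web):
            findings.append('web root monitored without realtime="yes"')
    return findings

def audit_local_rules(rules_text):
    """Check that rule 554 is overridden so new-file events actually alert."""
    for rule in parse_ossec_xml(rules_text).iter("rule"):
        if rule.get("id") == "554":
            if rule.get("overwrite") != "yes":
                return ['rule 554 redefined without overwrite="yes"']
            if int(rule.get("level", "0")) == 0:
                return ["rule 554 still at level 0: new files never alert"]
            return []
    return ["rule 554 not overridden in local_rules.xml"]

# Constructed sample resembling the default configuration shown above.
DEFAULT_CONF = """<ossec_config><syscheck><frequency>79200</frequency>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories></syscheck>
<localfile><log_format>apache</log_format>
<location>/var/log/httpd/access_log</location></localfile></ossec_config>"""

if __name__ == "__main__":
    for finding in audit_ossec_conf(DEFAULT_CONF, ["/var/log/httpd/somesite.access_log"]):
        print("-", finding)
```

Run it against the default sample and it reports four gaps; against a configuration with the settings above and the rule override it returns no findings.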


Leveraging OSSEC with a Log Management Platform

Once OSSEC is configured, you can send logs to a centralized log management platform, such as Trunc, for better visualization and analysis. This helps streamline the monitoring process, allowing you to quickly detect and respond to potential security threats.


By properly configuring OSSEC to monitor logs and track file integrity, you can significantly enhance the security of your website and stay ahead of potential threats. The configurations shared here are just the beginning—tailor them further to fit your specific needs and environment.

Updated on November 13, 2024