OSSEC HIDS is an open-source host-based intrusion detection system: it performs log analysis, file integrity checking (syscheck), rootkit detection (rootcheck), real-time alerting and active response on the host it monitors. Its configuration can be extended for the scenario at hand, and integration with monitoring platforms such as OSSIM, Splunk, or ELK is relatively simple because alerts are written to plain-text log files and can also be forwarded via syslog.
This guide covers the installation and basic usage of OSSEC HIDS version 3.3.0.
Installation#
Download and Extract#
Download the source code and uncompress it:
wget https://github.com/ossec/ossec-hids/archive/3.3.0.tar.gz
tar -zxvf 3.3.0.tar.gz
cd ossec-hids-3.3.0
Install Dependencies#
The following development packages are required to compile OSSEC 3.3.0 from source. Package names differ between Debian and Red Hat based systems; OSSEC 3.x needs zlib, pcre2, libevent (used by ossec-remoted) and OpenSSL (used by ossec-authd) headers, plus a C toolchain.
For Debian/Ubuntu:#
apt install build-essential libpcre2-dev zlib1g-dev libevent-dev libssl-dev
For CentOS/Red Hat:#
yum install gcc make pcre2-devel zlib-devel libevent-devel openssl-devel
Configure Build Environment#
Export the following variable so the build links against the system pcre2 library instead of compiling the bundled copy. It must be exported (or placed on the same command line as install.sh); a plain assignment on its own line is not inherited by the installer:
export PCRE2_SYSTEM=yes
Run Installation Script#
Inside the OSSEC folder, run the install.sh script:
./install.sh
During the installation process:
- Choose your preferred language for the installer and press enter
- Press enter again to continue
- For a standalone installation (as shown in this example), select “local”
- Leave all other options as they are shown by default
- If email notifications are required, configure an email account and SMTP settings
- If email notifications are not required, simply type “N” and continue
Once the compilation is finished, OSSEC will be installed under /var/ossec.
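The interactive steps above can be scripted. The installer reads its answers from etc/preloaded-vars.conf inside the source tree, which is what makes a repeatable, unattended build possible. The script below is an added example and is not part of the OSSEC project or the original page: it fetches the 3.3.0 tarball from the URL used in this guide, refuses to proceed unless the archive matches a SHA-256 value you fill in from the upstream release page (EXPECTED_SHA256 is deliberately left empty here), writes an answer file for a standalone "local" install with e-mail disabled, and runs install.sh with PCRE2_SYSTEM exported.

```shell
#!/bin/sh
# Added example (not OSSEC project code): unattended local install of OSSEC HIDS 3.3.0.
# Assumptions: tarball URL from the guide; EXPECTED_SHA256 must be filled in from the
# upstream release page before use (empty means "refuse to install"); root privileges.
set -eu

OSSEC_VERSION="3.3.0"
OSSEC_URL="https://github.com/ossec/ossec-hids/archive/${OSSEC_VERSION}.tar.gz"
EXPECTED_SHA256=""   # fill in from the release page; left empty on purpose

# verify_tarball FILE EXPECTED_HASH: return 0 only if the SHA-256 matches.
# An empty expected hash is treated as a failure so an unset value cannot
# silently skip the check.
verify_tarball() {
    file="$1"
    expected="$2"
    [ -n "$expected" ] || { echo "no expected checksum configured" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# write_preloaded_vars SRCDIR: create the installer answer file. The variable
# names are those used by the installer's own etc/preloaded-vars.conf template;
# USER_NO_STOP suppresses the "press enter to continue" prompts.
write_preloaded_vars() {
    srcdir="$1"
    cat > "$srcdir/etc/preloaded-vars.conf" <<'EOF'
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="local"
USER_DIR="/var/ossec"
USER_ENABLE_EMAIL="n"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_AUTO_START="y"
EOF
}

# install_ossec: download, verify, unpack, answer file, build and install.
install_ossec() {
    workdir=$(mktemp -d)
    tarball="$workdir/ossec-hids-${OSSEC_VERSION}.tar.gz"
    wget -O "$tarball" "$OSSEC_URL"
    verify_tarball "$tarball" "$EXPECTED_SHA256"
    tar -zxf "$tarball" -C "$workdir"
    srcdir="$workdir/ossec-hids-${OSSEC_VERSION}"
    write_preloaded_vars "$srcdir"
    export PCRE2_SYSTEM=yes        # link against the system pcre2, as in the guide
    (cd "$srcdir" && ./install.sh)
}

# Only run the real installation when invoked as: sh this_script.sh install
if [ "${1:-}" = "install" ]; then
    install_ossec
fi
```

Running the script with any other argument (or none) only defines the functions, so verify_tarball and write_preloaded_vars can be exercised on their own before touching a production host.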
Usage#
Starting, Stopping, and Restarting OSSEC#
OSSEC is controlled with the ossec-control script in the installation's bin directory:
cd /var/ossec/bin
Then run the control command with the desired action:
./ossec-control [start|restart|stop|status]
Replace [start|restart|stop|status] with the appropriate action:
- start: start all OSSEC daemons
- restart: stop and start all OSSEC daemons (use this after editing /var/ossec/etc/ossec.conf so the new configuration is loaded)
- stop: stop all OSSEC daemons
- status: print one line per daemon reporting whether it is running; check this after a start to confirm that ossec-analysisd, ossec-logcollector and ossec-syscheckd came up
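For unattended hosts it is useful to turn the status output into a pass/fail check rather than reading it by eye. The wrapper below is an added example, not part of OSSEC or the original page: it parses the "<daemon> is running..." / "<daemon> not running..." lines that ossec-control status prints, ignores one daemon that is expected to be down (ossec-maild when e-mail notifications were disabled during installation, as in this guide), and returns non-zero if anything else is stopped. The default prefix /var/ossec and the sample status output are assumptions; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not OSSEC project code): fail when any OSSEC daemon is down.
# Assumes the default prefix /var/ossec and the line format printed by
# "ossec-control status": "<daemon> is running..." or "<daemon> not running...".
OSSEC_BIN="${OSSEC_BIN:-/var/ossec/bin}"
# Daemon that is legitimately stopped on this host: ossec-maild when e-mail
# notifications were declined at install time. Override via the environment.
IGNORE_DAEMON="${IGNORE_DAEMON:-ossec-maild}"

# daemons_not_running: read status output on stdin, print the names of daemons
# reported as not running (except the ignored one), return 1 if any were found.
daemons_not_running() {
    down=$(awk -v ign="$IGNORE_DAEMON" '/ not running/ && $1 != ign { print $1 }')
    if [ -n "$down" ]; then
        printf '%s\n' "$down"
        return 1
    fi
    return 0
}

# check_ossec: run the real status command and feed it to the parser.
# Exit status 1 means at least one monitored daemon is stopped.
check_ossec() {
    "$OSSEC_BIN/ossec-control" status | daemons_not_running
}

# Constructed sample output (not from a real host) showing one unexpected
# failure (ossec-syscheckd) and one expected one (ossec-maild):
SAMPLE_STATUS='ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted not running...
ossec-syscheckd not running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...'

# Usage on a live host: sh this_script.sh live
if [ "${1:-}" = "live" ]; then
    if check_ossec >/dev/null; then
        echo "all OSSEC daemons running"
    else
        echo "OSSEC daemon(s) down" >&2
        exit 1
    fi
fi
```

Note that in the constructed sample ossec-remoted is also reported as stopped; on a "local" installation (no agents) remoted is not started, so on such hosts you would add it to the ignore logic rather than page on it.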