OSSEC is a type of security application called a “host based intrusion detection system” (HIDS). It provides the following features:
- File integrity checking like aide and TripWire
- rootkit detection
- log analysis and alerting
- limited remediation
It uses a client/server architecture where agents on each host send data to a central server where it is analyzed and alerts are generated. I am testing it for use as a part of my core infrastructure. My goal is to have a robust security and monitoring infrastructure that proactively alerts me to potential problems. Big problems can have small symptoms so its important to watch the logs. Or, even better, have OSSEC watch them for you.
OSSEC is a powerful tool and I recommend it. I think its client server architecture is more secure than the host only approach that aide uses so I am using OSSEC as my primary file integrity monitor. Its rule based monitoring system is very flexible and can even be used to monitor processes. You could have it check the clamav scan results, for example, and have it alert you if it finds a virus. You could use to check the results of automated SCAP runs.
OSSEC’s power comes with complexity. Be prepared to invest a lot of time in this tool. I think that investment is worthwhile given the central role OSSEC can play in your security and monitoring architecture. One of the reasons I recommend it is that it comes with a large set of useful rules by default. OSSEC is pre-programmed to check for certain log signatures and generate appropriate events. If it were merely a rules and logging framework I would not be that positive.
I wish other open source projects would understand the key point: the tool is not important, the content is. Users need to solve real problems, real business problems. They want a solution that will directly solve them as quickly and easily as possible. The tool doesn’t matter, solving the problems does. I hope the automated CM tool vendors will soon understand that their tools are just commodities, it’s the roles/cookbooks that really count. But I digress.
OSSEC’s primary documentation is, as expected, terrible. Fortunately there is decent secondary documentation in the form of two books: OSSEC Host-Based Intrusion Detection Guide and Instant OSSEC Host-based Intrusion Detection System. I bought them both. I recommend you do so as well if you are serious about OSSEC.
When you first install OSSEC you will get a lot of alerts. They will report every odd thing that is happening on your servers. This is useful because it exposes small problems that you wouldn’t otherwise see. Still, you will want to customize these default alerts so you are not overwhelmed.
I have developed ossec-client and ossec-server roles for Ansible and will post them as soon as they are ready. Installing OSSEC has a few gotchas that I still have to work out.
I am also designing my overall logging and monitoring architecture. I am unsure where exactly OSSEC fits in. I intend to use a central syslog server and Elasticsearch for log storage. I just haven’t figured out yet how to wire all the components together.