Overview

OSSEC is a full platform to monitor and control your systems. It combines all the aspects of
HIDS (host-based intrusion detection), log monitoring and SIM/SIEM in a simple, powerful and
open source solution.

Key Benefits

Compliance Requirements

OSSEC helps customers meet specific compliance requirements such as PCI DSS and HIPAA. It lets
customers detect and alert on unauthorized file system modifications and on malicious behavior
recorded in the log files of COTS products as well as custom applications. For PCI DSS, it covers
the requirements for file integrity monitoring, log inspection and monitoring, and policy
enforcement/checking.

Multi platform

OSSEC lets customers implement a comprehensive host-based intrusion detection system with
fine-grained, application- and server-specific policies across multiple platforms such as Linux,
Solaris, AIX, BSD, Windows, Mac OS X and VMware ESX.

 
Real-time and configurable alerts

OSSEC lets customers configure which incidents they want to be alerted on, so they can raise the
priority of critical incidents above the regular noise on any system. Integration with SMTP, SMS
and syslog lets customers stay on top of alerts by forwarding them to e-mail and to handheld
devices such as cell phones and pagers. Active response options to block an attack immediately
are also available.

Integration with current infrastructure

OSSEC integrates with customers' existing investments such as SIM/SEM (Security Information
Management / Security Event Management) products for centralized reporting and correlation of
events.

Centralized management

OSSEC provides a simplified centralized management server to manage policies across multiple
operating systems. It also lets customers define server-specific overrides for finer-grained
policies.

Agent and agentless monitoring

OSSEC offers the flexibility of agent-based and agentless monitoring of systems and of networking
components such as routers and firewalls. This lets customers who have restrictions on software
being installed on their systems still meet security and compliance needs.

Key Features

File integrity checking

One thing is common to any attack on your networks and computers: it changes your systems in
some way. The goal of file integrity checking (or FIM, file integrity monitoring) is to detect
these changes and alert you when they happen. Whether it is an attack, misuse by an employee or
even a typo by an admin, any file, directory or registry change is reported to you.
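The following is an added example, written for this page and not OSSEC's own syscheck code, of the mechanism the paragraph describes: take a baseline of every regular file (content hash, size, permission bits, owner), rescan later, and report what changed. The `demo()` scenario, its file names and contents are constructed for the example; the attributes checked are the ones a FIM tool such as syscheck tracks.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example (not OSSEC's syscheck code): a minimal file integrity check in
# the spirit of syscheck. A baseline records a content hash plus size, permission
# bits and owner for each regular file; a later scan is diffed against it so
# that edits, permission changes, new files and deletions all surface as events.


@dataclass(frozen=True)
class Entry:
    sha256: str
    size: int
    mode: int  # permission bits only (S_IMODE), not the file type
    uid: int
    gid: int


def hash_file(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root: str) -> Dict[str, Entry]:
    """Record an Entry per regular file under root, keyed by relative path.

    lstat is used so a symlink is never followed: a link pointing at a sensitive
    file must not make this code hash the target as if it were inside root.
    """
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and device nodes are out of scope here
            rel = os.path.relpath(path, root)
            baseline[rel] = Entry(hash_file(path), st.st_size,
                                  stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return baseline


def diff(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> List[Tuple[str, str, str]]:
    """Return (event, path, changed_fields) tuples; event is added/deleted/modified."""
    events: List[Tuple[str, str, str]] = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append(("added", rel, ""))
        elif new is None:
            events.append(("deleted", rel, ""))
        elif old != new:
            changed = [f for f in ("sha256", "size", "mode", "uid", "gid")
                       if getattr(old, f) != getattr(new, f)]
            events.append(("modified", rel, ",".join(changed)))
    return events


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario in a throwaway directory: one edit, one chmod, one add, one delete."""
    with tempfile.TemporaryDirectory() as root:
        files = {"passwd": b"root:x:0:0::/root:/bin/sh\n",
                 "hosts": b"127.0.0.1 localhost\n",
                 "sudoers": b"root ALL=(ALL) ALL\n"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        os.chmod(os.path.join(root, "sudoers"), 0o440)
        before = scan(root)

        with open(os.path.join(root, "passwd"), "ab") as fh:
            fh.write(b"backdoor:x:0:0::/:/bin/sh\n")     # content edit: hash and size change
        os.chmod(os.path.join(root, "sudoers"), 0o666)   # same bytes, only the mode changes
        with open(os.path.join(root, "ld.so.preload"), "wb") as fh:
            fh.write(b"/tmp/libhook.so\n")                 # new file
        os.remove(os.path.join(root, "hosts"))             # deleted file
        return diff(before, scan(root))


if __name__ == "__main__":
    for event, path, detail in demo():
        print(f"{event:9} {path} {detail}")
```

The `sudoers` case is the one worth noticing: its bytes are identical before and after, so a hash-only checker would stay silent, yet a world-writable sudoers is exactly the kind of change FIM exists to catch. Comparing mode and owner alongside the hash is what makes the check useful.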

Log monitoring

Your operating system wants to speak to you, but do you know how to listen? Every operating
system, application and device on your network generates logs (events) to let you know what is
happening. OSSEC collects, analyzes and correlates these logs to let you know if something
wrong is going on (an attack, misuse, errors, etc.).
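The collect/analyze/correlate pipeline above can be shown in a few dozen lines. What follows is an added example written for this page, not OSSEC's rule engine: a decoder that extracts fields from sshd "Failed password" lines, a single-event rule that raises a low-level alert for each failure, and a frequency rule that raises a high-level alert once one source IP fails enough times inside a time window (the `frequency`/`timeframe` idea OSSEC rules use). The threshold values, alert levels and the sample log lines are constructed for the example, and the year assumed for the syslog timestamps is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Added example (not OSSEC's rule engine): a tiny decoder-plus-rules pipeline
# that mirrors how OSSEC handles a syslog line. A decoder pulls fields out of
# sshd "Failed password" lines, a single-event rule raises a low-level alert for
# every failure, and a frequency rule raises a high-level alert once one source
# IP fails `frequency` times within `timeframe` seconds. Thresholds, levels and
# the log lines below are constructed for the example.

SSHD_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def decode(line: str) -> Optional[Dict[str, str]]:
    """Decoder: return the extracted fields, or None if the line is not an sshd failure."""
    match = SSHD_FAILED.match(line)
    return match.groupdict() if match else None


def parse_syslog_time(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; one is assumed so time deltas can be computed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class Correlator:
    """Per-source-IP sliding window, the core of a frequency rule."""

    def __init__(self, frequency: int = 5, timeframe: int = 120) -> None:
        self.frequency = frequency
        self.timeframe = timeframe
        self.windows: Dict[str, Deque[datetime]] = defaultdict(deque)

    def feed(self, line: str) -> List[Tuple[int, str]]:
        """Run one line through decoder and rules; return (level, message) alerts."""
        fields = decode(line)
        if fields is None:
            return []  # no decoder matched; a real engine would try its other decoders
        alerts = [(5, f"sshd: failed password for {fields['user']} from {fields['srcip']}")]
        now = parse_syslog_time(fields["ts"])
        window = self.windows[fields["srcip"]]
        window.append(now)
        while window and (now - window[0]).total_seconds() > self.timeframe:
            window.popleft()  # forget failures older than the timeframe
        if len(window) >= self.frequency:
            alerts.append((10, f"sshd: brute force from {fields['srcip']} "
                               f"({len(window)} failures within {self.timeframe}s)"))
            window.clear()  # simplification: a fresh burst is needed before alerting again
        return alerts


# Constructed sample log: six failures from one host within a minute, one stray
# failure from another host, and an unrelated line the decoder must ignore.
SAMPLE_LOG = [
    "Mar 12 10:00:01 bastion sshd[4101]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Mar 12 10:00:08 bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2",
    "Mar 12 10:00:15 bastion sshd[4105]: Failed password for root from 203.0.113.9 port 51041 ssh2",
    "Mar 12 10:00:20 bastion sshd[4107]: Failed password for oracle from 203.0.113.9 port 51050 ssh2",
    "Mar 12 10:00:26 bastion sshd[4109]: Accepted publickey for deploy from 198.51.100.4 port 40012 ssh2",
    "Mar 12 10:00:31 bastion sshd[4111]: Failed password for root from 203.0.113.9 port 51066 ssh2",
    "Mar 12 10:00:40 bastion sshd[4113]: Failed password for bob from 198.51.100.7 port 40100 ssh2",
    "Mar 12 10:00:55 bastion sshd[4115]: Failed password for root from 203.0.113.9 port 51080 ssh2",
]


def run(lines: List[str], frequency: int = 5, timeframe: int = 120) -> List[Tuple[int, str]]:
    """Feed every line through one Correlator and collect all alerts in order."""
    correlator = Correlator(frequency, timeframe)
    alerts: List[Tuple[int, str]] = []
    for line in lines:
        alerts.extend(correlator.feed(line))
    return alerts


if __name__ == "__main__":
    for level, message in run(SAMPLE_LOG):
        print(f"level {level:2}: {message}")
```

Run stand-alone it prints seven level-5 alerts and a single level-10 alert for 203.0.113.9, raised on that host's fifth failure. The single stray failure from 198.51.100.7 never crosses the threshold, which is the point of correlating per source rather than alerting on every line at the same level.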

Rootkit detection

Attackers want to hide their actions, and so do the rootkits, trojans and viruses they install.
Rootkit detection notifies you when they change your system in this way.

Active response

Take immediate, automatic action when something happens. Why wait for hours when you can alert
your admin and block an attack right away?
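An active response is a script the manager or agent runs with data taken from the alert, so the script is where automation can go wrong: the source address it receives originated in a log line, i.e. in attacker-controlled text. The following is an added example written for this page, not OSSEC's bundled firewall-drop script. It assumes the calling convention OSSEC uses for its response scripts (positional arguments `action user srcip alert_id rule_id`, with `add` on the alert and `delete` when the configured timeout expires) and an assumed list of trusted networks that an automated block must never touch.

```python
import ipaddress
import subprocess
import sys
from typing import List, Optional, Sequence

# Added example (not OSSEC's bundled firewall-drop script): an active response
# that blocks or unblocks a source IP with iptables. It follows the calling
# convention OSSEC uses for its response scripts, "action user srcip alert_id
# rule_id" as positional arguments (convention assumed here). The point is the
# input handling: srcip came out of a log line, so it is attacker-controlled
# text and is validated before it reaches a command, and trusted networks are
# never blocked by an automated response.

# Assumed trusted networks; in practice the manager, admin jump hosts, etc.
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def build_command(action: str, srcip: str, trusted: Sequence = TRUSTED) -> Optional[List[str]]:
    """Return the firewall argv for this response, or None if it must not run."""
    if action not in ("add", "delete"):
        return None
    try:
        ip = ipaddress.ip_address(srcip)  # rejects hostnames, CIDRs and "1.2.3.4; rm -rf /"
    except ValueError:
        return None
    if any(ip in net for net in trusted):
        return None  # a spoofed or mis-decoded source in a trusted range must not lock us out
    flag = "-I" if action == "add" else "-D"
    tool = "iptables" if ip.version == 4 else "ip6tables"
    return [tool, flag, "INPUT", "-s", str(ip), "-j", "DROP"]


def main(argv: Sequence[str]) -> int:
    if len(argv) < 4:
        print("usage: firewall-drop.py <add|delete> <user> <srcip> [alert_id] [rule_id]",
              file=sys.stderr)
        return 2
    cmd = build_command(argv[1], argv[3])
    if cmd is None:
        print(f"refusing response: action={argv[1]!r} srcip={argv[3]!r}", file=sys.stderr)
        return 1
    # The argv list goes straight to execve: no shell, so no injection through srcip.
    subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design choices carry the security value. `ipaddress.ip_address` is used as the validator rather than a hand-written regex, so anything that is not a literal address (a hostname, a CIDR, a string with shell metacharacters appended) is refused before a command is even built; and the command is passed as an argument list, never interpolated into a shell string. The trusted-network check is the caveat every practitioner learns once: a brute-force rule fed a spoofed or mis-decoded source inside your own management range would otherwise let an attacker use your own response to cut you off.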

Supported systems
OSSEC supports the following operating systems and log formats.

Operating systems
The following operating systems are supported by the OSSEC agent:

- GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc.)
- Windows 2000, 2003, Vista, 2008
- VMware ESX 3.0, 3.5 (including CIS checks)
- FreeBSD (all current versions)
- OpenBSD (all current versions)
- NetBSD (all current versions)
- Solaris 2.7, 2.8, 2.9 and 10
- AIX 5.2 and 5.3
- Mac OS X 10.x

Devices supported via syslog
These systems/devices are also supported via remote syslog:

- Cisco PIX, ASA and FWSM (all versions)
- Cisco IOS routers (all versions)
- Juniper Netscreen (all versions)
- SonicWall firewall (all versions)
- Checkpoint firewall (all versions)
- Cisco IOS IDS/IPS module (all versions)
- Sourcefire (Snort) IDS/IPS (all versions)
- Dragon NIDS (all versions)
- Checkpoint Smart Defense (all versions)
- McAfee VirusScan Enterprise (v8 and v8.5)
- Bluecoat proxy (all versions)
- Cisco VPN concentrators (all versions)

Systems supported via agentless

Using the OSSEC agentless options, the following systems are also supported (for log analysis and
file integrity checking):

- Cisco PIX, ASA and FWSM (all versions)
- Cisco IOS routers (all versions)
- Juniper Netscreen (all versions)
- SonicWall firewall (all versions)
- Checkpoint firewall (all versions)

Architecture

OSSEC is composed of multiple pieces. It has a central manager monitoring everything and
receiving information from agents, syslog, databases and from agentless devices.

Manager

The manager is the central piece of the OSSEC deployment. It stores the file integrity checking
databases, the logs, events and system auditing entries. All the rules, decoders and major
configuration options are stored centrally in the manager, making it easy to administer even a
large number of agents.
Agents

The agent is a small program, or collection of programs, installed on the systems you want to
monitor. The agent collects information in real time and forwards it to the manager for
analysis and correlation. It has a very small memory and CPU footprint by default, so it does not
affect the system's usage.

Security: It runs as a low-privilege user (created during the installation) and inside a
chroot jail isolated from the rest of the system. Most of the agent configuration is pushed from
the manager, with only some of the configuration stored locally on each agent. If these local
options are changed, the manager receives the information and generates an alert.

Agentless

For systems on which you cannot install an agent, OSSEC lets you perform file integrity
monitoring without the agent installed. This is very useful for monitoring firewalls, routers
and even Unix systems where you are not allowed to install the agent.

Virtualization/VMware

OSSEC allows you to install the agent on the guest operating systems or inside the host
(VMware ESX). With the agent installed inside VMware ESX you can get alerts about when a
VM guest is being installed, removed, started, etc. It also monitors logins, logouts and errors
inside the ESX server. In addition to that, OSSEC performs the Center for Internet Security
(CIS) checks for VMware, alerting if there is any insecure configuration option enabled or any
other issue.

Firewalls, switches and routers

OSSEC can receive and analyze syslog events from a large variety of firewalls, switches and
routers. It supports all Cisco routers, Cisco PIX, Cisco FWSM, Cisco ASA, Juniper Routers,
Netscreen firewall, Checkpoint and many others.

The central manager receives events from the agents and system logs from remote devices.
When something is detected, active responses can be executed and the admin is notified.

agent_control

The agent_control tool allows you to query and get information from any agent you have
configured on your server and it also allows you to restart (run now) the syscheck/rootcheck scan
on any agent.

Options

-h              Display the help message
-l              List available (active or not) agents
-lc             List active agents
-i <agent_id>   Extract information from an agent
-r              Run the integrity/rootcheck checking on agents. Must be used with -a or
                -u <agent_id>
-a              Apply the request to all agents
-u <agent_id>   The agent that will perform the requested action

Examples

Example 1: Listing agents

The first interesting argument is -lc, to list the connected (active) agents. To list all
of them, active or not, use -l only.
Output:

# /var/ossec/bin/agent_control -lc

(one line per agent, giving its ID, name, IP address and whether it is active)


Example 2: Querying an agent

To query an agent, use the -i option followed by the agent id.

Output:

# /var/ossec/bin/agent_control -i <agent_id>

(the agent's ID, name, IP address and status, followed by its operating system, client
version, the time of its last keep-alive, and when syscheck and rootcheck last started on it)

Example 3: Running syscheck/rootcheck on an agent

To start the syscheck/rootcheck scan immediately, use the -r option followed by -u with the
agent id (or -a to run it on all agents).

Output:

# /var/ossec/bin/agent_control -r -u <agent_id>

(confirmation that syscheck/rootcheck is being restarted on that agent)