OSSEC Quick Refresher Notes
These notes detail how to install and configure OSSEC.
Installation
There is no RPM for Fedora, so grab the tarball, unpack it, and run the installer from the unpacked directory:
tar zxf ossec-hids-[version].tar.gz
cd ossec-hids-[version]
./install.sh
Configuration
The files are installed to /var/ossec (a few files go to /etc).
Edit the main configuration:
$ vim /var/ossec/etc/ossec.conf
In the global section, add the lines that enable email notification:
<global>
  <email_notification>yes</email_notification>
  <email_to>tester@localhost</email_to>
  <email_from>ossec@localhost</email_from>
  <smtp_server>127.0.0.1</smtp_server>
  <!-- Some other global settings ... -->
</global>
Reduce the check interval so the syscheck daemon looks for file modifications more often (the default is a check every 6 hours):
<syscheck>
  <!-- check every 20 minutes -->
  <frequency>1200</frequency>
  <!-- send notifications for new files -->
  <alert_new_files>yes</alert_new_files>
  <!-- do not suppress notifications even if a file is modified too frequently -->
  <auto_ignore>no</auto_ignore>
  <!-- Some other syscheck settings ... -->
</syscheck>
Explicitly set the alert level for email (and log) alerts:
<alerts>
  <!-- Send notifications for every alert level -->
  <email_alert_level>1</email_alert_level>
  <log_alert_level>1</log_alert_level>
</alerts>
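To confirm that an ossec.conf actually carries the settings above (a 6-hour syscheck interval or a missing auto_ignore is easy to overlook), here is a small checker added to these notes; it is not part of OSSEC. It assumes the file is the usual set of <ossec_config> blocks and that the last occurrence of a setting is the effective one; the sample config is constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Settings these notes ask for: (section, key, expected, mode).
# mode "eq": value must match; mode "max": integer value must not exceed.
EXPECTED = [
    ("global", "email_notification", "yes", "eq"),
    ("syscheck", "frequency", 1200, "max"),
    ("syscheck", "alert_new_files", "yes", "eq"),
    ("syscheck", "auto_ignore", "no", "eq"),
    ("alerts", "email_alert_level", 1, "max"),
    ("alerts", "log_alert_level", 1, "max"),
]

def check_ossec_conf(text):
    """Return findings (list of strings); an empty list means every check passed."""
    # ossec.conf may hold several <ossec_config> blocks back to back, which is
    # not one well-formed XML document, so wrap the file in a synthetic root.
    root = ET.fromstring("<root>" + text + "</root>")
    findings = []
    for section, key, expected, mode in EXPECTED:
        hits = root.findall("./ossec_config/%s/%s" % (section, key))
        if not hits:
            findings.append("%s/%s not set (OSSEC default applies)" % (section, key))
            continue
        value = (hits[-1].text or "").strip()  # assumption: last occurrence wins
        if mode == "eq" and value.lower() != expected:
            findings.append("%s/%s is %r, expected %r" % (section, key, value, expected))
        elif mode == "max" and (not value.isdigit() or int(value) > expected):
            findings.append("%s/%s is %r, expected <= %d" % (section, key, value, expected))
    return findings

# Constructed sample: email on, but syscheck still at the 6-hour default,
# auto_ignore and log_alert_level left unset, email_alert_level too high.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
  </global>
  <syscheck>
    <frequency>21600</frequency>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
  <alerts>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
"""

if __name__ == "__main__":
    for line in check_ossec_conf(SAMPLE_CONF) or ["all recommended settings present"]:
        print(line)
```

Run it against a real install with check_ossec_conf(open("/var/ossec/etc/ossec.conf").read()).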
Make sure it starts on system boot:
$ chkconfig ossec on
Start OSSEC now:
$ /etc/init.d/ossec start