A few words about OSSEC ("Open Source Security") IDS/system scanning daemon
This is an example of v2.3 running on AIX
Product
AUTHOR="Trend Micro Inc." --> provides enterprise support for the OSS product
Start/Stop
Inittab
hids:2345:once:/var/ossec/bin/ossec-control start > /dev/null 2>&1 #Autostart OSSEC HIDS
RC script
/var/ossec/bin/ossec-control {start|stop|restart|status}
Processes
root 5308448 1 0 Oct 25 - 3:16 /var/ossec/bin/ossec-logcollector
root 6225966 1 0 Oct 25 - 446:29 /var/ossec/bin/ossec-syscheckd
ossec 6553622 1 0 Oct 25 - 9:10 /var/ossec/bin/ossec-agentd
ossec-agentd communicates with the server via UDP port 1514.
Filesystem
/var/ossec
Users
ossec - runs the privsep agent
groups=ossec,staff
home=/var/ossec
shell=/bin/false
Configuration files
/var/ossec/etc/internal_options.conf
(default numeric parameters)
/var/ossec/etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v2.3"
DATE="Tue Jun 22 10:09:48 DFT 2010"
TYPE="agent"
/var/ossec/etc/ossec.conf
<ossec_config>
  <client>
    <server-ip>_server_IP_address_</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>

  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/auth.log</location>
  </localfile>
</ossec_config>
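The agent configuration above is small enough to review by eye, but on a fleet of agents it helps to pull the security-relevant settings out mechanically. The following script is an added example, not part of these notes or of the OSSEC project: it embeds a constructed copy of the agent ossec.conf shown above (with the same `_server_IP_address_` placeholder), parses it with the standard-library XML parser, and reports the syscheck interval, the monitored and ignored paths, whether active response is disabled, and which local logs are collected. The `parse_agent_conf` and `audit` function names and the finding thresholds (for example flagging a syscheck interval longer than a day) are this example's own choices, not OSSEC conventions.

```python
"""Summarise and audit an OSSEC agent ossec.conf.

Added example, not part of the original notes or of the OSSEC project.
"""
import xml.etree.ElementTree as ET

# Constructed sample: mirrors the agent configuration from the notes above.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server-ip>_server_IP_address_</server-ip>
  </client>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/auth.log</location>
  </localfile>
</ossec_config>
"""


def parse_agent_conf(xml_text):
    """Return a dict summarising the security-relevant agent settings."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    if root.tag != "ossec_config":
        raise ValueError("not an ossec_config document")

    server_ip = root.findtext("client/server-ip")

    freq = root.findtext("syscheck/frequency")
    frequency = int(freq) if freq else None

    # Each <directories> element carries a comma-separated list of paths.
    directories = []
    for d in root.findall("syscheck/directories"):
        directories.extend(p.strip() for p in (d.text or "").split(",") if p.strip())

    ignores = [i.text.strip() for i in root.findall("syscheck/ignore") if i.text]

    disabled = (root.findtext("active-response/disabled") or "no").strip().lower()

    localfiles = [
        (lf.findtext("log_format"), lf.findtext("location"))
        for lf in root.findall("localfile")
    ]

    return {
        "server_ip": server_ip,
        "syscheck_frequency": frequency,
        "directories": directories,
        "ignores": ignores,
        "active_response_disabled": disabled == "yes",
        "localfiles": localfiles,
    }


def audit(summary):
    """Return plain-English findings a reviewer would flag (hypothetical thresholds)."""
    findings = []
    ip = summary["server_ip"]
    if ip is None or ip.startswith("_"):
        findings.append("server-ip is unset or still a placeholder")
    f = summary["syscheck_frequency"]
    if f is None:
        findings.append("syscheck frequency not set")
    elif f > 24 * 3600:
        findings.append("syscheck runs less than once a day (%d s)" % f)
    if not summary["directories"]:
        findings.append("syscheck monitors no directories")
    if summary["active_response_disabled"]:
        findings.append("active response is disabled (alerts only, no automatic blocking)")
    if not summary["localfiles"]:
        findings.append("no local log files are collected")
    return findings


if __name__ == "__main__":
    s = parse_agent_conf(SAMPLE_CONF)
    print("syscheck every %.1f h" % (s["syscheck_frequency"] / 3600.0))
    print("monitored:", ", ".join(s["directories"]))
    print("ignored:  ", ", ".join(s["ignores"]))
    for line in audit(s):
        print("FINDING:", line)
```

To run it against a real agent, replace `SAMPLE_CONF` with the contents of /var/ossec/etc/ossec.conf; the audit deliberately reports the disabled active response as a finding because, with it off, the agent only raises alerts and never blocks anything itself.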