OSSEC
A few words about OSSEC ("Open Source Security") IDS/system scanning daemon
This is an example of v2.3 running on AIX
Product
AUTHOR="Trend Micro Inc." (the vendor that provides enterprise support for the open-source product)
Start/Stop
Inittab
hids:2345:once:/var/ossec/bin/ossec-control start > /dev/null 2>&1 #Autostart OSSEC HIDS
RC script
/var/ossec/bin/ossec-control {start|stop|restart|status}
Processes
root 5308448 1 0 Oct 25 - 3:16 /var/ossec/bin/ossec-logcollector
root 6225966 1 0 Oct 25 - 446:29 /var/ossec/bin/ossec-syscheckd
ossec 6553622 1 0 Oct 25 - 9:10 /var/ossec/bin/ossec-agentd
ossec-agentd communicates with the server via UDP port 1514.
Filesystem
/var/ossec
Users
ossec - the unprivileged account that the privilege-separated agent (ossec-agentd) runs as
groups=ossec,staff
home=/var/ossec
shell=/bin/false
Configuration files
/var/ossec/etc/internal_options.conf
(default numeric parameters)
/var/ossec/etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v2.3"
DATE="Tue Jun 22 10:09:48 DFT 2010"
TYPE="agent"
/var/ossec/etc/ossec.conf
<ossec_config>
<!-- Agent mode (TYPE="agent" in ossec-init.conf): this section names the manager the agent reports to.
     The value below is a placeholder and must be replaced with the real server address;
     ossec-agentd sends to the server on UDP port 1514, so that port must be reachable from this host. -->
<client>
<server-ip>_server_IP_address_</server-ip>
</client>
<!-- syscheck: file-integrity monitoring run by ossec-syscheckd -->
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<!-- 79200 seconds = 22 hours; a shorter interval narrows the window before a modified file is noticed, at the cost of more scan load -->
<frequency>79200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<!-- check_all="yes" enables every available check on these paths.
     NOTE(review): the agent's own install tree /var/ossec is not in either list, so changes to its binaries,
     rules or shared signature files would not be picked up here; confirm whether that is intended. -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<!-- presumably excluded because it changes on every mount/unmount and would only generate noise -->
<ignore>/etc/mtab</ignore>
</syscheck>
<!-- rootcheck: rootkit and system-audit checks driven by the signature/policy files shipped in the shared directory -->
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
</rootcheck>
<!-- Active response is switched off on this agent: alerts are still sent to the server,
     but no response actions are executed locally -->
<active-response>
<disabled>yes</disabled>
</active-response>
<!-- Files to monitor (localfiles) -->
<!-- Only this one log is forwarded by ossec-logcollector; each additional log file needs its own localfile entry -->
<localfile>
<log_format>syslog</log_format>
<location>/var/adm/auth.log</location>
</localfile>
</ossec_config>