A free software entrant into the host-based intrusion detection system
(HIDS) arena, OSSEC, released
version 2.4 earlier this month, with a number of upgrades and bug fixes.
OSSEC may not be as well-known as other free software HIDS, like Samhain, AIDE, Osiris, or Open Source Tripwire,
but they are all trying to do a similar job: detect changes to a running
system that may have been caused by malicious activity. The techniques
used by HIDS vary considerably, from simply hashing file contents and comparing
them periodically to more sophisticated log file and behavioral analysis.

Conceptually, a HIDS should monitor everything about the system's state,
such that it can detect changes in behavior that stem from some kind of
host intrusion. Unlike network intrusion detection systems (NIDS), which look at
the network traffic to try to detect intrusion attempts, HIDS will only see
problems after the fact. It is, in some sense, a second line of defense
that is generally deployed behind a NIDS, at least in those installations
with high security needs.

Most HIDS implementations only bite off some portion of the job. The
simplest look for changes to system files and binaries by using hashes of
their contents. Taking that a step further, storing the hashes of
"important" files on a separate system or read-only media provides defense against an
intrusion that targets the files which store the hashes. OSSEC takes that
idea even further by moving most of the monitoring and analysis to
separate, presumably strongly hardened systems.

The basic architecture is intended to be client-server, with a
"manager" running on a central server and "agents" running on each of the
systems to be monitored. The agent is a small program that runs with low
privileges and forwards information to the manager. There is also a
"logcollector" process that runs as root on a client, and does just what
its name would imply. Configuration information is mostly stored by the
manager with some being locally cached. For obvious reasons, that
configuration cache is monitored and changes to it will cause an alert.

OSSEC can be run in standalone mode, where the analysis and gathering are
on the same host. The manager can also gather information from various
devices, such as routers, firewalls, and other IDS systems without using an
agent. There are agentless solutions for some devices, while others can
use remote syslog to send their log information to the manager system.
OSSEC is cross-platform,
running on most major Unix systems as well as various flavors of Windows.

There are four main features to OSSEC, starting with file integrity
monitoring. For logs, the monitoring rules are fairly extensive, covering
a wide range of free and proprietary applications like Apache, Asterisk,
Cisco IOS, McAfee anti-virus, MySQL, PostgreSQL, and so on. Much of what
OSSEC does with log files is similar to what logwatch or syslog-ng can do, but the
analysis can be done site-wide, and actions can be performed based on what
OSSEC finds. New rules can be added for additional services or
site-specific logging using an XML rule syntax.

As would be expected, system administrators can be alerted by email if some
class of problem is detected. In addition, OSSEC has the ability to
perform "active responses" based on certain kinds of attacks. OSSEC comes
with a handful of pre-defined responses for things like adding an IP
address to /etc/hosts.deny or to various firewalls' deny lists.
Adding further active responses is done by creating one XML chunk that specifies
what to run and another that describes when to run it.
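
The two chunks described above, sketched as an added example (not taken from the article or from a shipped OSSEC configuration): a command block naming what to run, and an active-response block saying when. The element names follow the ossec.conf format; the choice of host-deny.sh, the level threshold and the timeout are illustrative assumptions.

```xml
<!-- Added example: both blocks go inside <ossec_config> in ossec.conf. -->

<!-- Chunk 1: WHAT to run. -->
<command>
  <!-- Label that active-response blocks use to refer to this command -->
  <name>host-deny</name>
  <!-- Script to execute; assumed here to be the /etc/hosts.deny helper -->
  <executable>host-deny.sh</executable>
  <!-- Only usable when the triggering alert carries a source IP -->
  <expect>srcip</expect>
  <!-- Permit the action to be undone after a timeout -->
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- Chunk 2: WHEN to run it. -->
<active-response>
  <!-- Must match the <name> of a command block above -->
  <command>host-deny</command>
  <!-- Run on the agent that generated the event -->
  <location>local</location>
  <!-- Fire on alerts at or above this severity (illustrative value) -->
  <level>6</level>
  <!-- Lift the block after this many seconds (illustrative value) -->
  <timeout>600</timeout>
</active-response>
```

Because the response acts on a source address taken from log data, keep the timeout finite and list management addresses in the white_list entries of the global section, so that a mistaken or forged alert cannot lock administrators out.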

The fourth main feature of OSSEC is rootkit detection that runs
periodically on client systems. For Windows clients, there is an
additional feature that checks the registry for changes, and alerts the
administrator of any it finds.

OSSEC was originally written by Daniel Cid and released as free software in
2004. Since that time, the code has been acquired twice, most recently
by Trend Micro, which
offers commercial support for OSSEC. It is licensed under the GPLv3, and
is available as a tarball (along with SHA1/MD5 hashes for verification) from the installation

As with any HIDS solution, it will require some tweaking for specific
environments to reduce false-positives to a manageable level. OSSEC has a
number of useful features and looks to be a solution that is growing in
popularity. It would seem to be a good candidate for one or more
distributions to pick up and configure for their specific needs, which
would make it easier for their users to start monitoring with OSSEC. For
anyone considering HIDS for security at their site, OSSEC is worth a look.