Blue Team Guides

OSSEC

Cheatsheet

1. Install OSSEC

  • Download OSSEC -> Install OSSEC Server/Agent

2. Configure OSSEC

  • Edit ossec.conf -> Define configurations

3. Manage OSSEC Agents

  • Register agents -> Manage agent keys

4. Customize OSSEC Rules

  • Navigate to rules directory -> Customize or add new rules

5. Configure OSSEC Alerts

  • Edit ossec.conf -> Define email alerts

6. Monitor OSSEC Logs

  • Navigate to logs -> Monitor ossec.log

7. Upgrade OSSEC

  • Download new version -> Upgrade OSSEC

8. Integrate OSSEC with SIEM

  • Configure OSSEC -> Forward logs to SIEM

9. Analyze OSSEC Alerts

  • Navigate to alerts directory -> Analyze alerts.log

10. Secure OSSEC Communication

  • Configure agent and server -> Validate secure communication

Examples for Hardening with OSSEC

1. Install OSSEC Server

wget https://github.com/ossec/ossec-hids/archive/[VERSION].tar.gz
tar -zxvf [VERSION].tar.gz
cd ossec-hids-[VERSION]
sudo ./install.sh

2. Install OSSEC Agent

# Use the same steps as the server but select agent during installation.

3. Add an OSSEC Agent

sudo /var/ossec/bin/manage_agents
# Follow prompts to add an agent.

4. Extract Agent Key

sudo /var/ossec/bin/manage_agents
# Follow prompts to extract key.

5. Add Agent Key to OSSEC Agent

sudo /var/ossec/bin/manage_agents
# Follow prompts to add key.

6. Restart OSSEC

sudo /var/ossec/bin/ossec-control restart

7. Create a Custom OSSEC Rule

  • Navigate to /var/ossec/rules -> Create a custom rule file

8. Configure OSSEC to Send Email Alerts

  • Edit /var/ossec/etc/ossec.conf -> Add email alert settings

9. Check OSSEC Agent Status

sudo /var/ossec/bin/agent_control -l

10. View OSSEC Logs

cat /var/ossec/logs/ossec.log

11. Analyze OSSEC Alerts

cat /var/ossec/logs/alerts/alerts.log
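Reading alerts.log by hand does not scale once a server collects from more than a few agents. As an added example (not code from this guide or from the OSSEC project), the Python below parses the alerts.log record layout (a `** Alert <epoch>.<seq>:` header carrying the rule groups, a timestamp/agent/location line, a `Rule: <id> (level <n>) -> '<description>'` line, optional `Src IP:` and `User:` lines, then the raw event, with records separated by a blank line) and summarises the result by rule and by source address. The hostnames, addresses, timestamps and checksums in the sample records are constructed.

```python
"""Parse OSSEC alerts.log records and summarise them by rule and source IP."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of /var/ossec/logs/alerts/alerts.log
# (hostnames, addresses, checksums and timestamps are made up for this example).
SAMPLE_ALERTS = """\
** Alert 1700000000.1001: - syslog,sshd,authentication_failed,
2023 Nov 14 22:13:20 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Nov 14 22:13:19 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51012 ssh2

** Alert 1700000030.1042: - syslog,sshd,authentication_failed,
2023 Nov 14 22:13:50 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: admin
Nov 14 22:13:49 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2

** Alert 1700000090.1100: mail  - syslog,sshd,authentication_failures,
2023 Nov 14 22:14:50 web01->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.7
User: admin
Nov 14 22:14:49 web01 sshd[2260]: Failed password for invalid user admin from 203.0.113.7 port 51031 ssh2

** Alert 1700000200.1200: - ossec,syscheck,
2023 Nov 14 22:16:40 web01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: '0123456789abcdef0123456789abcdef'
New md5sum is : 'fedcba9876543210fedcba9876543210'
"""

# Record header: "** Alert <epoch>.<seq>: [mail ] - <group>,<group>,"
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+):\s*(?:(?P<mail>mail)\s+)?- (?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Second line: "<YYYY Mon DD HH:MM:SS> <agent or (name) ip>-><log location>"
LOCATION_RE = re.compile(
    r"^(?P<when>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<agent>.+?)->(?P<location>.*)$")


@dataclass
class Alert:
    epoch: int
    seq: int
    groups: List[str]
    mail: bool                      # True when the alert was also sent by e-mail
    rule_id: int = 0
    level: int = 0
    description: str = ""
    when: str = ""
    agent: str = ""
    location: str = ""
    src_ip: Optional[str] = None
    user: Optional[str] = None
    detail: List[str] = field(default_factory=list)  # raw event / syscheck lines


def parse_alerts(text: str) -> List[Alert]:
    """Split alerts.log into blank-line separated records and parse each one."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if head is None:
            continue  # not an alert header (e.g. a truncated record): skip it
        alert = Alert(epoch=int(head["epoch"]), seq=int(head["seq"]),
                      groups=[g for g in head["groups"].split(",") if g],
                      mail=head["mail"] is not None)
        for line in lines[1:]:
            rule = RULE_RE.match(line)
            loc = LOCATION_RE.match(line)
            if rule:
                alert.rule_id = int(rule["id"])
                alert.level = int(rule["level"])
                alert.description = rule["desc"]
            elif loc and not alert.when:
                alert.when, alert.agent, alert.location = loc["when"], loc["agent"], loc["location"]
            elif line.startswith("Src IP: "):
                alert.src_ip = line[len("Src IP: "):].strip()
            elif line.startswith("User: "):
                alert.user = line[len("User: "):].strip()
            else:
                alert.detail.append(line)
        alerts.append(alert)
    return alerts


def summarize(alerts: List[Alert], min_level: int = 0) -> Dict[str, object]:
    """Count alerts at or above min_level by rule and by source IP."""
    kept = [a for a in alerts if a.level >= min_level]
    by_rule: Counter = Counter((a.rule_id, a.description) for a in kept)
    by_src: Counter = Counter(a.src_ip for a in kept if a.src_ip)
    return {
        "total": len(kept),
        "max_level": max((a.level for a in kept), default=0),
        "by_rule": by_rule,
        "by_src_ip": by_src,
    }


if __name__ == "__main__":
    # On a server, replace SAMPLE_ALERTS with the contents of /var/ossec/logs/alerts/alerts.log.
    report = summarize(parse_alerts(SAMPLE_ALERTS), min_level=5)
    print(f"{report['total']} alerts at level >= 5, highest level {report['max_level']}")
    for (rule_id, desc), n in report["by_rule"].most_common():
        print(f"  {n:4d}  rule {rule_id}: {desc}")
    for ip, n in report["by_src_ip"].most_common(5):
        print(f"  {n:4d}  src {ip}")
```

The `min_level` filter mirrors the `log_alert_level` setting in ossec.conf: tuning it on the summary side first shows which low-level rules are noise before you raise the threshold on the server.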

12. Upgrade OSSEC Server/Agent

  • Download new version -> Follow upgrade steps

13. Disable an OSSEC Rule

  • Navigate to /var/ossec/etc/rules/local_rules.xml -> Add rule to disable
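Steps 7 and 13 both end in local_rules.xml, and a syntax slip there stops ossec-analysisd from starting. As an added example (not code from this guide or from the OSSEC project), the Python below builds such a file with one custom threshold rule and one rule-disabling override, then checks it before it is copied into place: well-formed XML, every id numeric, unique and inside 100000-119999 (the range OSSEC reserves for local rules), a numeric level, a description, and a frequency only alongside `if_matched_sid`/`if_matched_group`. The ids 100100 and 100101, the 5-in-120-seconds threshold and the descriptions are constructed; 5716 (SSHD authentication failed) and 5710 (login attempt with a non-existent user) are stock OSSEC sshd rule ids. Disabling works by adding a level-0 child rule: when the child matches, its level replaces the parent's and level 0 is never alerted, so the shipped rule files stay untouched.

```python
"""Generate and sanity-check an OSSEC local_rules.xml (custom rule + rule override)."""
import xml.etree.ElementTree as ET
from typing import List

# OSSEC reserves ids 100000-119999 for user-defined (local) rules.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999


def build_local_rules() -> str:
    """Return the XML text of a local_rules.xml holding two rules.

    Ids 100100/100101, the threshold and the descriptions are constructed for
    this example; 5716 and 5710 are stock OSSEC sshd rule ids.
    """
    group = ET.Element("group", name="local,syslog,sshd,")

    # Custom rule: escalate to level 10 when the same source IP triggers
    # rule 5716 (SSHD authentication failed) 5 times within 120 seconds.
    esc = ET.SubElement(group, "rule", id="100100", level="10", frequency="5", timeframe="120")
    ET.SubElement(esc, "if_matched_sid").text = "5716"
    ET.SubElement(esc, "same_source_ip")
    ET.SubElement(esc, "description").text = "Repeated SSH authentication failures from one source (local rule)."
    ET.SubElement(esc, "group").text = "authentication_failures,"

    # Disabling a rule: a level-0 child that matches whenever 5710 fires
    # replaces the parent's alert with no alert at all.
    off = ET.SubElement(group, "rule", id="100101", level="0")
    ET.SubElement(off, "if_sid").text = "5710"
    ET.SubElement(off, "description").text = "Ignore non-existent user login attempts (rule 5710 silenced locally)."

    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(group)
    return ET.tostring(group, encoding="unicode")


def _wrap(xml_text: str) -> ET.Element:
    # A rules file may hold several top-level <group> elements plus comments,
    # which is not a single-rooted XML document; wrap it so ElementTree accepts it.
    return ET.fromstring("<rules>" + xml_text + "</rules>")


def rule_ids(xml_text: str) -> List[int]:
    """Numeric ids of every <rule> in the file, in document order."""
    return [int(r.get("id")) for r in _wrap(xml_text).iter("rule") if (r.get("id") or "").isdigit()]


def validate_local_rules(xml_text: str) -> List[str]:
    """Return a list of problems (empty when the file passes every check)."""
    problems: List[str] = []
    try:
        root = _wrap(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None or not rid.isdigit():
            problems.append("rule without a numeric id attribute")
            continue
        n = int(rid)
        if not LOCAL_ID_MIN <= n <= LOCAL_ID_MAX:
            problems.append(f"rule {n}: id outside local range {LOCAL_ID_MIN}-{LOCAL_ID_MAX}")
        if n in seen:
            problems.append(f"rule {n}: duplicate id")
        seen.add(n)
        level = rule.get("level")
        if level is None or not level.isdigit():
            problems.append(f"rule {n}: missing or non-numeric level attribute")
        if rule.find("description") is None:  # a childless Element is falsy, so test identity
            problems.append(f"rule {n}: missing <description>")
        if rule.get("frequency") is not None and rule.find("if_matched_sid") is None \
                and rule.find("if_matched_group") is None:
            problems.append(f"rule {n}: frequency set without if_matched_sid/if_matched_group")
    return problems


if __name__ == "__main__":
    xml = build_local_rules()
    print(xml)
    # Copy the output to the local_rules.xml path of your install, feed a matching
    # log line to /var/ossec/bin/ossec-logtest, then restart ossec-control.
    print("problems:", validate_local_rules(xml) or "none")
```

Because `validate_local_rules` only looks at structure, a rule can still pass it and never fire; ossec-logtest (step 15) remains the check that the rule actually matches the events you expect.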

14. Configure OSSEC Active Response

  • Edit /var/ossec/etc/ossec.conf -> Define active response settings

15. Test OSSEC Rule

/var/ossec/bin/ossec-logtest
# Enter log entry to test.

16. View OSSEC Agents

sudo /var/ossec/bin/agent_control -lc

17. Remove OSSEC Agent

sudo /var/ossec/bin/manage_agents
# Follow prompts to remove an agent.

18. Configure OSSEC Syscheck

  • Edit /var/ossec/etc/ossec.conf -> Define syscheck settings

19. View OSSEC Statistical Information

sudo /var/ossec/bin/ossec-logtest -s

20. Configure OSSEC to Monitor a File

  • Edit /var/ossec/etc/ossec.conf -> Add file to syscheck


Last updated 1 year ago