OSSEC

Cheatsheet

1. Install OSSEC
  • Download OSSEC -> Install OSSEC Server/Agent
2. Configure OSSEC
  • Edit ossec.conf -> Define configurations
3. Manage OSSEC Agents
  • Register agents -> Manage agent keys
4. Customize OSSEC Rules
  • Navigate to rules directory -> Customize or add new rules
5. Configure OSSEC Alerts
  • Edit ossec.conf -> Define email alerts
6. Monitor OSSEC Logs
  • Navigate to logs -> Monitor ossec.log
7. Upgrade OSSEC
  • Download new version -> Upgrade OSSEC
8. Integrate OSSEC with SIEM
  • Configure OSSEC -> Forward logs to SIEM
9. Analyze OSSEC Alerts
  • Navigate to alerts directory -> Analyze alerts.log
10. Secure OSSEC Communication
  • Configure agent and server -> Validate secure communication

Examples for Hardening with OSSEC

1. Install OSSEC Server
wget https://github.com/ossec/ossec-hids/archive/[VERSION].tar.gz
tar -zxvf [VERSION].tar.gz
cd ossec-hids-[VERSION]
sudo ./install.sh
2. Install OSSEC Agent
# Use the same steps as the server but select agent during installation.
3. Add an OSSEC Agent
sudo /var/ossec/bin/manage_agents
# Follow prompts to add an agent.
4. Extract Agent Key
sudo /var/ossec/bin/manage_agents
# Follow prompts to extract key.
5. Add Agent Key to OSSEC Agent
sudo /var/ossec/bin/manage_agents
# Follow prompts to add key.
6. Restart OSSEC
sudo /var/ossec/bin/ossec-control restart
7. Create a Custom OSSEC Rule
  • Navigate to /var/ossec/rules -> Create a custom rule file
8. Configure OSSEC to Send Email Alerts
  • Edit /var/ossec/etc/ossec.conf -> Add email alert settings
9. Check OSSEC Agent Status
sudo /var/ossec/bin/agent_control -l
10. View OSSEC Logs
cat /var/ossec/logs/ossec.log
11. Analyze OSSEC Alerts
cat /var/ossec/logs/alerts/alerts.log
12. Upgrade OSSEC Server/Agent
  • Download new version -> Follow upgrade steps
13. Disable an OSSEC Rule
  • Navigate to /var/ossec/etc/rules/local_rules.xml -> Add rule to disable
14. Configure OSSEC Active Response
  • Edit /var/ossec/etc/ossec.conf -> Define active response settings
15. Test OSSEC Rule
/var/ossec/bin/ossec-logtest
# Enter log entry to test.
16. View OSSEC Agents
sudo /var/ossec/bin/agent_control -lc
17. Remove OSSEC Agent
sudo /var/ossec/bin/manage_agents
# Follow prompts to remove an agent.
18. Configure OSSEC Syscheck
  • Edit /var/ossec/etc/ossec.conf -> Define syscheck settings
19. View OSSEC Statistical Information
sudo /var/ossec/bin/ossec-logtest -s
20. Configure OSSEC to Monitor a File
  • Edit /var/ossec/etc/ossec.conf -> Add file to syscheck
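A worked configuration, added here and not part of the original cheatsheet, that ties items 7, 13, 14, 18 and 20 together: a local_rules.xml fragment with one custom rule and one level-0 rule that silences a stock rule for a single source, followed by an ossec.conf fragment for syscheck and active response. Stock rule IDs 5716 (sshd authentication failure) and 5712 (sshd brute force) are OSSEC's own; the IP address and the monitored paths are constructed placeholders.

```xml
<!-- /var/ossec/rules/local_rules.xml: IDs 100000-119999 are reserved for local rules -->
<group name="local,syslog,">
  <!-- 7. Custom rule: escalate an SSH authentication failure (stock rule 5716)
       when it happens outside business hours -->
  <rule id="100001" level="10">
    <if_sid>5716</if_sid>
    <time>6 pm - 8 am</time>
    <description>SSH authentication failure outside business hours.</description>
  </rule>

  <!-- 13. "Disable" a rule for one source only: a level-0 child rule silences the
       parent for the events it matches, so the rule keeps firing for everyone else
       (10.0.0.5 is a constructed placeholder for an authorised scanner) -->
  <rule id="100002" level="0">
    <if_sid>5716</if_sid>
    <srcip>10.0.0.5</srcip>
    <description>Ignore SSH failures from the authorised vulnerability scanner.</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf: syscheck (18, 20) and active response (14) -->
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <!-- check_all compares hashes, permissions, owner and size; realtime uses inotify on Linux -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <!-- 20. A single file can be listed as well; report_changes stores a diff of text files -->
    <directories check_all="yes" report_changes="yes">/etc/ssh/sshd_config</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$</ignore>
  </syscheck>

  <!-- 14. Drop traffic from the source of an SSH brute force (stock rule 5712) for 10 minutes;
       firewall-drop.sh ships in /var/ossec/active-response/bin -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing, restart with /var/ossec/bin/ossec-control restart and paste a sample sshd failure line into /var/ossec/bin/ossec-logtest to confirm that rule 100001 fires and that rule 100002 silences it for the listed source.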