OSSEC Explained - platiumsecnet/psnNIDS GitHub Wiki

OSSEC Explained

1. What is OSSEC?

In the realm of full-featured open source HIDS tools, there is OSSEC and not much else. The great news is OSSEC is very good at what it does and is rather extensible.

OSSEC runs on almost any major operating system and includes a client/server based management and logging architecture, which is very important in a HIDS. Since a purely local HIDS can be compromised at the same time the OS is, it is very important that security and forensic information leave the host and be stored elsewhere as soon as possible, to avoid any kind of tampering or obfuscation that would prevent detection.

OSSEC's client/server architecture incorporates this strategy by delivering alerts and logs to a centralized server where analysis and notification can occur even if the host system is taken offline or compromised. Another advantage of client/server architecture is the ability to centrally manage agents from a single server. Since deployments can range from one to thousands of installations, the ability to make global changes from a central server is critical for an administrator's sanity.

When discussing OSSEC (and other HIDS) there is often anxiety over installing an agent or software on critical servers. It should be noted that the installation of OSSEC is extremely light (the installer is under 1MB) and the majority of analysis actually occurs on the server which means very little CPU is consumed by OSSEC on the host. OSSEC also has the ability to send OS logs to the server for analysis and storage, which is particularly helpful on Windows machines that have no native and cross-platform logging mechanisms.
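The client/server split described above, as an added example written for this page (not configuration from the psnNIDS project or the OSSEC distribution): an agent that points at a central manager and ships its OS logs there, and the manager that accepts encrypted agent traffic. The manager address 10.0.0.5 and the log paths are assumed values; the element names are OSSEC's own.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf on a monitored host -->
<ossec_config>
  <client>
    <!-- Address of the central OSSEC manager (assumed value) -->
    <server-ip>10.0.0.5</server-ip>
  </client>

  <!-- Ship local OS logs to the manager so a copy exists off-host
       before an attacker can tamper with the originals -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  <!-- On a Windows agent the equivalent entry reads the event log:
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
  -->
</ossec_config>

<!-- Manager side: /var/ossec/etc/ossec.conf on the central server -->
<ossec_config>
  <remote>
    <!-- "secure" accepts encrypted agent connections on UDP 1514 (OSSEC default) -->
    <connection>secure</connection>
    <port>1514</port>
  </remote>
  <alerts>
    <!-- Write every alert of level 1+ to alerts.log; e-mail only level 7+ -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

The two `<ossec_config>` sections are separate files on separate machines. The agent must also be registered with the manager (manage_agents on both sides) before the secure channel comes up; without a valid key the manager silently drops the agent's traffic, so a missing agent in `agent_control -l` is the first thing to check when no alerts arrive.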

2. Features

  1. Agents for almost every OS
  2. Compiled Agent for Windows
  3. Much more functionality than just FIM
  4. Rigid but simple installation process
  5. Good community support
  6. File integrity monitoring (FIM)
  7. Log monitoring collects, analyzes, and correlates system logs
  8. Rootkit detection, which searches for system modifications similar to rootkits
  9. Active response can invoke automated response action when alerts are triggered
  10. Client/Server architecture
  11. Multi-platform support (Linux, Solaris, Windows, MacOS, etc.)
  12. Supports compliance requirements for FIM
  13. Real-time and configurable alerts
  14. Integration with current infrastructure
  15. Centralized server for mass policy management
  16. Agent and agentless monitoring
  17. A plugin for OSSEC is available for AlienVault USM Anywhere.
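How three of the features above (file integrity monitoring, rootkit detection and active response) are switched on in practice, as an added example written for this page rather than configuration from the psnNIDS project. The directory list and the 7200-second scan interval are assumed values; the rootkit signature paths and the firewall-drop command are the ones OSSEC ships by default.

```xml
<ossec_config>
  <!-- File integrity monitoring: hash and watch system binaries and configs.
       Scan every 7200 s; /etc and the bin directories also get realtime watches. -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Files that change legitimately all the time would only produce noise -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>

  <!-- Rootkit detection against the signature lists shipped with OSSEC -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Active response: first define a command, then bind it to an alert level.
       "expect srcip" means the rule that fires must carry a source IP. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <!-- Run on the agent that raised the alert -->
    <location>local</location>
    <!-- Only alerts of level 10 or higher trigger the block -->
    <level>10</level>
    <!-- Block is lifted after 600 s, so a spoofed or mistaken hit is not permanent -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Keeping `<timeout>` set and the trigger level high is what keeps active response from turning into a self-inflicted outage when a rule misfires on a legitimate source; `/etc/hosts.deny` is excluded from syscheck precisely because OSSEC's own host-deny response edits it. A rule's level for a given log line can be checked before enabling the response by feeding the line to `/var/ossec/bin/ossec-logtest` on the manager.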

3. Disadvantages