configuring ossec

Useful links, though a bit outdated:

http://perezbox.com/2013/03/ossec-for-website-security-part-i/

https://hackertarget.com/defending-wordpress-ossec/

How to add an access log for OSSEC to monitor:
# /var/ossec/bin/util.sh addfile /var/log/httpd/somesite.access_log
How to start/stop OSSEC:
service ossec start
service ossec stop
service ossec restart
service ossec status

You might find it useful to change this file:

nano /var/ossec/etc/ossec.conf

<!-- Frequency that syscheck is executed - set to every 4 hours -->
<frequency>14400</frequency>

<!-- Directories to check  (perform all possible verifications) -->
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
<directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">[path to the root of your site]</directories>

<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
<auto_ignore>no</auto_ignore>

This reduces the syscheck frequency to 14400 seconds (every 4 hours), adds real-time monitoring of the site root path (reporting content changes for the restricted extensions) and alerts on new files.

To enable alerting for new files, edit

/var/ossec/rules/ossec_rules.xml

Go to rule 554 (level 0 by default, so its alerts are never logged) and change the level to 7 like this:

<rule id="554" level="7">
 <category>ossec</category>
 <decoded_as>syscheck_new_entry</decoded_as>
 <description>File added to the system.</description>
 <group>syscheck,</group>
</rule>
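An added check, not from the original post: a small Python audit that parses constructed ossec.conf and rule fragments to confirm the site root is watched in realtime with report_changes and new-file alerts, and that rule 554 sits at or above log_alert_level (stock level 0 is never logged). The fragment contents and the /var/www/somesite path are assumptions; it also handles ossec.conf having several top-level <ossec_config> blocks.

```python
import xml.etree.ElementTree as ET

# Constructed fragments standing in for ossec.conf and ossec_rules.xml (rule 554 still at stock level 0).
OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <frequency>14400</frequency>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">/var/www/somesite</directories>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
<ossec_config>
  <alerts><log_alert_level>1</log_alert_level><email_alert_level>7</email_alert_level></alerts>
</ossec_config>
"""
RULES_XML = """
<rule id="554" level="0">
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
</rule>
"""

def parse_ossec_xml(text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML, so wrap the text in a dummy root before parsing.
    return ET.fromstring("<root>" + text + "</root>")

def audit_syscheck(conf_text, site_root):
    """Report whether site_root is watched in realtime with diffs and new-file alerts."""
    f = {"frequency": None, "site_monitored": False, "realtime": False,
         "report_changes": False, "alert_new_files": False}
    for sc in parse_ossec_xml(conf_text).iter("syscheck"):
        if sc.find("frequency") is not None:
            f["frequency"] = int(sc.find("frequency").text)
        anf = sc.find("alert_new_files")
        f["alert_new_files"] |= anf is not None and anf.text.strip() == "yes"
        for d in sc.findall("directories"):
            if site_root in [p.strip() for p in d.text.split(",")]:
                f["site_monitored"] = True
                f["realtime"] = d.get("realtime") == "yes"
                f["report_changes"] = d.get("report_changes") == "yes"
    return f

def new_file_alerts_fire(conf_text, rules_text):
    """True only if rule 554 is at or above log_alert_level (default 1); level 0 stays silent."""
    lvl = parse_ossec_xml(conf_text).find(".//alerts/log_alert_level")
    threshold = int(lvl.text) if lvl is not None else 1
    rule = next((r for r in parse_ossec_xml(rules_text).iter("rule") if r.get("id") == "554"), None)
    return rule is not None and int(rule.get("level")) >= threshold
```

Run it against the real files by reading them into the two variables; with the stock rule file `new_file_alerts_fire` returns False until the level is raised as described above.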
