OSSEC is a lightweight but powerful piece of software that you can install on your server to monitor its integrity. On the official website, OSSEC is defined as:
[…] an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
I’m going to go through the installation of OSSEC with a focus on how to configure the file integrity checking to monitor your web-accessible files and alert you when something has changed. In addition, I’ll touch on OSSEC’s configuration file and what it consists of, so you can tweak the settings to match your needs.
Before we get started though, let’s briefly talk about the idea of file integrity monitoring and why it might be useful on your website.
Most of the time the files on your server that power your website don’t change very often. All of the data is usually stored in a database, so what’s left are, for example, the core files of your content management system. The only time those files should change is when you, or someone you have authorized, are performing an update.
When a website is compromised through a vulnerability, there is a pretty high chance that the successful attack will add or change at least one or two files on your website, so that the attacker can execute additional attacks or perform other malicious activity.
In a perfect world, you’d be immediately alerted when a file’s or directory’s contents, permissions or owner change. This is exactly what OSSEC’s file monitoring system does. It lets you monitor chosen directories on your server, exclude folders that you expect to change frequently, such as caching or upload folders, and be alerted in real time when something is added, removed or updated.
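To make concrete what OSSEC’s syscheck automates, here is an added example (not OSSEC’s code, and not part of the original post) that implements the same idea in a few dozen lines of Python: take a baseline of every file’s content hash, permission bits, owner and group under a web root, skip excluded folders such as a cache directory, then diff a later snapshot to report what was added, removed or modified and which attribute changed. The web root, file names and the changes made to them are all constructed inside demo() so the script runs offline.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Tuple

# One record per file: the attributes a file integrity monitor watches
# (content hash, permission bits, owner uid, group gid).
Record = Tuple[str, int, int, int]


def file_record(path: str) -> Record:
    """Hash the file contents and capture mode/uid/gid from the inode."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def build_baseline(root: str, exclude: Iterable[str] = ()) -> Dict[str, Record]:
    """Walk `root` and record every regular file, pruning excluded
    sub-directories given relative to root (e.g. "cache" or "wp-content/uploads")."""
    excluded = {os.path.normpath(e) for e in exclude}
    baseline: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune in place so os.walk never descends into excluded folders.
        dirnames[:] = [
            d for d in dirnames
            if os.path.normpath(os.path.join(rel_dir, d)) not in excluded
        ]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            baseline[os.path.normpath(os.path.join(rel_dir, name))] = file_record(full)
    return baseline


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, list]:
    """Return added/removed paths and, for modified files, which attributes changed."""
    labels = ("checksum", "permissions", "owner", "group")
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified: List[Tuple[str, List[str]]] = []
    for path in sorted(set(old) & set(new)):
        diffs = [lbl for lbl, a, b in zip(labels, old[path], new[path]) if a != b]
        if diffs:
            modified.append((path, diffs))
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, list]:
    """Constructed scenario: a fake web root, a baseline, then some changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cache"))
        os.makedirs(os.path.join(root, "inc"))
        files = {
            "index.php": "<?php echo 'hello'; ?>",
            "inc/config.php": "<?php $db = 'prod'; ?>",
            "cache/page.html": "<html>cached</html>",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        os.chmod(os.path.join(root, "inc/config.php"), 0o640)

        before = build_baseline(root, exclude=["cache"])

        # Simulate the kinds of change an unauthorized edit would produce.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("\n// appended line")                     # content change
        os.chmod(os.path.join(root, "inc/config.php"), 0o666)  # permission change
        with open(os.path.join(root, "unexpected.php"), "w") as fh:
            fh.write("<?php ?>")                               # new file
        with open(os.path.join(root, "cache/page.html"), "w") as fh:
            fh.write("<html>fresh</html>")                     # excluded folder: no alert

        after = build_baseline(root, exclude=["cache"])
        return compare(before, after)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The exclusion list is what keeps a cache or upload directory from drowning you in alerts; everything else under the root is reported on content, permission or ownership change, which is the same trade-off you make when you configure OSSEC’s syscheck for a web root.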
Let’s get started with getting OSSEC up and running.