
I have just installed the current stable release of OSSEC (2.8.1) for Ubuntu, but at the end of the installation I noticed that it said:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
        /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
        /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

So what is OSSEC HIDS? Is it the actual program or something else? If it is the actual program, does this mean that I need to add the command /var/ossec/bin/ossec-control start to the list of startup applications?

Information Update:

I have found that unless I run this command to manually start OSSEC HIDS:

sudo /var/ossec/bin/ossec-control start

then if I run the command to check the status:

sudo /var/ossec/bin/ossec-control status

This is the output:

ossec-monitord not running...
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd not running...

So it does not seem that it starts automatically; how can I get it to do this then? I have also found that I cannot add this to the list of startup applications, as the start command requires sudo to be executed.


OS Information:

Description:    Ubuntu 14.10
Release:    14.10

3 Answers


OSSEC = Open Source SECurity

HIDS = host-based intrusion detection system (HIDS)

http://www.ossec.net/

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

From the message, OSSEC will automatically start on boot and runs as a service in the background.

To manually start or stop, use

sudo /var/ossec/bin/ossec-control start
sudo /var/ossec/bin/ossec-control stop

You do not need to do anything else.

See also http://ubuntuforums.org/showthread.php?t=213445

Although it is possible my forums post may be a bit dated, for the most part it should help. If there is a problem with the post, post in the forums.

Panther

Not sure if you fixed this or not, but if you are still using 14.10 then you can try this:

sudo nano /etc/init.d/ossec

copy this:

#!/bin/sh
# SysV init wrapper for OSSEC on Ubuntu 14.10: delegates to ossec-control
# so that update-rc.d can run it at boot and shutdown.

case "$1" in
start)
  /var/ossec/bin/ossec-control start
;;
stop)
  /var/ossec/bin/ossec-control stop
;;
restart)
  # Stop, give the daemons a moment to exit, then start again.
  $0 stop && sleep 3
  $0 start
;;
reload)
  $0 stop
  $0 start
;;
*)
  echo "Usage: $0 {start|stop|restart|reload}"
  exit 1
;;
esac

Ctrl+o (save), Ctrl+x (exit)

sudo chmod +x /etc/init.d/ossec
sudo update-rc.d ossec defaults

Test: sudo /etc/init.d/ossec start

Hope this helps.

Adathor
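The init script above only starts and stops OSSEC; nothing on the page checks whether the six daemons listed in the question's status output actually came up after boot. The following is an added example, not code from the answer above or from the OSSEC project: a POSIX sh status check that parses ossec-control status output, lists the daemons reported as "not running", and returns an LSB-style exit code (0 all running, 1 partly running, 3 nothing running) that an init script's status action or a cron/monitoring job can act on. The OSSEC_CONTROL variable, the function names and the sample status outputs are assumptions constructed for this example; the default path is the one the installer printed.

```shell
#!/bin/sh
# Added example, not part of the original answer or of OSSEC itself:
# parse `ossec-control status` output and report which daemons are down.
# OSSEC_CONTROL (assumed name) is overridable so the logic can be exercised
# on a machine without OSSEC; the default is the path the installer printed.
OSSEC_CONTROL="${OSSEC_CONTROL:-/var/ossec/bin/ossec-control}"

# Constructed sample: every daemon stopped (as in the question's output).
sample_status_down() {
    printf '%s\n' \
        'ossec-monitord not running...' \
        'ossec-logcollector not running...' \
        'ossec-syscheckd not running...' \
        'ossec-analysisd not running...' \
        'ossec-maild not running...' \
        'ossec-execd not running...'
}

# Constructed sample: every daemon up (the shape ossec-control prints when healthy).
sample_status_up() {
    sample_status_down | sed 's/ not running/ is running/'
}

# Constructed sample: one daemon down, the partial failure a boot check must catch.
sample_status_partial() {
    sample_status_up | sed 's/^ossec-syscheckd is running/ossec-syscheckd not running/'
}

# list_down: read status lines on stdin and print the names of daemons that are
# "not running", one per line (prints nothing when all are up).
list_down() {
    sed -n 's/^\([a-z-]*\) not running.*/\1/p'
}

# count_down: read status lines on stdin and print how many daemons are down.
count_down() {
    list_down | wc -l | tr -d ' '
}

# ossec_status_check: read status lines on stdin and return an LSB-style code:
#   0 = every daemon running, 1 = some running and some not, 3 = nothing running
#   (also 3 when the input contains no recognisable status lines at all).
ossec_status_check() {
    total=0
    down=0
    while IFS= read -r line; do
        case "$line" in
            *' not running'*) down=$((down + 1)); total=$((total + 1)) ;;
            *' is running'*)  total=$((total + 1)) ;;
        esac
    done
    if [ "$total" -eq 0 ] || [ "$down" -eq "$total" ]; then
        return 3
    elif [ "$down" -eq 0 ]; then
        return 0
    else
        return 1
    fi
}

# ossec_status: run the real ossec-control, echo its report, name anything that
# is down, and return the LSB-style code so init or monitoring can act on it.
ossec_status() {
    out=$("$OSSEC_CONTROL" status || true)
    printf '%s\n' "$out"
    down_names=$(printf '%s\n' "$out" | list_down)
    # shellcheck disable=SC2086  # unquoted on purpose: one word per daemon name
    [ -z "$down_names" ] || printf 'not running:%s\n' "$(printf ' %s' $down_names)"
    printf '%s\n' "$out" | ossec_status_check
}

# Run directly: "status" queries the real daemons; anything else (the default)
# exercises the parser on the constructed samples, which needs no OSSEC install.
case "${1:-selfcheck}" in
    status) ossec_status ;;
    *)
        for s in sample_status_up sample_status_partial sample_status_down; do
            rc=0
            $s | ossec_status_check || rc=$?
            printf '%s: %s down, exit code %s\n' "$s" "$($s | count_down)" "$rc"
        done
        ;;
esac
```

Dropped into /etc/init.d/ossec as a status) branch (calling ossec_status), this makes "service ossec status" return a meaningful exit code instead of only printing text, and the partial-failure case shows why counting "not running" lines matters: a single stopped ossec-syscheckd would otherwise hide behind five healthy daemons.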

One way to run OSSEC at startup is to add the start command to /etc/rc.local before the exit 0 line and after #! /bin/sh. Though this is no longer necessary now that OSSEC supports systemd.

muru