
I have just installed the current stable release of OSSEC (2.8.1) for Ubuntu, but at the end of the installation I noticed that it said:

- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
        /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
        /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

So what is OSSEC HIDS? Is it the actual program or something else? If it is the actual program, does this mean that I need to add the command /var/ossec/bin/ossec-control start to the list of startup applications?

Information Update:

I have found that unless I run this command to manually start OSSEC HIDS:

sudo /var/ossec/bin/ossec-control start

then if I run the command to check the status:

sudo /var/ossec/bin/ossec-control status

This is the output:

ossec-monitord not running...
ossec-logcollector not running...
ossec-syscheckd not running...
ossec-analysisd not running...
ossec-maild not running...
ossec-execd not running...

So it does not seem to start automatically; how can I get it to do this? I have also found that I cannot add this to the list of startup applications, as the start command requires sudo to be executed.


OS Information:

Description:    Ubuntu 14.10
Release:    14.10
  • I'd stick that command in /etc/rc.local, where the sudo wouldn't be needed. – muru Apr 05 '15 at 10:20
  • @muru: What? The start command? If yes, should I include sudo at the start of the command? –  Apr 05 '15 at 10:21
  • Yes, add /var/ossec/bin/ossec-control start to /etc/rc.local, and without the sudo. Commands in rc.local are run as root. – muru Apr 05 '15 at 10:23
  • @muru: Ok, will try that... most of that script at the moment seems to be commented out, should I uncomment out the first line #!/bin/sh -e at least? And should I just leave the exit 0 there? –  Apr 05 '15 at 10:24
  • @muru: And if I leave the exit 0 in there, should I put my command before or after it, or does it not matter? –  Apr 05 '15 at 10:26
  • #!/bin/sh -e is a shebang, not a comment. – muru Apr 05 '15 at 10:26
  • And of course you have to add your command before exit 0 - if the script exits before your command, how will it get executed? – muru Apr 05 '15 at 10:27
  • @muru: Oh yes, of course, sorry, silly me I forgot... Been working on too many programming languages at the same time now, and I've started to get them a little mixed up! :D –  Apr 05 '15 at 10:27
  • @muru: Ok, I will restart now and check if it worked... –  Apr 05 '15 at 10:28
  • @muru: Ok, I have now restarted, but it still did not run at start up (I checked with the status command). Although you should note that if the machine is not connected to the internet when that command is executed, the command fails, so that could be part of the problem. Is there a way to start it at startup and to check its exit code, so that if it fails you can just try to start it again until it starts? –  Apr 05 '15 at 10:34
  • How did you install it? configure make install or the install.sh. I checked the README/INSTALL docs, and the install.sh should make it autostart, but configure make install probably won't. I'm guessing you tried to super-manually install it and failed. – RobotHumans Apr 05 '15 at 11:35
  • @hbdgaf: I just installed it using the .sh file. Using the local mode, all of the installation should have been automated. But I would like to know how it makes it automated, so that maybe I could do that manually. –  Apr 10 '15 at 12:51
  • This is a version 14 question. With version 15 and systemd one can just use the systemd-provided mechanisms, throwing ossec-control completely away. – JdeBP May 04 '15 at 18:19
  • @muru: Could you please post as an answer that I should tell it to start in my /etc/rc.local file as this fixed my problem, but there is no answer to accept here. Also you should probably mention that on 15.04 it works fine without adding that because it already is started on system startup with systemd. :) –  Aug 20 '15 at 08:52
  • It did? I thought you said it failed to start because of the network not coming up in time? – muru Aug 20 '15 at 08:54
  • @muru: It did if I made sure that my Ethernet cable was plugged in during start up, otherwise I would have to start it manually after logging in, but I never really had a problem with it thanks to your solution. –  Aug 20 '15 at 09:02
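The retry-until-started behaviour asked about in the comments, as an added example that is not part of the original question or of OSSEC itself. It is meant to be pasted into /etc/rc.local before the exit 0 line; the ossec-control path is the one from the question, while the retry count, the delay and the log file name are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original question or from OSSEC): retry
# "ossec-control start" from /etc/rc.local until it reports success,
# since the poster found it fails when the network is not yet up.
# The path below comes from the question; the retry count, delay and
# log file are arbitrary choices made for this example.

OSSEC_CONTROL="${OSSEC_CONTROL:-/var/ossec/bin/ossec-control}"
BOOT_LOG="${OSSEC_BOOT_LOG:-/var/log/ossec-boot.log}"

# start_with_retry CMD MAX_TRIES DELAY
# Runs CMD and checks its exit code; on failure waits DELAY seconds and
# tries again, up to MAX_TRIES attempts in total. Returns 0 as soon as
# one attempt succeeds, 1 if every attempt fails. Because CMD is tested
# inside "if", a failing attempt does not abort "sh -e", which is how
# /etc/rc.local is run (its shebang is "#!/bin/sh -e").
start_with_retry() {
    cmd="$1"
    max_tries="$2"
    delay="$3"
    attempt=1
    while [ "$attempt" -le "$max_tries" ]; do
        if $cmd; then
            return 0
        fi
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$max_tries" ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# Only try to start OSSEC when it is actually installed, so this file can
# also be sourced and exercised on a machine that does not have it.
if [ -x "$OSSEC_CONTROL" ]; then
    if start_with_retry "$OSSEC_CONTROL start" 5 10; then
        echo "$(date): OSSEC HIDS started" >> "$BOOT_LOG"
    else
        echo "$(date): OSSEC HIDS did not start after 5 attempts" >> "$BOOT_LOG"
    fi
fi
```

One practical point: a bare `/var/ossec/bin/ossec-control start` placed in rc.local will, if it exits non-zero, stop the rest of rc.local because that file runs under `sh -e`; wrapping the call in an `if` as above avoids that even when every retry fails.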

3 Answers


OSSEC = Open Source SECurity

HIDS = host-based intrusion detection system

http://www.ossec.net/

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

From the message, OSSEC will automatically start on boot and runs as a service in the background.

To manually start or stop use

sudo /var/ossec/bin/ossec-control start
sudo /var/ossec/bin/ossec-control stop

You do not need to do anything else.

See also http://ubuntuforums.org/showthread.php?t=213445

Although it is possible my forum post may be a bit dated, for the most part it should help. If there is a problem with the post, post in the forums.

Panther
  • So it definitely starts on startup because I do not receive any emails from it until I start it manually? And when I start it manually it tells me that it has successfully started the services, instead of telling me that they are already running? –  Apr 04 '15 at 17:40
  • you may wish to install the web interface - http://www.ossec.net/wiki/index.php/OSSECWUI:Install – Panther Apr 04 '15 at 18:11
  • you can likely run sudo /var/ossec/bin/ossec-control status – Panther Apr 04 '15 at 18:12
  • If I do not first run the command to manually start OSSEC HIDS, then if I run the command to get the status this is the output: ossec-monitord not running... ossec-logcollector not running... ossec-syscheckd not running... ossec-analysisd not running... ossec-maild not running... ossec-execd not running... –  Apr 05 '15 at 10:08
  • I have added more information to my original question. –  Apr 05 '15 at 10:13

Not sure if you fixed this or not, but if you are still using 14.10 then you can try this:

sudo nano /etc/init.d/ossec

copy this:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          ossec
# Required-Start:    $remote_fs $syslog $network
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: OSSEC HIDS
### END INIT INFO
# The LSB header above is what update-rc.d/insserv use to order the
# script; $network in Required-Start makes it run after networking is up.

OSSEC_CONTROL=/var/ossec/bin/ossec-control

case "$1" in
start)
  $OSSEC_CONTROL start
;;
stop)
  $OSSEC_CONTROL stop
;;
restart)
  $0 stop && sleep 3
  $0 start
;;
reload)
  $0 stop
  $0 start
;;
status)
  $OSSEC_CONTROL status
;;
*)
  echo "Usage: $0 {start|stop|restart|reload|status}"
  exit 1
;;
esac

exit 0

Ctrl+O (save), Ctrl+X (exit)

sudo chmod +x /etc/init.d/ossec
sudo update-rc.d ossec defaults

Test: sudo /etc/init.d/ossec start

Hope this helps.

Adathor

One way to run OSSEC at startup is to add the start command to /etc/rc.local before the exit 0 line and after #! /bin/sh. Though this is no longer necessary now that OSSEC supports systemd.

muru
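For the systemd case mentioned in this answer and in the comments (Ubuntu 15.04 and later), here is an added example, not code from the original answer or from the OSSEC project, of a hand-written unit that wraps ossec-control. The unit name, the network-online ordering and Type=forking are assumptions made here; if a packaged OSSEC ships its own unit, use that instead.

```shell
#!/bin/sh
# Added example, not from the original answer or from OSSEC: a systemd
# unit wrapping ossec-control, plus a small installer function. The unit
# name "ossec.service", Type=forking and the network-online ordering are
# assumptions made for this example.

OSSEC_CONTROL="${OSSEC_CONTROL:-/var/ossec/bin/ossec-control}"

# ossec_unit_text: prints the unit file. Type=forking because
# ossec-control launches the OSSEC daemons, which background themselves,
# and then exits. After=/Wants=network-online.target holds the start
# until the network is up, which is the failure the poster saw with a
# plain boot-time start.
ossec_unit_text() {
    cat <<EOF
[Unit]
Description=OSSEC HIDS
After=network-online.target
Wants=network-online.target

[Service]
Type=forking
ExecStart=$OSSEC_CONTROL start
ExecStop=$OSSEC_CONTROL stop

[Install]
WantedBy=multi-user.target
EOF
}

# install_ossec_unit DIR: writes the unit into DIR (normally
# /etc/systemd/system) and prints the path written. Reloading and
# enabling are left to the caller so this can be tried without root.
install_ossec_unit() {
    dir="$1"
    unit="$dir/ossec.service"
    ossec_unit_text > "$unit" || return 1
    chmod 0644 "$unit"
    printf '%s\n' "$unit"
}

# Usage as root, once the unit is in place:
#   install_ossec_unit /etc/systemd/system
#   systemctl daemon-reload
#   systemctl enable ossec.service && systemctl start ossec.service
```

With the unit installed, `systemctl status ossec.service` and `journalctl -u ossec.service` replace the manual `ossec-control status` check from the question, and a start that fails before the network is up is retried by systemd's own ordering rather than by rc.local.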