

Free Lunch :: OSSEC

Product Information


Name: OSSEC
Website: http://www.ossec.net/
Category: Intrusion Detection
Date: 15-April-07

(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive)

OSSEC is an open source host based intrusion detection system. The website states, "It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response." That is a mouthful.

Regardless of your opinion of HIDS and IDSes in general, OSSEC probably covers at least one item on your "I need that" checklist. You may already have log analysis tools but lack host integrity checking. If you like the functionality of the open source Tripwire but need centralized reporting and data gathering, then OSSEC is for you.

System integrity checking is one area that highlights OSSEC's architecture. One can choose to run in a client/server or standalone design. The agent is a slimmed-down server install and doesn't listen on any ports. In classic client style, it actively opens connections to the server when it has data to send. Communications occur over UDP 1514. Traffic is compressed and encrypted using Blowfish with a 192-bit key. Agents are authorized to the server using a pre-shared key, which also acts as the encryption key. In the case of host integrity checking, this means one no longer needs to store the integrity database on the monitored host. Where other integrity checkers store the database on a non-writable medium (very laborious) or in a risky obfuscated partition, OSSEC uses the client/server architecture to keep the data on the server. The client sends snapshots to the server, which in turn calculates the integrity delta, so an intruder on the host has no local baseline to tamper with. Adding to OSSEC's security design is its use of chroot. A vanilla install from source sets up a few users to run the separate processes and ensures that the processes chroot themselves wherever they can (the daemons that must read the host's own files and logs, such as the log collector and the integrity checker, necessarily run outside the jail). This is a nice added benefit lacking in many open source products.
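As an added example (not from the original post, and not the OSSEC project's shipped defaults), here is what that agent/server split looks like in configuration. The element names are OSSEC's own; the server address 192.0.2.10, the directory list and the ignored files are assumptions chosen for illustration.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf on the monitored host.
     The agent only ever opens UDP 1514 outbound to the server; it binds nothing.
     Server address 192.0.2.10 and the directory list are illustrative. -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>

  <syscheck>
    <!-- Re-scan every 2 hours; the baseline is kept on the server, not here. -->
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <!-- Files that legitimately churn; listing them avoids a constant stream of deltas. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
  </syscheck>
</ossec_config>

<!-- Server side: /var/ossec/etc/ossec.conf on the OSSEC manager.
     "secure" is the agent channel (compressed, Blowfish-encrypted); 1514/udp is its default port. -->
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>
```

The pre-shared key is generated on the server with `manage_agents`, which writes one line per agent (`<id> <name> <ip> <key>`) to `/var/ossec/etc/client.keys`; the same tool imports the key on the agent. A quick check that the design holds after startup: a UDP socket listing on the agent (for example `netstat -lnu`) should show no OSSEC listener, while on the server `ossec-remoted` should be bound to 1514.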

OSSEC does provide other features, which include log analysis, a Windows registry checker, rootkit detection, a robust alerting system and active response actions. There is too much in this product to cover in the regular monthly Free Lunch, but let's home in on log analysis for a moment. Log analysis is an important requirement for security monitoring. OSSEC ships with a ton of prebuilt log rules. At runtime it monitors the standard system logs, and a few simple configuration statements add or remove files from that list. Logs are processed by a speedy engine that attempts to match rules stored in XML files. The rule definitions are robust, allowing for options such as alert level, regular expression matching, process lookup, source-IP matching and over 25 other directives. One word of caution: learn how to write your own rules. This is especially important when you need to ignore log events. By default, nearly every log line will match some rule and send an alert. Great by design, as you'd rather be alerted by default; however, it can be frightful at first when the storm of email alerts comes thundering into your inbox.
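An added example of the rule-writing the paragraph above warns about; it is not from the original post or from OSSEC's stock rule set. The log file path, the application message format, the service account name and rule IDs 100001, 100010 and 100011 are assumptions (OSSEC reserves IDs 100000-109999 for local rules). Stock rule 5402 is OSSEC's "Successful sudo to ROOT executed" rule.

```xml
<!-- /var/ossec/etc/ossec.conf: add one file to the log collector.
     Deleting a <localfile> block stops monitoring that file. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/myapp/auth.log</location>   <!-- assumed path -->
  </localfile>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: site rules, evaluated after the stock set. -->
<group name="local,syslog,">

  <!-- Silence a known-noisy case without losing the stock alert.
       Rule 5402 fires for every successful sudo, including a cron job's.
       A child rule (if_sid) at level 0 is ignored by the engine, so sudo by the
       automation account is dropped while sudo by anyone else still alerts. -->
  <rule id="100001" level="0">
    <if_sid>5402</if_sid>
    <match>backup-agent</match>   <!-- assumed service account name -->
    <description>Ignore sudo by the scheduled backup job.</description>
  </rule>

  <!-- Custom detection for the application log above, written in OSSEC's own
       regex dialect (\w, \S, \d, ^, $). One hit alerts at level 5. -->
  <rule id="100010" level="5">
    <regex>^login rejected for user \w+ from \S+$</regex>   <!-- assumed message format -->
    <description>myapp: rejected login.</description>
  </rule>

  <!-- Correlation: repeated hits of the rule above inside 120 seconds escalate
       to level 10, a common threshold for e-mail alerts. -->
  <rule id="100011" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100010</if_matched_sid>
    <description>myapp: repeated rejected logins (possible brute force).</description>
  </rule>

</group>
```

Two caveats a practitioner will hit: first, if a stock rule already matches your line, the custom top-level rule may never be reached, so hang the new rule off the stock one with `<if_sid>` instead; second, always feed a sample line through `/var/ossec/bin/ossec-logtest` to see which decoder and rule actually fire before restarting the server.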

Product Rating

Features:
Ease of Use:
Documentation:
Community:
Overall:

Enough about the features; let's quickly cover ease of use, documentation and community. After a few hours of tinkering, the system became easy to use and understand. Configuration directives are stored in simple, readable configuration files. Install was a breeze, though upgrades are generally a better test of an install process. We'll have to wait for the next version and see. Documentation was adequate if you already have an idea of what is going on. We would have liked more macro-level discussion; topics like deployment best practices and overall architecture design would be a nice addition. The community around OSSEC is hard to gauge. We noticed the mailing lists are active and there are many references to OSSEC on the Internet, yet the wiki site seems ominously quiet. This dichotomy leads one to believe that there aren't many active developers, though we need to point out there are more than a dozen developer and contributor names on the OSSEC website. By all accounts, we don't think OSSEC is going away soon, but users should spend more time giving back.

OSSEC is licensed under the terms of version 2 of the GNU GPL.

Enjoy the Free Lunch.


Comments (1)

duel:

ossec rocks


Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for setting and enforcing the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department. He is a Certified Information Systems Security Professional (CISSP).

About

This page contains a single entry from the blog posted on April 16, 2007 9:16 AM.
