Atlas Group's New England, New York, and California offices leverage our Biddeford, Maine operations center to deliver excellent and unique project based solutions.

OSSEC Security


OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrated log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting, and active response.

It runs on most operating systems including Linux, OpenBSD, FreeBSD, MacOS, Solaris, and Windows.

OSSEC is free software and will remain so in the future; you can redistribute it and/or modify it under the terms of the GNU General Public License (version 3) as published by the Free Software Foundation (FSF).

OSSEC is a growing project with more than 5,000 downloads per month on average. It is used by ISPs, universities, governments, and even large corporate data centers as their main HIDS solution. In addition to being deployed as a HIDS, it is commonly used strictly as a log analysis tool, monitoring and analyzing firewalls, IDSs, web servers, and authentication logs.

OSSEC Architecture

OSSEC is composed of multiple pieces. A central manager monitors everything and receives information from agents, syslog sources, databases, and agentless devices.

  • Manager: The manager is the central piece of the OSSEC deployment.  It stores the file integrity checking databases, the logs, events, and system auditing entries.  All the rules, decoders, and major configuration options are stored centrally in the manager, making it easy to administer even a large number of agents.
  • Agents: The agent is a small program installed on the systems you want to monitor. It collects information in real time and forwards it to the manager for analysis and correlation. It has a very small memory and CPU footprint by default, so it does not affect the system's performance.
  • Agent Security: The agent runs as a low-privilege user (created during the installation) and inside a chroot jail isolated from the rest of the system. Most of the agent configuration is pushed from the manager, with only a few options stored locally on each agent. If these local options are changed, the manager receives the information and generates an alert.
  • Agentless: For systems on which you cannot install an agent, OSSEC allows you to perform file integrity monitoring without one. This is very useful for monitoring firewalls, routers, and even Unix systems where you are not allowed to install the agent.
  • Virtualization/VMware: OSSEC allows you to install the agent on the guest operating systems or inside the host (VMware ESX). With the agent installed inside the VMware ESX host, you get alerts when a guest VM is installed, removed, started, and so on. It also monitors logins, logouts, and errors inside the ESX server. In addition, OSSEC performs the CIS checks for VMware, alerting if any insecure configuration option is enabled or any other issue is found.
  • Firewalls, switches, and routers: OSSEC can analyze syslog events from a large variety of firewalls, switches, and routers. It supports all Cisco routers, Cisco PIX, Cisco FWSM, Cisco ASA, Juniper routers, Netscreen firewalls, Checkpoint, and many others.
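As an added illustration of the manager-side alerting described above (example code written for this page, not OSSEC's own code), the following Python parses records in the layout the OSSEC manager writes to its alerts log and returns a per-agent count plus the alerts at or above a severity threshold. The sample records are constructed: agent names, addresses and timestamps are made up, and the rule ids and descriptions are modelled on OSSEC's stock sshd and syscheck rules.

```python
import re
from collections import Counter

# Constructed sample in the layout the OSSEC manager writes to logs/alerts/alerts.log; agent names, IPs and timestamps are made up.
SAMPLE_ALERTS = """\
** Alert 1700000000.1001: - syslog,sshd,authentication_failed,
2023 Nov 14 22:13:20 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: root
Nov 14 22:13:20 web01 sshd[4321]: Failed password for root from 198.51.100.7 port 51234 ssh2

** Alert 1700000060.1002: mail  - syslog,sshd,authentication_failures,
2023 Nov 14 22:14:20 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 198.51.100.7
Nov 14 22:14:20 web01 sshd[4330]: Failed password for root from 198.51.100.7 port 51240 ssh2

** Alert 1700000120.1003: - ossec,syscheck,
2023 Nov 14 22:15:20 (db01) 10.0.0.9->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

# Record layout: "** Alert <epoch>.<counter>: [mail] - <groups>," then "<date> (<agent>) <ip>-><location>" (just "<host>-><location>" for the manager itself) then "Rule: <sid> (level <n>) -> '<text>'"
HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<id>\d+):\s*(?P<mail>mail)?\s*- (?P<groups>.*)$")
ORIGIN = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?:\((?P<agent>[^)]+)\) \S+|(?P<host>\S+))->(?P<location>.*)$")
RULE = re.compile(r"^Rule: (?P<sid>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts(text):
    """Turn alerts.log text into a list of dicts; records are separated by blank lines."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines() + [""] * 3  # padding makes a truncated record fail the matches below
        head, origin, rule = HEADER.match(lines[0]), ORIGIN.match(lines[1]), RULE.match(lines[2])
        if not (head and origin and rule):
            continue  # malformed record: skip it rather than guess at its fields
        extra = dict(line.split(": ", 1) for line in lines[3:] if line.startswith(("Src IP: ", "User: ")))
        alerts.append({
            "id": f'{head["ts"]}.{head["id"]}', "mail": bool(head["mail"]),
            "groups": [g for g in head["groups"].split(",") if g],
            "agent": origin["agent"] or origin["host"], "location": origin["location"],
            "sid": int(rule["sid"]), "level": int(rule["level"]), "description": rule["desc"],
            "src_ip": extra.get("Src IP"), "user": extra.get("User"),
        })
    return alerts

def triage(alerts, min_level=10):
    """Alert count per agent, plus the alerts at or above the severity threshold."""
    return Counter(a["agent"] for a in alerts), [a for a in alerts if a["level"] >= min_level]
```

Running `triage(parse_alerts(SAMPLE_ALERTS))` on the sample yields two alerts from web01 and one from db01, with only the level-10 brute-force alert passing the default threshold.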