As cloud services grow in complexity, size and reach, security controls and automation need to keep pace. There are many approaches to protecting systems from threats such as DDoS attacks and rootkits, including antivirus software and firewalls. It is also highly beneficial to run a custom Intrusion Detection System that monitors your network and hosts for malicious activity and policy violations.
Traditionally, Network Intrusion Detection Systems (NIDS), which analyze network traffic, were used for this purpose. However, that approach may not suit current environments with changing infrastructure and cloud services.
Host Intrusion Detection Systems (HIDS) monitor the host machine itself, watching for privilege escalation, rootkits, suspicious log entries and similar events. These systems overcome the shortcomings of NIDS in such environments.
OSSEC (Open Source Host-Based Intrusion Detection System) is a HIDS that monitors a wide assortment of event types that may indicate an intrusion. It matches these events against rules that, in turn, generate alerts (sent by email, IM, etc.) and trigger responses (such as blocking a specific host or stopping a given process).
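As an added illustration (not code from the eBook or from the OSSEC project itself), the fragments below show that event, rule, alert and response chain for one case: a local rule that correlates repeated SSH login failures, an alert threshold that emails on it, and an active response that blocks the source address for ten minutes. Rule id 100001 and the example.com addresses are placeholders; 5716 is the stock OSSEC rule for a failed SSH authentication, and firewall-drop.sh ships with OSSEC.

```xml
<!-- /var/ossec/rules/local_rules.xml : correlate repeated SSH failures -->
<group name="local,syslog,sshd,">
  <!-- Fires when the stock rule 5716 (SSHD authentication failed)
       has matched 6 times within 120 seconds from the same source IP. -->
  <rule id="100001" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Local: repeated SSH authentication failures from one source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf (fragments inside <ossec_config>) -->
<!-- Where alerts go: every alert is logged, level 10 and above is emailed. -->
<global>
  <email_notification>yes</email_notification>
  <email_to>secops@example.com</email_to>
  <smtp_server>smtp.example.com</smtp_server>
  <email_from>ossec@example.com</email_from>
</global>
<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>10</email_alert_level>
</alerts>

<!-- The response: the bundled firewall-drop.sh script, given the source IP. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- Bind the response to the local rule; the block is lifted after 600 s. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100001</rules_id>
  <timeout>600</timeout>
</active-response>
```

After editing, restart OSSEC and confirm the rule loads by checking /var/ossec/logs/ossec.log; the matching alerts appear in /var/ossec/logs/alerts/alerts.log with rule id 100001.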
The problem with using OSSEC as shipped is that it has several serious limitations: it needs a human to answer prompts, processes must be restarted by hand, and agent authentication is clumsy. The software itself is solid, however, and if we can automate it and make it accountable, it becomes an excellent way to implement a free, custom HIDS.
We have overcome these pain points of OSSEC with help on authentication, tweaks to event triggering, and automation of key operations such as restarts.
We use only upstream OSSEC code, simple and open dependencies, and Ansible for the automation, giving a workable solution that anyone can apply to their own systems.
If you would like to know how to automate and enhance OSSEC for your systems, please download our eBook, Tutorial: Automating OSSEC HIDS Deployment on Modern Infrastructure Pipelines for Security at a Touch. We can also help create custom security solutions for your networks; ask us how.