Q&A: OSSEC, the open source host-based intrusion detection system

Daniel B. Cid is the founder of the open source OSSEC HIDS and a principal researcher at Trend Micro. He has a special interest in intrusion detection, log analysis and secure development. In this interview he discusses the open source host-based intrusion detection system in detail.

Give our readers some background on the OSSEC project. How did it all start and evolve?
OSSEC is an open source HIDS that merges log analysis, file integrity monitoring, rootkit detection and active responses. It started as a side-project to help me solve some problems that I had on a previous job (6-7 years ago). They had the need to do integrity checking on multiple systems (Linux, Solaris, AIX, etc.) and Tripwire just didn’t scale for us. We were forced to make it scale, and started using it because it was the only solution available at the time, but it was a pain to manage individually on 100+ servers.

To minimize my problems, I decided to spend some nights developing a solution that would act like a centralized Tripwire, with all the files, checksums and alerts on one system only. It was meant to be more secure and easy to manage and that’s how the Syscheck project was born.

Next, what I needed was something like chkrootkit, but centralized and easy to add/remove stuff. A shell script with more than 1,000 lines didn’t do it for me. That’s how my second project, Rootcheck, was born – it did all that chkrootkit did, but in a centralized and more elegant manner, with all the checks specified in configuration files centrally (later it evolved to system auditing and more advanced tests).

Being an open source fan, I released both as open source and created the OSSEC project to host them. My idea was to use OSSEC as my repository of open source security projects. A little while after, I released a centralized log analysis tool, osaudit, with a rule engine to analyze, decode and correlate logs.

Having these three projects separated and constantly installing the three on all my systems, I thought, why not merge them all together in a full HIDS package? That’s how the OSSEC HIDS started and we first released it as a full HIDS in 2005. Later we added active responses, Windows support, agentless options to monitor routers and switches and quite a few more.

Last year Third Brigade acquired the project and that helped even more with our development. Since then I can work on OSSEC during the day and have the luxury of sleep during the nights (when before it was the only time available to develop it).

When looking at OSSEC, what features would you emphasize as the most important? What do your users appreciate the most?
Many projects (especially commercial ones) add features based on market requirements or just based on the latest trend. Coming from a system admin background, I like to add features that make the job of admins and security analysts easier. That’s the end goal of OSSEC.

I think what most users appreciate is the fact that we actually try to make their life easier and we listen to them. The installation is simple. I spent months trying to make a cross-platform installation script that would work everywhere (Linux, Solaris, AIX, HP-UX, Mac, etc.). And one of the most common compliments I hear is that the installation is a breeze and secure by default. We create privilege separation users, set up a chroot jail, fix the permissions, all automatically (same with upgrades).

We also try to make our community very open and friendly. You can chat with active users on IRC almost any time of the day, and we do help out a lot.

How many developers and contributors work on the OSSEC project?
We have lots of contributors, especially people helping with translations, rules, testing, etc. The active development team is just me right now, but we have lots of people sending small patches or diffs for features that they like. We had some people that helped for a little while too, but due to job, family, and other commitments, they couldn’t stick very long.

The Splunk-for-OSSEC application made it possible to integrate OSSEC alerts into Splunk. Did this combination bring in new users?
It’s more like an OSSEC-for-Splunk application, since we are feeding the data to them. It certainly brought new users because one thing OSSEC always lacked was a good web interface and Splunk gave that to us. If you combine our log analysis engine with their cool web search and reporting you get a very powerful tool. But at the end, I think we are giving them more users than the other way around 🙂

Over the years OSSEC has received numerous positive reviews. Does having well-known security professionals like Richard Bejtlich praising your work raise the bar on future versions? What kind of additions can we expect in the near future?
You know, most open source projects survive on passion and motivation alone. When someone of that caliber tells you that he is using OSSEC and actually enjoying it, it gives you so much motivation to keep working and keep improving the project. That applies not only to me, but to most open source developers out there.

Next time you try an open source tool and like it, send some kudos to the developers. That might give them the motivation they need to keep working on it. Right now Trend Micro pays me to develop OSSEC full time, but very few projects are that lucky.

As far as additions to the near future, OSSEC 2.2 is coming out in a few weeks!