Saturday, June 2, 2012

Installing OSSEC on Mac OS X Lion

I'm installing OSSEC on my mac as both a server and an agent, so the mac host is the server that manages everything, and the mac is also an agent of itself. My VMs will also have agents installed, and they will be responsible to my mac host.

Installation log:

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: 

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]: 

   - What's your e-mail address? 
   - What's your SMTP server ip/host?

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: 

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: 

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific 
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.  
       More information at:
   - Do you want to enable active response? (y/n) [y]: 

     - Active response enabled.
   - By default, we can enable the host-deny and the 
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, 
     portscans and some other forms of attacks. You can 
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]: 

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:

   - Do you want to add more IPs to the white list? (y/n)? [n]: 

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: 

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/secure.log
    -- /var/log/system.log

 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at

While installing, I ran into this error:

To fix it, I found this:

Which later led me to this:!topic/ossec-list/CcpufVmh6rM
So I installed a different version of gcc with ports, gcc47.
This put /opt/local/gcc-mp-4.7; I merely did sudo mv gcc-mp-4.7, ran the installer, and then moved it back. This succeeded, and then I got this build log:
This was funny because it gave a LOT of warnings in the compilation of the components. Compilation didn't fail (I didn't put the compilation warnings in the pastebin link), but there was some funny inability to do chmod on ossec. It complained about some argument errors. I'm not sure if that is something that I should look into or if it will be ok, but I'm going to try and use it and hopefully things will work out fine. I'll look into things further if they don't pan out or if it malfunctions.

Final result: 

 - System is Darwin.
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at or using our public maillist at
    ( ).

    More information can be found at
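For reference, here is what the choices made above (e-mail notification, remote syslog on 514/udp, the two default localfile entries, and firewall-drop at level 6) look like once they land in /var/ossec/etc/ossec.conf, with one extra localfile entry of the kind section 3.6 says to add by hand. This is an added, trimmed illustration written for this post, not the installer's generated file; the e-mail addresses, SMTP host, allowed syslog network and the third log path are placeholders, and the allowed-ips block is required because ossec-remoted refuses a syslog listener with no allowed source network.

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>        <!-- placeholder -->
    <smtp_server>smtp.example.com</smtp_server>   <!-- placeholder -->
    <email_from>ossec@example.com</email_from>    <!-- placeholder -->
    <!-- Active-response white list: never block the server itself -->
    <white_list>127.0.0.1</white_list>
  </global>

  <!-- 3.5: remote syslog on 514/udp; restrict to the VM network (placeholder) -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.56.0/24</allowed-ips>
  </remote>

  <!-- Encrypted agent channel used by the VM agents reporting to this host -->
  <remote>
    <connection>secure</connection>
  </remote>

  <!-- 3.6: the two logs the installer picked, plus one added manually -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/system.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/install.log</location>   <!-- placeholder extra file -->
  </localfile>

  <!-- 3.4: firewall-drop, local only, fired for alerts of level 6 and up -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>   <!-- unblock after 10 minutes -->
  </active-response>
</ossec_config>
```

After editing, restart with /var/ossec/bin/ossec-control restart and check /var/ossec/logs/ossec.log for configuration errors before trusting that the new entry is being read.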
