Instant OSSEC Host-based Intrusion Detection System

How to do it...

OSSEC developers provide a wrapper script to encapsulate the configure, build, and install process into a single, prompted installation. The installation is guided, but we can look at a few important prompts along the way:

  1. To get started, run the installation script with superuser privileges as follows:
    $ sudo ./install.sh
    

    The first important question is what type of installation we will be performing:

    1- What kind of installation do you want (server, agent, local, hybrid or help)?
    

    The simplest configuration is the local profile. This configures OSSEC as a standalone daemon analyzing and correlating only locally to this system. It's a good starting point to get familiar with OSSEC.

  2. After a few simple questions, check for a prompt asking which analyzers to enable:
    3.2- Do you want to run the integrity check daemon? (y/n) [y]:
    

    The integrity check daemon monitors your critical files and binaries for changes. This is usually referred to as file integrity monitoring or FIM.

    3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
    

    The rootkit detection engine is a combination of signature- and anomaly-based checks to discover the presence of popular or yet-to-be-discovered rootkits on Linux/BSD systems. It looks for out-of-place or hidden files and strange network behavior.

    3.4- Do you want to enable active response? (y/n) [y]:
    

    Active response lets OSSEC run scripts when alerts are triggered. This feature gives OSSEC the capacity to move beyond a detection system into a prevention system. A few tested responses come standard with OSSEC.

    - Do you want to enable the firewall-drop response? (y/n) [y]:
    

    If you have active response enabled, OSSEC ships with a firewall-drop response that works on almost every operating system, without modification, and creates a firewall rule to drop traffic coming from IPs identified by the rules as attackers.

    - Do you want to add more IPs to the white list? (y/n)? [n]:
    

    If you have the firewall-drop response enabled, you'll be prompted to create a whitelist of IPs that will never be blocked by the active response system. If you have networks or IPs that you'd prefer not to be blocked, you can configure them here. Generally, critical systems should be excluded: DNS servers, LDAP servers, and mail servers. Without this protection, OSSEC may interrupt key communication channels during an attack. If you selected yes, use spaces to separate IPs and/or networks in CIDR notation, for example:

    - IPs (space separated):
     192.168.0.0/23 10.0.0.0/8 1.2.3.4
    

    OSSEC will now be built based on your answers to the questions and on information obtained from the build tools on your system. If everything goes successfully, the last message you see should look similar to the following:

    Installation Completed.
    

If you don't see this message, check the error message and correct the issue. OSSEC is designed to build without external libraries, but the build will fail if no C compiler is found.
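Because a whitelist gap only shows up when firewall-drop blocks a DNS, LDAP, or mail server during an incident, it is worth checking the answer to the "IPs (space separated)" prompt before you accept it. The following script is an added example, not code from the book or from the OSSEC project: it parses the space-separated IPs and CIDR networks exactly as the prompt expects them and reports which critical hosts (a constructed list) the whitelist would leave exposed to active response.

```python
"""Check the whitelist entered at the OSSEC install prompt against the
hosts that firewall-drop must never block (DNS, LDAP, mail servers)."""
import ipaddress


def parse_whitelist(prompt_answer: str) -> list:
    """Parse the answer to '- IPs (space separated):' into network objects.
    A bare IP becomes a single-host network (/32 or /128)."""
    networks = []
    for token in prompt_answer.split():
        # strict=False accepts host bits set, e.g. '192.168.0.1/23'
        networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def is_whitelisted(src_ip: str, networks: list) -> bool:
    """True if the source IP falls inside any whitelisted network, i.e.
    firewall-drop would leave it alone."""
    addr = ipaddress.ip_address(src_ip)
    # membership test returns False when address families differ (v4/v6)
    return any(addr in net for net in networks)


def uncovered_hosts(prompt_answer: str, critical_hosts: dict) -> dict:
    """Return {name: ip} for critical hosts NOT covered by the whitelist."""
    networks = parse_whitelist(prompt_answer)
    return {name: ip for name, ip in critical_hosts.items()
            if not is_whitelisted(ip, networks)}


# The whitelist value shown in the text, plus a constructed (hypothetical)
# set of critical servers to check it against.
WHITELIST_ANSWER = "192.168.0.0/23 10.0.0.0/8 1.2.3.4"
CRITICAL_HOSTS = {
    "dns-primary": "192.168.1.53",  # inside 192.168.0.0/23
    "ldap": "10.20.30.40",          # inside 10.0.0.0/8
    "mail-relay": "172.16.5.25",    # not covered: firewall-drop could block it
}

if __name__ == "__main__":
    for name, ip in uncovered_hosts(WHITELIST_ANSWER, CRITICAL_HOSTS).items():
        print(f"WARNING: {name} ({ip}) is not whitelisted; add it before enabling firewall-drop")
```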