Give our readers some background on the OSSEC project. How did it all start and evolve?
OSSEC is an open source HIDS that merges log analysis, file integrity monitoring, rootkit detection and active responses. It started as a side-project to help me solve some problems that I had on a previous job (6-7 years ago). They had the need to do integrity checking on multiple systems (Linux, Solaris, AIX, etc.) and Tripwire just didn't scale for us. We were forced to make it scale, and started using it because it was the only solution available at the time, but it was a pain to manage individually on 100+ servers.
To minimize my problems, I decided to spend some nights developing a solution that would act like a centralized Tripwire, with all the files, checksums and alerts on one system only. It was meant to be more secure and easy to manage and that's how the Syscheck project was born.
Next, what I needed was something like chkrootkit, but centralized and easy to add/remove stuff. A shell script with more than 1,000 lines didn't do it for me. That's how my second project, Rootcheck, was born - it did all that chkrootkit did, but in a centralized and more elegant manner, with all the checks specified in configuration files centrally (later it evolved to system auditing and more advanced tests).
Being an open source fan, I released both as open source and created the OSSEC project to host them. My idea was to use OSSEC as my repository of open source security projects. A little while after, I released a centralized log analysis tool, osaudit, with a rule engine to analyze, decode and correlate logs.
Having these three projects separated and constantly installing the three on all my systems, I thought, why not merge them all together in a full HIDS package? That's how the OSSEC HIDS started, and we first released it as a full HIDS in 2005. Later we added active responses, Windows support, agentless options to monitor routers and switches, and quite a few more.
Last year Third Brigade acquired the project and that helped even more with our development. Since then I can work on OSSEC during the day and have the luxury of sleep during the nights (when before it was the only time available to develop it).