How to remove OSSEC Agent on macOS Sierra

I’ve been trying to find a way to remove OSSEC on one of my Macs. Most documentation is a bit outdated and references files from yesteryear, so here’s how to do it on macOS Sierra in 2018.

These instructions were written with OSSEC 2.8 in mind. I’m not familiar with later versions.

Removing the three system users

The OSSEC Agent creates three system users that are present every time your Mac starts. They’re called ossec, ossecm and ossecr. OSSEC runs its various scripts and services under these accounts.

To remove them on macOS, head over to /System/Library/CoreServices/Applications and start the Directory Utility app. Click the lock icon at the bottom left and enter your password to make changes (that lock icon only appears when you click on Services or Search Policy).

Select the Directory Editor and search for “ossec”. You should find the three system users. Select them and remove them using the little minus icon at the bottom left.

Removing files

We’ll have to remove everything under /var/ossec as well as the configuration file /etc/ossec-init.conf.

Since OSSEC was likely installed from source, there are no handy graphical utilities to help us. Instead, execute the following commands from the command line:

Removing System Daemons

While daemons live in /etc/init.d on Linux distributions, on macOS they are defined by .plist files in /Library/LaunchAgents and /Library/LaunchDaemons. In the latter we find one like this:

The exact name will depend on your user name and machine name. Remove this file, then restart your system.
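The three removal steps above, collected into one script as an added example (not from the original post). It assumes the launchd plist filename contains “ossec”; a plist named differently must still be removed by hand. ROOT lets you rehearse the file removal against a scratch directory before running it for real as root with ROOT empty; the user deletion uses dscl, the command-line counterpart of Directory Utility, and is skipped where dscl does not exist.

```shell
#!/bin/sh
# Added example: clean up an OSSEC 2.8 agent on macOS.
# ROOT="" (default) acts on the real system; ROOT=/some/dir rehearses on a copy.
ROOT="${ROOT:-}"

# List every OSSEC leftover still present: the two paths the post names plus
# any launchd plist whose name contains "ossec" (assumption, see lead-in).
ossec_remaining_paths() {
    for p in "$ROOT/var/ossec" "$ROOT/etc/ossec-init.conf"; do
        [ -e "$p" ] && echo "$p"
    done
    for d in "$ROOT/Library/LaunchDaemons" "$ROOT/Library/LaunchAgents"; do
        [ -d "$d" ] && find "$d" -maxdepth 1 -name '*ossec*.plist'
    done
    return 0
}

# Unload launchd jobs first, then delete files; succeed only if nothing remains.
ossec_remove_files() {
    ossec_remaining_paths | while IFS= read -r p; do
        case "$p" in
            */LaunchDaemons/*|*/LaunchAgents/*)
                command -v launchctl >/dev/null 2>&1 && launchctl unload "$p" 2>/dev/null
                ;;
        esac
        rm -rf "$p"
    done
    [ -z "$(ossec_remaining_paths)" ]
}

# Delete the three service accounts; dscl only exists on macOS, so skip elsewhere.
ossec_remove_users() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found, skipping users" >&2; return 0; }
    for u in ossec ossecm ossecr; do
        dscl . -read "/Users/$u" >/dev/null 2>&1 && dscl . -delete "/Users/$u"
    done
    return 0
}

# Run the whole procedure only when asked explicitly: sudo sh cleanup.sh --run
if [ "${1:-}" = "--run" ]; then
    ossec_remove_users
    if ossec_remove_files; then
        echo "OSSEC agent removed; restart the system now."
    else
        echo "Some paths remain, remove them by hand:"; ossec_remaining_paths
    fi
fi
```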

Further Reading

How to fix Duplicate Counter Error in OSSEC

You may come across a duplicated counter / duplicate error in OSSEC. This can happen when you add an agent to the server again that was previously added (say when you had to rebuild the OSSEC Server).

The agent is basically saying “hey I’ve got some data here which doesn’t line up with what I should be getting from the server”.

This problem can be resolved easily – let me show you how.

How to install OSSEC HIDS on CentOS 6 and 7

Remote computers are under constant attack by Evil Dudes – that’s especially true for Linux servers. To prevent such attacks by Evil Dudes from Hacker Land, I’ve been relying on the amazing OSSEC Host Intrusion Detection System on all my machines.

Even though the OSSEC website is great, I always forget the simple steps that are involved in getting it up and running on a brand new server. Here are the steps that work for me.

I originally wrote this article in 2011 for OSSEC 2.6, but I’ve just updated and tested the instructions again with OSSEC 2.8.1 on CentOS 7. It’s my go-to guide on how to get OSSEC up and running. However, by the time you read this it may all be completely out of date – please bear that in mind. Thanks 😉
