Set up OSSEC Host Intrusion Detection System with vulnerability scanning capabilities, CVE database integration, and automated alerting for comprehensive security monitoring across your infrastructure.
Prerequisites
- Root access to the server
- Internet connectivity for CVE database updates
- Email server for alert notifications
- Minimum 2GB RAM and 10GB disk space
What this solves
OSSEC provides real-time vulnerability detection by comparing your system's installed packages against known CVE databases and security advisories. This tutorial shows you how to configure OSSEC with vulnerability scanning, automated CVE matching, and alert notifications to detect security issues before they can be exploited.
Step-by-step configuration
Install OSSEC HIDS
Start by installing OSSEC and its dependencies. We'll install the server version which includes the vulnerability detection module.
```bash
sudo apt update
wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
sudo apt install -y ossec-hids-server
```
Run initial OSSEC configuration
Configure OSSEC with the setup script. Choose server mode and enable email notifications for vulnerability alerts.
```bash
sudo /var/ossec/bin/ossec-control stop
sudo /var/ossec/bin/install.sh
```
When prompted, select:
- Installation type: server
- Enable email notifications: yes
- SMTP server: your mail server or localhost
- Email from: ossec@example.com
- Email to: admin@example.com
Configure vulnerability detection module
Enable and configure the vulnerability detection module in OSSEC's main configuration file.
```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <os>noble</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="debian">
      <enabled>yes</enabled>
      <os>wheezy</os>
      <os>jessie</os>
      <os>stretch</os>
      <os>buster</os>
      <os>bullseye</os>
      <os>bookworm</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
</ossec_config>
```
Configure vulnerability alert rules
Create custom rules for vulnerability detection alerts with different severity levels.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<group name="vulnerability,">
  <rule id="23502" level="7" frequency="1">
    <if_sid>23500</if_sid>
    <field name="vulnerability.severity">High</field>
    <description>High severity vulnerability found: $(vulnerability.cve)</description>
    <group>vulnerability,pci_dss_6.2,gdpr_IV_35.7.d,</group>
  </rule>
  <rule id="23503" level="10" frequency="1">
    <if_sid>23500</if_sid>
    <field name="vulnerability.severity">Critical</field>
    <description>Critical vulnerability found: $(vulnerability.cve)</description>
    <group>vulnerability,pci_dss_6.2,gdpr_IV_35.7.d,</group>
  </rule>
  <rule id="23504" level="5" frequency="1">
    <if_sid>23500</if_sid>
    <field name="vulnerability.severity">Medium</field>
    <description>Medium severity vulnerability found: $(vulnerability.cve)</description>
    <group>vulnerability,pci_dss_6.2,gdpr_IV_35.7.d,</group>
  </rule>
  <rule id="23505" level="12" frequency="1">
    <if_sid>23500</if_sid>
    <!-- Matches a 9.x score or exactly 10.0 -->
    <field name="vulnerability.cvss">^9\.|^10\.0</field>
    <description>Very high CVSS score vulnerability: $(vulnerability.cve) (CVSS: $(vulnerability.cvss))</description>
    <group>vulnerability,pci_dss_6.2,gdpr_IV_35.7.d,</group>
  </rule>
</group>
```
Set up automated CVE database updates
Configure automatic updates for CVE databases to ensure you're always checking against the latest vulnerability information.
```xml
<wodle name="vulnerability-detector">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <update_interval>60m</update_interval>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2016</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</wodle>
```
Configure email alerting for vulnerabilities
Set up email notifications that trigger immediately when vulnerabilities are detected.
```xml
<email_alerts>
  <email_to>security-team@example.com</email_to>
  <level>7</level>
  <rule_id>23502,23503,23504,23505</rule_id>
  <do_not_delay>yes</do_not_delay>
  <do_not_group>yes</do_not_group>
</email_alerts>
<email_alerts>
  <email_to>critical-alerts@example.com</email_to>
  <level>10</level>
  <rule_id>23503,23505</rule_id>
  <do_not_delay>yes</do_not_delay>
  <do_not_group>yes</do_not_group>
</email_alerts>
```
Enable active response for critical vulnerabilities
Configure automatic responses to isolate systems when critical vulnerabilities are detected.
```xml
<command>
  <name>vulnerability-quarantine</name>
  <executable>vulnerability-response.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>vulnerability-quarantine</command>
  <location>local</location>
  <rules_id>23503,23505</rules_id>
  <timeout>3600</timeout>
</active-response>
```
Create vulnerability response script
Create a script that handles critical vulnerability responses by logging details and optionally isolating affected systems.
```bash
#!/bin/bash
# OSSEC Vulnerability Response Script
# Save as /var/ossec/active-response/bin/vulnerability-response.sh
# OSSEC invokes active-response scripts with: action, user, srcip, alert id, rule id
LOGFILE="/var/ossec/logs/active-responses.log"
ACTION=$1
USER=$2
IP=$3
ALERT_ID=$4
RULE_ID=$5
echo "$(date '+%Y-%m-%d %H:%M:%S') - Vulnerability Response: Action=$ACTION, User=$USER, IP=$IP, Alert=$ALERT_ID, Rule=$RULE_ID" >> "$LOGFILE"
case "$ACTION" in
  add)
    echo "$(date '+%Y-%m-%d %H:%M:%S') - CRITICAL VULNERABILITY DETECTED on $IP" >> "$LOGFILE"
    # Log to syslog for external monitoring
    logger -p local0.crit "OSSEC: Critical vulnerability detected on $IP - Alert ID: $ALERT_ID"
    # Optional: Send SNMP trap
    # snmptrap -v2c -c public monitoring-server '' 1.3.6.1.4.1.12345.1 1.3.6.1.4.1.12345.1.1 s "Critical vulnerability: $IP"
    ;;
  delete)
    # Called when the active-response timeout (3600s above) expires
    echo "$(date '+%Y-%m-%d %H:%M:%S') - Vulnerability response timeout for $IP" >> "$LOGFILE"
    ;;
esac
exit 0
```
```bash
sudo chmod 750 /var/ossec/active-response/bin/vulnerability-response.sh
sudo chown root:ossec /var/ossec/active-response/bin/vulnerability-response.sh
```
Configure vulnerability scan scheduling
Set up regular vulnerability scans and configure scan exclusions for development systems.
```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>
  <ignore_time>6h</ignore_time>
  <max_queue_size>16384</max_queue_size>
  <feed name="ubuntu-18">
    <disabled>no</disabled>
    <update_interval>60m</update_interval>
  </feed>
  <feed name="redhat-9">
    <disabled>no</disabled>
    <update_interval>60m</update_interval>
  </feed>
</vulnerability-detector>
```
Start OSSEC and enable services
Start the OSSEC service and enable it to run automatically on system boot.
```bash
sudo /var/ossec/bin/ossec-control start
sudo systemctl enable ossec
```
Verify the vulnerability detector is running:
```bash
sudo /var/ossec/bin/ossec-control status
tail -f /var/ossec/logs/ossec.log | grep vulnerability
```
Verify your setup
Check that OSSEC is properly detecting vulnerabilities and the CVE database is updating:
```bash
# Check OSSEC status
sudo /var/ossec/bin/ossec-control status
# Verify vulnerability detector is active
grep "vulnerability-detector" /var/ossec/logs/ossec.log
# Check CVE database updates
ls -la /var/ossec/wodles/vulnerability-detector/
# Test vulnerability detection manually
sudo /var/ossec/bin/ossec-logtest
# Check recent vulnerability alerts
tail -20 /var/ossec/logs/alerts/alerts.log | grep vulnerability
# Verify email configuration
sudo /var/ossec/bin/ossec-maild -t
```
Watch /var/ossec/logs/ossec.log for download progress.
Configure advanced vulnerability filtering
Create severity-based filtering
Configure OSSEC to only alert on specific CVSS scores or vulnerability types to reduce noise.
```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <filters>
    <cvss_score>7.0</cvss_score>
    <severity>High,Critical</severity>
    <ignore_package>test-package,dev-tools</ignore_package>
  </filters>
  <alerts>
    <format>json</format>
    <severity_levels>medium,high,critical</severity_levels>
  </alerts>
</vulnerability-detector>
```
Set up JSON output for external tools
Configure OSSEC to output vulnerability data in JSON format for integration with SIEM systems or monitoring tools.
```xml
<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>no</logall>
  <logall_json>no</logall_json>
</global>
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>203.0.113.10</allowed-ips>
</remote>
```
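To see how the email_alerts blocks above (level threshold plus rule_id filter) and the JSON alert output fit together, here is an added example, not code from the page or from OSSEC, of a consumer that reads alerts.json lines and works out who would be mailed for each finding. The nesting of the vulnerability fields under `data.vulnerability` is an assumption, and the sample alerts and CVE ids are constructed placeholders.

```python
import json
import re

# Recipient, minimum level and accepted rule ids, copied from the page's two <email_alerts> blocks.
ROUTES = [
    ("security-team@example.com", 7, {"23502", "23503", "23504", "23505"}),
    ("critical-alerts@example.com", 10, {"23503", "23505"}),
]
# Same test as rule 23505's <field name="vulnerability.cvss">: a 9.x score or 10.0.
VERY_HIGH_CVSS = re.compile(r"^9\.|^10\.0")

def parse_alert(line):
    """One alerts.json line -> dict. The field paths under data.vulnerability
    (cve, severity, cvss.cvss3.base_score) are an assumed layout, not from the page."""
    alert = json.loads(line)
    vuln = alert.get("data", {}).get("vulnerability", {})
    return {
        "rule_id": str(alert["rule"]["id"]),
        "level": int(alert["rule"]["level"]),
        "cve": vuln.get("cve", ""),
        "severity": vuln.get("severity", ""),
        "cvss": str(vuln.get("cvss", {}).get("cvss3", {}).get("base_score", "")),
    }

def very_high_cvss(alert):
    """True when the CVSS score would fire the page's rule 23505."""
    return VERY_HIGH_CVSS.match(alert["cvss"]) is not None

def recipients_for(alert):
    """Mirror email_alerts matching: alert level >= <level> and rule id listed in <rule_id>."""
    return [to for to, min_level, rules in ROUTES
            if alert["level"] >= min_level and alert["rule_id"] in rules]

def route(lines):
    """Map each recipient to the CVEs it would be mailed; non-JSON lines (a partially
    written alerts.json can contain them) are skipped rather than crashing the consumer."""
    mailbox = {}
    for line in lines:
        if not line.strip().startswith("{"):
            continue
        alert = parse_alert(line)
        for to in recipients_for(alert):
            mailbox.setdefault(to, []).append(alert["cve"])
    return mailbox

# Constructed sample alerts with placeholder CVE ids; rule ids and levels match the page's rules.
SAMPLE = [
    '{"rule":{"id":"23503","level":10},"data":{"vulnerability":{"cve":"CVE-0000-0001",'
    '"severity":"Critical","cvss":{"cvss3":{"base_score":"9.8"}}}}}',
    '{"rule":{"id":"23502","level":7},"data":{"vulnerability":{"cve":"CVE-0000-0002",'
    '"severity":"High","cvss":{"cvss3":{"base_score":"7.5"}}}}}',
    '{"rule":{"id":"23504","level":5},"data":{"vulnerability":{"cve":"CVE-0000-0003",'
    '"severity":"Medium","cvss":{"cvss3":{"base_score":"5.3"}}}}}',
    "not json: a truncated line",
]
```

`route(SAMPLE)` sends the level-10 critical finding to both addresses, the level-7 finding only to security-team, and nothing for the level-5 medium finding, which is the same split the two email_alerts blocks produce.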
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Vulnerability detector not starting | Missing CVE database or network issues | Check /var/ossec/logs/ossec.log and verify internet connectivity |
| No vulnerability alerts generated | No vulnerable packages found or filtering too restrictive | Lower CVSS threshold or check /var/ossec/logs/vulnerability-detector.log |
| CVE database download fails | Firewall blocking HTTPS or insufficient disk space | Allow HTTPS outbound and check df -h /var/ossec |
| Email alerts not sending | SMTP configuration incorrect | Test with sudo /var/ossec/bin/ossec-maild -t |
| High false positive rate | Default rules too sensitive | Adjust severity levels in vulnerability detector config |
| Performance issues during scans | Scan interval too frequent | Increase min_full_scan_interval to 12h or 24h |
Integration with monitoring systems
OSSEC vulnerability data can be integrated with external systems for centralized monitoring. You can configure OSSEC integration with Splunk or set up OSSEC with fail2ban integration for comprehensive threat response.
For production environments, consider implementing OSSEC active response to automatically respond to critical vulnerabilities.
Next steps
- Integrate OSSEC with Splunk for centralized security monitoring
- Configure OSSEC active response for automated threat blocking
- Set up OSSEC agent deployment and centralized management
- Configure OSSEC compliance monitoring for PCI-DSS and GDPR
- Implement OSSEC vulnerability remediation automation
Running this in production?
Automated install script
Run this to automate the entire setup
```bash
#!/usr/bin/env bash
set -euo pipefail
# OSSEC HIDS Vulnerability Detection Installation Script
# Production-quality installer for vulnerability scanning and CVE detection

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Configuration variables
ADMIN_EMAIL="${1:-admin@localhost}"
FROM_EMAIL="${2:-ossec@$(hostname -f)}"
SMTP_SERVER="${3:-localhost}"

# Usage message
usage() {
  echo "Usage: $0 [admin_email] [from_email] [smtp_server]"
  echo "Example: $0 admin@company.com ossec@server.com mail.company.com"
  exit 1
}

# Logging functions
log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }

# Cleanup function for rollback
cleanup() {
  log_error "Installation failed. Performing cleanup..."
  systemctl stop ossec >/dev/null 2>&1 || true
  [ -f /var/ossec/etc/ossec.conf.backup ] && mv /var/ossec/etc/ossec.conf.backup /var/ossec/etc/ossec.conf
  [ -f /var/ossec/rules/local_rules.xml.backup ] && mv /var/ossec/rules/local_rules.xml.backup /var/ossec/rules/local_rules.xml
}
trap cleanup ERR

# Check if running as root
if [[ $EUID -ne 0 ]]; then
  log_error "This script must be run as root"
  exit 1
fi

# Validate email format
if [[ ! "$ADMIN_EMAIL" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]; then
  log_error "Invalid admin email format"
  usage
fi

# Auto-detect distribution
if [ -f /etc/os-release ]; then
  . /etc/os-release
  case "$ID" in
    ubuntu|debian)
      PKG_MGR="apt"
      PKG_UPDATE="apt update"
      PKG_INSTALL="apt install -y"
      SERVICE_MGR="systemctl"
      ;;
    almalinux|rocky|centos|rhel|ol|fedora)
      PKG_MGR="dnf"
      PKG_UPDATE="dnf update -y"
      PKG_INSTALL="dnf install -y"
      SERVICE_MGR="systemctl"
      ;;
    amzn)
      PKG_MGR="yum"
      PKG_UPDATE="yum update -y"
      PKG_INSTALL="yum install -y"
      SERVICE_MGR="systemctl"
      ;;
    *)
      log_error "Unsupported distribution: $ID"
      exit 1
      ;;
  esac
else
  log_error "Cannot detect distribution"
  exit 1
fi
log_info "Detected distribution: $PRETTY_NAME"

echo "[1/8] Updating system packages..."
$PKG_UPDATE

echo "[2/8] Installing prerequisites..."
if [[ "$PKG_MGR" == "apt" ]]; then
  $PKG_INSTALL wget curl gnupg2 lsb-release
else
  $PKG_INSTALL wget curl gnupg2
fi

echo "[3/8] Adding Atomicorp repository..."
wget -q -O - https://updates.atomicorp.com/installers/atomic | bash

echo "[4/8] Installing OSSEC HIDS..."
$PKG_INSTALL ossec-hids-server

echo "[5/8] Stopping OSSEC for configuration..."
$SERVICE_MGR stop ossec || true

echo "[6/8] Backing up original configuration..."
[ -f /var/ossec/etc/ossec.conf ] && cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf.backup
[ -f /var/ossec/rules/local_rules.xml ] && cp /var/ossec/rules/local_rules.xml /var/ossec/rules/local_rules.xml.backup

echo "[7/8] Configuring OSSEC vulnerability detection..."
cat > /var/ossec/etc/ossec.conf << EOF
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>$ADMIN_EMAIL</email_to>
    <smtp_server>$SMTP_SERVER</smtp_server>
    <email_from>$FROM_EMAIL</email_from>
    <email_maxperhour>12</email_maxperhour>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <os>noble</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="debian">
      <enabled>yes</enabled>
      <os>wheezy</os>
      <os>jessie</os>
      <os>stretch</os>
      <os>buster</os>
      <os>bullseye</os>
      <os>bookworm</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>
  </syscheck>
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
  </rootcheck>
</ossec_config>
EOF

# Create vulnerability detection rules (quoted heredoc so $(vulnerability.cve) is written literally)
cat > /var/ossec/rules/local_rules.xml << 'EOF'
<group name="vulnerability">
  <rule id="23502" level="10" frequency="1">
    <if_sid>23500</if_sid>
    <field name="vulnerability.severity">Critical</field>
    <description>Critical vulnerability found: $(vulnerability.cve)</description>
    <options>no_email_alert</options>
  </rule>
  <rule id="23503" level="7" frequency="1">
    <if_sid>23500</if_sid>
    <field name="vulnerability.severity">High</field>
    <description>High severity vulnerability found: $(vulnerability.cve)</description>
  </rule>
  <rule id="23504" level="5" frequency="1">
    <if_sid>23500</if_sid>
    <field name="vulnerability.severity">Medium</field>
    <description>Medium severity vulnerability found: $(vulnerability.cve)</description>
  </rule>
  <rule id="23505" level="3" frequency="1">
    <if_sid>23500</if_sid>
    <field name="vulnerability.severity">Low</field>
    <description>Low severity vulnerability found: $(vulnerability.cve)</description>
  </rule>
</group>
EOF

# Set proper ownership and permissions
chown ossec:ossec /var/ossec/etc/ossec.conf
chown ossec:ossec /var/ossec/rules/local_rules.xml
chmod 644 /var/ossec/etc/ossec.conf
chmod 644 /var/ossec/rules/local_rules.xml

echo "[8/8] Starting and enabling OSSEC service..."
$SERVICE_MGR enable ossec
$SERVICE_MGR start ossec

# Verification
sleep 5
if $SERVICE_MGR is-active --quiet ossec; then
  log_info "OSSEC service is running successfully"
else
  log_error "OSSEC service failed to start"
  exit 1
fi

# Check if vulnerability detection is enabled
if grep -q "vulnerability-detector" /var/ossec/etc/ossec.conf; then
  log_info "Vulnerability detection module configured"
else
  log_error "Vulnerability detection configuration missing"
  exit 1
fi

log_info "OSSEC HIDS with vulnerability detection installed successfully!"
log_info "Configuration details:"
echo "  - Admin email: $ADMIN_EMAIL"
echo "  - From email: $FROM_EMAIL"
echo "  - SMTP server: $SMTP_SERVER"
echo "  - Config file: /var/ossec/etc/ossec.conf"
echo "  - Rules file: /var/ossec/rules/local_rules.xml"
echo "  - Logs: /var/ossec/logs/ossec.log"
log_warn "Please configure your SMTP server settings for email alerts"
```
Review the script before running. Execute with: bash install.sh