Uninstall and Remove OSSEC

Published: 01-10-2013 | Author: Remy van Elst
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. It also includes agentless monitoring for use with, for example, Cisco or Juniper hardware.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days (referral link).

If you are looking for an OSSEC installation tutorial, check this link. It covers the OSSEC client and server install, and includes MySQL support plus an awesome dashboard.

This tutorial covers the removal of OSSEC, for both the client and the server install types. Because OSSEC is installed from source, you don't have the nice package management options. You have to remove everything manually, that is, all the OSSEC files, the init files, the OSSEC users and the OSSEC groups. The following shell commands do that:

# Remove the init script and the SysV runlevel symlinks
sudo rm -f /etc/init.d/ossec /etc/rc0.d/K20ossec /etc/rc1.d/K20ossec /etc/rc2.d/S20ossec /etc/rc3.d/S20ossec /etc/rc4.d/S20ossec /etc/rc5.d/S20ossec /etc/rc6.d/K20ossec
# Remove the OSSEC installation directory (binaries, config, logs, agent keys)
sudo rm -rf /var/ossec
# Remove the OSSEC service users and groups
sudo /usr/sbin/deluser ossec
sudo /usr/sbin/deluser ossecm
sudo /usr/sbin/deluser ossecr
sudo /usr/sbin/deluser ossecd
sudo /usr/sbin/delgroup ossec
sudo /usr/sbin/delgroup ossecd

Here is all that as a single line you can copy and paste:

sudo rm -f /etc/init.d/ossec /etc/rc0.d/K20ossec /etc/rc1.d/K20ossec /etc/rc2.d/S20ossec /etc/rc3.d/S20ossec /etc/rc4.d/S20ossec /etc/rc5.d/S20ossec /etc/rc6.d/K20ossec; sudo rm -rf /var/ossec; sudo /usr/sbin/deluser ossec; sudo /usr/sbin/deluser ossecm; sudo /usr/sbin/deluser ossecr; sudo /usr/sbin/deluser ossecd; sudo /usr/sbin/delgroup ossec; sudo /usr/sbin/delgroup ossecd
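The same removal as an idempotent POSIX shell script, added here as an example and not part of the original article: it stops OSSEC through its own ossec-control before deleting anything, skips steps that were already done, and lists anything left behind so you can confirm the host is clean. The PREFIX argument is my addition so the functions can be exercised against a scratch directory; on a real host run it as root with an empty prefix.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a Debian/Ubuntu style
# source install of OSSEC (SysV links, deluser/delgroup). PREFIX is an
# assumption for testing against a scratch tree; use "" on a real host as root.

OSSEC_USERS="ossec ossecm ossecr ossecd"
OSSEC_GROUPS="ossec ossecd"

# Everything the source install leaves on disk, relative to PREFIX.
ossec_paths() {
    echo "$1/var/ossec"
    echo "$1/etc/init.d/ossec"
    for lvl in 0 1 6; do echo "$1/etc/rc$lvl.d/K20ossec"; done
    for lvl in 2 3 4 5; do echo "$1/etc/rc$lvl.d/S20ossec"; done
}

# List what is still present (files, users, groups); returns 1 if anything is.
ossec_remnants() {
    left=0
    for p in $(ossec_paths "$1"); do
        if [ -e "$p" ]; then echo "file: $p"; left=1; fi
    done
    for u in $OSSEC_USERS; do
        if id "$u" >/dev/null 2>&1; then echo "user: $u"; left=1; fi
    done
    for g in $OSSEC_GROUPS; do
        if grep -q "^$g:" /etc/group 2>/dev/null; then echo "group: $g"; left=1; fi
    done
    return $left
}

# Stop the agent/server before deleting its files, then remove files, users
# and groups. Each step is guarded, so re-running after a partial removal
# (or on a host that never had OSSEC) is harmless.
ossec_remove() {
    ctl="$1/var/ossec/bin/ossec-control"
    if [ -x "$ctl" ]; then "$ctl" stop; fi
    for p in $(ossec_paths "$1"); do
        rm -rf "$p"
    done
    for u in $OSSEC_USERS; do
        if id "$u" >/dev/null 2>&1; then deluser "$u"; fi
    done
    for g in $OSSEC_GROUPS; do
        if grep -q "^$g:" /etc/group 2>/dev/null; then delgroup "$g"; fi
    done
    return 0
}
# Usage on a real host (as root): ossec_remove "" && ossec_remnants ""
```

Running ossec_remnants after the removal is the check the one-liner above lacks: a non-empty listing means a leftover user, group or file still references OSSEC and deserves a look before the host is handed back.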

Using Chef to deploy OSSEC and want to remove it from all nodes? Another handy one-liner:

knife ssh -a ipaddress -x [SSH USERNAME] -c ~/path/to/knife.rb 'name:*' 'sudo rm -f /etc/init.d/ossec /etc/rc0.d/K20ossec /etc/rc1.d/K20ossec /etc/rc2.d/S20ossec /etc/rc3.d/S20ossec /etc/rc4.d/S20ossec /etc/rc5.d/S20ossec /etc/rc6.d/K20ossec; sudo rm -rf /var/ossec; sudo /usr/sbin/deluser ossec; sudo /usr/sbin/deluser ossecm; sudo /usr/sbin/deluser ossecr; sudo /usr/sbin/deluser ossecd; sudo /usr/sbin/delgroup ossec; sudo /usr/sbin/delgroup ossecd'

Using Ansible? Here you go:

ansible all -s -k -a "sudo rm -f /etc/init.d/ossec /etc/rc0.d/K20ossec /etc/rc1.d/K20ossec /etc/rc2.d/S20ossec /etc/rc3.d/S20ossec /etc/rc4.d/S20ossec /etc/rc5.d/S20ossec /etc/rc6.d/K20ossec; sudo rm -rf /var/ossec; sudo /usr/sbin/deluser ossec; sudo /usr/sbin/deluser ossecm; sudo /usr/sbin/deluser ossecr; sudo /usr/sbin/deluser ossecd; sudo /usr/sbin/delgroup ossec; sudo /usr/sbin/delgroup ossecd"

Tags: active-response, ansible, chef, file-monitoring, ids, integrity, intrusion-detection, monitoring, ossec, remove, rootkit, security, splunk, syslog, tutorials, uninstall