Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed | Gopher

Uninstall and Remove OSSEC

Published: 01-10-2013 | Author: Remy van Elst | Text only version of this article


❗ This post is over eight years old. It may no longer be up to date. Opinions may have changed.

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real- time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. It also includes agentless monitoring for use with for example Cisco or Juniper hardware.

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

If you are looking for an OSSEC installation tutorial, check this link. It covers the OSSEC client and server install, and includes MySQL support plus an awesome dashboard

This tutorial covers the removal of OSSEC, both the client or the server install type. Because OSSEC is installed from source, you don't have all the nice package management options. You have to remove all the things manually, that is, all the ossec files, the init files, the ossec users and ossec groups. The following shell commands do that:

sudo rm -f /etc/init.d/ossec /etc/rc0.d/K20ossec /etc/rc1.d/K20ossec /etc/rc2.d/S20ossec /etc/rc3.d/S20ossec /etc/rc4.d/S20ossec /etc/rc5.d/S20ossec /etc/rc6.d/K20ossec;
sudo rm -rf /var/ossec; 
sudo /usr/sbin/deluser ossec; 
sudo /usr/sbin/deluser ossecm; 
sudo /usr/sbin/deluser ossecr; 
sudo /usr/sbin/deluser ossecd; 
sudo /usr/sbin/delgroup ossec; 
sudo /usr/sbin/delgroup ossecd;

Here is all that in a nice one line copy command:

sudo rm -f /etc/init.d/ossec /etc/rc0.d/K20ossec /etc/rc1.d/K20ossec /etc/rc2.d/S20ossec /etc/rc3.d/S20ossec /etc/rc4.d/S20ossec /etc/rc5.d/S20ossec /etc/rc6.d/K20ossec; sudo rm -rf /var/ossec; sudo /usr/sbin/deluser ossec; sudo /usr/sbin/deluser ossecm; sudo /usr/sbin/deluser ossecr; sudo /usr/sbin/deluser ossecd; sudo /usr/sbin/delgroup ossec; sudo /usr/sbin/delgroup ossecd

Using Chef to deploy OSSEC and want to remove it from all nodes? Another handy one liner:

knife ssh -a ipaddress -x [SSH USERNAME] -c ~/path/to/knife.rb 'name:*' 'sudo rm -f /etc/init.d/ossec /etc/rc0.d/K20ossec /etc/rc1.d/K20ossec /etc/rc2.d/S20ossec /etc/rc3.d/S20ossec /etc/rc4.d/S20ossec /etc/rc5.d/S20ossec /etc/rc6.d/K20ossec; sudo rm -rf /var/ossec; sudo /usr/sbin/deluser ossec; sudo /usr/sbin/deluser ossecm; sudo /usr/sbin/deluser ossecr; sudo /usr/sbin/deluser ossecd; sudo /usr/sbin/delgroup ossec; sudo /usr/sbin/delgroup ossecd'

Using Ansible? Here you go:

ansible all -s -k -a "sudo rm -f /etc/init.d/ossec /etc/rc0.d/K20ossec /etc/rc1.d/K20ossec /etc/rc2.d/S20ossec /etc/rc3.d/S20ossec /etc/rc4.d/S20ossec /etc/rc5.d/S20ossec /etc/rc6.d/K20ossec; sudo rm -rf /var/ossec; sudo /usr/sbin/deluser ossec; sudo /usr/sbin/deluser ossecm; sudo /usr/sbin/deluser ossecr; sudo /usr/sbin/deluser ossecd; sudo /usr/sbin/delgroup ossec; sudo /usr/sbin/delgroup ossecd"
Tags: active-response , ansible , chef , file-monitoring , ids , integrity , intrusion-detection , monitoring , ossec , remove , rootkit , security , splunk , syslog , tutorials , uninstall