I just found this script while attempting to remove OSSEC-HIDS from my virtual machine. Feeling like it could be somehow useful for me in the near future, so i decided to post it here for later reference. This script is written by Han The Thanh.
# a simple script to uninstall ossec (tested on debian)
# Author: Han The Thanh <h a n t h e t h a n h @ g m a i l . c o m>
# Public domain.
# this script has been tested on debian; it should also work on other linux
# systems but I have not tested. If you want to be careful and need to see
# would be done without executing any real action, uncomment the following
# dryrun="echo "
files=`ls /etc/init.d/ossec /etc/rc[0-9S].d/[SK][0-9][0-9]ossec`
users=`egrep '^ossec' /etc/passwd | sed 's/:.*//'`
groups=`egrep '^ossec' /etc/group | sed 's/:.*//'`
deluser=`which deluser` || true
if [ -z "$deluser" ]; then
delgroup=`which delgroup` || true
if [ -z "$delgroup" ]; then
echo "I am going to remove the following:"
echo ">>> Files:"
for f in $files; do
ls -l $f
echo ">>> Directory:"
for f in $dirs; do
ls -ld $f
echo ">>> Users:"
echo ">>> Group:"
echo "If you have not backed up your config file(s), they will be lost
read -p "Is this want you want (yes/no)? "
if [ "$REPLY" = "yes" ]; then
$dryrun /etc/init.d/ossec stop
$dryrun rm -f $files
$dryrun rm -rf $dirs
for u in $users; do
$dryrun $deluser $u
for g in $groups; do
$dryrun $delgroup $g