Windows policy monitoring

OSSEC v1.3 will come with support for Windows policy monitoring, allowing you to verify that all your systems conform to a set of policies regarding configuration settings, application usage, etc. The policies are configured centrally on the ossec server and pushed down to all your agents.

With the Windows policy monitoring, you can get alerts like the following (detecting Skype and Yahoo):

2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.

Application Found: Chat/IM – Yahoo.

2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.

Application Found: Chat/IM/VoIP – Skype.

And compliance alerts like the following:

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.

Windows Audit: Null sessions allowed.

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.

Windows Audit: LM authentication allowed (weak passwords).

Interested? Read more about how it works here. You can also try our beta version to help us improve it.
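The alerts above share one layout: a header line with the timestamp, rule id and level, a Location line naming the agent, its IP and the rootcheck source, a one-line event type, and then the finding itself. The following Python script is an added example (not OSSEC code and not from this post) that parses that layout into structured records, groups the findings per agent, and filters by level, using the four alerts from the post embedded as a constructed sample. The regular expressions match only the format shown here; other OSSEC alert types are an assumption it does not cover.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the four rootcheck alerts shown in the blog post.
SAMPLE_ALERTS = """\
2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.

Application Found: Chat/IM – Yahoo.

2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.

Application Found: Chat/IM/VoIP – Skype.

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.

Windows Audit: Null sessions allowed.

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.

Windows Audit: LM authentication allowed (weak passwords).
"""

# "2007 Jul 22 17:42:57 Rule Id: 514 level: 2"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"Rule Id: (?P<rule>\d+) level: (?P<level>\d+)$"
)
# "Location: (winhome) 192.168.2.190->rootcheck"
LOCATION_RE = re.compile(
    r"^Location: \((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<source>\S+)$"
)
# Finding lines seen in the post, mapped to a short category name.
FINDING_PREFIXES = {
    "Application Found:": "application",
    "Windows Audit:": "audit",
}


@dataclass
class RootcheckAlert:
    timestamp: str
    rule_id: int
    level: int
    agent: str = ""
    agent_ip: str = ""
    source: str = ""
    kind: str = ""      # "application" or "audit"
    finding: str = ""   # text after the prefix, trailing period removed


def parse_alerts(text: str) -> List[RootcheckAlert]:
    """Split OSSEC alert text into one RootcheckAlert per header line."""
    alerts: List[RootcheckAlert] = []
    current: Optional[RootcheckAlert] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = RootcheckAlert(m["ts"], int(m["rule"]), int(m["level"]))
            alerts.append(current)
            continue
        if current is None:
            continue  # text before the first header is ignored
        m = LOCATION_RE.match(line)
        if m:
            current.agent, current.agent_ip, current.source = m["agent"], m["ip"], m["source"]
            continue
        for prefix, kind in FINDING_PREFIXES.items():
            if line.startswith(prefix):
                current.kind = kind
                current.finding = line[len(prefix):].strip().rstrip(".")
                break
    return alerts


def summarize_by_agent(alerts: List[RootcheckAlert]) -> Dict[str, Dict[str, List[str]]]:
    """Group findings per agent: {agent: {"application": [...], "audit": [...]}}."""
    summary: Dict[str, Dict[str, List[str]]] = {}
    for a in alerts:
        if not a.kind:
            continue  # header without a recognised finding line
        summary.setdefault(a.agent, {"application": [], "audit": []})[a.kind].append(a.finding)
    return summary


def at_or_above(alerts: List[RootcheckAlert], level: int) -> List[RootcheckAlert]:
    """Keep only alerts at the given level or higher (e.g. audit findings at 3)."""
    return [a for a in alerts if a.level >= level]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for agent, groups in summarize_by_agent(parsed).items():
        print(f"{agent}: {len(groups['application'])} application(s), "
              f"{len(groups['audit'])} audit finding(s)")
        for finding in groups["audit"]:
            print(f"  audit: {finding}")
```

Running it prints a per-agent count plus the two audit findings; feeding it a real alerts file instead of SAMPLE_ALERTS gives a quick inventory of which agents still allow null sessions or LM authentication.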

Security Horizon journal

If you have never read (or didn’t know about) the Security Horizon journal, you are missing out on the good stuff. They release their security journal every few months with some interesting articles, and their summer 2007 edition was just made available today.

If that wasn’t enough, they have an article about OSSEC, written by Chuck Little, entitled: “OSSEC-HIDS: Documenting my Further Adventures in Intrusion Detection” (on page 20). Excellent read!

OSSEC v1.3 BETA1 – Testers Needed

OSSEC v1.3 is soon to be available and we really need some help beta testing it. As I always say, trying out our beta releases is a simpler and very effective way of helping the project.

How can you test it?
We created an entry in our Wiki with all the information necessary regarding beta testing. The test sets are very simple, but I plan to improve them as we progress. Download information, what to test and everything else is there.

Any help is very appreciated.

OSSEC and GPLv3

When we release a new version of OSSEC and tell our users to update to it, what do you think they do? Well, most of them upgrade to the latest version without asking too many questions. However, some users with C and development experience go out and diff the code, look at the CVS changelog, and do a careful review to see if the new version fits their needs. But (big BUT), the user must know what he or she is doing to make an informed decision.

Anyway, what does this have to do with the GPL? Well, I am not a lawyer and I am not a license expert. If the FSF, which wrote the GPLv2 (the license ossec currently uses), tells me to update to the GPLv3, what do you think I should do? If my expertise were in licenses, I would go and review the license before deciding, but since it is not, I will probably just trust them and update.

What does that mean? Unless there is a good reason not to do so, the next version of OSSEC will be under the GPLv3. We trust the work that the FSF is doing for the open source community, and the process to develop the GPLv3 was very good (open participation, lots of smart contributors, etc), so the final product must be good too.

Any comments? Any license expert willing to share your thoughts?

OSSEC CVS list

For those interested in following our CVS commits and being more directly involved with ossec, we created a mailing list for it a few days ago. You can subscribe by sending an e-mail to ossec-cvs-subscribe at googlegroups.com, or you can just browse the archives at googlegroups or the ossec site.

*note: this list is read-only. Discussions about any commit should go to the ossec-dev list.

Control UI for the Windows agent

The next version of ossec for Windows will come with a very simple “control ui” to manage and configure some basic options in the Windows agent (like server ip, auth keys, etc). The code is pretty much stable, but I would like some beta testers and some suggestions.

If you are interested, the executable can be downloaded from here. The source code is committed to CVS too. Just download it, play with it, try restarting, stopping, changing the configs, etc. Any feedback will be welcome.

Some screenshots:

Windows UI screenshot 1
Windows UI screenshot 2
Windows UI screenshot 3

*I am far from being a ui designer (especially on Windows), so help is also welcome to make it look/work better.