bookmark_borderAgentless monitoring updated (v2.0 preview)

*updated from http://www.ossec.net/dcid/?p=154 by adding support for su and public key authentication

Agentless monitoring is another big feature coming up with our next version. Basically, it allows you to run integrity checking (and in the future log monitoring) on systems without an agent installed (including routers, firewalls, switches and even Linux/BSD systems).

*To try it out, download the latest snapshot from http://www.ossec.net/files/snapshots/

1-Getting started with agentless

After you installed the latest snapshot (or v2.0), you need to enable the agentless monitoring:

  # /var/ossec/bin/ossec-control enable agentless

And provide the SSH authentication to the host you want to access. For Cisco devices (PIX, routers, etc), you need to provide an additional parameter for the enable password. The same thing applies if you want to add support for “su”, it must be the additional parameter. In this example, I am adding a Linux box (xx.net) and a PIX firewall (pix.fw.local):

  # /var/ossec/agentless/register_host.sh add root@xx.net mypass1
   *Host root@xx.netl added.
  # /var/ossec/agentless/register_host.sh add pix@pix.fw.local pixpass enablepass
   *Host pix@pix.fw.local added.

# /var/ossec/agentless/register_host.sh list
*Available hosts:
pix@pix.fw.local
root@xx.net

2-Configuring agentless

Once you have added all your systems, you need to configure OSSEC to monitor them. By default, we have 4 agentless types (but we plan to add more soon): ssh_integrity_check_bsdssh_integrity_check_linuxssh_generic_diff and ssh_pixconfig_diff. For the first two, you give a list of directories in the configuration and OSSEC will do the integrity checking of them on the remote box. On the ssh_generic_diff, you give a set of commands to run on the remote box and OSSEC will alert when the output of them changes. The ssh_pixconfig_diff will alert when a Cisco PIX/router configuration changes.

So, for my first system (root@xx.net), I will monitor the /bin, /etc and /sbin directories every 10 hours (if I was using the ssh_integrity_check_bsd, the argument would be the directories as well):

 <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>36000</frequency>
    <host>root@xx.net</host>
    <state>periodic</state>
    <arguments>/bin /etc/ /sbin</arguments>
</agentless>

For my PIX, the configuration looks like:

  <agentless>
    <type>ssh_pixconfig_diff</type>
    <frequency>36000</frequency>
    <host>pix@pix.fw.local</host>
    <state>periodic_diff</state>
  </agentless>

And just to exemplify the ssh_generic_diff I will also monitor ls -la /etc; cat /etc/passwd on the root@xx.net. Note that if you want to monitor any network firewall or switch, you can use the ssh_generic_diff and just specify the commands in the arguments option. To use “su”, you need to set the value “use_su” before the hostname (eg: <host>use_su root@xx.net</host>).

 <agentless>
    <type>ssh_generic_diff</type>
    <frequency>36000</frequency>
    <host>root@xx.net</host>
    <state>periodic_diff</state>
    <arguments>ls -la /etc; cat /etc/passwd</arguments>
  </agentless>

3-Running it

Once the configuration is completed, you can restart OSSEC. You should see something like “Started ossec-agentlessd” in the output. Before each agentless connection is started, OSSEC will do a configuration check to make sure everything is fine. Look at /var/ossec/logs/ossec.log for any error. If you see:

  2008/12/12 15:20:06 ossec-agentlessd: ERROR: Expect command not found (or bad arguments) for 'ssh_integrity_check_bsd'.
  2008/12/12 15:20:06 ossec-agentlessd: ERROR: Test failed for 'ssh_integrity_check_bsd' (127). Ignoring.

It means that you don’t have the expect library installed on the server (it is not necessary to install anything on the agentless systems to monitor). On Ubuntu you can do the following to install:

# apt-get install expect

After installing expect, you can restart OSSEC and you should see:

  2008/12/12 15:24:12 ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_bsd'.

When it connects to the remote system, you will also see:

2008/12/12 15:25:19 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Starting.
2008/12/12 15:25:46 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Finished.

4-Alerts

These are some of the alerts you will get:

For the ssh_generic_diff:

OSSEC HIDS Notification.
2008 Dec 12 01:58:30

Received From: (ssh_generic_diff) root@xx.net->agentless
Rule: 555 fired (level 7) -> “Integrity checksum for agentless device changed.”
Portion of the log(s):

ossec: agentless: Change detected:
35c35
< -rw-r–r– 1 root wheel 34 Dec 10 03:55 hosts.deny

> -rw-r–r– 1 root wheel 34 Dec 11 18:23 hosts.deny

–END OF NOTIFICATION

For the PIX:

OSSEC HIDS Notification.
2008 Dec 01 15:48:03

Received From: (ssh_pixconfig_diff) pix@pix.fw.local->agentless
Rule: 555 fired (level 7) -> “Integrity checksum for agentless device changed.”
Portion of the log(s):

ossec: agentless: Change detected:
48c48
< fixup protocol ftp 21

> no fixup protocol ftp 21
100c100
< ssh timeout 30

> ssh timeout 50
More changes..

–END OF NOTIFICATION

That’s it. If you run into any problems, let us know.

bookmark_borderOSSEC being detected as a malware

Some anti-virus products (BitDefender, F-Secure, etc) are detecting the version 1.6.1 of the OSSEC Windows Agent as a malware (more specifically Generic.Qhost).

We tried contacting some of them without much success. If you get any warning like that, it is a FALSE POSITIVE and let your anti-virus company know about it.

Link to the virustotal scan: http://www.virustotal.com/analisis/e1faf42be76cf372b60de79a500d7142

Thanks,

bookmark_borderOSSEC book as ‘Best Book Bejtlich Read in 2008′

I was glad to read that Richard Bejtlich considered the OSSEC book one of his best reads of 2008. From the post:

by Rory Bray, Daniel Cid and Andrew Hay. I have to congratulate the author team for OHG. Writing a book for Syngress with many contributors is usually a recipe for disaster. OHG features three lead authors, four contributors, and one foreword author — and they don’t step on each others’ toes.

Full review: amazon.com.

Andrew Hay also posted about it here.

bookmark_borderAnother book review

I just saw another review of the OSSEC book, this time by Kurt R. Hinson:

In these days of tight and/or frozen budgets, utilizing open source applications has become a must for many of us in the security realm. OSSEC is one such “must have” application that will give you visibility and insight into Windows, Mac and Linux machines on your network through the use of this Host Intrusion Detection application…

Full review at amazon.com