Week of OSSEC

Michael Starks from Immutable Security finished today his series of articles about OSSEC called “Week of OSSEC”. It was meant to coincide with his talk on OSSEC at the Rochester Security Summit.

From his blog:

As a service to the community and to coincide with my speaking on OSSEC at the Rochester Security Summit, every day during the week of October 25 through October 31, I’ll be posting a new tip on OSSEC based on my years of first-hand experience. These are the tips that make the software more usable for me and hopefully, they will for you, too. Have a tip that has helped you? Be sure to post it in the comments.

– Michael Starks

Links to the articles:

Be sure to check it out to learn more about OSSEC. Thanks, Michael, for sharing your experience with us.

Creating a separate directory for testing OSSEC rules/config

A question that I often hear is how to use a separate directory for testing OSSEC rules and the configuration, so that a broken rule or a typo in ossec.conf never reaches the running install.

The easiest way is the following:

1. Choose the new directory to use as a test-base. In my case it is going to be /tmp/ossectest

2. Create that directory and a few important sub-directories.

# mkdir /tmp/ossectest
# mkdir /tmp/ossectest/etc
# mkdir /tmp/ossectest/queue/
# mkdir /tmp/ossectest/queue/fts
# mkdir /tmp/ossectest/rules

3. Copy over your configuration file, rules and decoders (the live tree is left untouched)

# cp -pr /var/ossec/etc/decoder.xml /tmp/ossectest/etc
# cp -pr /var/ossec/etc/ossec.conf /tmp/ossectest/etc
# cp -pr /var/ossec/rules/* /tmp/ossectest/rules/

4. Run ossec-logtest using the new configuration and rules

# /var/ossec/bin/ossec-logtest -D /tmp/ossectest/ -c /tmp/ossectest/etc/ossec.conf

5. Now you can modify the rules and configuration under /tmp/ossectest and test them there, and only copy them into the live /var/ossec tree once logtest loads them cleanly

If there is any error in the rules or in the configuration, logtest refuses to start and tells you which file and line is broken. Here ossec.conf contains an unclosed element, so you get:

# /var/ossec/bin/ossec-logtest -D /tmp/ossectest/ -c /tmp/ossectest/etc/ossec.conf
2009/10/28 12:40:27 ossec-config(1226): ERROR: Error reading XML file '/tmp/ossectest/etc/ossec.conf': XML ERR: Element not closed: globalaa (line 7).
2009/10/28 12:40:27 ossec-testrule(1202): ERROR: Configuration error at '/tmp/ossectest/etc/ossec.conf'. Exiting.

Otherwise you will be able to send any logs to logtest to test your rules.
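The steps above wrapped into a small POSIX shell script, as an added example that is not part of the original post: it builds the sandbox, runs ossec-logtest against it and fails loudly if the configuration does not load, then pushes a single log line through the sandboxed decoders and rules. The /var/ossec layout and the -D/-c flags are the ones used in the steps above; the function names, the optional LOGTEST path argument, the return codes and the sample sshd log line are this script's own assumptions.

```shell
#!/bin/sh
# Added example: build an OSSEC rule/config sandbox and validate it with ossec-logtest.
# /var/ossec and the -D/-c flags follow the steps above; the sandbox layout helpers,
# function names and return codes are this script's own conventions (assumptions).

set -u

# make_ossec_sandbox SRC DST
# Creates the directories ossec-logtest expects under DST and copies the
# decoders, ossec.conf and the whole rules directory from the install at SRC.
make_ossec_sandbox() {
    src="$1"; dst="$2"
    mkdir -p "$dst/etc" "$dst/queue/fts" "$dst/rules" || return 1
    # -p keeps ownership and permissions, so the sandbox mirrors the live tree
    cp -p "$src/etc/decoder.xml" "$dst/etc/" || return 1
    # local_decoder.xml only exists once you have written custom decoders
    if [ -f "$src/etc/local_decoder.xml" ]; then
        cp -p "$src/etc/local_decoder.xml" "$dst/etc/" || return 1
    fi
    cp -p "$src/etc/ossec.conf" "$dst/etc/" || return 1
    cp -pr "$src/rules/." "$dst/rules/" || return 1
}

# sandbox_config_check DST [LOGTEST]
# Loads the sandbox configuration and rules with ossec-logtest (empty stdin, so it
# exits right after parsing). Returns 0 when everything parses, 1 when logtest
# exits non-zero or prints an ERROR line, 2 when the logtest binary is missing.
sandbox_config_check() {
    dst="$1"; logtest="${2:-/var/ossec/bin/ossec-logtest}"
    [ -x "$logtest" ] || return 2
    rc=0
    out=$("$logtest" -D "$dst" -c "$dst/etc/ossec.conf" </dev/null 2>&1) || rc=$?
    if [ "$rc" -ne 0 ] || printf '%s\n' "$out" | grep -q 'ERROR'; then
        printf '%s\n' "$out" >&2
        return 1
    fi
    return 0
}

# sandbox_logtest_line DST LINE [LOGTEST]
# Pushes one log line through the sandboxed decoders and rules and prints what
# ossec-logtest reports for it (decoder matched, rule id, level, description).
sandbox_logtest_line() {
    dst="$1"; line="$2"; logtest="${3:-/var/ossec/bin/ossec-logtest}"
    [ -x "$logtest" ] || return 2
    printf '%s\n' "$line" | "$logtest" -D "$dst" -c "$dst/etc/ossec.conf" 2>&1
}

# Usage: sh ossec_sandbox.sh /var/ossec /tmp/ossectest
# The log line below is a constructed sshd failure used to exercise the rules.
if [ $# -eq 2 ]; then
    make_ossec_sandbox "$1" "$2" &&
    sandbox_config_check "$2" &&
    sandbox_logtest_line "$2" 'Oct 28 12:40:27 host sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 4242 ssh2'
fi
```

Because sandbox_config_check treats any ERROR line from logtest as a failure, it is safe to run from a shell alias or a pre-copy hook: a rule file that does not parse never makes it into /var/ossec/rules.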

Realtime file integrity monitoring

OSSEC supports realtime (continuous) file integrity monitoring on Linux systems (since v2.2) and on the latest snapshot we added support for Windows too.

The configuration is very simple. In the <directories> option where you specify what files or directories to monitor, you just need to add the realtime="yes" attribute. For example:

<syscheck>
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
</syscheck>

In this case, the directories /etc, /usr/bin and /usr/sbin will be monitored in real time, while /bin and /sbin are still only checked during the periodic syscheck scan. The same syntax applies on Windows too. A few notes:

  1. The real time monitoring will not start right away. First OSSEC needs to scan the file system and add each sub-directory to the realtime queue. It can take up to 30 minutes for that (wait for the log “ossec-syscheckd: INFO: Starting real time file monitoring” in ossec.log).
  2. It only works with directories, not individual files. So you can monitor the /etc or C:\Program Files directory, but not an individual file like /etc/file.txt.

If you are interested in this feature, please try it out on both Linux and Windows.
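As an added example that is not part of the original post, a small POSIX shell smoke test for note 1 above: it waits for the “Starting real time file monitoring” line to appear in ossec.log, then modifies an existing, disposable file under a realtime-monitored directory and waits for the resulting syscheck alert. The log and alert paths assume the stock /var/ossec layout; the alert wording it looks for, “Integrity checksum changed for: '<file>'”, is assumed to be that of OSSEC's stock syscheck rule, and the probe-file argument, the function names and the timeouts are this script's own choices.

```shell
#!/bin/sh
# Added example: check that OSSEC realtime syscheck actually fires.
# Assumptions: stock /var/ossec layout (logs/ossec.log, logs/alerts/alerts.log),
# the stock syscheck alert text, and a disposable probe file that already exists
# under a <directories realtime="yes"> path (new files are not alerted by default).

set -u
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# wait_for_line FILE PATTERN TIMEOUT [SKIP]
# Polls FILE once a second until a line after the first SKIP lines contains the
# fixed string PATTERN, or TIMEOUT seconds have passed. Returns 0 on match, 1 on
# timeout. SKIP lets the caller ignore alerts that were already in the file.
wait_for_line() {
    file="$1"; pattern="$2"; timeout="$3"; skip="${4:-0}"
    elapsed=0
    while :; do
        if [ -f "$file" ] && tail -n "+$((skip + 1))" "$file" | grep -qF -- "$pattern"; then
            return 0
        fi
        [ "$elapsed" -lt "$timeout" ] || return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# line_count FILE
# Prints the number of lines currently in FILE (0 when it does not exist yet).
line_count() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# realtime_fim_check PROBE_FILE [START_TIMEOUT] [ALERT_TIMEOUT]
# Returns 0 when the modification of PROBE_FILE produces a syscheck alert,
# 2 when realtime monitoring never reported itself started (note 1: the initial
# scan must finish first, which can take up to 30 minutes), 3 when no alert
# arrived within ALERT_TIMEOUT seconds after the change.
realtime_fim_check() {
    probe="$1"; start_timeout="${2:-1800}"; alert_timeout="${3:-60}"
    log="$OSSEC_DIR/logs/ossec.log"
    alerts="$OSSEC_DIR/logs/alerts/alerts.log"
    [ -f "$probe" ] || return 1
    wait_for_line "$log" 'ossec-syscheckd: INFO: Starting real time file monitoring' "$start_timeout" || return 2
    before=$(line_count "$alerts")
    # Append a timestamped marker so the file's checksum changes.
    printf '# fim probe %s\n' "$(date +%s)" >> "$probe"
    wait_for_line "$alerts" "Integrity checksum changed for: '$probe'" "$alert_timeout" "$before" || return 3
    return 0
}

# Usage: OSSEC_DIR=/var/ossec sh realtime_fim_check.sh /etc/fim-probe.txt
if [ $# -ge 1 ]; then
    realtime_fim_check "$@" && echo "realtime syscheck alert received for $1"
fi
```

The SKIP offset matters: alerts.log keeps every earlier alert for the same path, so without it a stale alert from a previous run would make the check pass even if realtime monitoring had stopped working. If the script returns 2, look at note 1 and wait for the initial scan; if it returns 3, confirm the probe file is under a directory that carries realtime="yes" and not merely inside one that is scanned periodically.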