{"id":140,"date":"2008-12-12T21:52:34","date_gmt":"2008-12-12T21:52:34","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=140"},"modified":"2020-07-02T21:53:07","modified_gmt":"2020-07-02T21:53:07","slug":"agentless-monitoring-v1-7-preview","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2008\/12\/agentless-monitoring-v1-7-preview\/","title":{"rendered":"Agentless monitoring (v1.7 preview)"},"content":{"rendered":"\n

Agentless monitoring is another big feature coming up with our next version. Basically, it allows you to run integrity checking (and in the future log monitoring) on systems without an agent installed (including routers, firewalls, switches and even Linux\/BSD systems).<\/p>\n\n\n\n

*To try it out, download the latest snapshot from http:\/\/www.ossec.net\/files\/snapshots\/<\/a><\/em><\/p>\n\n\n\n

1-Getting started with agentless<\/h3>\n\n\n\n

After you installed the latest snapshot (or v1.7), you need to enable the agentless monitoring:<\/p>\n\n\n\n

  # \/var\/ossec\/bin\/ossec-control enable agentless<\/strong><\/pre>\n\n\n\n
And provide the SSH authentication to the host you want to access. For Cisco devices (PIX, routers, etc), you need to provide an additional parameter for the enable password. In this example, I am adding a Linux box (xx.net) and a PIX firewall (pix.fw.local):<\/p>\n\n\n\n
  # \/var\/ossec\/agentless\/register_host.sh add root@xx.net mypass1<\/strong> \n   *Host root@xx.netl added.\n  # \/var\/ossec\/agentless\/register_host.sh add pix@pix.fw.local pixpass enablepass<\/strong>\n   *Host pix@pix.fw.local added.\n\n# \/var\/ossec\/agentless\/register_host.sh list<\/strong>\n*Available hosts:\npix@pix.fw.local\nroot@xx.net<\/pre>\n\n\n\n
2-Configuring agentless<\/h3>\n\n\n\n
Once you have added all your systems, you need to configure OSSEC<\/a> to monitor them. By default, we have 4 agentless types (but we plan to add more soon): ssh_integrity_check_bsd<\/strong>, ssh_integrity_check_linux<\/strong>, ssh_generic_diff<\/strong> and ssh_pixconfig_diff<\/strong>. For the first two, you give a list of directories in the configuration and OSSEC will do the integrity checking of them on the remote box. On the ssh_generic_diff<\/em>, you give a set of commands to run on the remote box and OSSEC will alert when the output of them changes. The ssh_pixconfig_diff<\/em> will alert when a Cisco PIX\/router configuration changes.<\/p>\n\n\n\n
So, for my first system (root@xx.net), I will monitor the \/bin, \/etc and \/sbin directories every 10 hours (if I was using the ssh_integrity_check_bsd, the argument would be the directories as well):<\/p>\n\n\n\n
 <agentless> \n    <type>ssh_integrity_check_linux<\/type>\n    <frequency>36000<\/frequency>\n    <host>root@xx.net<\/host>\n    <state>periodic<\/state>\n    <arguments>\/bin \/etc\/ \/sbin<\/arguments>\n<\/agentless><\/pre>\n\n\n\n
For my PIX, the configuration looks like:<\/p>\n\n\n\n
  <agentless>\n    <type>ssh_pixconfig_diff<\/type>\n    <frequency>36000<\/frequency>\n    <host>pix@pix.fw.local<\/host>\n    <state>periodic_diff<\/state>\n  <\/agentless><\/pre>\n\n\n\n
And just to exemplify the ssh_generic_diff<\/em> I will also monitor ls -la \/etc; cat \/etc\/passwd<\/em> on the root@xx.net. Note that if you want to monitor any network firewall or switch, you can use the ssh_generic_diff and just specify the commands in the arguments<\/em> option.<\/p>\n\n\n\n
 <agentless>\n    <type>ssh_generic_diff<\/type>\n    <frequency>36000<\/frequency>\n    <host>root@xx.net<\/host>\n    <state>periodic_diff<\/state>\n    <arguments>ls -la \/etc; cat \/etc\/passwd<\/arguments>\n  <\/agentless><\/pre>\n\n\n\n
3-Running it<\/h3>\n\n\n\n
Once the configuration is completed, you can restart OSSEC. You should see something like \u201cStarted ossec-agentlessd\u201d in the output. Before each agentless connection is started, OSSEC will do a configuration check to make sure everything is fine. Look at \/var\/ossec\/logs\/ossec.log for any error. If you see:<\/p>\n\n\n\n
  2008\/12\/12 15:20:06 ossec-agentlessd: ERROR: Expect command not found (or bad arguments) for 'ssh_integrity_check_bsd'.\n  2008\/12\/12 15:20:06 ossec-agentlessd: ERROR: Test failed for 'ssh_integrity_check_bsd' (127). Ignoring.<\/pre>\n\n\n\n
It means that you don\u2019t have the expect library installed on the server (it is not necessary to install anything on the agentless systems to monitor). On Ubuntu you can do the following to install:<\/p>\n\n\n\n
# apt-get install expect<\/strong><\/pre>\n\n\n\n
After installing expect, you can restart OSSEC and you should see:<\/p>\n\n\n\n
  2008\/12\/12 15:24:12 ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_bsd'.<\/pre>\n\n\n\n
When it connects to the remote system, you will also see:<\/p>\n\n\n\n
2008\/12\/12 15:25:19 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Starting.\n2008\/12\/12 15:25:46 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Finished.<\/pre>\n\n\n\n
4-Alerts<\/h3>\n\n\n\n
These are some of the alerts you will get:<\/p>\n\n\n\n
For the ssh_generic_diff:<\/strong><\/p>\n\n\n\n
OSSEC HIDS Notification.
2008 Dec 12 01:58:30<\/p>
Received From: (ssh_generic_diff) root@xx.net->agentless
Rule: 555 fired (level 7) -> \u201cIntegrity checksum for agentless device changed.\u201d
Portion of the log(s):<\/p>
ossec: agentless: Change detected:
35c35
< -rw-r\u2013r\u2013 1 root wheel 34 Dec 10 03:55 hosts.deny
\u2014
> -rw-r\u2013r\u2013 1 root wheel 34 Dec 11 18:23 hosts.deny<\/p>
\u2013END OF NOTIFICATION<\/p><\/blockquote>\n\n\n\n
For the PIX:<\/strong><\/p>\n\n\n\n
OSSEC HIDS Notification.
2008 Dec 01 15:48:03<\/p>
Received From: (ssh_pixconfig_diff) pix@pix.fw.local->agentless
Rule: 555 fired (level 7) -> \u201cIntegrity checksum for agentless device changed.\u201d
Portion of the log(s):<\/p>
ossec: agentless: Change detected:
48c48
< fixup protocol ftp 21
\u2014
> no fixup protocol ftp 21
100c100
< ssh timeout 30
\u2014
> ssh timeout 50
More changes..<\/p>
\u2013END OF NOTIFICATION<\/p><\/blockquote>\n\n\n\n
That\u2019s it. If you run into any problems, let us know.<\/p>\n","protected":false},"excerpt":{"rendered":"
Agentless monitoring is another big feature coming up with our next version. Basically, it allows you to run integrity checking (and in the future log monitoring) on systems without an agent installed (including routers, firewalls, switches and even Linux\/BSD systems). *To try it out, download the latest snapshot from http:\/\/www.ossec.net\/files\/snapshots\/ 1-Getting started with agentless After you […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,4],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/140"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=140"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/140\/revisions"}],"predecessor-version":[{"id":141,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/140\/revisions\/141"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}