{"id":111,"date":"2015-06-08T00:35:36","date_gmt":"2015-06-07T22:35:36","guid":{"rendered":"https:\/\/blog.unetresgrossebite.com\/?p=111"},"modified":"2015-07-25T02:02:22","modified_gmt":"2015-07-25T00:02:22","slug":"ossec","status":"publish","type":"post","link":"https:\/\/blog.unetresgrossebite.com\/?p=111","title":{"rendered":"OSSEC"},"content":{"rendered":"

Looking for jobs on Elance and UpWork, I stumbled upon this proposal, quoting a blog post<\/a> about hardening security on a small network, according to PCI standards.
\nHaving already heard of Snort, Auditd, mod_security and Splunk, I was quite curious about OSSEC.<\/p>\n

OSSEC purpose is to keep an eye on your systems integrity, and raise alerts upon suspicious changes.
\nArguably, it could be compared to Filetraq,\u00a0though\u00a0it’s intelligent enough to qualify as an IDS.<\/p>\n

Installation process is pretty straight-forward. The main difficulty is to properly create a certificate \u00a0for ossec-authd, the register all your nodes, and don’t forget to shut ossec-authd down, once you’re done deploying agents.
\nUsing Wazuh<\/a> packages (debian and ubuntu only), almost everything is pre-configured. They’re not perfect, if you happend to install both ossec-hids<\/em> and ossec-hids-agent<\/em>, a few files would be defined twice, upon installing the second packages the first one would be partially removed, you’ll lose files such as \/etc\/init.d\/ossec<\/em>, preventing the last package to install properly, … You’ll have to purge both packages, purge\u00a0\/var\/ossec<\/em> from your filesystem and reinstall either ossec-hids<\/em> or ossec-hids-agent<\/em>.<\/p>\n

Setting it up on my kibana server, I ended up writing a module dealing with both agent and master server setup<\/a>, as well as installing ossec-webui from github.
\nNote: the module does not deal with installing the initial key to your main ossec instance. As explained in the module README, you would need to install it on \/var\/ossec\/etc<\/em> prior to starting ossec service.
\nPassed that step, puppet would deal with everything else, including agent registration to your main instance.
\nAlso note ossec-webui is not the only web frontend to OSSEC. There’s also Analogi<\/a> I haven’t tried yet. Mainly because I don’t want to install yet another MySQL.<\/p>\n

During my first tests, I noticed a small bug, cutting communications from an agent to its master.
\nMore details about this\u00a0over here<\/a>. Checking \/var\/ossec\/logs\/ossec.log<\/em>, you would find the ID corresponding to your faulty node. Stopping OSSEC, removing \/var\/ossec\/queue\/rids\/$your_id<\/em> and starting OSSEC back should be enough.<\/p>\n

An other problem that could occur, is nodes showing up inactive on the web manager, while the agent seems\u00a0properly running. Your manager logs would contain something like:<\/p>\n

ossec-agentd(pid): ERROR: Duplicated counter for 'fqdn'.
\nossec-agentd(pid): WARN: Problem receiving message from 10.42.X.X<\/code><\/p>\n

When you would have identified something like this, you may then run \/var\/ossec\/bin\/manage_agents<\/em> on your manager, and drop the existing key for incriminated agents. Then connect to your agents, drop \/var\/ossec\/queues\/rids\/<\/em> content, stop ossec<\/em> service, create a new key with \/var\/ossec\/bin\/agent-auth<\/em> and restart ossec<\/em>.<\/p>\n

\"OSSEC\"<\/a>

OSSEC Logs view<\/p><\/div>\n

Stay tuned for my next commits, as I would be adding FreeBSD support, as soon as I would have build the corresponding package on my RPI.<\/p>\n","protected":false},"excerpt":{"rendered":"

Looking for jobs on Elance and UpWork, I stumbled upon this proposal, quoting a blog post about hardening security on a small network, according to PCI standards. Having already heard of Snort, Auditd, mod_security and Splunk, I was quite curious about OSSEC. OSSEC purpose is to keep an eye on your systems integrity, and raise […]<\/p>\n","protected":false},"author":2,"featured_media":143,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,7,6,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/111"}],"collection":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=111"}],"version-history":[{"count":9,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/111\/revisions"}],"predecessor-version":[{"id":144,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/111\/revisions\/144"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/media\/143"}],"wp:attachment":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}