Question about OSSEC 2.7 and agents configurations


Michiel van Es

Nov 20, 2013, 9:30:18 AM
to ossec...@googlegroups.com
Hello,

I have some basic questions about the OSSEC server <-> agent model:

- is it correct that the agent's ossec.conf can be as small as:
<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVERNAME</server-hostname>
  </client>
</ossec_config>

- I push all checks on the server via /var/ossec/etc/shared/agent.conf (the file being synched)?

- If I want to run the netstat command on all nodes via the shared/agent.conf on the server, then I have to do the following:

1) change the agent.conf to include:
<localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
</localfile>
2) change the /var/ossec/etc/internal_options.conf on all agents to include:
logcollector.remote_commands=1
3) restart the server and then all the agents' ossec?

Option 2) seems to cause an extra security risk (like Nagios NRPE): if the OSSEC server is compromised, all servers can be reached or can be used to execute commands remotely via the OSSEC server. Is that correct?

Thanks for clearing things up :)

Michiel

dan (ddp)

Nov 20, 2013, 1:24:01 PM
to ossec...@googlegroups.com
On Wed, Nov 20, 2013 at 9:30 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> Hello,
>
> i have some basic questions about OSSEC server <-> agent model:
>
> - is it correct that the agents ossec.conf can be as small as:
> <ossec_config>
> <client>
> <server-hostname>OSSEC-SERVERNAME</server-hostname>
> </client>
> </ossec_config>
>
> - I push all checks on the server via /var/ossec/etc/shared/agent.conf (the
> file being synched) ?
>

Most things work just fine in the agent.conf.

> - If I want to run the netstat command on all nodes via the
> shared/agent.conf on the server that I have to do the following:
>
> 1) change the agent.conf to include:
> <localfile>
> <log_format>full_command</log_format>
> <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
> </localfile>
> 2) change the /var/ossec/etc/internal_options.conf on all agents that
> include:
> logcollector.remote_commands=1
> 3) restart the server and then all agents ossec ?
>

Seems correct.

> Option 2) seems to cause an extra security risk (like Nagios NRPE): if the
> ossec server is compromised all servers can be reached or can be used to
> execute command remotely via the ossec server, is that correct?
>

Correct, and I believe this is why remote commands are disabled by default.

> Thanks for clearing things up :)
>
> Michiel
>

Michiel van Es

Dec 3, 2013, 10:37:13 AM
to ossec...@googlegroups.com


On Wednesday, November 20, 2013 at 19:24:01 UTC+1, dan (ddpbsd) wrote:
Do you know if there is another way of accomplishing the netstat -tan diff on all agents without the need to enable the remote commands on all agents?
Specify it in the ossec.conf on all agents?

I only have:

<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVERNAME</server-hostname>
  </client>
</ossec_config>

What should I add for the netstat command?
Only add the following to the ossec.conf for the agents:

<localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
</localfile>

and can I specify how often this needs to run on the agents? (I want to randomise the time it should run).

Michiel

dan (ddp)

Dec 3, 2013, 1:44:53 PM
to ossec...@googlegroups.com
Yes, that configuration belongs in the ossec.conf of the agent.

> I only have:
>
> <ossec_config>
> <client>
> <server-hostname>OSSEC-SERVERNAME</server-hostname>
> </client>
> </ossec_config>
>
> What should I need to add the netstat command?
> Only add the following to the ossec.conf for the agents :
>
> <localfile>
> <log_format>full_command</log_format>
> <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
> </localfile>
>
> and can I specify how often this needs to run on the agents? (I want to
> randomise the time it should run).
>

Yes, frequency.

Michiel van Es

Dec 4, 2013, 4:32:15 AM
to ossec...@googlegroups.com



2013/12/3 dan (ddp) <ddp...@gmail.com>
Ok, would this be sufficient to make it work on the agents?

<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVER</server-hostname>
  </client>

  <localfile>
    <!-- Run the command every 7200 seconds (2 hours) -->
    <frequency>7200</frequency>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
  </localfile>
</ossec_config>

Or does the <localfile> stanza need to be used with a <syscheck> or <rootcheck> block?
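The two configurations discussed in this thread (the server-pushed agent.conf with logcollector.remote_commands in the first message, and the agent-local ossec.conf with <frequency> and <alias> in the last one) differ in exactly one security-relevant way: whether a compromised server can make the agent run commands. The script below is an added example, not code from the OSSEC project or from anyone in this thread. It parses constructed samples of the three files (shared agent.conf, local ossec.conf, internal_options.conf), lists every command collector, where it came from and how often it runs, and flags whether the agent will honour it. The 360-second fallback when <frequency> is omitted is OSSEC's documented default and is an assumption of this example, as is the alias name listening_ports.

```python
"""
Audit which OSSEC command collectors an agent will actually execute.

Added example; not code from the OSSEC project or from this thread's
authors. File contents below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the shared agent.conf the server pushes to agents.
AGENT_CONF = """
<agent_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>
</agent_config>
"""

# Constructed sample of an agent's local ossec.conf, with the <alias> dan
# recommends so rules can match on it instead of the full command string.
OSSEC_CONF = """
<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVER</server-hostname>
  </client>
  <localfile>
    <frequency>7200</frequency>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
    <alias>listening_ports</alias>
  </localfile>
</ossec_config>
"""

# Constructed sample of internal_options.conf with the shipped default.
INTERNAL_OPTIONS = """
# Logcollector: accept <command> entries from the server's shared agent.conf?
logcollector.remote_commands=0
"""

# Assumed default: OSSEC documents 360 seconds when <frequency> is omitted.
DEFAULT_FREQUENCY = 360


def parse_ossec_xml(text):
    """OSSEC allows several top-level config blocks in one file, so wrap the
    text in a synthetic root before handing it to ElementTree."""
    return ET.fromstring("<root>" + text + "</root>")


def command_entries(text, origin):
    """One dict per <localfile> whose log_format is command or full_command."""
    entries = []
    for lf in parse_ossec_xml(text).iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt not in ("command", "full_command"):
            continue
        freq = (lf.findtext("frequency") or "").strip()
        entries.append({
            "origin": origin,
            "log_format": fmt,
            "command": (lf.findtext("command") or "").strip(),
            "alias": (lf.findtext("alias") or "").strip() or None,
            "frequency": int(freq) if freq.isdigit() else DEFAULT_FREQUENCY,
        })
    return entries


def remote_commands_enabled(internal_options_text):
    """Server-pushed commands run only if logcollector.remote_commands=1."""
    for raw in internal_options_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"logcollector\.remote_commands\s*=\s*(\d+)\s*$", line)
        if m:
            return m.group(1) == "1"
    return False  # option absent: OSSEC's default is off


def audit(agent_conf, ossec_conf, internal_options):
    """Return (remote_enabled, findings); each finding carries will_run."""
    remote_enabled = remote_commands_enabled(internal_options)
    findings = (command_entries(agent_conf, "shared agent.conf")
                + command_entries(ossec_conf, "local ossec.conf"))
    for entry in findings:
        # Local entries always run; pushed entries need the internal option.
        entry["will_run"] = (entry["origin"] == "local ossec.conf"
                             or remote_enabled)
    return remote_enabled, findings


def report(agent_conf, ossec_conf, internal_options):
    """Human-readable summary, one line per command entry."""
    remote_enabled, findings = audit(agent_conf, ossec_conf, internal_options)
    lines = ["remote_commands from shared agent.conf: "
             + ("ENABLED (server compromise = command execution on this agent)"
                if remote_enabled else "disabled (default)")]
    for e in findings:
        lines.append("%-17s %-8s every %5ds alias=%-15s %s" % (
            e["origin"], "runs" if e["will_run"] else "ignored",
            e["frequency"], e["alias"] or "(none)", e["command"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(AGENT_CONF, OSSEC_CONF, INTERNAL_OPTIONS))
```

With the shipped default the pushed netstat entry is reported as ignored and only the agent-local entry runs every 7200 seconds, which is the trade-off the thread settles on: keeping the command in each agent's ossec.conf means the server never gains the ability to run commands on the fleet.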

dan (ddp)

Dec 4, 2013, 8:02:54 AM
to ossec...@googlegroups.com
I haven't tested it, but that looks to be correct. I also like to add
an <alias> to my entries to make it easier to create rules.

> Or does the <localfile> stanza need to be used with a <syscheck> or
> <rootcheck> block?
>

localfile definitions are not for syscheck or rootcheck. Take a look
at your agent.conf, you probably have an example there.