Enhanced OSSEC to support agent profile configurations


Christopher Moraes

Jun 9, 2011, 4:09:41 PM
to ossec...@googlegroups.com
Hi everyone,

I have made a small enhancement to OSSEC to support different configuration profiles for agents.  If you are interested in this feature and would like to help, I would appreciate if you could help me test it out.

The code is available from my bitbucket repository at http://bitbucket.org/cmoraes/ossec.
(based off the current 2.6 beta source code)

Background -

I needed OSSEC to support different syscheck/rootkit/localfile rules for different categories of servers. For example, I needed one config for our Linux Oracle servers, another one for our Linux JEE App servers, another for our Windows Domain controllers, etc.

From what I found, OSSEC currently supports agent configurations based on agent name or OS name.  For my use case, creating a config for each agent name was too granular (I have 25 Linux database (Oracle) servers and wanted to create one configuration for all of them) and creating one for each OS was too coarse-grained.

So I have implemented a feature to support configuration "profiles".   Agents can be assigned a profile name (which can be any string) and that profile name is matched with the config profile in the shared agent.conf.

A new "profile" attribute is now supported in the agent.conf file.   

<agent_config profile="LinuxOracleDBServer">
.....
</agent_config>

And in the agent's etc/ossec.conf file, a new config element "config-profile" is added

<ossec_config>
  <client>
    <server-ip>10.200.36.157</server-ip>
    <config-profile>LinuxOracleDBServer</config-profile>
  </client>
</ossec_config>

This should make the enhancement backward compatible, so you don't have to change already deployed agents if you don't want to assign them a profile.

The code is in an alpha state.  I have tested it for a few use cases. If you can try it out, I'd love to hear your feedback.

Regards,
Chris



dan (ddp)

Jun 9, 2011, 4:30:54 PM
to ossec...@googlegroups.com
This sounds like a neat idea! If you don't hear anything back remind
the list about it after 2.6 is released.

Jason Frisvold

Jun 9, 2011, 9:37:01 PM
to ossec...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jun 9, 2011, at 4:09 PM, Christopher Moraes wrote:
> Hi everyone,


> This should make the enhancement backward compatible, so you don't have to change already deployed agents if you don't want to assign them a profile.
>
> The code is in an alpha state. I have tested it for a few use cases. If you can try it out, I'd love to hear your feedback.

This is brilliant.. I hope Daniel sees this and integrates it into either the 2.6 release (since your code is already written for 2.6) or puts it on the list for 2.7 ...

What would make it even cooler would be to allow multiple profiles. Have them combine, in order, so you can update for multi-purpose servers..

> Regards,
> Chris

- ---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iEYEARECAAYFAk3xdT8ACgkQ8CjzPZyTUTS8zQCeKStiHd6Nedh3C/YAP0+jLSG4
ToYAoJHCSKsVejWJtAbuLuiUR7hey+mr
=lbC+
-----END PGP SIGNATURE-----

Christopher Moraes

Jun 10, 2011, 10:02:41 AM
to ossec...@googlegroups.com
> What would make it even cooler would be to allow multiple profiles.  Have them combine, in order, so you can update for multi-purpose servers..


Could you explain this a little more? 

Did you mean that agent.conf should support multiple profiles?  If yes, then, that is supported.  Inside the managers agent.conf, you can have multiple <agent_config> blocks, each with a different profile name. 

Or did you mean inheritance of profiles.  E.g. "Linux-DBServer" inherits the base "Linux" profile

Jason 'XenoPhage' Frisvold

Jun 10, 2011, 11:09:40 AM
to ossec...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/10/2011 10:02 AM, Christopher Moraes wrote:
> Could you explain this a little more?
>
> Did you mean that agent.conf should support multiple profiles? If yes,
> then, that is supported. Inside the managers agent.conf, you can have
> multiple <agent_config> blocks, each with a different profile name.
>
> Or did you mean inheritance of profiles. E.g. "Linux-DBServer" inherits
> the base "Linux" profile

The latter. So, on any given machine I can do something like this :

<ossec_config>
  <client>
    <server-ip>10.200.36.157</server-ip>
    <config-profile>LinuxOracleDBServer,LinuxWebServer</config-profile>
  </client>
</ossec_config>

Or

<ossec_config>
  <client>
    <server-ip>10.200.36.157</server-ip>
    <config-profile>LinuxOracleDBServer</config-profile>
    <config-profile>LinuxWebServer</config-profile>
  </client>
</ossec_config>


Note : I'm thinking out loud here.. I like being able to use merging to
create profiles for disparate parts and combine them together as needed.


- --

- ---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law
-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3yM7QACgkQ8CjzPZyTUTS21gCffl7VX4VJieGqlamfhyzgpbW7
3hUAnRdmsL6XlKyGc2+GIE5Wj8wbGf8v
=3xaq
-----END PGP SIGNATURE-----
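
The selection and merge logic the thread is discussing, as an added example (not Chris's patch and not OSSEC's own code). It reads a constructed shared agent.conf with global, os= and profile= blocks, reads the agent's <config-profile> in both forms Jason sketched (one comma-separated element, or several elements), picks the blocks that apply, and merges them in profile order so that a multi-purpose server gets every profile's settings. The matching rules are assumptions for the example: a block applies when every selector attribute it carries matches the agent, a block with no attributes is global, and os= is a substring match against the agent's uname; list settings accumulate while a scalar such as syscheck frequency is overridden by the later block. The sample agent.conf, hostnames and paths are constructed; the server IP is the one from the post.

```python
"""Pick the shared agent.conf blocks that apply to one agent (by name, OS and
profile) and merge them in order. Added example in the spirit of the thread;
not OSSEC's own code, and the matching rules below are assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of a manager's shared agent.conf. OSSEC's file holds
# several top-level <agent_config> blocks; the <root> wrapper is only there
# because ElementTree needs a single root element.
AGENT_CONF = """<root>
<agent_config>
  <syscheck><frequency>7200</frequency></syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck><directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories></syscheck>
</agent_config>
<agent_config profile="LinuxOracleDBServer">
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/u01/app/oracle/product</directories>
  </syscheck>
  <localfile><log_format>syslog</log_format><location>/u01/app/oracle/diag/alert.log</location></localfile>
</agent_config>
<agent_config profile="LinuxWebServer">
  <localfile><log_format>apache</log_format><location>/var/log/httpd/access_log</location></localfile>
</agent_config>
<agent_config os="Windows">
  <syscheck><directories check_all="yes">C:\\Windows\\System32</directories></syscheck>
</agent_config>
</root>"""


@dataclass(frozen=True)
class Agent:
    name: str
    os: str               # the agent's uname string as the manager sees it
    profiles: tuple = ()  # ordered <config-profile> values; () when none assigned


def parse_profiles(client_xml):
    """Read <config-profile> from an agent's ossec.conf. Accepts both forms
    floated in the thread (one comma-separated element, or several elements);
    keeps declaration order, drops blanks and duplicates."""
    found = []
    for elem in ET.fromstring(client_xml).iterfind("./client/config-profile"):
        for name in (elem.text or "").split(","):
            name = name.strip()
            if name and name not in found:
                found.append(name)
    return tuple(found)


def _block_applies(block, agent):
    """Assumed rule: a block applies when every selector attribute it carries
    matches the agent; a block with no attributes is global."""
    name, os_, profile = block.get("name"), block.get("os"), block.get("profile")
    if name is not None and name != agent.name:
        return False
    if os_ is not None and os_.lower() not in agent.os.lower():
        return False
    if profile is not None and profile not in agent.profiles:
        return False
    return True


def select_blocks(agent_conf_xml, agent):
    """Applicable blocks, ordered: global/name/os blocks first (file order),
    then profile blocks in the order the agent declared its profiles."""
    blocks = [b for b in ET.fromstring(agent_conf_xml).iterfind("agent_config")
              if _block_applies(b, agent)]

    def rank(b):
        p = b.get("profile")
        return -1 if p is None else agent.profiles.index(p)
    return sorted(blocks, key=rank)  # sorted() is stable: file order kept within a rank


def merged_config(agent_conf_xml, agent):
    """Merge the selected blocks: list settings accumulate, scalars are
    overridden by later blocks (so a profile can tighten a global default)."""
    cfg = {"frequency": None, "directories": [], "localfiles": []}
    for block in select_blocks(agent_conf_xml, agent):
        for sc in block.iterfind("syscheck"):
            freq = sc.findtext("frequency")
            if freq is not None:
                cfg["frequency"] = int(freq)
            for d in sc.iterfind("directories"):
                cfg["directories"] += [p.strip() for p in (d.text or "").split(",") if p.strip()]
        for lf in block.iterfind("localfile"):
            cfg["localfiles"].append((lf.findtext("log_format"), lf.findtext("location")))
    return cfg


if __name__ == "__main__":
    # Constructed ossec.conf <client> block for a box that is both DB and web server.
    client = """<ossec_config><client><server-ip>10.200.36.157</server-ip>
      <config-profile>LinuxOracleDBServer,LinuxWebServer</config-profile>
    </client></ossec_config>"""
    print(merged_config(AGENT_CONF, Agent("db07", "Linux db07 2.6.32", parse_profiles(client))))
```

Two things worth keeping in mind when using a scheme like this. Ordering is what makes the merge predictable: with "LinuxOracleDBServer,LinuxWebServer" the Oracle localfile lands before the Apache one, and swapping the list swaps them, so a profile that sets a scalar later in the list wins. And the profile is declared by the agent in its own ossec.conf, exactly like the agent name and OS the existing name=/os= matching already relies on, so it is a grouping convenience on the manager side rather than a boundary the manager enforces; an agent that declares no profile, or one that matches nothing in agent.conf, simply falls back to the global and OS blocks.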

Christopher Moraes

Jun 10, 2011, 3:16:27 PM
to ossec...@googlegroups.com
I like your idea too and had initially thought about creating a nesting of profiles in the agent_config.  This seems like a neat way of doing merging. 

Daniel Cid

Jun 15, 2011, 8:42:03 AM
to ossec...@googlegroups.com
Not on 2.6, since it has been frozen for the beta already, but
certainly on 2.7 :)

And yes, keep the patches coming.

Thanks!

Jason 'XenoPhage' Frisvold

Jun 15, 2011, 1:20:13 PM
to ossec...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/15/2011 08:42 AM, Daniel Cid wrote:
> Not on 2.6, since it has been frozen for the beta already, but
> certainly on 2.7 :)

Then the logical question is.. When's 2.7 getting released? ;)

> And yes, keep the patches coming.

I'm going to need to learn how to use git so I can start contributing
rules.. :)

> Thanks!

- --

- ---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law
-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk346c0ACgkQ8CjzPZyTUTSvvACePYA+wzlXIVeqtK45fdFY2gx8
bOQAn1BeRjoMlutKkRluSQryWWwoGWgR
=HZoT
-----END PGP SIGNATURE-----

dan (ddp)

Jun 15, 2011, 3:43:10 PM
to ossec...@googlegroups.com
On Wed, Jun 15, 2011 at 1:20 PM, Jason 'XenoPhage' Frisvold
<xeno...@godshell.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 06/15/2011 08:42 AM, Daniel Cid wrote:
>> Not on 2.6, since it has been frozen for the beta already, but
>> certainly on 2.7 :)
>
> Then the logical question is..  When's 2.7 getting released?  ;)
>

After 2.6. ;)

>> And yes, keep the patches coming.
>
> I'm going to need to learn how to use git so I can start contributing
> rules..  :)
>

mercurial
