OSSEC agentless questions


jplee3

Aug 24, 2010, 7:16:46 PM
to ossec-list
Hi all,

I guess this is more confirmation than anything but...

1) OSSEC agentless basically just includes syscheck - is this correct?
So rootcheck is not something that's done, nor log analysis.

2) There is no Windows implementation for OSSEC agentless
monitoring...?

3) Is there any major difference in how standard syscheck in local/
agent mode runs compared to in agentless mode?



I'm in the process of evaluating whether OSSEC in agentless mode will
satisfy FIM-specific requirements of PCI. Obviously, rootcheck would
be a really nice [and more secure] thing to have but that's not
necessarily a requirement as far as PCI is concerned.

dan (ddp)

Aug 25, 2010, 8:51:42 AM
to ossec...@googlegroups.com
On Tue, Aug 24, 2010 at 7:16 PM, jplee3 <jpl...@gmail.com> wrote:
> Hi all,
>
> I guess this is more confirmation than anything but...
>
> 1) OSSEC agentless basically just includes syscheck - is this correct?
> So rootcheck is not something that's done, nor log analysis.
>

Correct. http://www.ossec.net/doc/manual/agent/agentless-monitoring.html

> 2) There is no Windows implementation for OSSEC agentless
> monitoring...?
>

Also correct.

Dave S

Aug 25, 2010, 9:30:43 AM
to ossec-list
Agentless ossec clients can support log analysis if you have another
means to send the logs to the server.

For example, there are several packages for Windows that take incoming
messages to the Event Log and convert them to syslog messages.
My favorite is http://www.syslog.org/wiki/Main/Evtsys but there are
several that are more sophisticated.

Then you can configure the ossec server to accept these messages and
it will analyze them like normal.

- Dave

Jeremy Rossi

Aug 25, 2010, 11:07:20 AM
to ossec...@googlegroups.com

> Hi all,
>
> I guess this is more confirmation than anything but...
>
> 1) OSSEC agentless basically just includes syscheck - is this correct?
> So rootcheck is not something that's done, nor log analysis.

The scripts supplied with OSSEC only do syscheck; you can do just about
anything you would like by writing your own script.

I have some blog posts on agentless, and the agentless docs have been updated
recently.

http://www.ossec.net/doc/manual/agent/index.html
http://praetorianprefect.com/?s=ossec

> 2) There is no Windows implementation for OSSEC agentless
> monitoring...?

Agentlessd runs on a centralized ossec server, which must be a UNIX. This is
also where agentless scripts are run. There is nothing to limit an
agentless script from connecting to and performing actions on a Windows box or
any other system, for that matter.

>
> 3) Is there any major difference in how standard syscheck in local/
> agent mode runs compared to in agentless mode?

The full ossec agent does far more than any script does (that I know of), but
the scripts could do more if needed.

Another reason the full agent is useful is that it's written in C and far
faster.

jplee3

Aug 26, 2010, 12:11:36 PM
to ossec-list
Thanks all for the info! So from a security standpoint, it's
probably better to go with agent rather than agentless. Also, from a
performance standpoint this seems to make more sense. In short, go
with the agent where you are able to and agentless where you
absolutely cannot.

My remaining concern is with performance impacts of putting the agent
on a machine that often gets taxed (which is why I was considering
agentless in the first place). And though it sounds like the footprint
is smaller, the determining factor will likely have to be just trying
it out on a test or staging system either way.

dan (ddp)

Aug 26, 2010, 12:29:53 PM
to ossec...@googlegroups.com
On Thu, Aug 26, 2010 at 12:11 PM, jplee3 <jpl...@gmail.com> wrote:
> Thanks all for the info! So as far as from a security standpoint, it's
> probably better to go with agent rather than agentless. Also, from a
> performance standpoint this seems to make more sense. In short, go
> with the agent where you are able to and agentless where you
> absolutely cannot.
>

Correct.

> My remaining concern is with performance impacts of putting the agent
> on a machine that often gets taxed (which is why I was considering
> agentless in the first place). And though it sounds like the footprint
> is smaller, the determining factor will likely have to be just trying
> it out on a test or staging system either way.
>
>

Definitely test it out. Syscheck seems to be the biggest performance
hog on the agent side, but there are a few syscheck settings that can
help with performance (including scheduling syscheck scans to run at
certain times).

jplee3

Aug 26, 2010, 12:41:34 PM
to ossec-list
I found some posts where <scan_time> and <scan_day> can be used for
specific scheduling. But in those posts I noticed people were having
trouble, especially with <scan_day> - has anyone gotten this to
successfully work? And if so, what is the proper syntax/format? Would
it be like this?:

<scan_time>01:55</scan_time>
<scan_day>Friday</scan_day>

dan (ddp)

Aug 26, 2010, 12:48:28 PM
to ossec...@googlegroups.com
On Thu, Aug 26, 2010 at 12:41 PM, jplee3 <jpl...@gmail.com> wrote:
>
> I found some posts where <scan_time> and <scan_day> can be used for
> specific scheduling. But in those posts I noticed people were having
> trouble, especially with <scan_day> - has anyone gotten this to
> successfully work? And if so, what is the proper syntax/format? Would
> it be like this?:
>
> <scan_time>01:55</scan_time>
> <scan_day>Friday</scan_day>
>

I haven't tested it in a while, but I think I successfully tried it a
while back.
According to the following link, I believe you have the syntax correct:
http://www.ossec.net/doc/manual/syscheck.html

Also look at the following settings:
# Syscheck checking/usage speed. To avoid large cpu/memory
# usage, you can specify how much to sleep after generating
# the checksum of X files. The default is to sleep 2 seconds
# after reading 15 files.
syscheck.sleep=2
syscheck.sleep_after=15

They are in ossec/etc/internal_options.conf
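For readers who want to see where the scheduling tags from the question sit, here is the same `<scan_time>`/`<scan_day>` pair placed inside a complete `<syscheck>` block of ossec.conf. This is an added example, not configuration posted in the thread or taken from the OSSEC manual; the monitored directories and the `<frequency>` value are assumptions chosen for illustration.

```xml
<ossec_config>
  <syscheck>
    <!-- Assumed baseline interval between full scans, in seconds (22 hours) -->
    <frequency>79200</frequency>

    <!-- Assumed directories to monitor; check_all enables every attribute check -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Weekly scheduled scan: Friday at 01:55, the syntax confirmed above -->
    <scan_time>01:55</scan_time>
    <scan_day>Friday</scan_day>
  </syscheck>
</ossec_config>
```

On a heavily loaded host, pairing a scheduled off-peak scan like this with the `syscheck.sleep` and `syscheck.sleep_after` values in internal_options.conf mentioned above is the combination to test on a staging system before rolling the agent out.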
