moving from host server to container on cloud: OSSEC HIDS starts up, but doesn't log agent alerts

Coyot Linden (Glenn Glazer)

Dec 21, 2020, 9:19:33 AM
to ossec...@googlegroups.com, Soft Linden, Malarthi, Simon Linden
Hi, all.

We have a physical host in a colocation facility for our OSSEC that we urgently need to move to a container running on an ECS host in AWS. The container uses the OSSEC buster debian package from Atomiccorp to deliver the OSSEC binaries, which we combine with the configuration files from the old host, changing only what is needful.

Following the advice at https://www.ossec.net/docs/docs/faq/unexpected.html#how-do-i-troubleshoot-ossec, here's some basic info:
root@f1719bb8a9ac:/var/ossec/etc# uname -a
Linux f1719bb8a9ac 4.19.0-12-cloud-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
root@f1719bb8a9ac:/var/ossec/etc# /var/ossec/bin/ossec-analysisd -V

OSSEC HIDS v3.6.0 - OSSEC Foundation

For reference, that Debian version is Buster.

The ossec-init.conf and ossec.conf are attached.

Here's a ps from inside the container:

ossecm      38  0.0  0.0  23680  3460 ?        S    Dec20   0:00 /var/ossec/bin/ossec-maild
ossecm      39  0.0  0.0  23568  4060 ?        S    Dec20   0:00 /var/ossec/bin/ossec-maild
root        43  0.0  0.0  20924  2664 ?        S    Dec20   0:00 /var/ossec/bin/ossec-execd
ossec       47  0.0  0.1  25940  8524 ?        S    Dec20   0:00 /var/ossec/bin/ossec-analysisd
root        52  0.0  0.0  20968  3212 ?        S    Dec20   0:00 /var/ossec/bin/ossec-logcollector
ossecr      58  0.0  0.0 103448  3552 ?        Sl   Dec20   0:00 /var/ossec/bin/ossec-remoted
root        62  0.2  0.0  21632  3840 ?        S    Dec20   0:04 /var/ossec/bin/ossec-syscheckd
ossec       66  0.0  0.0  21204  3416 ?        S    Dec20   0:00 /var/ossec/bin/ossec-monitord

We have two problems:

1) While we get plenty of syscheck and rootcheck alerts, we aren't getting any PAM alerts, which are the ones we really want. On the colo host, we see the following when someone logs into the host or becomes root on either server or agent:
** Alert 1608069858.1457: - pam,syslog,authentication_success,
2020 Dec 15 22:04:18 ossec-phx0.lindenlab.com->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Dec 15 22:04:18 ossec-phx0.lindenlab.com sudo: pam_unix(sudo:session): session opened for user root by coyot(uid=0)
But we do not see this at all on either localhost login or with the agents. We sort of expect localhost to be a miss since docker exec into the container doesn't touch /var/log/auth.log, but the clients are a big problem.

To test: we run manage-agent on the server, get the key, verify it in /etc/client.keys and then reg the client using that key. We then ssh to client and try a sudo. Nothing server side under /var/logs/alerts at all.

We aren't doing anything to tell the agents where the server is; does it get that from the key?

2) We are interested in knowing if anyone has set up OSSEC to use Amazon SES as their SMTP server and what steps that involves. Right now, local postfix isn't working in the container and we'd just as soon use a regular service.

Many thanks in advance for any help you can provide.

Best,

coyot
GLENN GLAZER | Senior Software Engineer
m: 562.305.2920 | email: co...@lindenlab.com | Second Life: Coyot Linden
LINDEN LAB | Create Virtual Experiences

ossec-init.conf
ossec.conf
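As an added example (not part of the original post and not OSSEC's own tooling): a small Python parser for the alerts.log entry layout quoted in the post, which groups alerts by reporting host and lists hosts that sent syscheck/rootcheck alerts but never a pam-group alert, i.e. the gap described for the agents. It assumes the server-local line format quoted above and the usual `(agent) ip->location` layout for agent-originated alerts; the sample entries and the host name web01 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in OSSEC alerts.log layout. Entry 1 copies the format quoted in
# the post; "(agent) ip->location" is the usual OSSEC form for agent alerts (assumed).
SAMPLE_ALERTS = """\
** Alert 1608069858.1457: - pam,syslog,authentication_success,
2020 Dec 15 22:04:18 ossec-phx0.lindenlab.com->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Dec 15 22:04:18 ossec-phx0.lindenlab.com sudo: pam_unix(sudo:session): session opened for user root by coyot(uid=0)

** Alert 1608070000.2001: - ossec,syscheck,
2020 Dec 15 22:06:40 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
"""

HEADER_RE = re.compile(r"^\*\* Alert (\S+): (?:mail )?- (.*)$")
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} (.+?)->(\S+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

def source_name(src):
    """'(web01) 10.0.0.5' -> 'web01' for an agent; the bare hostname for the server."""
    m = re.match(r"^\((.+)\) \S+$", src)
    return m.group(1) if m else src

def parse_alerts(text):
    """One dict per alert block (header, location, rule lines); malformed blocks skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head, loc, rule = (HEADER_RE.match(lines[0]), LOCATION_RE.match(lines[1]),
                           RULE_RE.match(lines[2]))
        if not (head and loc and rule):
            continue
        alerts.append({"id": head.group(1), "rule": int(rule.group(1)),
                       "groups": [g for g in head.group(2).split(",") if g],
                       "source": source_name(loc.group(1)), "location": loc.group(2),
                       "level": int(rule.group(2)), "payload": "\n".join(lines[3:])})
    return alerts

def missing_pam_sources(alerts):
    """Sources that produced syscheck/rootcheck alerts but never a pam-group alert."""
    groups_by_source = defaultdict(set)
    for a in alerts:
        groups_by_source[a["source"]].update(a["groups"])
    return sorted(s for s, g in groups_by_source.items()
                  if g & {"syscheck", "rootcheck"} and "pam" not in g)
```

Run it over a real /var/ossec/logs/alerts/alerts.log to see which agents are reaching the server with integrity alerts only, which separates "agent not connecting" from "auth.log not being collected or forwarded".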