We have a physical host in a colocation facility for our OSSEC that
we urgently need to move to a container running on an ECS host in
AWS. The container uses the OSSEC buster debian package from
Atomiccorp to deliver the OSSEC binaries, which we combine with the
configuration files from the old host, changing only what is
Following the advice at
here's some basic info:
root@f1719bb8a9ac:/var/ossec/etc# uname -a
Linux f1719bb8a9ac 4.19.0-12-cloud-amd64 #1 SMP Debian 4.19.152-1
(2020-10-18) x86_64 GNU/Linux
OSSEC HIDS v3.6.0 - OSSEC Foundation
For reference, that Debian version is Buster.
The ossec-init.conf and ossec.conf are attached.
Here's a ps from inside the container:
ossecm 38 0.0 0.0 23680 3460
? S Dec20 0:00 /var/ossec/bin/ossec-maild
ossecm 39 0.0 0.0 23568 4060 ? S Dec20 0:00
root 43 0.0 0.0 20924 2664 ? S Dec20 0:00
ossec 47 0.0 0.1 25940 8524 ? S Dec20 0:00
root 52 0.0 0.0 20968 3212 ? S Dec20 0:00
ossecr 58 0.0 0.0 103448 3552 ? Sl Dec20 0:00
root 62 0.2 0.0 21632 3840 ? S Dec20 0:04
ossec 66 0.0 0.0 21204 3416 ? S Dec20 0:00
We have two problems:
1) While we get plenty of syscheck and rootcheck alerts, we aren't
getting any PAM alerts, which are the ones we really want. On the
colo host, we see the following when someone logs into the host or
becomes root on either server or agent:
** Alert 1608069858.1457: -
2020 Dec 15 22:04:18
Rule: 5501 (level 3) -> 'Login session opened.'
Dec 15 22:04:18 ossec-phx0.lindenlab.com sudo:
pam_unix(sudo:session): session opened for user root by
But we do not see this at all on either localhost login or with the
agents. We sort of expect localhost to be a miss since docker exec
into the container doesn't touch /var/log/auth.log, but the clients
are a big problem.
To test: we run manage-agent on the server, get the key, verify it
in /etc/client.keys and then reg the client using that key. We then
ssh to client and try a sudo. Nothing server side under
/var/logs/alerts at all.
We aren't doing anything to tell the agents where the server is,
does it get that from the key?
2) We are interested in knowing if anyone has set up OSSEC to use
Amazon SES as their SMTP server and what steps that involves. Right
now, local postfix isn't working in the container and we'd just as
soon use a regular service.
Many thanks in advance for any help you can provide.
GLENN GLAZER | Senior Software Engineer
m: 562.305.2920 | email:
co...@lindenlab.com | Second
Life: Coyot Linden
LINDEN LAB | Create Virtual Experiences