Hi, all.
We have a physical host in a colocation facility for our OSSEC that
we urgently need to move to a container running on an ECS host in
AWS. The container uses the OSSEC buster debian package from
Atomiccorp to deliver the OSSEC binaries, which we combine with the
configuration files from the old host, changing only what is
needful.
Following the advice at
https://www.ossec.net/docs/docs/faq/unexpected.html#how-do-i-troubleshoot-ossec,
here's some basic info:
root@f1719bb8a9ac:/var/ossec/etc# uname -a
Linux f1719bb8a9ac 4.19.0-12-cloud-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
root@f1719bb8a9ac:/var/ossec/etc# /var/ossec/bin/ossec-analysisd -V
OSSEC HIDS v3.6.0 - OSSEC Foundation
For reference, that Debian version is Buster.
The ossec-init.conf and ossec.conf are attached.
Here's a ps from inside the container:
ossecm 38 0.0 0.0 23680 3460 ? S Dec20 0:00 /var/ossec/bin/ossec-maild
ossecm 39 0.0 0.0 23568 4060 ? S Dec20 0:00 /var/ossec/bin/ossec-maild
root 43 0.0 0.0 20924 2664 ? S Dec20 0:00 /var/ossec/bin/ossec-execd
ossec 47 0.0 0.1 25940 8524 ? S Dec20 0:00 /var/ossec/bin/ossec-analysisd
root 52 0.0 0.0 20968 3212 ? S Dec20 0:00 /var/ossec/bin/ossec-logcollector
ossecr 58 0.0 0.0 103448 3552 ? Sl Dec20 0:00 /var/ossec/bin/ossec-remoted
root 62 0.2 0.0 21632 3840 ? S Dec20 0:04 /var/ossec/bin/ossec-syscheckd
ossec 66 0.0 0.0 21204 3416 ? S Dec20 0:00 /var/ossec/bin/ossec-monitord
We have two problems:
1) While we get plenty of syscheck and rootcheck alerts, we aren't
getting any PAM alerts, which are the ones we really want. On the
colo host, we see the following when someone logs into the host or
becomes root on either server or agent:
** Alert 1608069858.1457: - pam,syslog,authentication_success,
2020 Dec 15 22:04:18 ossec-phx0.lindenlab.com->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Dec 15 22:04:18 ossec-phx0.lindenlab.com sudo: pam_unix(sudo:session): session opened for user root by coyot(uid=0)
But we do not see this at all on either localhost login or with the
agents. We sort of expect localhost to be a miss since docker exec
into the container doesn't touch /var/log/auth.log, but the clients
are a big problem.
To test: we run manage-agent on the server, get the key, verify it
in /etc/client.keys and then reg the client using that key. We then
ssh to the client and try a sudo. Nothing server-side under
/var/logs/alerts at all.
We aren't doing anything to tell the agents where the server is;
does it get that from the key?
2) We are interested in knowing if anyone has set up OSSEC to use
Amazon SES as their SMTP server and what steps that involves. Right
now, local postfix isn't working in the container and we'd just as
soon use a regular service.
Many thanks in advance for any help you can provide.
Best,
coyot
GLENN GLAZER | Senior Software Engineer
m: 562.305.2920 | email: co...@lindenlab.com | Second Life: Coyot Linden
LINDEN LAB | Create Virtual Experiences
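As an added example (not part of the original post or of OSSEC itself), a small Python check for the agent-side enrolment files the post describes: a client.keys record carries only id, name, IP and key, so the manager's address has to come from the <client> block of the agent's ossec.conf. The file contents below are constructed samples, not from the thread.

```python
"""Sanity-check an OSSEC agent's enrolment files (added example, not OSSEC code)."""
import xml.etree.ElementTree as ET

# Constructed sample client.keys line, format: "<id> <name> <ip-or-any> <key>"
SAMPLE_CLIENT_KEYS = (
    "001 web-agent-01 any "
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
)

# Constructed agent ossec.conf: the <client> block is the only place the agent
# learns where the manager is; the key record does not carry that address.
SAMPLE_AGENT_CONF = """<ossec_config>
  <client>
    <server-ip>10.0.0.5</server-ip>
  </client>
</ossec_config>
<ossec_config>
  <syscheck><frequency>7200</frequency></syscheck>
</ossec_config>
"""


def parse_client_keys(text):
    """Return one dict per key record; reject lines that do not have 4 fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed client.keys line: {line!r}")
        entries.append(dict(zip(("id", "name", "ip", "key"), parts)))
    return entries


def agent_server_targets(conf_text):
    """List (tag, value) for every server-ip/server-hostname under <client>."""
    # ossec.conf may contain several top-level <ossec_config> elements,
    # so wrap the file in a synthetic root before parsing it as XML.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    targets = []
    for client in root.iter("client"):
        for tag in ("server-ip", "server-hostname"):
            for el in client.findall(tag):
                if el.text and el.text.strip():
                    targets.append((tag, el.text.strip()))
    return targets


def check_agent_enrolment(keys_text, conf_text):
    """Return a list of problems; an empty list means both files look usable."""
    problems = []
    if not parse_client_keys(keys_text):
        problems.append("client.keys has no entries: agent is not registered")
    if not agent_server_targets(conf_text):
        problems.append("no <server-ip>/<server-hostname> in <client>: "
                        "agent does not know the manager address")
    return problems
```

Run the two checks against /var/ossec/etc/client.keys and /var/ossec/etc/ossec.conf on the agent; an agent with a key but no <client> target will never contact the manager, so no PAM alerts from it can reach alerts.log.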