Is there a way to monitor content of files in the tmp directory


Peter M. Abraham

Feb 3, 2009, 10:35:58 AM
to ossec-list
Greetings:

Reviewing http://www.ossec.net/dcid/?p=158 specifically "<arguments>ls
-la /etc; cat /etc/passwd</arguments>" I was wondering if it would be
possible to monitor the ** contents ** of files in /tmp or other tmp-
like directories.

I.e. alert if a file within /tmp contained '/usr/bin/perl' or '/usr/
local/bin/perl' or other system type commands.

Is that possible with ossec 1.6.1?

If so, how?

Is that possible with ossec BETA 2.x?

If so, how?

Thank you.

Daniel Cid

Feb 3, 2009, 11:10:44 AM
to ossec...@googlegroups.com
Hi Peter,

This is possible to do with the policy monitoring. For example, if you
modify the
file /var/ossec/etc/shared/system_audit_rcl.txt to include:

[File found on /tmp with perl on it] [any] []
d:/tmp -> -> r:<?|^#!;

It will alert if any file on tmp starts with #! or <? (php).

You can also restrict to any file that ends with .txt (for example):

[File found on /tmp with perl on it, ending with .txt] [any] []
d:/tmp -> .txt$ -> r:<?|^#!;

If you want more than one directory or for a few system commands:

[File found on /tmp with perl on it, ending with .txt] [any] []
d:/tmp,/var/tmp -> -> r:ls|rename|mkdir|id|whoami|cat;


Btw, you only need to change this file on the server side and it will be pushed
to your agents (after a while).


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
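
An added worked example, not code from this thread or from the OSSEC project: a small Python emulation of the `d:<dirs> -> <filename pattern> -> r:<content pattern>;` check Daniel describes, run over a constructed temp directory holding the kind of files the thread talks about. OSSEC's pattern language is its own dialect (`?` is a literal, not a quantifier), so the translation below supports only `|`, a leading `^`, a trailing `$` and `.`; that the content pattern is tried line by line and that only the top level of each directory is scanned are assumptions of this emulation, chosen to match what the thread reports.

```python
import os
import re
import tempfile

# Emulation of the rootcheck "system audit" directory check discussed in the
# thread.  Only the subset of the policy syntax that appears there is handled:
#   [Check name] [any] []
#   d:/dir1,/dir2 -> <filename pattern or empty> -> r:<content pattern>;
# OSSEC patterns are their own dialect; this translation supports only '|'
# (alternation), a leading '^', a trailing '$' and '.' (any character), and
# treats everything else, '?' included, as a literal.  That the content
# pattern is tried against each line of a file, and that only the top level
# of each directory is scanned, are assumptions of this emulation.


def ossec_pattern(pat):
    """Translate one OSSEC-style pattern into a compiled Python regex."""
    alts = []
    for alt in pat.split("|"):
        head, tail = "", ""
        if alt.startswith("^"):
            head, alt = "^", alt[1:]
        if alt.endswith("$"):
            tail, alt = "$", alt[:-1]
        body = "".join("." if ch == "." else re.escape(ch) for ch in alt)
        alts.append(head + body + tail)
    return re.compile("|".join(alts))


def parse_policy(text):
    """Return [(name, [dirs], filename_regex_or_None, content_regex)]."""
    entries, name = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            name = line[1:line.index("]")]
            continue
        parts = [p.strip() for p in line[2:].split("->")]
        if not line.startswith("d:") or name is None or len(parts) != 3:
            raise ValueError("unsupported policy line: %r" % line)
        dirs, fname, content = parts
        if not (content.startswith("r:") and content.endswith(";")):
            raise ValueError("content check must look like r:...; in %r" % line)
        entries.append((name, dirs.split(","),
                        ossec_pattern(fname) if fname else None,
                        ossec_pattern(content[2:-1])))
    return entries


def file_matches(path, content_re):
    """True if any line of the file matches the content pattern."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return any(content_re.search(line) for line in fh)


def run_policy(policy_text):
    """Return {check name: [paths that triggered it]} for the given policy."""
    hits = {}
    for name, dirs, fname_re, content_re in parse_policy(policy_text):
        found = hits.setdefault(name, [])
        for d in dirs:
            if not os.path.isdir(d):
                continue
            for entry in sorted(os.listdir(d)):
                path = os.path.join(d, entry)
                if not os.path.isfile(path):
                    continue                      # no recursion into subdirs
                if fname_re is not None and not fname_re.search(entry):
                    continue
                if file_matches(path, content_re):
                    found.append(path)
    return hits


# Constructed sample files (not from the thread's servers).
SAMPLE_FILES = {
    "test": "#!/usr/local/bin/perl\n#\n",      # the two lines Peter used
    "index.txt": "<?php echo 'hi'; ?>\n",
    "script.txt": "#!/bin/sh\necho hi\n",
    "cmds": "whoami\n",
    "readme": "valid input goes here\n",       # 'id' hides inside 'valid'
    "data.txt": "nothing to see\n",
}

# The thread's three policy examples, with the directory filled in at run time.
POLICY_TEMPLATE = """
[File found on tmp with perl or php on it] [any] []
d:{tmp} -> -> r:<?|^#!;

[Script ending with .txt] [any] []
d:{tmp} -> .txt$ -> r:<?|^#!;

[File mentioning system commands] [any] []
d:{tmp},{tmp}/missing -> -> r:ls|rename|mkdir|id|whoami|cat;
"""


def demo():
    """Build the sample directory, run the policy, return basenames per check."""
    tmp = tempfile.mkdtemp(prefix="audit-demo-")
    for fname, body in SAMPLE_FILES.items():
        with open(os.path.join(tmp, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    hits = run_policy(POLICY_TEMPLATE.format(tmp=tmp))
    return {name: sorted(os.path.basename(p) for p in paths)
            for name, paths in hits.items()}


if __name__ == "__main__":
    for name, files in demo().items():
        for f in files:
            print("System Audit: %s. File: %s." % (name, f))
```

The third check shows why bare command names make a noisy pattern: `readme` is flagged only because `id` occurs inside the word `valid`, which is the sort of false positive to expect before tuning such a list.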

Peter M. Abraham

Feb 3, 2009, 1:03:27 PM
to ossec-list
Greetings Daniel:

Thank you for your prompt and detailed reply.

QUESTIONS:

1. Is /var/ossec/etc/shared/system_audit_rcl.txt included by default
or does it have to be activated in /var/ossec/etc/ossec.conf if any
way?

2. Can /var/ossec/etc/shared/system_audit_rcl.txt be mentioned on
the main manual pages?

Here the stock php.ini locations, and web directories didn't fit our
install base, and I never knew this file existed in order to modify it
for H-Sphere.

Thank you.

Peter M. Abraham

Feb 3, 2009, 4:14:25 PM
to ossec-list
Hi Daniel:

From doing some digging, none of our servers -- the ossec server or the
agents -- had the following in the <rootcheck> section:

<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>

While I did see "/var/ossec/etc/shared/system_audit_rcl.txt"
propagated from the server to the agents, am I correct that the server
and agents all need the following added to them for it to really
work?:

<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>


Thank you.

Peter M. Abraham

Feb 4, 2009, 8:51:07 AM
to ossec-list
Hi Daniel:

I made sure /var/ossec/etc/shared/system_audit_rcl.txt is included in
the ossec.conf on the server and agent level, but I don't think it is
working.

I created a file named 'test' in /tmp on a server I know /var/ossec/
etc/shared/system_audit_rcl.txt was propagated to include the syntax
you provided (1st example).

In that file I put in two lines:

#!/usr/local/bin/perl
#


So far, nothing from ossec; is there a way to force the check?

Also, would I be correct in the php.ini checks that if I wanted to
check for "On" and "1" I would use "On|1;" ?

How would I check for "Off", "0", and then nothing, such as
"register_globals = " (when off)?

I also noticed on the web_dirs there are a number of checks, but they
don't seem to recurse through directories. Most hosting automation
systems do have a starting web document directory, and then have files
from there on down.

Such as

/hsphere/local/home -- H-Sphere start
/hsphere/local/home/[user id] -- User start
/hsphere/local/home/[user id]/[domain name] -- Web directory for user
start

Is there a way for the audit to recurse through the web directories?

Thank you.

Peter M. Abraham

Feb 4, 2009, 12:21:46 PM
to ossec-list
Hi Daniel:

1. Would I be correct in the php.ini checks that if I wanted to check
for "On" and "1" I would use "On|1;" ?

2. How would I check for "Off", "0", and then nothing, such as
"register_globals = " (when off)?

3. I'm having no success with the /tmp file check.

I did the following to test on agents that have the 1.5 ossec
rootcheck installed:

# make sure the ossec-rootcheck is using the most up to date audits:

cd /usr/local/src/rootcheck/db
mv rootkit_files.txt rootkit_files.txt.orig
mv rootkit_trojans.txt rootkit_trojans.txt.orig
mv system_audit_rcl.txt system_audit_rcl.txt.orig
ln -s /var/ossec/etc/shared/rootkit_files.txt .
ln -s /var/ossec/etc/shared/rootkit_trojans.txt .
ln -s /var/ossec/etc/shared/system_audit_rcl.txt .

/usr/local/src/rootcheck/ossec-rootcheck

And in no instance are files in /tmp (purposely placed there) that
have "#!" or "<?" as the very first line being reported.

Thoughts?

Thank you.

Daniel Cid

Feb 5, 2009, 10:30:47 AM
to ossec...@googlegroups.com
Hi Peter,

You need to have the <system_audit> entry for it to work and it has been
added by default since v1.5. However, if you have been upgrading from previous
versions, this entry is not added on updates. I will make sure to document it
better (there are lots of features not well documented in there).

For your other questions:

>1. Would I be correct in the php.ini checks that if I wanted to check
>for "On" and "1" I would use "On|1;" ?

Yes. However, you need to use the regex type: r:On|1; It is explained a bit
in here:
http://ossec.net/wiki/index.php/Know_How:WindowsPolicy#Format_of_policy_files


>2. How would I check for "Off", "0", and then nothing, such as
>"register_globals = " (when off)?

I didn't understand what you are trying to do in here...


>3. I'm having no success with the /tmp file check.

The easiest way to test is to go inside the ossec package to
src/rootcheck and run:

# make binary
# ./ossec-rootcheck

It will allow you to test it right away... You just need to modify the
files inside
the ./db directory of the package. Once you get it working in there, move your
changes to /var/ossec/etc/shared . Also note that you can't use version 1.5
of rootcheck to test them, since we changed it a lot for v1.6/v1.6.1.

If it is still not working, send to us the output from rootcheck and the entries
you added...


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

Peter M. Abraham

Feb 5, 2009, 10:46:20 AM
to ossec-list
Greetings Daniel:

1. If I wanted to test On|1 from

[PHP - Register globals are enabled] [any] []
f:$php.ini -> r:^register_globals = On;

Would the change then be

[PHP - Register globals are enabled] [any] []
f:$php.ini -> r:^register_globals = r:On|1;

Based on your response?

2. In H-Sphere for register_globals being off, it uses

register_globals =

Rather than "register_globals = 0"

So I wanted to know how to test for "register_globals = ". How may I
do so?

3. I've tried the remake of ossec-rootcheck and /tmp files with perl
or php are still not being detected.

$tmp_dirs=/tmp,/dev/shm;
# Temp directory checks
# http://groups.google.com/group/ossec-list/browse_thread/thread/b555f6ed0ef4839d
[File found on /tmp or /dev/shm with perl php in it] [any] []
d:$tmp_dirs -> -> r:<?|^#!;


NOTE:

If I change "d:$tmp_dirs -> -> r:<?|^#!;" to "d:$tmp_dirs -> test ->
r:<?|^#!;" where "test" is the file name in /tmp that has perl in it,
it does work with the following output:

[INFO]: System Audit: File found on /tmp or /dev/shm with perl php in it. File: /tmp/test.

However, if I use what you provided to check all files in /tmp, it
doesn't work.

Please advise.

Thank you.

Peter M. Abraham

Feb 5, 2009, 11:10:01 AM
to ossec-list
Hi Daniel:

I did some digging, and found some interesting results:

cat /var/ossec/queue/rootcheck\/\(web.dy*
!1233829834!1233849935!1233849935 Starting rootcheck scan.
!1233849942!1233849942 System Audit: File found on /tmp or /dev/shm with perl php in it. File: /tmp/test.
!1233849942!1233849942 System Audit: File found on /tmp or /dev/shm with perl php in it. File: /tmp/test3.
!1233849942!1233849942 System Audit: File found on /tmp or /dev/shm with perl php in it. File: /tmp/test2.
!1233849956!1233849956 File '/dev/gpmctl' present on /dev. Possible hidden file.


A. /dev/gpmctl is a false positive; please correct in a future
release. If gpm / gpm-devel are installed this will happen.

B. The above shows that the system audit is finding the various
tests, BUT there are no emails.

In /var/ossec/rules/ossec_rules.xml we have

<rule id="510" level="7">
<category>ossec</category>
<decoded_as>rootcheck</decoded_as>
<description>Host-based anomaly detection event (rootcheck).</description>
<group>rootcheck,</group>
</rule>

And /var/ossec/etc/ossec.conf is set up to email alerts when the level
is 3 or higher.

So I'm not sure why /var/ossec/queue/rootcheck\/\(web.dy* is showing
the catch of an audit that is then not emailed.

Can you please help clear up the mystery, Daniel?

Thank you.

Peter M. Abraham

Feb 5, 2009, 1:04:43 PM
to ossec-list
Hi Daniel:

I found I needed to create a separate rule (local_rules.xml)

<group name="ossec,">
<rule id="210000" level="9">
<if_sid>510</if_sid>
<match>File found on</match>
<description>Potential malicious file found</description>
<group>rootcheck,</group>
</rule>
</group> <!-- OSSEC -->


However, I also found that "d:/tmp -> -> r:<?|^#!;" can have many
false positives due to "<?" as in "<?xml version="1.0" ?>" which is
not PHP but XML.

QUESTION:

Is there a way to have "d:/tmp -> -> r:<?|^#!;" scan all files EXCEPT
for compressed (i.e. .tar, .tar.gz, .gz, .zip, etc.) or binary (.exe)
files as I'm getting a lot of false positives on binary and compressed
files?

Thank you.
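
An added example, not code from this thread or from OSSEC (rootcheck has no file-type filter of its own): a Python pre-filter that decides from the first 512 bytes of each file whether it is an archive or binary (skip), an XML document whose `<?xml` prologue is not PHP (skip), or a real script, before any content pattern is applied. The signature table, the classification labels and the constructed sample directory are mine.

```python
import gzip
import io
import os
import tarfile
import tempfile

# Pre-filter for the policy check in the thread: decide from the first 512
# bytes whether a file is an archive/binary (skip), XML (skip: '<?xml' is not
# PHP) or a script.  The signature table and the classification are mine,
# not OSSEC's; rootcheck itself has no such file-type filter.

SIGNATURES = [                      # (label, offset, magic bytes)
    ("gzip", 0, b"\x1f\x8b"),
    ("zip", 0, b"PK\x03\x04"),
    ("bzip2", 0, b"BZh"),
    ("xz", 0, b"\xfd7zXZ\x00"),
    ("elf", 0, b"\x7fELF"),
    ("pe", 0, b"MZ"),               # Windows .exe/.dll (text starting "MZ" misfires)
    ("tar", 257, b"ustar"),         # ustar magic sits inside the header block
]


def classify(path):
    """Return 'container:<type>', 'binary', 'script:<interp>', 'xml' or 'text'."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    for label, off, magic in SIGNATURES:
        if head[off:off + len(magic)] == magic:
            return "container:" + label
    if b"\x00" in head:
        return "binary"                     # NUL bytes: not a text file
    first = head.split(b"\n", 1)[0].strip()
    if first.startswith(b"#!"):
        words = first[2:].decode("ascii", "replace").split()
        interp = os.path.basename(words[0]) if words else "unknown"
        if interp == "env" and len(words) > 1:
            interp = words[1]               # '#!/usr/bin/env perl'
        return "script:" + interp
    if first.startswith(b"<?php"):
        return "script:php"
    if first.startswith(b"<?xml"):
        return "xml"
    return "text"


def audit(directory):
    """List (name, label) for top-level files that classify as scripts."""
    result = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if os.path.isfile(path):
            label = classify(path)
            if label.startswith("script:"):
                result.append((entry, label))
    return result


def build_sample():
    """Create a constructed /tmp-like directory and return its path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:   # tar holding a shell script
        data = b"#!/bin/sh\necho hi\n"
        info = tarfile.TarInfo("run.sh")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    files = {
        "test": b"#!/usr/local/bin/perl\n#\n",
        "index.php": b"<?php phpinfo(); ?>\n",
        "config.xml": b'<?xml version="1.0" ?>\n<root/>\n',
        "backup.tar": buf.getvalue(),
        "module.gz": gzip.compress(b"#!/usr/bin/perl\n"),
        "a.out": b"\x7fELF\x02\x01\x01" + bytes(16),
        "blob": b"abc\x00def",
        "notes": b"plain text\n",
    }
    tmp = tempfile.mkdtemp(prefix="audit-filter-")
    for name, body in files.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(body)
    return tmp


if __name__ == "__main__":
    d = build_sample()
    for name in sorted(os.listdir(d)):
        print(name, classify(os.path.join(d, name)))
    print("would alert on:", audit(d))
```

Note that the tar archive contains a plain `#!/bin/sh` script in clear text, so a content-only check on it would fire; classifying by the ustar header at offset 257 rather than by the file name is what keeps it out of the alert list. Checking magic bytes instead of extensions also catches archives that have been renamed.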

Peter M. Abraham

Feb 11, 2009, 11:14:01 AM
to ossec-list
Greetings Daniel:

Daniel Cid

Feb 13, 2009, 11:45:49 AM
to ossec...@googlegroups.com
Hi Peter,

You are not getting the emails because the system auditing rule is by
default level 3:

<rule id="516" level="3">
<if_sid>510</if_sid>
<match>^System Audit</match>
<description>System Audit event.</description>
<group>rootcheck,</group>
</rule>


If you increase the severity, you will get the emails.

For the "d:/tmp -> -> r:<?|^#!;" pattern to work on all files inside
the /tmp, you need to have an extra space between the 2 arrows:
"d:/tmp -> -> r:<?|^#!;". To alert for any file except the compressed
ones, you can ignore directly on the rule:

<match>.gz.|.tgz|.exe.</match>


Hope it helps.


--
Daniel B. Cid
dcid ( at ) ossec.net
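
An added model, not code from the thread or from OSSEC's analysisd: a Python walk through the rule chain the thread assembles (rule 510, the default level-3 rule 516 Daniel quotes, Peter's level-9 local rule 210000, and a hypothetical level-0 child built from Daniel's `<match>` pattern), applied to constructed rootcheck lines. The `<match>` semantics (`|` alternatives, a leading `^` anchor, everything else a literal substring, so `.` is not a wildcard), the "highest-level sibling first, first match wins" ordering, and level 0 meaning "drop" are my reading of OSSEC's behaviour; verify the ordering on a real install with ossec-logtest.

```python
# Simplified model of the OSSEC rule chain from the thread: rule 510 catches
# every rootcheck message, and rules with <if_sid>510</if_sid> refine it.
# The <match> semantics (alternatives split on '|', a leading '^' anchors the
# start, everything else is a literal substring, so '.' is not a wildcard),
# the "highest-level sibling is tried first, first match wins" ordering, and
# the treatment of level 0 as "drop" are my reading of OSSEC's behaviour;
# this is an added model, not analysisd code.  Check real ordering with
# /var/ossec/bin/ossec-logtest.

EMAIL_ALERT_LEVEL = 3   # Peter's ossec.conf threshold, per the thread

RULES = [
    {"id": 510, "if_sid": None, "level": 7, "match": None,
     "desc": "Host-based anomaly detection event (rootcheck)."},
    {"id": 516, "if_sid": 510, "level": 3, "match": "^System Audit",
     "desc": "System Audit event."},
    {"id": 210000, "if_sid": 510, "level": 9, "match": "File found on",
     "desc": "Potential malicious file found"},
    # Hypothetical child of Peter's rule, built from Daniel's pattern: the
    # rootcheck line ends with "File: <path>." so ".gz." needs that final dot.
    {"id": 210001, "if_sid": 210000, "level": 0, "match": ".gz.|.tgz|.exe.",
     "desc": "Archive or executable in tmp, ignored"},
]

# Constructed rootcheck lines in the format shown in the thread.
EVENTS = [
    "System Audit: File found on /tmp or /dev/shm with perl php in it. File: /tmp/test.",
    "System Audit: File found on /tmp or /dev/shm with perl php in it. File: /tmp/backup.tar.gz.",
    "System Audit: PHP - Register globals are enabled. File: /etc/php.ini.",
    "File '/dev/gpmctl' present on /dev. Possible hidden file.",
]


def os_match(pattern, text):
    """Model of <match>: '|' alternatives, optional leading '^', literal text."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def children_of(sid):
    """Child rules of sid, highest level first (ordering is an assumption)."""
    return sorted((r for r in RULES if r["if_sid"] == sid),
                  key=lambda r: -r["level"])


def evaluate(event):
    """Return (rule id, level, description) of the rule that wins for event."""
    rule = next(r for r in RULES if r["if_sid"] is None)   # 510: every rootcheck line
    while True:
        for child in children_of(rule["id"]):
            if child["match"] is None or os_match(child["match"], event):
                rule = child
                break
        else:
            return rule["id"], rule["level"], rule["desc"]


def should_email(level):
    """Level 0 never alerts; otherwise compare with the e-mail threshold."""
    return level > 0 and level >= EMAIL_ALERT_LEVEL


if __name__ == "__main__":
    for ev in EVENTS:
        sid, level, desc = evaluate(ev)
        print("rule %d level %d email=%s  %s" % (sid, level, should_email(level), desc))
```

The point of the level-0 child is that suppression hangs off the specific rule it refines: the archive line still matches 210000, but its child 210001 wins and drops it, while the `/tmp/test` line keeps level 9 and the php.ini line falls through to the stock level-3 rule 516.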

Peter M. Abraham

Feb 14, 2009, 7:56:34 AM
to ossec-list
Hi Daniel:

We have emails set up for level 3 and higher, so that's not the issue
<smile>.

On the ignore match rule, should it be using the "!" as part of the
rule?

<match>!.gz.|!.tgz|!.exe.</match>

Thank you.