> Currently this is not possible, but you can open a feature request at:
>
> http://www.ossec.net/bugs/
>
> And we will take a look into implementing it.
I think this deserves an open discussion about the potential risks of implementing something like this.

The OSSEC agent on Windows runs as SYSTEM, which means that it would potentially be able to kill any process, including several critical Windows processes. Would it be able to kill explorer.exe? Perhaps. What about antivirus? Probably. The OSSEC agent process itself? Surely, unless that was protected in the code somehow.

Also consider that in an Enterprise environment the Security Analyst often does not have privileged access to the systems which are being monitored. If the Windows agent can kill processes as SYSTEM at the discretion of the Analyst, that creates segregation-of-duties and security boundary issues.

I'm guessing this kind of functionality would be implemented as a form of Active Response. This raises the question of false positives and how they are handled. What if a process starts which the Analyst wants killed, but it has the same process name as something else? Which one gets killed? What if I, as a non-privileged user on the local system, start something with the same process name as software I want killed, but don't have the rights to do it? Think AV. Then maybe I can perform a privilege escalation attack.

Philosophically, one has to ask what the role of OSSEC is. Is it primarily detective or reactive? We already have Active Response, which can do some neat things, and it does truly add benefit. But as it's expanded we have to think about the not-so-neat and clever ways it can be abused. This may be useful functionality, but we should try to think about the ways in which it can be abused.

Anyone else got any sadistic ideas? :)
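The name-collision problem raised above, modelled as an added example (not code from this thread or from OSSEC): a constructed process table in which a legitimate AV service and a user-started binary share a name, a naive "kill by name" match that hits both, and a stricter rule that requires the expected image path and owner, refuses ambiguous matches, and never targets the agent itself. The process records, paths and the agent process name are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

AGENT_NAME = "ossec-agent.exe"  # assumed name of the agent's own process


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str   # full image path
    owner: str  # account the process runs as


# Constructed sample process table (not captured from a real host): a real AV
# service, a same-named copy started by an unprivileged user, and the agent.
SAMPLE: List[Proc] = [
    Proc(1200, "avservice.exe", r"C:\Program Files\ExampleAV\avservice.exe",
         "NT AUTHORITY\\SYSTEM"),
    Proc(3344, "avservice.exe", r"C:\Users\bob\Downloads\avservice.exe",
         "HOST\\bob"),
    Proc(900, AGENT_NAME, r"C:\Program Files (x86)\ossec-agent\ossec-agent.exe",
         "NT AUTHORITY\\SYSTEM"),
]


def by_name(procs: List[Proc], name: str) -> List[Proc]:
    """Name-only match, as a naive active response would do. Returns every hit,
    so a collision between an AV binary and an impostor kills both."""
    return [p for p in procs if p.name.lower() == name.lower()]


def safe_kill_target(procs: List[Proc], name: str, expected_path: str,
                     expected_owner: str) -> Tuple[Optional[int], str]:
    """Return (pid, "ok") only when exactly one process matches name, image
    path and owner; otherwise (None, reason). Never selects the agent."""
    hits = by_name(procs, name)
    if not hits:
        return None, "no such process"
    if any(p.name.lower() == AGENT_NAME for p in hits):
        return None, "refusing to target the agent itself"
    exact = [p for p in hits
             if p.path.lower() == expected_path.lower()
             and p.owner.lower() == expected_owner.lower()]
    if len(exact) != 1:
        return None, f"ambiguous: {len(hits)} name matches, {len(exact)} exact"
    return exact[0].pid, "ok"
```

Running `by_name(SAMPLE, "avservice.exe")` returns both PIDs, while `safe_kill_target` with the Downloads path and owner `HOST\bob` returns only 3344, and any request naming the agent is refused.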