Hi, all.

We have a physical host in a colocation facility for our OSSEC that we urgently need to move to a container running on an ECS host in AWS. The container uses the OSSEC buster debian package from Atomiccorp to deliver the OSSEC binaries, which we combine with the configuration files from the old host, changing only what is needful.

Following the advice at https://www.ossec.net/docs/docs/faq/unexpected.html#how-do-i-troubleshoot-ossec, here's some basic info:

root@f1719bb8a9ac:/var/ossec/etc# uname -a
Linux f1719bb8a9ac 4.19.0-12-cloud-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
root@f1719bb8a9ac:/var/ossec/etc# /var/ossec/bin/ossec-analysisd -V

OSSEC HIDS v3.6.0 - OSSEC Foundation

For reference, that Debian version is Buster.

The ossec-init.conf and ossec.conf are attached.

Here's a ps from inside the container:

ossecm      38  0.0  0.0  23680  3460 ?        S    Dec20   0:00 /var/ossec/bin/ossec-maild
ossecm      39  0.0  0.0  23568  4060 ?        S    Dec20   0:00 /var/ossec/bin/ossec-maild
root        43  0.0  0.0  20924  2664 ?        S    Dec20   0:00 /var/ossec/bin/ossec-execd
ossec       47  0.0  0.1  25940  8524 ?        S    Dec20   0:00 /var/ossec/bin/ossec-analysisd
root        52  0.0  0.0  20968  3212 ?        S    Dec20   0:00 /var/ossec/bin/ossec-logcollector
ossecr      58  0.0  0.0 103448  3552 ?        Sl   Dec20   0:00 /var/ossec/bin/ossec-remoted
root        62  0.2  0.0  21632  3840 ?        S    Dec20   0:04 /var/ossec/bin/ossec-syscheckd
ossec       66  0.0  0.0  21204  3416 ?        S    Dec20   0:00 /var/ossec/bin/ossec-monitord

We have two problems:

1) While we get plenty of syscheck and rootcheck alerts, we aren't getting any PAM alerts, which are the ones we really want. On the colo host, we see the following when someone logs into the host or becomes root on either server or agent:

** Alert 1608069858.1457: - pam,syslog,authentication_success,
2020 Dec 15 22:04:18 ossec-phx0.lindenlab.com->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Dec 15 22:04:18 ossec-phx0.lindenlab.com sudo: pam_unix(sudo:session): session opened for user root by coyot(uid=0)

But we do not see this at all on either localhost login or with the agents. We sort of expect localhost to be a miss since docker exec into the container doesn't touch /var/log/auth.log, but the clients are a big problem.

To test: we run manage-agent on the server, get the key, verify it in /etc/client.keys and then reg the client using that key. We then ssh to client and try a sudo. Nothing server side under /var/logs/alerts at all.

We aren't doing anything to tell the agents where the server is, does it get that from the key?

2) We are interested in knowing if anyone has set up OSSEC to use Amazon SES as their SMTP server and what steps that involves. Right now, local postfix isn't working in the container and we'd just as soon use a regular service.

Many thanks in advance for any help you can provide.

Best,

coyot
GLENN GLAZER | Senior Software Engineer
m: 562.305.2920 | email: co...@lindenlab.com | Second Life: Coyot Linden
LINDEN LAB | Create Virtual Experiences

You received this message because you are subscribed to the Google Groups "ossec-list" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/693633fe-2776-6819-3972-34ca3c4410ef%40lindenlab.com.
root@f1719bb8a9ac:/var/ossec/etc# cat ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v3.6.0"
DATE="Sun Mar 15 18:35:42 UTC 2020"
TYPE="server"
root@f1719bb8a9ac:/var/ossec/etc# cat ossec.conf
<!-- OSSEC example config -->

<ossec_config>
  <global>

    <email_notification>yes</email_notification>
    <email_to>ossec-noti...@lindenlab.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>os...@ossec.lindenlab.com</email_from>

    <!-- This is useful for debugging events from clients -->
    <!-- <logall>yes</logall> -->

  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <!-- <include>ms_ftpd_rules.xml</include> -->
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <!-- <include>ms-exchange_rules.xml</include> -->
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <!-- <include>ms_dhcp_rules.xml</include> -->
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <frequency>72000</frequency>

    <!-- Directories to check -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/local/www</directories>
    <directories check_all="yes" realtime="yes">/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin</directories>

    <!-- Alert if new files are created -->
    <alert_new_files>yes</alert_new_files>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore type="sregex">.gz$</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.2.1</white_list>
    <white_list>192.168.2.190</white_list>
    <white_list>192.168.2.32</white_list>
    <white_list>192.168.2.10</white_list>
  </global>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>


  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/daemon.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/user.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/cron.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/ossec-wui-access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/ossec-wui-error.log</location>
  </localfile>
  <!-- Check the state of various system processes -->
  <localfile>
    <log_format>full_command</log_format>
    <command>/sbin/iptables -nL</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 10</command>
  </localfile>

</ossec_config>
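Problem 1 in the post was checked by looking at the alerts directory by eye. The script below is an added example, not code from the original post or from the OSSEC project: it parses the alerts.log layout quoted in the post (the "** Alert" header, the location line, the "Rule:" line, then the raw log), tallies alerts per source, and lists every source that is demonstrably reaching the server but has produced no alert in the pam group, which is exactly the agents-send-syscheck-but-no-PAM symptom described. The sample alerts embedded in it are constructed; the first copies the server-local alert from the post, the agent names (web01, db01) and IPs are invented, and the "(agentname) agentip->location" form of the location line is how OSSEC records agent-sourced alerts. Two OSSEC facts that bear on the question at the end of problem 1 and are not stated on the page: the server-side file to run this against is /var/ossec/logs/alerts/alerts.log, and an agent does not learn the server's address from its key; it reads it from the <client><server-ip> element of its own ossec.conf, so an agent with a valid key but no server-ip configured will never deliver anything.

```python
import re
from collections import defaultdict

# Constructed sample in the alerts.log layout quoted in the post.  The first
# alert copies the server-local one from the post; the rest are invented
# agent alerts.  Agent names and IPs are made up for the example.
SAMPLE_ALERTS = """\
** Alert 1608069858.1457: - pam,syslog,authentication_success,
2020 Dec 15 22:04:18 ossec-phx0.lindenlab.com->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Dec 15 22:04:18 ossec-phx0.lindenlab.com sudo: pam_unix(sudo:session): session opened for user root by coyot(uid=0)

** Alert 1608069900.2211: - ossec,syscheck,
2020 Dec 15 22:05:00 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'

** Alert 1608069950.3100: mail - pam,syslog,authentication_success,
2020 Dec 15 22:05:50 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Dec 15 22:05:50 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)

** Alert 1608070000.4000: - ossec,rootcheck,
2020 Dec 15 22:06:40 (db01) 10.0.0.6->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/dev/.hidden' present on /dev. Possible hidden file.
"""

# Header: "** Alert <epoch>.<seq>: [mail ]- group1,group2,"
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+): (?:(?P<flag>\w+) )?- (?P<groups>.*)$")
# Location: "<date> hostname->logfile" for server-local events, or
#           "<date> (agentname) agentip->logfile" for agent events.
LOCATION_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>\S+)$")
RULE_RE = re.compile(
    r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split alerts.log text (blank-line separated alerts) into dicts.
    Blocks that do not have the header/location/rule shape are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head = HEADER_RE.match(lines[0])
        loc = LOCATION_RE.match(lines[1])
        rule = RULE_RE.match(lines[2])
        if not (head and loc and rule):
            continue
        alerts.append({
            "id": f"{head['ts']}.{head['seq']}",
            "mailed": head["flag"] == "mail",
            # the group list ends with a trailing comma, hence the filter
            "groups": [g for g in head["groups"].split(",") if g],
            "agent": loc["agent"],             # None for server-local alerts
            "host": loc["host"] or loc["ip"],  # server hostname or agent IP
            "location": loc["location"],
            "rule_id": int(rule["id"]),
            "level": int(rule["level"]),
            "description": rule["desc"],
            "payload": "\n".join(lines[3:]),
        })
    return alerts


def pam_coverage(alerts):
    """Per source (agent name, or the server's hostname for local alerts):
    total alert count and count of alerts carrying the 'pam' group."""
    per_source = defaultdict(lambda: {"total": 0, "pam": 0})
    for a in alerts:
        src = a["agent"] or a["host"]
        per_source[src]["total"] += 1
        if "pam" in a["groups"]:
            per_source[src]["pam"] += 1
    return dict(per_source)


def sources_without_pam(alerts):
    """Sources that clearly reach the server (they have alerts) yet have
    sent no PAM alert at all: the symptom described in the post."""
    cov = pam_coverage(alerts)
    return sorted(s for s, c in cov.items() if c["total"] and not c["pam"])


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for src, c in sorted(pam_coverage(parsed).items()):
        print(f"{src:28} alerts={c['total']:3}  pam={c['pam']:3}")
    print("no PAM alerts from:", sources_without_pam(parsed) or "none")
```

Run as written it reports db01 as the one source with alerts but no PAM events; point parse_alerts at the contents of /var/ossec/logs/alerts/alerts.log to get the same table for a real server. An agent that appears in client.keys but in no row of the table at all is not reaching remoted, which is a different failure from an agent that reaches it but whose auth.log is not being collected.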
