[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Barry Kaplan
Ok, here's a real CIS question. It looks like the CIS checks have only run 
on the ossec server. What does it take for these to run on the clients? Do 
I need to specify rootchecks in the client ossec.conf? Or should it get 
pushed down from the server?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Barry Kaplan
One thing I noticed in kibana: the rule.groups goes down as far as rootcheck, 
but not CIS. 

rule.groups
ossec, rootcheck

Wait, I was just going to ask for an easier way to filter on CIS alerts. 
But then I found the CIS kibana dashboard. :-)))




[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Barry Kaplan
I'm pretty sure now this was a decoy wrt cis-ubuntu-ansible. Something was 
blocking access from the agent to server, but it was not 
cis-ubuntu-ansible. In any case, I could not reproduce the problem after 
rebuilding the [ossec agent] node.

Pedro, thanks for the pointer to internal_options.conf -- that will 
certainly come in handy.

Jesus, yes I am running wazuh. Only after asking about this did I notice 
that OSSEC had support for checking CIS compliance. I need to dig thru logs 
because until I started using cis-ubuntu-ansible I was definitely not CIS 
compliant. Now I install OSSEC after running cis-ubuntu-ansible and the 
only non-compliance OSSEC complains about is not having all the separate 
partitions.

I think I said it before, but it warrants saying it again: OSSEC/wazuh is 
very, very nice. I really appreciate all the effort that has gone into it.



[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Jesus Linares
Sorry, I thought you were using the default OSSEC rootchecks (debian, redhat, 
etc). That is the reason I recommended using rootchecks with tags 
(groups). My bad.

I will try the *cis-ubuntu-ansible* rootchecks.


On Friday, February 26, 2016 at 12:00:12 PM UTC+1, Pedro S wrote:
>
> Hi,
>
> I am not familiar with *cis-ubuntu-ansible* but you can try to debug 
> OSSEC log to inspect what exactly is blocking the contact.
>
> Open internal_options.conf and set:
>
> remoted.debug=2
> syscheck.debug=2
> analysisd.debug=2
> logcollector.debug=2
> # Unix agentd
> agent.debug=2
>
> Restart and review what is happening. You can try a standard telnet 
> remoteserver 1514 to see if your host can really send messages using 1514 
> UDP.
>
> By the way, as Jesus says, if you need CIS tagging on OSSEC rootchecks use 
> those rootchecks.
>
> On Friday, February 26, 2016 at 8:06:56 AM UTC+1, Barry Kaplan wrote:
>>
>> I am trying to harden up our instances, but I find that after applying 
>> these controls the agent can no longer contact the agent via UDP.
>>
>> I'm still trying to figure out exactly which bit is to blame. Has anybody 
>> else used the CIS controls on the same instance as OSSEC?
>>
>



[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Pedro S
Hi,

I am not familiar with *cis-ubuntu-ansible* but you can try to debug OSSEC 
log to inspect what exactly is blocking the contact.

Open internal_options.conf and set:

remoted.debug=2
syscheck.debug=2
analysisd.debug=2
logcollector.debug=2
# Unix agentd
agent.debug=2

Restart and review what is happening. You can try a standard telnet 
remoteserver 1514 to see if your host can really send messages using 1514 
UDP.

By the way, as Jesus says, if you need CIS tagging on OSSEC rootchecks use 
those rootchecks.

On Friday, February 26, 2016 at 8:06:56 AM UTC+1, Barry Kaplan wrote:
>
> I am trying to harden up our instances, but I find that after applying 
> these controls the agent can no longer contact the agent via UDP.
>
> I'm still trying to figure out exactly which bit is to blame. Has anybody 
> else used the CIS controls on the same instance as OSSEC?
>

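The debug switches Pedro lists are plain key=value lines, so they can be toggled programmatically and, just as importantly, set back to 0 once the investigation is over. This is an added Python example, not code from the thread or from OSSEC; the internal_options.conf excerpt is constructed and nothing is written to disk.

```python
import re

# The keys from the post: per-daemon debug levels in internal_options.conf
DEBUG_KEYS = ("remoted.debug", "syscheck.debug", "analysisd.debug",
              "logcollector.debug", "agent.debug")
OPTION_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(\S*)\s*$")

def set_debug_level(conf_text, level=2, keys=DEBUG_KEYS):
    """Return conf_text with every key in keys set to level. Existing lines are
    rewritten in place, missing keys are appended, comments and other options
    are left untouched. Call with level=0 to revert once debugging is done."""
    seen, out = set(), []
    for line in conf_text.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(1) in keys:
            seen.add(m.group(1))
            out.append(f"{m.group(1)}={level}")
        else:
            out.append(line)
    out.extend(f"{k}={level}" for k in keys if k not in seen)
    return "\n".join(out) + "\n"

def debug_levels(conf_text, keys=DEBUG_KEYS):
    """Map each debug key present in conf_text to its integer level."""
    levels = {}
    for line in conf_text.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(1) in keys and m.group(2).isdigit():
            levels[m.group(1)] = int(m.group(2))
    return levels

# Constructed excerpt (assumption: not the file as shipped); agent.debug is
# deliberately missing so the append path is exercised.
SAMPLE_CONF = """# internal_options.conf (constructed excerpt)
analysisd.debug=0
remoted.debug=0
syscheck.debug=0
logcollector.debug=0
# unrelated option, must survive untouched
syscheck.sleep=5
"""
```

One caveat on the connectivity test: telnet only opens TCP connections, while the agent-to-server channel on 1514 is UDP by default, so a telnet connect succeeding or failing says nothing about whether UDP 1514 is being filtered.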


[ossec-list] Re: Anybody using CIS controls with OSSEC? (https://github.com/awailly/cis-ubuntu-ansible)

2016-02-26 Thread Jesus Linares
Hi,

Is rootcheck running properly? I mean, do you see the logs "Starting 
rootcheck..." and "Ending rootcheck..."? Maybe it is a syntax error.

If you are using ossec-wazuh, you 
will see that each control has a tag with the CIS and PCI reference (*{CIS: 
4.13 Debian Linux} {PCI_DSS: 2.2.2}*). That is like using "group" in rules.

[CIS - Debian Linux - 4.13 - Disable standard boot services - Web server Enabled {CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/apache;
f:/etc/init.d/apache2;

Example in alerts.json:

{
  "rule": {
    "level": 3,
    "comment": "System Audit event.",
    "sidid": 516,
    "firedtimes": 5,
    "groups": [
      "ossec",
      "rootcheck"
    ],
    "CIS": [
      "4.13 Debian Linux"
    ],
    "PCI_DSS": [
      "2.2.2"
    ]
  },
  "full_log": "System Audit: CIS - Debian Linux - 4.13 - Disable standard boot services - Web server Enabled {CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}. File: /etc/init.d/apache2. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .",
  "decoder": {
    "name": "rootcheck"
  },
  "hostname": "LinMV",
  "timestamp": "2016 Feb 26 10:48:36",
  "location": "rootcheck"
}


Regards.
Jesus Linares.

On Friday, February 26, 2016 at 8:06:56 AM UTC+1, Barry Kaplan wrote:
>
> I am trying to harden up our instances, but I find that after applying 
> these controls the agent can no longer contact the agent via UDP.
>
> I'm still trying to figure out exactly which bit is to blame. Has anybody 
> else used the CIS controls on the same instance as OSSEC?
>

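Jesus's alert shows the two places a CIS reference can live: the structured rule.CIS / rule.PCI_DSS arrays that wazuh adds, and the {CIS: ...} marker inside full_log that a tagged rootcheck leaves even on plain OSSEC. The Python below (an added example, not code from the thread or from OSSEC/wazuh) reads alerts.json lines and filters on CIS references using either source; the three sample alerts are constructed, with their shape assumed to follow the one quoted above.

```python
import json
import re

# Markers a tagged rootcheck leaves in the alert text: "{CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}"
TAG_RE = re.compile(r"\{(CIS|PCI_DSS):\s*([^}]+)\}")

def compliance_refs(alert):
    """Return {"CIS": [...], "PCI_DSS": [...]} for one decoded alert: prefer the
    structured rule.CIS / rule.PCI_DSS arrays, else parse the markers in full_log."""
    rule = alert.get("rule", {})
    refs = {"CIS": list(rule.get("CIS", [])), "PCI_DSS": list(rule.get("PCI_DSS", []))}
    if not refs["CIS"] and not refs["PCI_DSS"]:
        for key, value in TAG_RE.findall(alert.get("full_log", "")):
            refs[key].append(value.strip())
    return refs

def filter_cis_alerts(lines, cis_prefix=""):
    """Return (hostname, cis_refs) for every alerts.json line (one JSON object per
    line) tagged with a CIS reference starting with cis_prefix; "" matches any."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        alert = json.loads(line)
        cis = [r for r in compliance_refs(alert)["CIS"] if r.startswith(cis_prefix)]
        if cis:
            hits.append((alert.get("hostname"), cis))
    return hits

# Constructed sample lines; shape assumed to follow the alert quoted in the thread.
SAMPLE_ALERTS = [
    # wazuh style: rule carries CIS / PCI_DSS arrays
    json.dumps({"rule": {"level": 3, "sidid": 516, "groups": ["ossec", "rootcheck"],
                         "CIS": ["4.13 Debian Linux"], "PCI_DSS": ["2.2.2"]},
                "full_log": "System Audit: CIS - Debian Linux - 4.13 - Disable standard boot "
                            "services - Web server Enabled {CIS: 4.13 Debian Linux} "
                            "{PCI_DSS: 2.2.2}. File: /etc/init.d/apache2.",
                "hostname": "LinMV", "location": "rootcheck"}),
    # plain OSSEC style: no arrays, only the marker inside full_log
    json.dumps({"rule": {"level": 3, "sidid": 516, "groups": ["ossec", "rootcheck"]},
                "full_log": "System Audit: CIS - Debian Linux - 1.4 - Robust partition scheme "
                            "- /tmp is not on its own partition {CIS: 1.4 Debian Linux}.",
                "hostname": "agent01", "location": "rootcheck"}),
    # unrelated syscheck alert: must not be reported as CIS
    json.dumps({"rule": {"level": 7, "sidid": 550, "groups": ["ossec", "syscheck"]},
                "full_log": "Integrity checksum changed for: '/etc/hosts'",
                "hostname": "agent01", "location": "syscheck"}),
]
```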