Agentless monitoring allows you to run integrity checking on systems without an agent installed (including routers, firewalls, switches and even Linux/BSD systems). It can be executed just like our normal file integrity checking (alerting of checksum changes) or doing diffs and showing exactly what has changed.
Agentless configuration options¶
This is the section that will contain the agentless configuration.
This controls the number of seconds between each run.
This defines the username and agentless host.
This determines whether the checks are periodic or periodic_diff.
- periodic: The output from the scripts is processed by the OSSEC processes.
- periodic_diff: The output from the scripts is compared to the output of previous runs.
This defines the arguments passed to the script.
Check _manual-agentless-scripts for more information.
Getting started with agentless¶
After you installed OSSEC, you need to enable the agentless monitoring:
# /var/ossec/bin/ossec-control enable agentless
And provide the SSH authentication to the host you want to access. For Cisco devices (PIX, routers, etc), you need to provide an additional parameter for the enable password. The same thing applies if you want to add support for “su”, it must be the additional parameter. In this example, I am adding a Linux box (example.net) and a PIX firewall (pix.fw.local):
# /var/ossec/agentless/register_host.sh add firstname.lastname@example.org mypass1 *Host email@example.com added. # /var/ossec/agentless/register_host.sh add firstname.lastname@example.org pixpass enablepass *Host email@example.com added. # /var/ossec/agentless/register_host.sh list *Available hosts: firstname.lastname@example.org email@example.com
register_host.sh is a shell script, special characters may need to be escaped to not be interpreted by the shell.
If you want to use public key authentication instead of passwords, you need to provide NOPASS as the password and create the public key:
# sudo -u ossec ssh-keygen
It will create the public keys inside /var/ossec/.ssh . After that, just scp the public key to the remote box and your password less connection should work.
Once you have added all your systems, you need to configure OSSEC to monitor them. By default, we have 4 agentless types (but we plan to add more soon):
For the first two, you give a list of directories in the configuration and OSSEC will do the integrity checking of them on the remote box. On the ssh_generic_diff, you give a set of commands to run on the remote box and OSSEC will alert when the output of them changes. The ssh_pixconfig_diff will alert when a Cisco PIX/router configuration changes.
So, for my first system (firstname.lastname@example.org), I will monitor the /bin, /etc and /sbin directories every 10 hours (if I was using the ssh_integrity_check_bsd, the argument would be the directories as well):
<agentless> <type>ssh_integrity_check_linux</type> <frequency>36000</frequency> <host>email@example.com</host> <state>periodic</state> <arguments>/bin /etc/ /sbin</arguments> </agentless>
For my PIX, the configuration looks like:
<agentless> <type>ssh_pixconfig_diff</type> <frequency>36000</frequency> <host>firstname.lastname@example.org</host> <state>periodic_diff</state> </agentless>
And just to exemplify the ssh_generic_diff I will also monitor ls -la /etc; cat /etc/passwd on the email@example.com. Note that if you want to monitor any network firewall or switch, you can use the ssh_generic_diff and just specify the commands in the arguments option. To use “su”, you need to set the value “use_su” before the hostname (eg: <host>use_su firstname.lastname@example.org</host>).
<agentless> <type>ssh_generic_diff</type> <frequency>36000</frequency> <host>email@example.com</host> <state>periodic_diff</state> <arguments>ls -la /etc; cat /etc/passwd</arguments> </agentless>
Running the completed setup¶
Once the configuration is completed, you can restart OSSEC. You should see something like “Started ossec-agentlessd” in the output. Before each agentless connection is started, OSSEC will do a configuration check to make sure everything is fine. Look at /var/ossec/logs/ossec.log for any error. If you see:
2008/12/12 15:20:06 ossec-agentlessd: ERROR: Expect command not found (or bad arguments) for 'ssh_integrity_check_bsd'. 2008/12/12 15:20:06 ossec-agentlessd: ERROR: Test failed for 'ssh_integrity_check_bsd' (127). Ignoring.'
It means that you don’t have the expect library installed on the server (it is not necessary to install anything on the agentless systems to monitor). On Ubuntu you can do the following to install:
# apt-get install expect
After installing expect, you can restart OSSEC and you should see:
2008/12/12 15:24:12 ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_bsd'.'
When it connects to the remote system, you will also see:
2008/12/12 15:25:19 ossec-agentlessd: INFO: ssh_integrity_check_bsd: firstname.lastname@example.org: Starting. 2008/12/12 15:25:46 ossec-agentlessd: INFO: ssh_integrity_check_bsd: email@example.com: Finished.
These are some of the alerts you will get:
For the ssh_generic_diff:
OSSEC HIDS Notification. 2008 Dec 12 01:58:30 Received From: (ssh_generic_diff) firstname.lastname@example.org->agentless Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed." Portion of the log(s): ossec: agentless: Change detected: 35c35 < -rw-r-r- 1 root wheel 34 Dec 10 03:55 hosts.deny -- > -rw-r-r- 1 root wheel 34 Dec 11 18:23 hosts.deny -END OF NOTIFICATION
For the PIX:
OSSEC HIDS Notification. 2008 Dec 01 15:48:03 Received From: (ssh_pixconfig_diff) email@example.com->agentless Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed." Portion of the log(s): ossec: agentless: Change detected: 48c48 < fixup protocol ftp 21 -- > no fixup protocol ftp 21 100c100 < ssh timeout 30 -- > ssh timeout 50 More changes.. -END OF NOTIFICATION