OSSEC is an open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It decodes and analyzes logs using rules to detect anomalies and security events. OSSEC includes components for log collection, rule-based analysis, alerting and active responses. It can be installed and configured in different modes and includes features for centralized management, file integrity monitoring, log source configuration, and rule management.
7. Compliance
PCI DSS
• 6.4. Follow change control procedures for all changes to system components
• 10. Track and monitor all access to network resources and cardholder data.
• 12. Maintain a policy that addresses information security for all employees and contractors
8. The Problem
• There is NO standard !!
• There is NO guidance !!
• There is NO Consistency !!
10. We need to agree upon...
• Format
What does a log message look like ?
• Content
What do we put in a log message ?
• Transport
How do we send it ?
• Guidelines
How do we approach logging ? (ex. NIST 800-92)
12. not Syslog
• RFC 3164 (08/2001) : BSD Syslog Protocol
• It uses UDP
• It’s a garbage bin
• it’s a non-standard standard
13. Syslog Hell !
• Jun 11 03:06:38 (none) login[3432]: ROOT LOGIN on `tty1`
• Jan 19 22:52:56 LT1 gdm-session-worker[1659]: pam_unix(gdm:session): session opened for user wim by (uid=0)
• Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim(uid=1000)
14. Syslog Hell !!
• <57> Jan 10 12:10:34:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:frodo] [Source: 192.168.10.254] [localport:23] at ...
• <13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...
15. Can I continue ?
• Jan 19 20:12:56 LT1 mycrappyapp[3526]: I'm the awesome programmer behind this crappy app and since you asked me to log something I've chosen to use syslog to dump all this meaningless events in here so you will still have to call and pay me to get the bugs that I left in there because I was surfing the internet instead of working for you solved. Eat that! And BTW, my app crashed for no apparent reason. kthxbai !
16. I promise to stop
• Feb 24 15:10:24 server transact[5402]: user geoff transferred 500 dollars using credit card # XXX
• Apr 1 10:14:28 server MEDIC[6420]: user kathy logged in to module patient using password selma1970
17. Then what ?
• IDMEF (by IETF)
  • XML based
  • Complex
  • Not widely adopted
  • Academic
• WELF (by Webtrends)
  • Proprietary
  • didn't scale
18. NEXT !
• CBE (by IBM)
  • also XML based
  • IBM didn't even use it !
19. Event Taxonomy : Standard terminology
Log Syntax : Consistent data elements and format
Log Transport : Standard communications mechanisms
Log Recommendations : Suggested events to log
The future ?
21. Definition
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
24. Install Modes
• Local
  • Single Client
  • Windows, AIX, Solaris, HP-UX, Linux
• Server
  • Central Logging Point (250 clients/server)
  • AIX, Solaris, HP-UX, Linux
• Client
  • Reports to server
  • Windows, AIX, Solaris, HP-UX, Linux
32. Predecoding
• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
time/date : Feb 25 12:00:47
Hostname : beijing
Program_name : appdaemon
Log : user john logged on from 10.10.10.10
33. Decoding
• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
time/date : Feb 25 12:00:47
Hostname : beijing
Program_name : appdaemon
Log : user john logged on from 10.10.10.10
srcip : 10.10.10.10
user : john
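The predecoding and decoding slides describe a two-stage pipeline: first the generic syslog header (timestamp, hostname, program name) is split off, then a decoder chosen by program name pulls named fields such as srcip and user out of the remaining text. The following Python is an added example written for this page, not OSSEC's own code or its decoder.xml syntax: it runs that pipeline over the slide's appdaemon line and over constructed lines modelled on the "Syslog Hell" slides, including a forwarded Windows event that does not fit the BSD header at all. The decoder definitions (names, regexes, field names) are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines: the first is the line from the predecoding/decoding
# slides, the others mirror the "Syslog Hell" slides (hypothetical content).
SAMPLE_LOGS: List[str] = [
    "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
    "Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim(uid=1000)",
    "<13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...",
]

# Predecoding: the generic syslog header (optional <PRI>, timestamp, hostname),
# then an optional "program[pid]:" prefix in front of the free-text log.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>\s*)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)
PROGRAM_RE = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<log>.*)$")


@dataclass
class Event:
    raw: str
    timestamp: Optional[str] = None
    hostname: Optional[str] = None
    program_name: Optional[str] = None
    pid: Optional[str] = None
    log: str = ""
    decoder: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)


def predecode(line: str) -> Event:
    """Split the syslog header off; whatever does not fit stays in `log`."""
    ev = Event(raw=line, log=line)
    m = HEADER_RE.match(line)
    if not m:
        return ev
    ev.timestamp, ev.hostname = m.group("ts"), m.group("host")
    rest = m.group("rest")
    pm = PROGRAM_RE.match(rest)
    if pm:
        ev.program_name, ev.pid, ev.log = pm.group("prog"), pm.group("pid"), pm.group("log")
    else:
        # No "program:" prefix (e.g. the Windows line): the header fields above
        # are whatever happened to sit in those positions, and the log is the rest.
        ev.log = rest
    return ev


# Hypothetical decoders for this example: select on the predecoded program
# name or on a prematch, then extract named fields from `log`.
DECODERS = [
    {
        "name": "appdaemon",
        "program_name": "appdaemon",
        "regex": re.compile(r"^user (?P<user>\S+) logged on from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})$"),
    },
    {
        "name": "pam",
        "prematch": re.compile(r"^pam_unix\("),
        "regex": re.compile(r"session opened for user (?P<dstuser>\S+) by (?P<srcuser>\S*)\(uid=(?P<uid>\d+)\)"),
    },
]


def decode(ev: Event) -> Event:
    """Apply the first decoder whose program_name/prematch and regex match."""
    for d in DECODERS:
        if "program_name" in d and ev.program_name != d["program_name"]:
            continue
        if "prematch" in d and not d["prematch"].search(ev.log):
            continue
        m = d["regex"].search(ev.log)
        if m:
            ev.decoder = d["name"]
            ev.fields = {k: v for k, v in m.groupdict().items() if v is not None}
            break
    return ev


def analyze(line: str) -> Event:
    """Full pipeline for one line: predecode, then decode."""
    return decode(predecode(line))


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = analyze(line)
        print(ev.hostname, ev.program_name, ev.decoder, ev.fields)
```

The third sample line shows why the earlier slides call this "Syslog Hell": the header regex still matches, but "2009" lands in the hostname slot and no decoder claims the event, so nothing useful is extracted. A decoder for that source would have to be written against its own layout rather than the BSD one.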
40. ossec.conf
syscheck
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
...
</syscheck>
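The syscheck block above configures file integrity monitoring: a set of directories to scan on a schedule, with paths that churn legitimately (such as /etc/mtab) excluded so they do not generate noise. The following Python is an added example written for this page, not OSSEC's syscheck implementation: it builds a baseline of hashes, sizes and modes for the watched files, rescans, and classifies every difference as added, changed or removed, skipping anything under an ignore entry. It assumes ignore entries match by path prefix, and `demo()` constructs a throwaway directory tree so the whole thing runs offline.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# One file's integrity record: (sha256, size, permission bits). This attribute
# set is chosen for the example; OSSEC's own database keeps its own set.
Record = Tuple[str, int, int]


def is_ignored(path: str, ignore: Iterable[str]) -> bool:
    """Prefix match (assumption): an ignored directory covers everything below it."""
    return any(path == i or path.startswith(i.rstrip("/") + "/") for i in ignore)


def file_record(path: str) -> Record:
    """Hash the content and capture size and mode, the attributes a change would alter."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))


def build_baseline(dirs: Iterable[str], ignore: Iterable[str]) -> Dict[str, Record]:
    """Walk the watched directories and record every regular file not ignored.
    A real deployment reruns this on the configured frequency (79200 s on the slide)."""
    ignore = list(ignore)
    db: Dict[str, Record] = {}
    for d in dirs:
        for dirpath, _dirnames, filenames in os.walk(d):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if is_ignored(full, ignore) or not stat.S_ISREG(os.lstat(full).st_mode):
                    continue
                db[full] = file_record(full)
    return db


def diff_baseline(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify differences the way an integrity scan would alert on them."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed /etc look-alike, change it, and return what a rescan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "hosts.allow").write_text("ALL: LOCAL\n")
        (etc / "mtab").write_text("proc /proc proc rw 0 0\n")  # churns constantly: ignored
        ignore = [str(etc / "mtab")]
        baseline = build_baseline([str(etc)], ignore)

        # Simulate what happens on the host between two scans.
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        (etc / "mtab").write_text("tmpfs /run tmpfs rw 0 0\n")  # ignored: must not alert
        (etc / "hosts.allow").unlink()
        (etc / "shadow").write_text("root:!:1:::::\n")
        current = build_baseline([str(etc)], ignore)

        result = diff_baseline(baseline, current)
        # Report paths relative to the watched directory for readability.
        return {k: sorted(os.path.relpath(p, etc) for p in v) for k, v in result.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing content rather than relying on mtime alone matters because a modification time is trivial to reset; the mode is included so a permission change on an unchanged file still surfaces. The ignore list is what keeps a scan of /etc usable, which is why the slide's configuration lists /etc/mtab and /etc/mnttab explicitly.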
46. Centralized Management
/var/ossec/etc/shared/agent.conf
• distributed to all agents
• specify config per client id
• specify config per OS
• pushed by server
• same syntax as ossec.conf