OSSEC HIDS, Host Based Intrusion Detection System

1
OSSEC HIDS, Host Based Intrusion Detection System

• Aurora Mazzone, INFN Sezione di Torino
• Parte Seconda

2
Installazione

• Scelta del tipo di installazione
• server, agent o local?

3
Installazione

• E-mail notification
• invio di e-mail per segnalare eventi rilevanti,
  importanti o gravi.

4
Installazione

• Integrity check daemon
• controllo su file di configurazione ed eseguibili.

5
Installazione

• Rootkit detection engine
• ricerca di rootkit.

6
Installazione

• Active response
• risposta ad un evento.

7
File di configurazione

• /var/ossec/etc/ossec.conf
• opzioni globali, completamente personalizzabili.
• /var/ossec/etc/internal_options.conf
• opzioni chiave per il funzionamento generale, da
  modificare solo in casi particolari.

8
ossec.conf e-mail ltglobalgt

• Configurazione e-mail (sezione global)
• ltglobalgt
• ltemail_notificationgtyeslt/email_notificationgt
• ltemail_togtroot_at_localhostlt/email_togt
• ltsmtp_servergt127.0.0.1lt/smtp_servergt
• ltemail_fromgtossecm_at_localhost.localdomainlt/emai
  l_fromgt
• ltemail_maxperhourgt70lt/email_maxperhourgt
• lt/globalgt

9
ossec.conf e-mail ltemail_alertsgt

• Configurazione e-mail granulare (sezione
  email_alerts)
• ltemail_togt
• ltevent_locationgt
• ltgroupgt
• ltlevelgt
• ltrule_idgt
• ltdo_not_delay /gt
• ltdo_not_group /gt
• ltformatgt

10
ossec.conf e-mail ltemail_alertsgt

• Configurazione e-mail granulare (sezione
  email_alerts)
• ltemail_alertsgt
• ltemail_togtpluto_at_localhostlt/email_togt
• ltlevelgt12lt/levelgt
• ltdo_not_group/gt
• ltdo_not_delay/gt
• lt/email_alertsgt

11
ossec.conf e-mail ltemail_alertsgt

• Configurazione e-mail granulare (sezione
  email_alerts)
• ltemail_alertsgt
• ltemail_togtpippo_at_localhostlt/email_togt
• ltevent_locationgtvm-ossec-cvm-ossec-d192.
  168.0.0/24lt/event_locationgt
• ltdo_not_group/gt
• lt/email_alertsgt

12
ossec.conf e-mail ltemail_alertsgt

• Configurazione e-mail granulare (sezione
  email_alerts)
• ltemail_alertsgt
• ltemail_togtanna_at_localhostlt/email_togt
• ltgroupgtsyschecklt/groupgt
• ltformatgtsmslt/formatgt
• lt/email_alertsgt

13
ossec.conf e-mail ltemail_alertsgt

• Configurazione e-mail granulare (sezione
  email_alerts)
• ltemail_alertsgt
• ltemail_togtadmin_at_localhostlt/email_togt
• ltrule_idgt40111lt/rule_idgt
• ltformatgtsmslt/formatgt
• lt/email_alertsgt

14
ossec.conf e-mail ltalertsgt

• Configurazione e-mail (sezione alerts)
• ltalertsgt
• ltlog_alert_levelgt1lt/log_alert_levelgt
• ltemail_alert_levelgt7lt/email_alert_levelgt
• lt/alertsgt

15
ossec.conf e-mail ltalertsgt

• Level 0 Ignored, no action taken. Scanned before
  all others (grouping).
• Level 2 System low priority notification and
  catch all rule with BAD_WORD.
• Level 3 Successful/authorized events.
• Level 4 System low priority errors.
• Level 5 User generated error (missed passwords,
  denied actions, etc.).
• Level 7 Syscheck.
• Level 8 First time seen events. Stats alerts.

16
ossec.conf e-mail ltalertsgt

• Level 10 Multiple user generated errors
  multiple bad passwords, multiple failed logins.
• Level 12 High importance event error or warning
  messages from the system, kernel, etc. or
  something that might indicate an attack against a
  specific application.
• Level 13 Unusual error. Common attack patterns.
• Level 14 High importance security event
  correlation of multiple attack rules.
• Level 15 Attack successful.

17
internal_options.conf e-mail grouping

• Configurazione e-mail
• Maild grouping (0disabled, 1enabled)?
• Groups alerts within the same e-mail.
• maild.groupping1

18
Stats

• Numero di eventi generati
• per ogni ora della giornata
• per ogni giorno della settimana
• totali

19
ossec.conf stats ltglobalgt

• ltglobalgt
• ltstatsgt8lt/statsgt
• lt/globalgt
• Ogni variazione significativa del numero di
  eventi segnalati in un certo periodo di tempo
  genera un alert di livello 8.

20
Internal_options.conf stats

• Analysisd stats maximum diff.
• analysisd.stats_maxdiff25000
• Analysisd stats minimum diff.
• analysisd.stats_mindiff250
• Analysisd stats percentage (how much to differ
  from average)?
• analysisd.stats_percent_diff30

21
ossec.conf file di log da monitorare ltlocalfilegt?

• ltlocalfilegt
• ltlog_formatgtsysloglt/log_formatgt
• ltlocationgt/var/log/messageslt/locationgt
• lt/localfilegt
• Formati supportati nativamente
• syslog, snort-full, snort-fast, squid, iis,
  eventlog, nmapg (greppable nmap formatted logs),
  mysql_log, postgresql_log, apache.

22
ossec.conf file integrity check ltsyscheckgt?

• Opzioni ltsyscheckgt
• ltfrequencygt
• ltscan_daygt
• ltscan_timegt
• ltscan_on_startgt
• ltdirectoriesgt
• ltignoregt
• ltauto_ignoregt
• ltalert_new_filesgt
• ltwindows_registrygt
• ltregistry_ignoregt

23
ossec.conf file integrity check ltsyscheckgt

• Configurazione ltsyscheckgt day/time
• ltsyscheckgt
• ltscan_daygtmondaylt/scan_daygt
• ltscan_timegt8 pmlt/scan_timegt
• ltscan_on_startgtnolt/scan_on_startgt
• ltauto_ignoregtnolt/auto_ignoregt
• ...
• lt/syscheckgt

24
ossec.conf file integrity check ltsyscheckgt

• Configurazione ltsyscheckgt frequency
• ltsyscheckgt
• ltfrequencygt7200lt/frequencygt
• ltauto_ignoregtnolt/auto_ignoregt
• ltalert_new_filesgtyeslt/alert_new_filesgt
• ...
• lt/syscheckgt

25
ossec.conf file integrity check ltsyscheckgt

• Configurazione ltsyscheckgt ltdirectoriesgt
• ltsyscheckgt
• ltdirectories check_all"yes"gt/etc,/usr/bin,/usr/
  sbinlt/directoriesgt
• ltdirectories check_all"yes"gt/bin,/sbinlt/directo
  riesgt ltwindows_registrygtHKEY_LOCAL_MACHINE\Softwar
  elt/windows_registrygt
• ...
• lt/syscheckgt

26
ossec.conf file integrity check ltsyscheckgt?

• Configurazione ltsyscheckgt ltdirectoriesgt
  attributes
• check_all
• check_sum
• check_size
• check_owner
• check_group
• check_perm

27
ossec.conf file integrity check ltsyscheckgt

• Configurazione ltsyscheckgt ltignoregt
• ltsyscheckgt
• ltignoregt/etc/mtablt/ignoregt ltignoregtC\WINDOWS/S
  ystem32/LogFileslt/ignoregt ltregistry_ignoregtHKEY_CU
  RRENT_USERlt/registry_ignoregt
• ...
• lt/syscheckgt
• I file ignorati sul server vengono ignorati anche
  su tutti gli agent.

28
internal_options.conf file integrity check

• Syscheck checking/usage speed. To avoid large
  cpu/memory usage, you can specify how much to
  sleep after generating the checksum of X files.
  The default is to sleep 2 seconds after reading
  15 files.
• syscheck.sleep2
• syscheck.sleep_after15

29
ossec.conf rootkit detection engine and policy
enforcement ltrootcheckgt

• Opzioni ltrootcheckgt
• ltdisabledgt
• ltfrequencygt
• ltrootkit_filesgt
• ltrootkit_trojansgt
• ltsystem_auditgt
• ltwindows_auditgt
• ltwindows_appsgt
• ltwindows_malwaregt

30
ossec.conf rootkit detection engine and policy
enforcement ltrootcheckgt

• Opzioni ltrootcheckgt
• ltrootkit_filesgt application level rootkit
  signatures file
• ltrootkit_trojansgt application level trojan
  signatures file

31
ossec.conf rootkit detection engine and policy
enforcement ltrootcheckgt?

• Opzioni ltrootcheckgt policy enforcement
• ltsystem_auditgt
• ltwindows_auditgt
• ltwindows_appsgt
• ltwindows_malwaregt
• Controllo su
• f file o directory (e loro contenuto)?
• r registry key
• p processo

32
Tool

• Principali tool di gestione (versione 1.6)
• /var/ossec/bin
• ossec-control
• syscheck_control
• clear_stats
• rootcheck_control
• agent_control
• list_agents
• syscheck_update
• manage_agents

33
Demoni

• Principali demoni (versione 1.6)
• /var/ossec/bin
• ossec-remoted
• ossec-agentd
• ossec-execd
• ossec-syscheckd
• ossec-analysisd
• ossec-logcollector
• ossec-maild
• ossec-monitord
• girano come root

34
(No Transcript)