CVE-2015-3222, a local root privilege escalation via syscheck, has been fixed in OSSEC 2.8.2. Read more about it here. 2.8.2 can be obtained from the OSSEC Downloads page. A new OSSEC virtual appliance is forthcoming.
I have updated the OSSEC Virtual Appliance to include OSSEC 2.8.1 and Elasticsearch-Logstash-Kibana (ELK) log management and the ElasticHQ system to handle ELK monitoring. It is a single gzipped OVA that can be easily imported into VirtualBox or any other virtualization system that supports OVA files.
Look for it in the Downloads section.
OSSEC 2.8.1 has been released to address the security issue identified by Jeff Petersen of Roka Security LLC. Full details of the issue can be found on the OSSEC Github repository – https://github.com/ossec/ossec-hids/releases/tag/2.8.1.
This correction creates the temporary copy of the hosts.deny file under /var/ossec and uses mktemp, where available, to give it a non-predictable name. Where mktemp is not available we have written a crude substitute for it; it is not as good as mktemp, but it should be a little better than a name derived only from the process id.
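To make the difference concrete, here is an added example (not OSSEC's own host-deny.sh or its mktemp substitute): the PID-derived name that the pre-2.8.1 script used, beside the mktemp pattern the fix adopts and a fallback for hosts without mktemp in the spirit of the substitute described above. The function names, the directory argument and the scratch directory the demo writes into are assumptions for this illustration.

```sh
#!/bin/sh
# Added example, not OSSEC's host-deny.sh: creating the scratch copy of
# hosts.deny that an active-response script edits and then moves into place.
# Assumption: the caller passes a directory only root can write to (the
# release notes use /var/ossec); the demo below uses a throwaway directory.

# The pre-2.8.1 pattern: a name derived from the process id. PIDs are small,
# sequential and visible in `ps`, so a local user can pre-create the path
# (or plant a symlink at it) and have root clobber a file of their choosing.
weak_tmp_name() {
    printf '%s/hosts.deny.%s\n' "$1" "$$"
}

# Fallback for systems without mktemp: 64 random bits from /dev/urandom for
# the suffix, `set -C` (noclobber) so the redirection fails instead of
# following a pre-planted file or symlink, umask 077 so the file is 0600
# from the moment it exists. Retries a few times on a (very unlikely) clash.
fallback_tmp_file() {
    dir="$1"
    i=0
    while [ "$i" -lt 10 ]; do
        suffix=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
        name="$dir/hosts.deny.$suffix"
        if ( set -C; umask 077; : > "$name" ) 2>/dev/null; then
            printf '%s\n' "$name"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Preferred path: mktemp creates the file atomically (O_CREAT|O_EXCL, mode
# 0600) with a random suffix and prints the name it chose.
safe_tmp_file() {
    dir="$1"
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "$dir/hosts.deny.XXXXXXXXXX"
    else
        fallback_tmp_file "$dir"
    fi
}

# Demonstration in a private scratch directory, removed afterwards.
demo() {
    scratch=$(mktemp -d 2>/dev/null) || return 1
    echo "weak (predictable): $(weak_tmp_name "$scratch")"
    f=$(safe_tmp_file "$scratch") || return 1
    g=$(fallback_tmp_file "$scratch") || return 1
    echo "mktemp:   $f"
    echo "fallback: $g"
    ls -l "$f" "$g"
    rm -rf "$scratch"
}
demo
```

The important property is not the random suffix alone but the atomic, exclusive create (mktemp's O_EXCL, or noclobber in the fallback) in a directory unprivileged users cannot write to; a random name in a world-writable /tmp still leaves a race against a symlink planted between name generation and the open.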
In terms of features this release is the same as OSSEC 2.8. The OSSEC 2.8 Windows agent has not been updated.
The OSSEC developers have been hard at work on version 2.7 and we have made Beta-1 packages available for testing. See the Downloads page. Help us with the testing and fine tuning of this preliminary release.
New features and bug fixes:
- Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
- Add 'manage_agents -f' option for bulk generation of client keys from an input file.
- Add prelinking support – reduce confusion when a file change is the result of prelinking. (Beta-1: We realize there is a performance penalty. Please report if you notice a performance impact.)
- Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
- Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation. (Beta-1: Fixed potential string buffer overflow issues).
Alert options and syslog output
- Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
- Support JSON and Splunk formats in syslog output.
Rules and other notable changes/fixes
- Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
- Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
- Updated decoders include: PIX, auditd, apache, pam, php…
- Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
- Updated rootcheck rules
- ossec-client.sh now allows for 'reload', in addition to 'restart'
- Many bug fixes…
- Windows Agent 2.7 Beta-1
How to test the BETA?
Download the beta-1 package from here.
How to report bugs, contribute bug fixes?
Please post successful feature tests to the Google group 'ossec-dev' with a subject line starting with an identifier such as [2.7-beta1-rootcheck]; do the same when reporting bugs and providing bug fixes. If privacy is a concern, you can send email to us at ossecproject @ gmail.com.
JB Cheng – 2012-09-24
- Added IPv6 support
- Lots of new rules (OpenBSD, Clamav, BRO-ids, active response logs, etc, etc)
- Added ossec-authd – for automatically creating and setting up the agent keys
- Added CEF support to client syslog
- Improved reporting for file changes
- Added option to Block repeated offenders with OSSEC
- Many bug fixes
This was also the release with the biggest number of contributors and we have to thank them all for the help.
Special thanks to Dan Parriott for all the work on the rules and documentation, Michael Starks for lots of new rules, Jeremy Rossi, the guys over at Atomicorp, Christopher Moraes, Xavier Mertens, Scott R. Shinn, Dean Proctor, Jason Frisvold, Paul Southerington, Anh Ky Huynh, Trey Dockendorf and many others. If I missed anyone, let me know and I will fix it.
Daniel B. Cid (on behalf of the OSSEC + Trend team)