The CVE-2015-3222 vulnerability, which allows for root escalation via sys check has been fixed in OSSEC 2.8.2. Read more about it here – which allows for root escalation via sys check. 2.8.2 can be obtained on the OSSEC Downloads page. A new OSSEC virtual appliance is forthcoming.
OSSEC CON 2014 was held in Cork Ireland this year to promote OSSEC in EMEA where we have many users. This year we had several members of the current OSSEC Team speak to our audience.
Jeremy Rossi, currently the OSSEC Development Manager, told us about some of the OSSEC open source history and shared the statistics on number of OSSEC contributions over the years. The good news is there are more lines of code and programmers contributing them than ever before. Jeremy did all the heavy lifting to move OSSEC over to Github which has really encouraged more people to work on it.
Santiago Gonzales joined us again this year reviewed his work using Cuckoo in conjunction with OSSEC to detect malware that shows up on Windows based systems.
New OSSEC Team member and author of Instant OSSEC Host-based Intrusion Detection System Brad Lhotsky talked to us about what he has done with OSSEC to help automate his security operations at Booking.com.
Barry O’Meara from AleinVault shared his experiences with using OSSEC with Amazon CloudTrail to provide intrusion detection for AWS instances.
I gave a talk on using Elasticsearch to manage OSSEC security alerts. I have posted all the slides from this and previous OSSEC conferences in the Documentation section of this site.
Finally, Cork was simply beautiful. The weather was great and the hotel accommodations at the Gresham-Metropole were superb. thanks again to our good friends at AlienVault for sponsoring OSSEC CON 2014. And thanks to all of our conference attendees.
Look for the conference next year to be held at one of the major Unix conferences – to be determined. Thanks to all who attended.
See you next year.
OSSEC 2.8.1 has been released to address the security issue identified by Jeff Petersen of Roka Security LLC. Full details of the issue can be found on the OSSEC Github repository – https://github.com/ossec/ossec-hids/releases/tag/2.8.1.
This correction will create the temp file for the hosts deny file in /var/ossec and will use mktemp where available to create NON-predictable temp file name. In cases where mktemp is not available we have written a BAD version of mktemp, but should be a little better then just process id.
In terms of features this release is the same as OSSEC 2.8. The OSSEC 2.8 Windows agent has not been updated.
OSSEC Commercial Support contracts will no longer be available directly from Trend Micro as of March 2014; however all existing agreements will continue to be fully supported until the end of their respective terms.
If you are still interested in OSSEC and requrie commercial support, Trend Micro is aware of some 3rd party vendors who may be able to provide some deployment assistance or post-sale support options. Please note that Trend Micro does not specifically endorse these vendors, but is merely providing this information as a convenience for users. Interested parties are advised to directly contact the vendor for more information on their specific capabilities or offerings around OSSEC.
While AlienVault does not offer stand-alone support options for OSSEC, it does offer OSSEC support through it’s commercial offering. OSSEC is one of many open source tools found in the AlienVault Unified Security Management (USM) platform which provides OSSEC users with an interface to manage and configure large agents deployments, customize rules, generate reports or dashboards and correlate incoming agents data. To learn more visit: http://www.alienvault.com/landing/ossec or contact us at firstname.lastname@example.org.
OSSEC Training Resources from the AlienVault Community:
- Advanced OSSEC Training Webcast
- Installing OSSEC agent in a Windows server
- Reading a log file with OSSEC agent
- Deploying OSSEC agents to Linux Hosts
AtomiCorp is the maker of Atomic Secured Linux – the complete security solution for Linux web servers which features OSSEC as one of its primary security tools. AtomiCorp has long been involved with the OSSEC Project and currently builds the OSSEC RPM packages for each release. If you are interested in the Atomic Secured Linux, AtomiCorp provides commericial support for the system You can find out more about Atomic Secured linux by contating AtomiCorp sales at email@example.com.
The recently disclosed CVE-2014-0160 vulnerability – heartbleed read overrun – in OpenSSL may impact OSSEC installations where OSSEC was deployed with OpenSSL support, either when built from source or installed from RPMs. In particular this issue leaves ossec-authd open to attack.
The CVE-2014-0160 vulnerability has been fixed in OpenSSL 1.0.1g as described here – https://www.openssl.org/news/secadv_20140407.txt. OSSEC users are advised to replace their existing OpenSSL shared libraries with version 1.0.1.g which you can obtain as a source tarball on the OpenSSL website here http://www.openssl.org/source/. As of this writing it does not appear that yum repositories for CentOS 6.x have pushed this version of OpenSSL to the repository servers.
It is further advised that, until you patch your OpenSSL components, you do not leave ossec-authd running when it is not receiving requests from your OSSEC agents.
Our friends at AlienVault have created and now host Debian packages of OSSEC for Ubuntu Wheezy, Jessie and Sid. See the Downloads page for the links to the packages and AlienVault's respositories. Thanks to OSSEC Project team member Santiago Gonzalez for taking the time to create these packages and AlientVault for hosting them
And just a reminder, we have RPMs for all the major RedHat derived distros courtesy of our friends at Atomicorp and long time team member Scott Shinn.
OSSEC is moving from bitbucket to github, and in the process moving to a new method for accepting contributions. This is an exciting change that we feel will help push OSSEC forward in 2014 and further into the future.
The overall goals of the change are to allow OSSEC to be more dynamic, agile, and quicker to respond to the needs of the community.
This change will not be without issues or problems, but we aim to make it as seamless as possible. To do this we are committing to the following task to be completed 7 days from now:
- Port all code to github
- Port all Open Issues to github issues
- Port all Open Pull Requests to github Pull Requests
1) Porting code
This is currently done every 30 minutes (when hg-git does not break). We have set up and enabledgithib.com/ossec/ossec-hids
This will continue till to the cut over date of Feb 7th 2014.
2) Port all Open Issues
We will copy all open issues from Bitbucket to github. Due to the api avaiable, and reporting user and all comments on issues will show up as the user performing the migration. Test runs are being preformed togithib.com/jrossi/issue-migration-test
3) Port all Open Pull Requests
This process will be the hardest, and will be the hardest to detail, but we shall attempt it here.
Contact pull request author to request they move to github and resubmit using github. If no response is recevied before the following:
- Create github.com/ossec/bitbucket-pull-requests as a fork of github.com/ossec/ossec-hids/
- Export each Pull Request as a patch bb-gh-pull-request-##.patch
Import each patch into a branch named bb-gh-pull-request-##
- Apply correct author/email git infomation so no infomation is lost.
- Create a github pull request for each branch.
For authors who email addresses match between githib and bitbucket everything will show up as expected. Authors can also use github email settings to add second or third email address.
Once completed, each pull request will stand on its own and be reviewed for merging based on the Collective Code Construction Contract.
It was sunny and pleasant throughout the two days of OSSEC CON in Cupertino, California. This is the first of its kind and we did not know what to expect. The agenda says 11:00am to 1:00pm Thursday for registration and lunch and I was thinking people probably won't show up until 12 or 12:30pm. When the first attendee appeared at 11 AM sharp, we were pleasantly surprised. Gradually, more people arrived and we had boxed lunch and casual conversation throughout lunch period. The atmosphere was that people were simply happy to meet other long-time OSSEC users face-to-face, as if you would expect in a 20 year high school reunion.
By the way, you can get the full agenda and introductory slides for the symposium here.
OSSEC CON Day 1
The OSSEC project, as most of you already know, was founded by Daniel Cid almost 10 years ago. In 2008, Third Brigade acquired the OSSEC project, and in 2009, Trend Micro acquired Third Brigade. Fast forward to 2012: the time has come for Trend Micro to reach out to the OSSEC user community, actively seeking feedback and contributions. The OSSEC vision for 2012 is "Three in One", as shown in the following diagram.
Trend Micro's strategy for OSSEC can be summarized as:
- Promote Trend Micro brand through OSSEC Project sponsorship
- Engage in Open Source development and learn from the community
- Ensure timely technical support for Trend Micro’s paid support customers
The community, which consists of OSSEC Contributors and Users, have these goals in general:
- Provide the OSSEC user community with regular bug fixes and new features.
- Provide timely announcements of OSSEC rule and platform enhancements thru the new OSSEC website and social media
- Promote OSSEC and Trend Micro brand and development through regular community meetings
- Increase adoption of the OSSEC HIDS platform.
Going forward, we expect these three entities to collaborate closely and benefit each other. The OSSEC project will remain open and free, while together we will set the direction for future enhancements and work on future releases.
After a brief introduction of all attendees, Trend Micro Legal Counsel, John Chen, appeared on stage and restated that the OSSEC source code and rules are still governed under GPL license terms, as it has been stated on the OSSEC License page.
The center piece of presentation on Day 1 was Keynote I – Experiences Applying OSSEC. Michael Starks, in his Ninja outfit (just kidding), energized the audience with his humor and extensive wisdom that one can only expect from a very experienced user of OSSEC. His presentation slides can be found here.
The keynote led to an open discussion by all participants about their pain points, which are summarized into several categories at the end of this article.
OSSEC CON Day 2
Day 2 started with continental breakfast (9:00am ~ 9:45am) and again we were pleasantly surprised to see the first attendee arrived before 9am. The enthusiasm was amazing throughout the second day as well. First, Trend Micro presented its product strategy; in particular, the DeepSecurity product lineup, in a world fast moving to the virtualized cloud environment. While OSSEC is a very capable tool for HIDS (Host-based Intrusion Detection System), DeepSecurity is a powerful and versatile HIPS (Host-based Intrusion Prevention System) that meets enterprise server security needs, including Anti-Virus, Web Reputation, Firewall, in addition to the standard OSSEC features of File Integrity and Log Inspection. Interested users are advised to contact Trend Micro for more details.
Next, experiences with high volume OSSEC deployment were shared. One installation had 3,000 OSSEC Windows agents and 500 Unix agents (mix of HP / AIX / Linux / SunOS). This was before 'authd' was available and the deployment consisted of three steps:
- Use OSSEC make option to set maximum number of agents to be greater than 256 (default). Generate all 3500 keys in advance, leaving the IP addresses as 'ANY' in OSSEC manager's clients.keys file initially.
- After basic install and as the agents came up and checked in with the manager, the real agent IP addresses were placed into clients.keys file by scripts.
- Each agent waited for extra 30 seconds to allow the manager to push agent.conf to the agent and merge the configuration together, then restart the agent.
Some manager performance tuning was performed. For example, the Unix fs cache was set to 10%, from the default value of 90%. This allowed OSSEC 'analysisd'/'remoted' to grab as much memory as needed. As for server spec, one manager was able to handle 4,000 agents with 72 GB RAM and 1 TB disk. The installation had 'logall' turned on to MySQL database, while alerts are piped to Splunk for noise reduction and further correlation. The 500 MB limitation on free version of Splunk was not a problem at all in this example.
Next, a list of 3rd party add-on tools were discussed. Splunk topped the list as the most popular among attending participants. Others include OSSIM, logstash, logZilla, ELSA, ArcSight, EnVision, LogCentral, AnaLogi. A demonstration of OSSEC and ELSA was shown and interested users can refer to http://code.google.com/p/enterprise-log-search-and-archive/ to find more about ELSA.
After a nice lunch break, Day 2 afternoon started with Keynote II – OSSEC Feature Wish List. Michael Starks took the stage again with his charm. He first used an example to illustrate the importance of having a shared vision; the lack of a shared vision and realistic goals often puts a project on hold. Michael painted the future of OSSEC with the following wish list:
- Interoperability based on standards, e.g., common standard for rule writing. This should result in better OSSEC rules taxonomy and ease of understanding
- Interface well with other tools such as CVE, OVAL, syslog-ng, etc., adapting format such as CEE (Common Event Expression http://cee.mitre.org/)
- A collective attitude which encourages and supports contributions
It was noted that to be an OSSEC contributor, writing code is not necessary. Everyone has something to offer. Can you submit a bug report? Are you an artist? Do you have an idea? With a friendly and encouraging community, talent naturally emerges. The presentation slides can be found here.
The Big OSSEC TO DO List
To summarize the pain points as well as the wish list, the complete list is shown below:
Dealing with BugsReducing the noise level – Tune rules to avoid alerts flooding
- JB Cheng is coordinating the next OSSEC minor release, which will focus on bug fixes.
- Michael is helping to prioritize existing bugs
- Existing patches contributed by users will be collected and included after passing review.
- Roadmap will be communicated and beta testers of the new release will be recruited.
- Suggestion to document the current development process in an FAQ section.
- Ideally an auto regression framework can be built to make sure bug fixes do not break existing functionality. This is to be considered.
Reducing the noise level – Tune rules to avoid alerts flooding
- In general, Linux rules are OK; but Windows rules generate too many alerts by default.
- Suggestion to gather feedback and adjust Windows rules in future releases. By default, email alerts should be meaningful and actionable (stay consistent and informative) while the rest can be viewed in a GUI.
- One use case is piping OSSEC alerts to Splunk and use Splunk rules to consolidate chatty alerts.
- One attendee stated that the <do_not_group> configuration option for putting multiple alerts in one email does not seem to work as expected (to be verified).
- Suggestion to tie rule alert levels with business risk factor for different assets, so non-critical assets do not trigger email notifications.
- Suggestions to tie alert levels with different group characteristics. For example, admin group vs. normal groups.
Making agent deployment easier – Key exchange
- Before 'authd' was available, deploying lots of OSSEC agents was very time consuming.
- 'authd' works on Linux, but some users experienced problems on Windows although there were successful cases too. Suggest documenting the success stories of 'authd'.
- Still, agent key management is a barrier to entry
- Making Windows Agent MSI build can allow the leverage of Active Directory group policy for Windows agent deployment
- RedHat RPMs, Debs, etc. are good too.
- Example: some experience showed Puppet was good for Unix systems.
- Example: OCS-ng was also used in at least one deployment.
- It should "just work".
Decoupling Rule and Decoder Updates
- Current OSSEC rules are coupled with OSSEC releases. By decoupling them it will allow faster response to current and emerging threats with faster rule fixes.
WUI – Web User Interface
- WUI 0.3 has some incompatibilities with OSSEC 2.6, which makes it hard to use.
- IP address and Date field got mixed up.
- WUI reporting can be enhanced to become more useful.
- Viewing alerts is currently via text display only. It would be nice to have CSV output option.
Web site – www.ossec.net
- The web site has been restructured with a new look and better navigation. Please report any broken links or missing information.
- The Wiki feature on the old web site has been discontinued due to extensive spam trouble. Important content will be reproduced as static pages at user's request.
Suggestions to provide/link to tutorial type of information such as:
- A live demo OSSEC server, ideally with agents in virtual machines
- Tutorial video on YouTube (any volunteers?)
- Re-visit the Virtual Machine image effort which may contain OSSEC manager , WUI and even some 3rd party tools preinstalled.
Interface with 3rd party tools
- e.g., Snort –> OSSEC –> Splunk
- e.g., OSSEC –> ELSA
- e.g., Hadoop log –> OSSEC (feasible?)
- Suggestion on syslog output enhancement – adding File Integrity checksum to alert output so it can be used for lookups (refer to : http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html and http://cr.yp.to/cdb.html)
That's it folks! The first OSSEC Symposium is successfully concluded! Now, let’s get busy!
JB Cheng – 7/16/2012
Michael Starks – 7/17/2012
Vic Hargrave – 7/17/2012