The CVE-2015-3222 vulnerability, which allows for root escalation via syscheck, has been fixed in OSSEC 2.8.2. Read more about it here. 2.8.2 can be obtained on the OSSEC Downloads page. A new OSSEC virtual appliance is forthcoming.
I have updated the OSSEC Virtual Appliance to include OSSEC 2.8.1 and Elasticsearch-Logstash-Kibana (ELK) log management and the ElasticHQ system to handle ELK monitoring. It is a single gzipped OVA that can be easily imported into VirtualBox or any other virtualization system that supports OVA files.
Look for it in the Downloads section.
OSSEC CON 2014 was held in Cork Ireland this year to promote OSSEC in EMEA where we have many users. This year we had several members of the current OSSEC Team speak to our audience.
Jeremy Rossi, currently the OSSEC Development Manager, told us about some of the OSSEC open source history and shared the statistics on number of OSSEC contributions over the years. The good news is there are more lines of code and programmers contributing them than ever before. Jeremy did all the heavy lifting to move OSSEC over to Github which has really encouraged more people to work on it.
Santiago Gonzales joined us again this year and reviewed his work using Cuckoo in conjunction with OSSEC to detect malware that shows up on Windows based systems.
New OSSEC Team member and author of Instant OSSEC Host-based Intrusion Detection System Brad Lhotsky talked to us about what he has done with OSSEC to help automate his security operations at Booking.com.
Barry O’Meara from AlienVault shared his experiences with using OSSEC with Amazon CloudTrail to provide intrusion detection for AWS instances.
I gave a talk on using Elasticsearch to manage OSSEC security alerts. I have posted all the slides from this and previous OSSEC conferences in the Documentation section of this site.
Finally, Cork was simply beautiful. The weather was great and the hotel accommodations at the Gresham-Metropole were superb. Thanks again to our good friends at AlienVault for sponsoring OSSEC CON 2014. And thanks to all of our conference attendees.
Look for the conference next year to be held at one of the major Unix conferences – to be determined. Thanks to all who attended.
See you next year.
OSSEC 2.8.1 has been released to address the security issue identified by Jeff Petersen of Roka Security LLC. Full details of the issue can be found on the OSSEC Github repository – https://github.com/ossec/ossec-hids/releases/tag/2.8.1.
This correction will create the temp file for the hosts deny file in /var/ossec and will use mktemp where available to create a NON-predictable temp file name. In cases where mktemp is not available we have written a BAD version of mktemp, but it should be a little better than just the process id.
In terms of features this release is the same as OSSEC 2.8. The OSSEC 2.8 Windows agent has not been updated.
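To illustrate the pattern the fix describes, here is an added shell example (not OSSEC's own host-deny.sh): the temp copy of hosts.deny is created with mktemp when it exists, and otherwise with a fallback that mixes a random suffix into the name instead of relying on the process id alone. The directory argument, the second "force fallback" argument and the fallback naming scheme are assumptions for this example, not OSSEC's implementation.

```shell
# Added example, not OSSEC code. Create an unpredictable working copy of
# hosts.deny under the given directory (default /var/ossec is an assumption).
# Usage: safe_tmpfile [dir] [auto|no]   ("no" forces the fallback path)
safe_tmpfile() {
    dir="${1:-/var/ossec}"
    use_mktemp="${2:-auto}"

    # Preferred path: mktemp picks the random part, creates the file
    # atomically (O_EXCL) and with mode 0600, so nobody can pre-create it.
    if [ "$use_mktemp" = auto ] && command -v mktemp >/dev/null 2>&1; then
        mktemp "$dir/hosts.deny.XXXXXX"
        return
    fi

    # Fallback when mktemp is missing: a PID-only name ($$) is guessable,
    # so append 32 random bits from /dev/urandom as well.
    rnd=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    f="$dir/hosts.deny.$$.$rnd"

    # noclobber (set -C) makes the redirection fail if the path already
    # exists, so a pre-planted file or symlink is refused rather than reused.
    ( set -C; umask 077; : > "$f" ) 2>/dev/null || return 1
    printf '%s\n' "$f"
}
```

The caller then writes the new deny list to the returned path and renames it over /etc/hosts.deny, so a failure from safe_tmpfile aborts the update instead of writing through a predictable name.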
OSSEC Commercial Support contracts will no longer be available directly from Trend Micro as of March 2014; however all existing agreements will continue to be fully supported until the end of their respective terms.
If you are still interested in OSSEC and require commercial support, Trend Micro is aware of some 3rd party vendors who may be able to provide some deployment assistance or post-sale support options. Please note that Trend Micro does not specifically endorse these vendors, but is merely providing this information as a convenience for users. Interested parties are advised to directly contact the vendor for more information on their specific capabilities or offerings around OSSEC.
While AlienVault does not offer stand-alone support options for OSSEC, it does offer OSSEC support through its commercial offering. OSSEC is one of many open source tools found in the AlienVault Unified Security Management (USM) platform, which provides OSSEC users with an interface to manage and configure large agent deployments, customize rules, generate reports or dashboards and correlate incoming agent data. To learn more visit: http://www.alienvault.com/landing/ossec or contact us at firstname.lastname@example.org.
OSSEC Training Resources from the AlienVault Community:
- Advanced OSSEC Training Webcast
- Installing OSSEC agent in a Windows server
- Reading a log file with OSSEC agent
- Deploying OSSEC agents to Linux Hosts
AtomiCorp is the maker of Atomic Secured Linux – the complete security solution for Linux web servers which features OSSEC as one of its primary security tools. AtomiCorp has long been involved with the OSSEC Project and currently builds the OSSEC RPM packages for each release. If you are interested in Atomic Secured Linux, AtomiCorp provides commercial support for the system. You can find out more about Atomic Secured Linux by contacting AtomiCorp sales at email@example.com.
The OSSEC developers have been hard at work on version 2.8 and we have made Beta-1 packages available for testing. See the Downloads page. Help us with the testing and fine tuning of this preliminary release.
The recently disclosed CVE-2014-0160 vulnerability – heartbleed read overrun – in OpenSSL may impact OSSEC installations where OSSEC was deployed with OpenSSL support, either when built from source or installed from RPMs. In particular this issue leaves ossec-authd open to attack.
The CVE-2014-0160 vulnerability has been fixed in OpenSSL 1.0.1g as described here – https://www.openssl.org/news/secadv_20140407.txt. OSSEC users are advised to replace their existing OpenSSL shared libraries with version 1.0.1g, which you can obtain as a source tarball on the OpenSSL website here: http://www.openssl.org/source/. As of this writing it does not appear that yum repositories for CentOS 6.x have pushed this version of OpenSSL to the repository servers.
It is further advised that, until you patch your OpenSSL components, you do not leave ossec-authd running when it is not receiving requests from your OSSEC agents.
Our friends at AlienVault have created and now host Debian packages of OSSEC for Ubuntu Wheezy, Jessie and Sid. See the Downloads page for the links to the packages and AlienVault's repositories. Thanks to OSSEC Project team member Santiago Gonzalez for taking the time to create these packages and to AlienVault for hosting them.
And just a reminder, we have RPMs for all the major RedHat derived distros courtesy of our friends at Atomicorp and long time team member Scott Shinn.
OSSEC is moving from bitbucket to github, and in the process moving to a new method for accepting contributions. This is an exciting change that we feel will help push OSSEC forward in 2014 and further into the future.
The overall goals of the change are to allow OSSEC to be more dynamic, agile, and quicker to respond to the needs of the community.
This change will not be without issues or problems, but we aim to make it as seamless as possible. To do this we are committing to the following tasks to be completed 7 days from now:
- Port all code to github
- Port all Open Issues to github issues
- Port all Open Pull Requests to github Pull Requests
1) Porting code
This is currently done every 30 minutes (when hg-git does not break). We have set up and enabled github.com/ossec/ossec-hids. This will continue until the cut over date of Feb 7th 2014.
2) Port all Open Issues
We will copy all open issues from Bitbucket to github. Due to the API available, the reporting user and all comments on issues will show up as the user performing the migration. Test runs are being performed to github.com/jrossi/issue-migration-test
3) Port all Open Pull Requests
This process will be the hardest, and will be the hardest to detail, but we shall attempt it here.
Contact each pull request author to request that they move to github and resubmit using github. If no response is received, we will do the following:
- Create github.com/ossec/bitbucket-pull-requests as a fork of github.com/ossec/ossec-hids/
- Export each Pull Request as a patch bb-gh-pull-request-##.patch
- Import each patch into a branch named bb-gh-pull-request-##
- Apply correct author/email git information so no information is lost.
- Create a github pull request for each branch.
For authors whose email addresses match between github and bitbucket everything will show up as expected. Authors can also use github email settings to add a second or third email address.
Once completed, each pull request will stand on its own and be reviewed for merging based on the Collective Code Construction Contract.