Re: [ossec-list] Database and File rules encrypted?

2012-03-29 Thread Daniel Cid
That's not something encryption is going to help you with.

Thanks,

--
Daniel B. Cid
http://dcid.me

On Thu, Mar 22, 2012 at 6:16 PM, Michel Henrique Aquino Santos
michel@gmail.com wrote:
 Hi,
 an attacker can read the rules file and use any directory or file that is not
 monitored to carry out the attack.

 On 22-03-2012 18:04, Castle, Shane wrote:

 Just what is this vulnerability, specifically?




Re: [ossec-list] Database and File rules encrypted?

2012-03-27 Thread dan (ddp)
If an attacker has gotten privileged access to the system there should
be a log somewhere detailing this. Hopefully there's a rule for that
log message...

What do you mean by use a directory or file not monitored to carry
out the attack? You mean monitored by syscheckd? As soon as they
change something of consequence there should be a syscheckd alert
triggered.

And there should be alerts when the OSSEC processes are stopped, so
that's another reason to investigate.

Whenever possible, export logs to a hardened/remote host. Installing a
local OSSEC instance should be a last resort.

On Thu, Mar 22, 2012 at 5:52 PM, Michel Henrique Aquino Santos
michel@gmail.com wrote:
 If an attacker managed to enter the machine and gain privileged access, they
 can read the configuration files if OSSEC is installed as local. Thus, they
 can use a directory or file not monitored to carry out the attack, or even
 modify the rules file.

 On 22-03-2012 18:16, Nelson, James wrote:

 The vast majority of log data is not encrypted to begin with, so how do you
 figure it’s a vulnerability?  At most, transmission between agent and master
 could be considered vulnerable but you can set it up to use secure
 transmission which would be encrypted.



 James

 


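The exchange above turns on two points: a change to a monitored file produces a syscheck alert, while a file outside the monitored set is never looked at, and encrypting the on-disk baseline does not help against a privileged local user. The following is an added example, not OSSEC's own syscheckd code, that shows both on a constructed directory tree. The `monitored` list stands in for syscheck's `<directories>` element, and `exported_copy` stands in for a baseline shipped to a remote host at scan time, as dan recommends for logs; file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, monitored: list[str]) -> dict[str, str]:
    """Hash every regular file under the monitored directories.

    Keys are paths relative to root. Anything outside `monitored` is
    never visited, which is exactly the gap the thread argues about.
    """
    db: dict[str, str] = {}
    for rel in monitored:
        base = root / rel
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                db[p.relative_to(root).as_posix()] = file_digest(p)
    return db


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences the way an integrity alert would: added, deleted, modified."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict[str, dict[str, list[str]]]:
    """Run the scan on a constructed tree and return three reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "opt" / "unwatched").mkdir(parents=True)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")

        monitored = ["etc"]  # constructed: plays the role of syscheck's <directories>
        baseline = snapshot(root, monitored)
        exported_copy = dict(baseline)  # assumption: a copy sent to a remote host

        # Later: a monitored file changes, and a file appears outside the monitored set.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 somewhere\n")
        (root / "opt" / "unwatched" / "note.txt").write_text("not covered by the scan\n")
        current = snapshot(root, monitored)
        report = diff_snapshots(baseline, current)

        # A privileged user rewrites the plaintext local baseline to match the new state;
        # the local comparison goes quiet, the off-host copy still shows the change.
        baseline["etc/hosts"] = current["etc/hosts"]
        local_view = diff_snapshots(baseline, current)
        remote_view = diff_snapshots(exported_copy, current)

        return {"report": report, "local_view": local_view, "remote_view": remote_view}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep)
```

`report` lists `etc/hosts` as modified and nothing for `opt/unwatched/note.txt`, because that path was never in the monitored set; `local_view` is empty after the baseline is rewritten on the host, while `remote_view` still reports the change. Encrypting the baseline would not alter either outcome, since the scanner itself has to read it: the controls that matter are the coverage of the monitored directories and a reference copy the local privileged user cannot rewrite.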

Re: [ossec-list] Database and File rules encrypted?

2012-03-27 Thread dan (ddp)
Plus the files/filesystem would have to be decrypted to use. A
privileged user would probably have access to that decrypted data.

On Thu, Mar 22, 2012 at 5:58 PM, Castle, Shane
scas...@bouldercounty.org wrote:
 If this happened then it's game over. Encrypting the files/filesystem will do 
 no good if your system is compromised.

 Sorry, I don't buy it. Try again.





[ossec-list] Database and File rules encrypted?

2012-03-22 Thread Michel Henrique Aquino Santos
Hello,

I'm doing a paper for a university study (Federal University of Lavras -
UFLA - www.ufla.br), comparing four tools for checking the integrity of
files (Tripwire, OSSEC, AIDE and Samhain).
I need some information about the tool OSSEC.
Is the generated database (snapshot) encrypted? Is the rules file encrypted?


Sorry for my English, I cannot write correctly.
I await a response.
Thank you!

-- 
Regards,

*Michel Henrique Aquino Santos*
Bachelor's Degree in Computer Science
Universidade Federal de Lavras - UFLA
Skype: michel_has
Gtalk: michel.has
michel@gmail.com

Linux User # 496756

http://resolvidoslinux.blogspot.com/


Re: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread dan (ddp)
Neither are encrypted in OSSEC.

On Thu, Mar 22, 2012 at 4:22 PM, Michel Henrique Aquino Santos
michel@gmail.com wrote:
 Hello,

 I'm doing a paper for a university study (Federal University of Lavras - UFLA
 - www.ufla.br), comparing four tools for checking the integrity of files
 (Tripwire, OSSEC, AIDE and Samhain).
 I need some information about the tool OSSEC.
 Is the generated database (snapshot) encrypted? Is the rules file encrypted?


 Sorry for my English, I cannot write correctly.
 I await a response.
 Thank you!



Re: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Michel Henrique Aquino Santos
Thanks for the reply. This is not good because it creates a
vulnerability in the system.

Regards.

On 22-03-2012 17:33, dan (ddp) wrote:
 Neither are encrypted in OSSEC.


-- 
Regards,

*Michel Henrique Aquino Santos*
Bachelor's Degree in Computer Science
Universidade Federal de Lavras - UFLA
Skype: michel_has
Gtalk: michel.has
michel@gmail.com

Linux User # 496756

http://resolvidoslinux.blogspot.com/


RE: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Castle, Shane
Just what is this vulnerability, specifically?

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Michel Henrique Aquino Santos
Sent: Thursday, March 22, 2012 14:54
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Database and File rules encrypted?

Thanks for the reply. This is not good because it creates a vulnerability in 
the system.

Regards.

On 22-03-2012 17:33, dan (ddp) wrote:

Neither are encrypted in OSSEC.



RE: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Nelson, James
The vast majority of log data is not encrypted to begin with, so how do you
figure it's a vulnerability?  At most, transmission between agent and master
could be considered vulnerable but you can set it up to use secure
transmission which would be encrypted.

 

James 



From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Michel Henrique Aquino Santos
Sent: Thursday, March 22, 2012 3:54 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Database and File rules encrypted?

 

Thanks for the reply. This is not good because it creates a vulnerability in
the system.

Regards.

On 22-03-2012 17:33, dan (ddp) wrote:

Neither are encrypted in OSSEC.
 



Re: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Michel Henrique Aquino Santos
Hi,
an attacker can read the rules file and use any directory or file that is not
monitored to carry out the attack.

On 22-03-2012 18:04, Castle, Shane wrote:
 Just what is this vulnerability, specifically?


-- 
Regards,

*Michel Henrique Aquino Santos*
Bachelor's Degree in Computer Science
Universidade Federal de Lavras - UFLA
Skype: michel_has
Gtalk: michel.has
michel@gmail.com

Linux User # 496756

http://resolvidoslinux.blogspot.com/


Re: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Michel Henrique Aquino Santos
If an attacker managed to enter the machine and gain privileged access,
they can read the configuration files if OSSEC is installed as local.
Thus, they can use a directory or file not monitored to carry out the
attack, or even modify the rules file.

On 22-03-2012 18:16, Nelson, James wrote:

 The vast majority of log data is not encrypted to begin with, so how
 do you figure it's a vulnerability?  At most, transmission between
 agent and master could be considered vulnerable but you can set it up
 to use secure transmission which would be encrypted.

  

 James

 



-- 
Regards,

*Michel Henrique Aquino Santos*
Bachelor's Degree in Computer Science
Universidade Federal de Lavras - UFLA
Skype: michel_has
Gtalk: michel.has
michel@gmail.com

Linux User # 496756

http://resolvidoslinux.blogspot.com/


RE: [ossec-list] Database and File rules encrypted?

2012-03-22 Thread Castle, Shane
If this happened then it's game over. Encrypting the files/filesystem will do 
no good if your system is compromised.

Sorry, I don't buy it. Try again.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Michel Henrique Aquino Santos
Sent: Thursday, March 22, 2012 15:52
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Database and File rules encrypted?

If an attacker managed to enter the machine and gain privileged access, they can 
read the configuration files if OSSEC is installed as local. Thus, they can use 
a directory or file not monitored to carry out the attack, or even modify the 
rules file.

On 22-03-2012 18:16, Nelson, James wrote:

The vast majority of log data is not encrypted to begin with, so how do 
you figure it's a vulnerability?  At most, transmission between agent and 
master could be considered vulnerable but you can set it up to use secure 
transmission which would be encrypted.

 

James 




