On 10/19/2010 06:20 PM, Jefferson, Shawn wrote:

They're the lucky ones then. :)  I can't say enough good things about Bigfix.  
I discovered a Trojan on one of my machines today (not a rootkit, so it wasn't 
really hiding), and used Bigfix to verify that it was not on any of the other 
2000 or so machines in about 10 minutes.  Mostly I use it for security tasks 
now, but I grew up with it on the Systems Administration side, from about 
version 5 onward.

That's pretty cool. I haven't really played with it but the one BigFix guy I know is also a big fan. Whatever the question, he usually replies with, "there's a fixlet for that." :)


You note in your blog that you'll also try to do a write-up on how to use
batch files and psexec. I have done some work in this area but haven't
polished anything up. Perhaps we can collaborate?

Sure.  I wasn't thinking of anything fancy, something like this:

- read a list of computer names from a text file
- copy the installer
- launch a silent install via psexec
- extract the client key from the client.keys file that you get off the ossec 
server
- copy it to the ossec client
- copy a customized ossec.conf to the client
- use "sc" to start the ossec agent remotely.

That's almost exactly what my script does, with the exception that I compile in the custom ossec.conf. But your approach is a bit more portable and flexible.


There's also someone else I did a bit of work with (he did most of it) who
I am pretty sure is planning on a 2WoO post of his method.

At the end of the week, we should have 3 or 4 methods for Windows
agent deployment. We should correlate and document them on the wiki at
least. Ultimately, until we have key exchange, it would be nice to have a
completely free script (probably batch, but maybe something with Samba?) we
can continuously improve and support officially.

Sounds great, I'm interested to see other approaches! Especially around the 
security implications of the client.keys.  Secure, automated key exchange would 
be very nice in ossec.

Usually, when I think about the key security and distribution problem, I end up circling back to the same place. I don't know of a good way to solve it without using something like asymmetric keys which set up a symmetric key (SSL), but OSSEC won't be able to do that until it supports TCP.

On the other hand, how many companies even encrypt their logs? I have to be pragmatic at some point since there is a job to get done and the risk of a temporary client.keys file on a read-only share may be acceptable. You could mitigate this somewhat by assigning a random name to the file. That way, the attacker would have to guess at the file name if they can't do a directory listing.

Then there is the risk of clear-text transmission. Windows could sign and secure the SMB traffic, although that is generally an all-or-nothing proposition, so other apps may break.

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
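The psexec deployment steps sketched in the thread above, written out as an added batch example (not a script from either poster). It assumes a `hosts.txt` with one computer name per line, the OSSEC NSIS installer `ossec-agent-win32.exe` accepting `/S` for a silent install, a `client.keys` copied from the server with one `id name ip key` line per agent, a customised `ossec.conf`, `psexec.exe` on the PATH with admin rights to each target's `C$` share, and the agent service name `OssecSvc`.

```batch
@echo off
setlocal EnableDelayedExpansion
REM Added example, not from the thread: push the OSSEC Windows agent to every
REM host in hosts.txt. All file names, paths and the service name are assumptions.
set INSTALLER=ossec-agent-win32.exe
set KEYS=client.keys
set CONF=ossec.conf
set AGENTDIR=C$\Program Files\ossec-agent
set LOG=deploy.log

if not exist hosts.txt (echo hosts.txt not found & exit /b 1)
if not exist %KEYS% (echo %KEYS% not found & exit /b 1)

for /f "usebackq eol=# tokens=* delims=" %%h in ("hosts.txt") do (
    echo === %%h ===
    REM Find this host's line in client.keys by matching the agent name field.
    set KEYLINE=
    for /f "usebackq tokens=1-4" %%a in ("%KEYS%") do (
        if /i "%%b"=="%%h" set KEYLINE=%%a %%b %%c %%d
    )
    if "!KEYLINE!"=="" (
        echo %%h: no entry in %KEYS%, skipping >> %LOG%
    ) else (
        REM Copy the installer to the target and run it silently under psexec.
        psexec \\%%h -accepteula -c -f %INSTALLER% /S
        if errorlevel 1 (
            echo %%h: install failed, errorlevel !errorlevel! >> %LOG%
        ) else (
            REM Write the agent's single-line client.keys, then the custom ossec.conf.
            REM The redirect is placed first so a key ending in a digit is not
            REM mistaken for a file-handle redirection.
            >"\\%%h\%AGENTDIR%\client.keys" echo !KEYLINE!
            copy /y %CONF% "\\%%h\%AGENTDIR%\ossec.conf" >nul
            REM Start the agent service remotely.
            sc \\%%h start OssecSvc >nul
            if errorlevel 1 (echo %%h: service start failed >> %LOG%) else (echo %%h: deployed >> %LOG%)
        )
    )
)
REM The local client.keys copy holds every agent's key: remove it once the run
REM is done so it does not linger as the temporary file the thread worries about.
del %KEYS%
endlocal
```

Each host's result is appended to `deploy.log`; hosts with no entry in `client.keys` are skipped rather than installed without a key.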
