On Tue, Oct 16, 2018 at 2:58 PM 'Brandon Westover' via ossec-list <[email protected]> wrote:
>
> We have been testing OSSEC to specifically be used for FIM and have been
> running into issues that make us worry about the stability/consistency of the
> product. Before I go about utilizing alternative Open Source products, I was
> hoping that the OSSEC gurus could assist me in tracking down why it is
> behaving the way it is.
>
> Our Setup:
>
> Server - Ubuntu 14.04.5 LTS
> Agents - Ubuntu 18.04.1 LTS; Windows 2012 R2
>
> Here are the issues that we have encountered in order of importance:
>
> 1) Alerting seems to be inconsistent based on documentation. We have
> configured /var/ossec/etc/ossec.conf to have:
>
> <syscheck>
> <!-- Frequency that syscheck is executed -- default every 20 hours -->
> <!-- changed default - blw <frequency>72000</frequency> -->
>
> <frequency>180</frequency>

The extremely low frequency will cause issues. Realtime is "turned off" during full scans.

> <alert_new_files>yes</alert_new_files>
>
> <!-- Directories to check (perform all possible verifications) -->
> <directories report_changes="yes" realtime="yes"
> check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories report_changes="yes" realtime="yes"
> check_all="yes">/bin,/sbin,/boot,/test</directories>
>
> It seems that this has more impact on the agents than their own /ossec.conf
> file, as I had the local agent's file contain the /test and was
> adding/modifying/deleting files while also restarting OSSEC both from
> agent and server and was getting no alerting for /test files. When I put it
> on the server as shown above, I started to get *some* alerts but not for
> everything as expected. The issue is that I would create a file, then I
> would edit the file several times as well as delete it, and I would only get
> some of those messages. I then created another file and tried to simulate
> again, and for this one I got no messages. My expectation with this config is
> that I should get alerted every time for new files, modifications, and
> deletes, and at most I should have to wait 3 minutes (this is testing
> currently just so I don't have to wait).
>
> I have also configured /var/ossec/rules/local_rules.xml to alert on new files
> added:
>
> <rule id="554" level="7" overwrite="yes">
> <category>ossec</category>
> <decoded_as>syscheck_new_entry</decoded_as>
> <description>File added to the system.</description>
> <group>syscheck,</group>
> </rule>
>
> The next 'issue' will also go into the agent.conf, as that was how I wanted to
> configure it, but that doesn't appear to take effect no matter what I do.
>
> If someone could help address what should be the proper configuration
> (both from client/server side and which files to achieve what I'm after), I
> would appreciate it.
>
> 2) We're trying to do Centralized Agent Configuration and from what I read on
> numerous sites and from OSSEC itself
> (https://www.ossec.net/docs/manual/agent/agent-configuration.html), it should
> be as simple as configuring /var/ossec/etc/shared/agent.conf on the server
> and then it should take effect for the agents. It doesn't matter what I seem
> to do here, it does not seem to take effect as I expect for Linux vs Windows.
> Has anyone got this to work for Ubuntu 14 and if so, can you help share
> troubleshooting steps for this, as it seems like it should be simple, but when
> it's just not working I'm kind of at a loss what to do.

This is extremely vague.

> 3) The last issue we got around by doing a different installation, but if I
> take the downloads from OSSEC from here
> https://github.com/ossec/ossec-hids/archive/3.0.0.tar.gz - it installs itself
> incorrectly on Ubuntu as 2.9 (which is very far behind). I tried this on
> almost all versions of Ubuntu as well as Amazon Linux and same issue. The
> reason why it mattered to us was that when we went to add agents, they could
> never connect - they always sat there at waiting for server response (even
> though the server already saw the connection and nothing was getting logged to
> the OSSEC log file). We spent a long time troubleshooting this and eventually
> went the route of automatic install (previously our server did not have
> internet connection purposely for testing, so we had to download the package
> and copy it over) and after doing this - the version showed properly at 3.0 AND
> the same agents started connecting. This isn't a huge issue for us at the
> moment, but it is a bit confusing why this is happening, so maybe someone can
> explain that so we understand better.

The version wasn't properly updated in the source. It should be fixed in 3.1. I don't think this would cause an agent to not be able to connect though.
>
> Thanks in advance,
> ~Brandon
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
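The two points raised in the reply (a 180-second full-scan interval starves realtime monitoring, and centralized configuration has to live in the manager's shared agent.conf rather than the manager's own ossec.conf) are easier to see side by side. The fragments below are a constructed illustration added to this thread, not configuration from either poster or from the OSSEC project; the element names follow the OSSEC syscheck and agent.conf documentation, the 72000-second interval is the default quoted in Brandon's comment, and the `os="Windows"` match string plus the example Windows directory are assumptions to adapt to the environment.

```xml
<!-- Constructed example, not from the thread. -->

<!-- (a) Weak setting, as quoted in the thread: a full scan every 180 seconds
     on /etc, /usr/bin, /usr/sbin, /bin, /sbin and /boot means syscheck is
     nearly always mid-scan, and realtime monitoring is suspended while a
     full scan runs, so file events during that window are never seen. -->
<syscheck>
  <frequency>180</frequency>
  <alert_new_files>yes</alert_new_files>
  <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot,/test</directories>
</syscheck>

<!-- (b) Corrected: keep the periodic integrity sweep at the 20-hour default
     (72000 s, the value Brandon commented out) and let realtime inotify
     watches deliver the immediate alerts for creates, edits and deletes. -->
<syscheck>
  <frequency>72000</frequency>
  <alert_new_files>yes</alert_new_files>
  <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot,/test</directories>
</syscheck>

<!-- (c) Centralized version of (b), placed in /var/ossec/etc/shared/agent.conf
     on the manager. The manager's own ossec.conf syscheck block only governs
     the manager host; agents take their shared settings from this file, one
     <agent_config> block per OS family. The os="..." values are assumed match
     strings; the Windows directory is a placeholder to replace with real
     paths. -->
<agent_config os="Linux">
  <syscheck>
    <frequency>72000</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin,/boot</directories>
  </syscheck>
</agent_config>

<agent_config os="Windows">
  <syscheck>
    <frequency>72000</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" realtime="yes" check_all="yes">C:\EXAMPLE_PATH_TO_MONITOR</directories>
  </syscheck>
</agent_config>
```

Before restarting the manager, `/var/ossec/bin/verify-agent-conf` checks the shared file for XML and option errors; after the manager and agents restart, the pushed copy should appear as /var/ossec/etc/shared/agent.conf on each Linux agent, which is the quickest way to confirm that centralized configuration actually reached the host before judging whether the FIM alerts it produces are complete.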
