For Internet Facing and Private Data Systems. Functionality and Purpose

Transcription

1 For Internet Facing and Private Data Systems Functionality and Purpose 1

2 Audience Prerequisites Introductions why do you want to run OSSEC? Course Overview Section 1: Functionality and Purpose Section 2: Policies and Alerts 2

3 Section 1: Functionality and Purpose 3

4 Module 1: Getting Started Module 2: Configuration Module 3: Rules Module 4: Syscheck Module 5: Managing the Alerts Functionality and Purpose 4

5 Client-Server architecture Overview What is OSSEC? Installation OSSEC Server Agents talk to the server every 10 minutes, performs tasks, and sends results to server Install agent manually on system you re protecting Private Data System IIS Server OSSEC Clients Functionality and Purpose 5

6 Overview what is OSSEC? Log analysis File integrity checking Rootkit detection Time-based alerting OSSEC Web User Interface Other features beyond scope of today s training Active response Policy enforcement Functionality and Purpose 6

7 Understanding the installation types Local Training environment Server Agent Required software for OSX Xcode tools (large file size) Leopard create users prior to installation Startup script Functionality and Purpose 7

8 #!/bin/sh sudo dscl localhost -create /Local/Default/Groups/ossec sudo dscl localhost -createprop /Local/Default/Groups/ossec PrimaryGroupID 333 sudo dscl localhost -createprop /Local/Default/Groups/ossec RealName ossec Downloading the files sudo dscl localhost -createprop /Local/Default/Groups/ossec RecordName ossec sudo dscl localhost -createprop /Local/Default/Groups/ossec RecordType: dsrectypestandard:groups sudo dscl localhost -createprop /Local/Default/Groups/ossec Password "* sudo dscl localhost -create /Local/Default/Users/ossec sudo dscl localhost -createprop /Local/Default/Users/ossec RecordName ossec sudo dscl localhost -createprop /Local/Default/Users/ossec RealName "ossec acct sudo dscl localhost -createprop /Local/Default/Users/ossec NFSHomeDirectory /var/ossec sudo dscl localhost -createprop /Local/Default/Users/ossec UniqueID 334 sudo dscl localhost -createprop /Local/Default/Users/ossec PrimaryGroupID 333 Verify your download sudo dscl localhost -createprop /Local/Default/Users/ossec Password "* MD5 2.6 from sudo dscl localhost -create /Local/Default/Users/ossecm sudo dscl localhost -createprop /Local/Default/Users/ossecm RecordName ossecm sudo dscl localhost -createprop /Local/Default/Users/ossecm RealName "ossecm acct sudo dscl localhost -createprop /Local/Default/Users/ossecm NFSHomeDirectory /var/ossec king_security/md5_eternalstormssoftware.html sudo dscl localhost -createprop /Local/Default/Users/ossecm UniqueID 335 sudo dscl localhost -createprop /Local/Default/Users/ossecm PrimaryGroupID 333 sudo dscl localhost -createprop /Local/Default/Users/ossecm Password "* Prepare the System sudo dscl localhost -create /Local/Default/Users/ossecr sudo dscl localhost createprop /Local/Default/Users/ossecr RecordName ossecr sudo dscl localhost -createprop /Local/Default/Users/ossecr RealName "ossecr acct Install Xcode Tools Create users (Leopard) sudo dscl localhost -createprop /Local/Default/Users/ossecr NFSHomeDirectory /var/ossec sudo dscl localhost -createprop /Local/Default/Users/ossecr UniqueID 336 sudo dscl localhost -createprop /Local/Default/Users/ossecr PrimaryGroupID 333 sudo dscl localhost -createprop /Local/Default/Users/ossecr Password "*" Functionality and Purpose 8

9 Uncompress Press Select Use Do The Create Edit not default installation the Enter Local a enable.plist to installation integrity rootkit and file Continue active should extract /Library/LaunchDaemons/net.ossec.plist notification detection check response finish path.tar (/var/ossec) file. daemon without (y) (n) (y) error (y) to Run Input launch./install.sh your OSSEC script at address startup Choose Do not use English default installation smtp server (or the (use language another of server your where choice) you have an account such as spot.colorado.edu) Functionality and Purpose 9

10 Module 1: Getting Started Module 2: Configuration Module 3: Rules Module 4: Syscheck Module 5: Managing the Alerts Functionality and Purpose 10

11 Configuration options in ossec.conf Configuring logging and alerting Reading log files Configuring integrity checking Review Functionality and Purpose 11

12 ossec.conf Global _alerts Rules Syscheck Rootcheck Alerts Localfile Remote Command TODO: show example ossec.conf Active Response Advanced Options Functionality and Purpose 12

13 Granular Rootcheckoptions Syscheck Global Alerts Rules Options alerting options options Option Default Default Default Allowed values values Description _notification _to Include rootkit_files _alert_level Directories Syslog_rules.xml /etc,/usr/bin,/ /etc/shared/ro 7 None Any Yes Any level file directory filename valid with (from no the 1 with or rootkit to file 16) Minimum Enable Add Location Use this rules or recipient option of disable alert files where level to of be the add to read rootkit or send alerts alerting remove by the signatures analysis directories notifications. are server. stored be otkit_files.txt usr/sbin,/bin,/ address(es) rules files namesignatures in the XML They monitored must (they be inside must /var/ossec/rules be comma separated). and be on _to log_alert_level sbin1 None Any Any format level valid (from 1 to 16) Minimum eentry per recipient alert element. level of the to store alertsthe log messages. Level rootkit_trojans /etc/share/root None address(es) A Any file level with (severity) thetrojans Minimum Location of alerting where level the trojan to forward signatures the s are stored check_all Enabled kit_trojans.txt Yes signatures or no Attribute of the directories element. It specifies _from Group None Any group valid (category) The to do alert all source possible that must of integrity alerts match this checks group to be scanall global- No default Yes options used everywhere in the system. address or no Tells forwarded. rootcheck to scan the whole (may check_sum None Yes or no Attribute lead to some of the false directories positives). element. It specifies event_location None Any agent name, ip The alert must match this event location to be smtp_server None Any valid hostname to SMTP use server. the MD5 to check the integrity of the files. frequency _alerts-granular (10 address or log file of Time IP address (in seconds) Frequency forwarded. alerting that the rootcheck options. is going to be check_size None hours) Yes or no Attribute executed of (in the seconds). directories element. It specifies _maxperhour format 12 Full Any Full or number SMS from 1 Specifies the format maximum of the number of (full s for normal to check for size changes in the files. to be disabled no Yes rules- list of rules to 9999 or no Disables files to be sent s included. per or hour. the sms execution It for will reduced). store rootcheck the extra ones and check_owner None Yes or no Attribute send them of together the directories if this number element. is reached. It specifies do_not_delay Net set Set or not set Option to check to for send ownership the changes right away in the (no files. delay) stats do_not_group check_group syscheck- None 8Not set configuration Any Set Yes or level not (from set 0 to related Alerting Option Attribute to level of do to the not for directories the group events syscheck this generated element. (send -It by specifies by the itself). 16) statistical to check for analysis. group changes in the files. integrity check. logall check_perm None No Yes Yes or or no no Attribute States if we of should the directories store all the element. events It received. specifies memory_size 1024 Any size (from 16 to Sets to check the memory for permission size for changes the event in correlation. the files rootcheck-5096) configuration related to the rootcheck - ignore /etc/mtab Any file or directory List of files or directores to be ignored. rootkit detection. white_list frequency 7200 (2 None hours) Time Any IP (in address seconds) or Frequency List of IP addresses that the syscheck that should is going never to be be blocked network by executed the active (in seconds). response (one per element). alerts- and log alerting options. host_information auto_ignore yes 8 Yes Any or level no (from 0 to Specifies Alerting level if syscheck for the will events ignore generated files that by change the host 16) after change the monitor. third change alert_new_files prelude_output no No Yes or no Enables Specifies or if disables syscheckprelude should output. alert on new files created. Functionality and Purpose 13

14 Active-response Database Command Localfile Client output options Remote options Option <command> <active-response> Default Allowed values Description Location Option Muliple Default Any Allowed log file values Specify Description the location of the log to read Server-ip Hostname <name>the <disabled>completely name None (A-Za-Z0-9)</name> disables Any valid active IP address response Specifies IP address "yes"</disabled> the of IP the address database of the server analysis server. Log_format Connection <executable>the <command>the Muliple Secure name command of any Syslog, to command execute or snort-full, secure (A-Za-z0-9.-)</executable> already The Specify created</command> format the type of the of log connection being read. being If the enabled: Serverhostname Username None Any valid IP username address Specifies log has snort-fast, squid, iis, secure Username one entry or the syslog to hostname access the of database the analysis server. <expect>comma <location>location separated to execute list the of arguments command</location> (A-Za-z0-9)</expect> per line, use syslog. Port <timeout_allowed>yes/no</timeout_allowed> <agent_id>id Password 1514 None of an for agent secure (when Any eventlog, any port password using number nmapga defined or Password Specifies agent) the </agent_id> to access port to the listen database for events. Port localfile or 514 for options Any (from apache port 1 to number related 65535) to Specifies the log the port files to send to the be events monitored. (must be the </command> <level>the Database lower Nonelevel to execute Database it (0-9)</level> syslog (from 1 to name 65535) Database same to the name one to used store by the the alerts analysis server). Option <rules_id>comma Type None Description separated list of rules id (0-9)</rules_id> Mysql or postgresql Type of the database Allowed-ips <rules_group>comma remote- None separated configuration Any IP list address of groups or related (A-Za-z0-9)</rules_group> List of to IP addresses remote that connections. are allowed to send syslog Name Used to link the command network to the response. messages to the server (one per element). <timeout>time to block</timeout> </active-response> client- agent related options. Denied-ips None Any IP address or List of IP address that are not allowed to send Executable It must be a file with network exec permissions inside syslog /var/ossec/active-reponse/bin. messages to the server (one per You element). don t Option Description need to provide the whole path Local_ip None Any internal IP Local IP address to listen for connections. Expect Disabled The arguments this command is expecting (options are srcip and username) database_output- Disables active response address if set to yes Database output options. Timeout_allowed Command Location Specifies if this command supports timeout. Used to link the response to the command command- active-response configuration. Where the command should be executed. You have four options. Local: on the agent that generated the event active-response- Server: the OSSEC server active-response configuration. all: or everywhere Other server or agent configuration options Agent_id defined-agent: on a specific agent (set agent_id to use) The ID of the agent to execute the response Level Timeout The response will be executed on any event with this level or higher How long until the reverse command is executed (IP unblocked, for example) Functionality and Purpose 14

15 Alerting with Default address alert or log file level of IP address Default log alert level Configuring Granular Basic Alerts (Global) options alerting Options options Option Default Allowed values values Description _notification _alert_level _to 7 None Any Yes Any level or valid (from no 1 to 16) Minimum Enable or recipient disable alert level of the to send alerts alerting notifications. address(es) log_alert_level _to 1 None Any Any level valid (from 1 to 16) Minimum recipient alert level of the to store alertsthe log messages. Level None address(es) Any level (severity) Minimum alerting level to forward the s <ossec_config> Group None Any group (category) The alert that must match this group to be _from None Any valid source of alerts <global> < _alerts> forwarded. address event_location < _notification>yes</ _notification> < _to>ralphie@colorado.edu</ _to> None Any agent name, ip The alert must match this event location to be smtp_server None Any valid hostname SMTP forwarded. server. < _to>john@colorado.edu</ _to> <group>apache</group> format Full Full or SMS Specifies the format of the (full for normal _maxperhour < _to>pete@colorado.edu</ _to> </ _alerts> 12 Any number from 1 Specifies s or the sms maximum for reduced). number of s to be 9999 sent per hour. It will store the extra ones and do_not_delay < _to>jen@colorado.edu</ _to> Net set Set or not set Option send them to send together the if this right number away is reached. (no delay) <smtp_server>smtpserver.colorado.edu</smtp_server> < _alerts> < _from>ossec-dept@colorado.edu</ _from> < _to>kate@colorado@edu</ _to> < _maxperhour>20</ _maxperhour> <level>10</level> Basic </global> <format>sms</format> Granular </ossec_config> </ _alerts> </ossec_config> do_not_group Not set Set or not set Option to do not group this (send by itself). logall No Yes or no States if we should store all the events received. Example basic alert configuration Example granular alert configuration Functionality and Purpose 15

16 Default monitored log files TODO: show default monitored log files To monitor additional files, use the <localfile></localfile>tag. If you have an application that logs one log entry per line to a file, you can use the syslog log format within the<log_format></log_format> tag. This ensures that the file is properly handled by OSSEC. Functionality and Purpose 16

17 <ossec_config> <syscheck> <frequency>86400</frequency> <directories check_all= yes >/etc,/usr/bin,/usr/sbin</directories> <directories check_all= yes >/bin,/sbin</directories> <ignore>/etc/mtab</ignore> <ignore>/etc/mnttab</ignore> </syscheck> </ossec_config> The integrity checking configuration is separated into three main tags: <frequency>, <directories>, and <ignore> for all operating systems. Default integrity checking configuration Functionality and Purpose 17

18 Internal_options.conf These options are responsible for runtime configurations. Typically used to enable advanced debugging of OSSEC. Any errors within this file may cause OSSEC to not start It not properly configured. It is always good practice to back up your configuration files prior to making changes to them. Functionality and Purpose 18

19 Will you ever have to modify the internal_options.con file? Could the ossec.con file ever get corrupted? What will happen if the ossec.con file is corrupted? What type of information is ed to a person when an alert is triggered? Can you customize the information that is ed? Is the information in the OSSEC alert log encrypted? Functionality and Purpose 19

20 Module 1: Getting Started Module 2: Configuration Module 3: Rules Module 4: Syscheck Module 5: Managing the Alerts Functionality and Purpose 20

21 OSSEC Analysis Process Default OSSEC Rules Predecoding Events Decoding Events Understanding Rules Working with Real World Examples Local rules Functionality and Purpose 21

22 Event Pre-decoding Decoding Rule Matching Alerting Active Response Functionality and Purpose 22

23 /rules directory Over 600 rules upon installation TODO: show rule files Decoders create rules from multiple sources Functionality and Purpose 23

24 Apr :00:01 17:32:06 linux_serversyslogd: sshd[1025]: stopped Accepted [Time :53:55 UTC] [Facility auth] [Sender sshd] Extract static information from well-known Field password [PID 483] [Message for kch from error: PAM: Authentication Description port 1618 failure ssh2 for username from ] [Level 3] [UID -2] [GID -2] fields of an event. Hostname Field [Host mymac] Description Linux_server Program_name Hostname Field Syslogd example Description Linux_server Syslogd Log Program_name Hostname sshd example Stopped Mymac Sshd Log Time/date Program_name ASL sshd example Accepted 13:00:01, Sshd password Apr 13 from port 1618 Log Error: PAM: Authentication Time/date Apr failure 14 for 17:32:06 username from Time/date Dec 28, :53:55 Functionality and Purpose 24

25 TODO: show available decoder options table Extract nonstatic information from events IP address Usernames URLs Ports Available decoder options Functionality and Purpose 25

26 Value Description 00 Ignored - No action taken. Used to avoid false positives. These rules are scanned before all the others. They include events with no security relevance. 01 None - 02 System low priority notification - System notification or status messages. They have no security relevance. 03 Successful/Authorized events - They include successful login attempts, firewall allow events, etc. Atomic Rules 04 System low priority error - Errors related to bad configurations or unused devices/applications. They have no security relevance and are usually caused by default installations or software testing. Composite relevance. Rules Groups Severities and may have some security relevance. 05 User generated error - They include missed passwords, denied actions, etc. By itself they have no security 06 Low relevance attack - They indicate a worm or a virus that have no affect to the system (like code red for apache servers, etc). They also include frequent IDS events and frequent errors. 07 "Bad word" matching. They include words like "bad", "error", etc. These events are most of the time unclassified 08 First time seen - Include first time seen events. First time an IDS event is fired or the first time an user logged in. If you just started using OSSEC HIDS these messages will probably be frequent. After a while they should go away. It also includes security relevant actions (like the starting a sniffer). 09 Error from invalid source - Include attempts to login as an unknown user or from an invalid source. May have security relevance (specially if repeated). They also include errors regarding the "admin" (root) account. 10 Multiple user generated errors - They include multiple bad passwords, multiple failed logins, etc. They may indicate an attack or may just be that a user just forgot his credentials. 11 Integrity checking warning - They include messages regarding the modification of binaries or the presence of rootkits (by rootcheck). If you just modified your system configuration you should be fine regarding the "syscheck" messages. They may indicate a successful attack. Also included IDS events that will be ignored (high number of repetitions). 12 High importancy event - They include error or warning messages from the system, kernel, etc. They may indicate an attack against a specific application. 13 Unusual error (high importance) - Most of the times it matches a common attack pattern. 14 High importance security event. Most of the times done with correlation and it indicates an attack. 15 Severe attack - No chances of false positives. Immediate attention is necessary. Functionality and Purpose 26

27 Increasing the severity level of a rule Tuning rule frequency Ignoring rules Ignoring IP addresses Correlating multiple snort alerts Ignoring identity change events TODO: create real example files Functionality and Purpose 27

28 Where are rules stored on the filesystem? How does an event flow through OSSEC? What are the decoded fields that can be matched? What information can be extracted in the predecoding phase? Can usernames be decoded? How can OSSEC take logs from different log types and predecode them the same way? What is a nonstatic field? Where are decoders configured What tag is used to identify a decoder? Functionality and Purpose 28

29 What is the difference between Atomic and Composite rules? What rule IDs should be used for user created rules? How many rules can be used within a group? How can you increase the severity of a preexisting OSSEC rule? What information should you extract from an application log that OSSEC does not natively read? How can you hide alerts generated by noisy systems? Functionality and Purpose 29

30 Module 1: Getting Started Module 2: Configuration Module 3: Rules Module 4: Syscheck Module 5: Managing the Alerts Functionality and Purpose 30

31 Overview Understanding system integrity check (syscheck) Tuning syscheck Detecting rootkits and enforcing/monitoring policies Functionality and Purpose 31

32 OSSEC scans the system every few hours, or at an interval you specify, and stores the checksums of the monitored files. OSSEC looks for modifications to the checksums by comparing the newly stored checksums against the historical checksum values of the file. By default, OSSEC checks the /etc, /usr/bin, /usr/sbin, /bin, and /sbin directories on Mac OS X systems. Functionality and Purpose 32

33 Check Parameter The default Description syscheck directories: check_all /etc /usr/bin /usr/sbin /bin /sbin check_sum check_size check_owner check_group check_perm Perform all available integrity checks. Use MD5/SHA1 to check the integrity of files. Check files for changes in size. Check files for ownership changes. Check files for group ownership changes. Check files for permission changes. Queries are recursive and files with directories will also be checked <directories check_all= yes >/etc,/usr/bin,/usr/sbin</directories> Directory names are case-sensitive <directories check_all= yes >/bin,/sbin</directores> <frequency>21600</frequency> You may be interested in other directories Default: <syscheck> <ignore>/etc/mtab</ignore> </syscheck> Functionality and Purpose 33

34 Example Ignoring rule for Specific checking private Directories data file Example rule for checking private data file changes on the weekend: Syscheck may alert on directories or files that change legitimately Auto_ignore option <rule id= level= 10 > <if_group>syscheck</if_group> <match>for: /Users/admin/Documents</match> <regex>for: \S+.xls </regex> <description>important document changed.</description> </rule> Increasing the alert severity for important <rule id= level= 12 > files <if_sid>100614</if_sid> <weekday>weekend</weekday> <description>important document changed during the weekend.</description> </rule> Critical files that are not core operating system files (private data) Increasing the severity for changes after business hours or on the weekend Functionality and Purpose 34

35 Detecting application-level rootkits with signatures rootkit_files.txt rootkit_trojans.txt Detecting kernel-level rootkits by observing anomalies Functionality and Purpose 35

36 Read rootkit_files.txt Read rootkit_trojans.txt Scan /dev Scan directories in filesystem specified in <syscheck> Look for hidden processes Look for hidden ports Scan interfaces network interfaces for promisc mode Functionality and Purpose 36

37 Should you install OSSEC on a secure server? How does OSSEC verify the integrity of the files? Which directories are monitored by default? Why should you tune your syscheck configuration? What should you do if you want to ignore a particular alert? What would a rule look like for monitoring changes to a file containing sensitive data? How does OSSEC detect application-level rootkits? What about kernel-level rootkits Functionality and Purpose 37

38 Module 1: Getting Started Module 2: Configuration Module 3: Rules Module 4: Syscheck Module 5: Managing the Alerts Functionality and Purpose 38

39 OSSEC Web User Interface Functionality and Purpose 39