Getting started with agentless monitoring
Enable agentless monitoring on the OSSEC server:
/var/ossec/bin/ossec-control enable agentless
Register each host you want to monitor, together with the SSH credentials used to reach it. For Cisco devices (PIX, routers, etc.), you need to provide an additional parameter holding the enable password. The same applies if you want to use "su" after logging in: the su password must be the additional parameter. In this example, I am adding a Linux box (example.net) and a PIX firewall (pix.fw.local); lines starting with * are the script's output:

    /var/ossec/agentless/register_host.sh add root@example.net mypass1
    *Host root@example.net added.

    /var/ossec/agentless/register_host.sh add pix@pix.fw.local pixpass enablepass
    *Host pix@pix.fw.local added.

    /var/ossec/agentless/register_host.sh list
    *Available hosts:
    root@example.net
    pix@pix.fw.local
register_host.sh is a shell script, so special characters in a password (such as $, *, ! or spaces) must be quoted or escaped, or the shell will interpret them. The credentials are stored on the OSSEC server, so where the device supports it, prefer public key authentication: provide NOPASS as the password and create a key pair for the ossec user:
sudo -u ossec ssh-keygen
It will create the key pair inside /var/ossec/.ssh. After that, copy the generated public key to the remote host and append it to the authorized_keys file of the account you registered; the passwordless connection should then work.
Once agentless is enabled and the devices are registered, configure OSSEC to monitor them.
Edit /var/ossec/etc/ossec.conf and add an <agentless> block after the <syscheck></syscheck> stanza, one block per device, as in the example below. The frequency is in seconds, so 36000 runs the check every ten hours:

    <agentless>
      <type>ssh_integrity_check_linux</type>
      <frequency>36000</frequency>
      <host>root@example.net</host>
      <state>periodic</state>                 <!-- states are listed below -->
      <arguments>/bin /etc/ /sbin</arguments> <!-- directories to monitor -->
    </agentless>
Available types:
ssh_integrity_check_bsd - give a list of directories in <arguments> and OSSEC will run an integrity check of them on the remote BSD box
ssh_integrity_check_linux - give a list of directories in <arguments> and OSSEC will run an integrity check of them on the remote Linux box
ssh_generic_diff - give a set of commands to run on the remote box and OSSEC will alert when their output changes
ssh_pixconfig_diff - will alert when a Cisco PIX/router configuration changes
Available states:
periodic_diff - the script's output is passed to the OSSEC agentless process, which compares it with the output of past runs and generates an alert if there are differences; this is the state used with the *_diff types
periodic - the script outputs controlled messages to the OSSEC agentless process, which processes them accordingly; this is the state used with the ssh_integrity_check_* types
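As an added example (not taken from the OSSEC documentation itself), here are the two *_diff types paired with the periodic_diff state, using the two hosts registered above. The commands in <arguments> and the frequencies are illustrative choices, not defaults:

```xml
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>20000</frequency>
  <host>root@example.net</host>
  <state>periodic_diff</state>
  <!-- commands run on the remote box; their combined output is diffed against the previous run -->
  <arguments>ls -la /etc; cat /etc/resolv.conf</arguments>
</agentless>

<agentless>
  <type>ssh_pixconfig_diff</type>
  <frequency>20000</frequency>
  <host>pix@pix.fw.local</host>
  <state>periodic_diff</state>
  <!-- no arguments needed: the script retrieves the running configuration itself -->
</agentless>
```

Because the whole command output is compared, anything that legitimately changes between runs (timestamps, counters, uptime) will generate an alert; pick commands whose output is stable, or filter it, as in the ls listing above rather than a verbose status dump.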
Restart OSSEC to apply the changes:
systemctl restart ossec-hids
Example of an alert generated by ssh_generic_diff when the listing of a monitored directory changes (here the modification time of hosts.deny):

    ** OSSEC HIDS Notification.
    2008 Dec 12 01:58:30

    Received From: (ssh_generic_diff) root@example.net->agentless
    Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed."
    Portion of the log(s):

    ossec: agentless: Change detected:
    35c35
    < -rw-r--r--  1 root  wheel    34 Dec 10 03:55 hosts.deny
    --
    > -rw-r--r--  1 root  wheel    34 Dec 11 18:23 hosts.deny

    --END OF NOTIFICATION
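To make concrete what periodic_diff does between two runs, here is an added example that is not part of OSSEC: a small POSIX shell model of the store-and-compare cycle behind ssh_generic_diff. OSSEC's own script logs in over ssh with expect and it is the server that raises rule 555; here the command runs locally, list_dir stands in for a remote "ls -la /etc", and STATE_DIR, diff_check and the sample files are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: a local model of the periodic_diff
# cycle used by ssh_generic_diff. The real script runs the configured
# commands over ssh; here the command runs locally so the demo is
# self-contained. STATE_DIR is an assumed path, not an OSSEC one.

STATE_DIR="${STATE_DIR:-${TMPDIR:-/tmp}/agentless-diff-demo}"

# Stand-in for a remote command such as "ls -la /etc": mode, size and name
# only, so the demo is not sensitive to mtimes or to the "total N" line.
list_dir() {
    ls -l "$1" | awk 'NF >= 9 { print $1, $5, $NF }'
}

# diff_check LABEL COMMAND [ARGS...]
# Runs COMMAND, keeps its output as $STATE_DIR/LABEL and compares it with
# the output kept from the previous run.
#   first run        -> baseline stored, returns 0
#   identical output -> returns 0
#   different output -> prints the diff with the prefix ossec-agentlessd
#                       logs (the text rule 555 matches), adopts the new
#                       output as the next baseline and returns 1
diff_check() {
    label=$1; shift
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/$label"
    curr="$STATE_DIR/$label.new"
    "$@" > "$curr" 2>&1

    if [ ! -f "$prev" ]; then
        mv "$curr" "$prev"
        echo "$label: baseline stored"
        return 0
    fi

    if diff "$prev" "$curr" > "$STATE_DIR/$label.diff"; then
        rm -f "$curr" "$STATE_DIR/$label.diff"
        echo "$label: no change"
        return 0
    fi

    echo "ossec: agentless: Change detected:"
    cat "$STATE_DIR/$label.diff"
    mv "$curr" "$prev"              # changed output becomes the new baseline
    rm -f "$STATE_DIR/$label.diff"
    return 1
}

# Demo on constructed data: a fake /etc whose hosts.deny grows between runs.
demo() {
    fake_etc=$(mktemp -d)
    printf 'ALL: ALL\n' > "$fake_etc/hosts.deny"
    printf 'sshd: 10.0.0.0/8\n' > "$fake_etc/hosts.allow"

    diff_check etc_listing list_dir "$fake_etc" || echo "unexpected change"
    diff_check etc_listing list_dir "$fake_etc" || echo "unexpected change"
    printf 'sshd: 203.0.113.5\n' >> "$fake_etc/hosts.deny"
    if diff_check etc_listing list_dir "$fake_etc"; then
        echo "change missed"
    else
        echo "alert would fire (rule 555)"
    fi
    rm -rf "$fake_etc" "$STATE_DIR"
}

demo
```

Run it with sh: the third diff_check call prints a 2c2 hunk in the same format as the alert above and returns 1, and because the changed output is then kept as the baseline, the following run reports no change rather than alerting again on every interval.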