Agentless

Getting started with agentless monitoring

  1. Enable agentless monitoring:

/var/ossec/bin/ossec-control enable agentless

  2. Provide the SSH credentials for the host you want to access. For Cisco devices (PIX, routers, etc.), you must supply the enable password as an additional parameter. The same applies if you want to add support for "su": its password goes in the additional parameter. In this example, I am adding a Linux box (example.net) and a PIX firewall (pix.fw.local):

/var/ossec/agentless/register_host.sh add root@example.net mypass1
Host root@example.net added.

/var/ossec/agentless/register_host.sh add pix@pix.fw.local pixpass enablepass
Host pix@pix.fw.local added.

/var/ossec/agentless/register_host.sh list
Available hosts:

pix@pix.fw.local
root@example.net

Note

register_host.sh is a shell script, so special characters may need to be escaped to keep the shell from interpreting them. If you want to use public key authentication instead of a password, provide NOPASS as the password and create the key pair:

sudo -u ossec ssh-keygen

This creates the key pair inside /var/ossec/.ssh. After that, copy the public key to the remote box with scp and the passwordless connection should work.

Configuring agentless

Once agentless is enabled and the agentless devices are added, configure OSSEC to monitor the devices.

  1. Open your ossec.conf file:

vim /var/ossec/etc/ossec.conf

  2. Modify ossec.conf after the <syscheck></syscheck> stanza to add agentless monitoring, as in the example below:

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>36000</frequency>
  <host>root@example.net</host>
  <state>periodic</state>                   <!-- states are listed below -->
  <arguments>/bin /etc/ /sbin</arguments>   <!-- directories to monitor -->
</agentless>

Agentless Types:

ssh_integrity_check_bsd - give a list of directories in the configuration and OSSEC will do the integrity checking of them on the remote box

ssh_integrity_check_linux - give a list of directories in the configuration and OSSEC will do the integrity checking of them on the remote box

ssh_generic_diff - give a set of commands to run on the remote box and OSSEC will alert when their output changes

ssh_pixconfig_diff - alerts when a Cisco PIX/router configuration changes

States:

periodic_diff - scripts output data to the OSSEC agentless process, which compares it to past runs; if there are differences, an OSSEC alert is generated.

periodic - scripts output controlled messages to the OSSEC agentless process, which processes them accordingly.

  3. Restart ossec-hids to apply the changes:

systemctl restart ossec-hids

Example of an alert that may be generated by ssh_generic_diff:

OSSEC HIDS Notification.
2008 Dec 12 01:58:30
Received From: (ssh_generic_diff) root@example.net->agentless
Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed."
Portion of the log(s):
ossec: agentless: Change detected:
35c35
< -rw-r-r- 1 root wheel 34 Dec 10 03:55 hosts.deny
--
> -rw-r-r- 1 root wheel 34 Dec 11 18:23 hosts.deny
-END OF NOTIFICATION
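For triage or routing of these notifications, the parser below splits an agentless alert of the form shown above into its header fields and the "<" (previous run) / ">" (current run) diff lines. It is an added example, not OSSEC project code; the changed_files helper is hypothetical and assumes the monitored command produced ls -l style output.

```python
import re
# Sample alert taken from the ssh_generic_diff example on this page,
# with the surrounding formatting asterisks removed.
SAMPLE_ALERT = """OSSEC HIDS Notification.
2008 Dec 12 01:58:30
Received From: (ssh_generic_diff) root@example.net->agentless
Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed."
Portion of the log(s):
ossec: agentless: Change detected:
35c35
< -rw-r-r- 1 root wheel 34 Dec 10 03:55 hosts.deny
--
> -rw-r-r- 1 root wheel 34 Dec 11 18:23 hosts.deny
-END OF NOTIFICATION"""

TIMESTAMP_RE = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d$")
RECEIVED_RE = re.compile(r"^Received From: \((?P<type>[^)]+)\) (?P<host>\S+)->agentless$")
RULE_RE = re.compile(r'^Rule: (?P<id>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>.*)"$')

def parse_agentless_alert(text):
    """Return the header fields plus the '<' (previous run) and '>' (current run) diff lines."""
    alert = {"timestamp": "", "type": "", "host": "", "rule_id": 0, "level": 0,
             "description": "", "removed": [], "added": []}
    in_diff = False
    for line in text.splitlines():
        line = line.strip()
        if in_diff:
            if line.startswith("-END OF NOTIFICATION"):
                break
            if line.startswith("< "):          # output line from the previous run
                alert["removed"].append(line[2:])
            elif line.startswith("> "):        # output line from the current run
                alert["added"].append(line[2:])
            continue                           # hunk headers ("35c35") and "--" are skipped
        rec, rule = RECEIVED_RE.match(line), RULE_RE.match(line)
        if TIMESTAMP_RE.match(line):
            alert["timestamp"] = line
        elif rec:                              # agentless type and the registered user@host
            alert["type"], alert["host"] = rec["type"], rec["host"]
        elif rule:
            alert["rule_id"], alert["level"] = int(rule["id"]), int(rule["level"])
            alert["description"] = rule["desc"]
        elif line.endswith("Change detected:"):
            in_diff = True                     # everything after this line is diff output
    return alert

def changed_files(alert):
    """Hypothetical helper: file names from ls -l style diff lines (assumes the command was ls -l)."""
    return {ln.split()[-1] for ln in alert["removed"] + alert["added"] if ln.split()}
```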