Asset Management

Atomic Enterprise OSSEC (AEO) supports centralized Asset Managent for Agent and Agentless devices.

Overview

  • File Integrity Monitoring

  • Anti-Virus

  • Log Monitoring

  • Scheduled Tasks (Scanning, and Reporting)

1.0 File Integrity Monitoring (FIM)

FIM settings are configurable by host platform (Linux or Windows) and includes a default policy suitable for generic configurations

../../../_images/aeo-fim1.png

1.1 Global Settings

../../../_images/aeo-fim-global.png

1.1.1 Scan Schedule

Declare time and/or day of the week to run static scans. Generally this is used for environments that do not support real-time FIM

1.1.2 Auto-Ignore Frequently Modified

Automatically do not report changes to a file that changes 3 times in succession

1.1.3 Alert on new file creation

Alert when new files are added to the system

1.1.4 Scan on startup

Run a FIM scan when the agent starts

1.2 Watch

Note

Default Windows and Linux profiles are included

../../../_images/aeo-fim-watch.png

1.2.1 Path

Path of the file, or registry key to monitor.

Note

When declaring paths, always use unix style /. Example: C:/exampledirectory

1.2.2 Realtime

Enable realtime detection of changes.

Note

This is safe to enable even if the (legacy) environment does not support real-time detection

1.2.3 Report

Track changes to files made in the enviroment. ASCII file deltas are included in the alert. Files are maintained on the agent in a revisioned directory under /var/ossec/queue/diff or C:/Program Files (x86)/ossec-agent/queue/diff/

Note

This can increase disk space usage

1.2.4 Whodata

Include information on the user that made the change. This option is supported on all modern operating systems

1.2.5 Arch

(Windows Only) Used to limit registry settings to a specific architecture, i386 or x86_64. This option defaults to checking both

1.2.6 Regex restrict

Limit FIM to simple regular expressions. Example: .js$|.css$|.html$

^ -> To specify the beginning of the text.
$ -> To specify the end of the text.
| -> To create an "OR" between multiple patterns.

1.3 Ignore

../../../_images/aeo-fim-ignore.png

1.3.1 Path

Path or simple regular expression to ignore.

^ -> To specify the beginning of the text.
$ -> To specify the end of the text.
| -> To create an "OR" between multiple patterns.

Note

Globbing is not supported at this time

1.3.2 Is Regex

Toggle the field used in Path is a simple regular expression

2.0 Log File Monitoring

AEO can perform IDS monitoring of Log files, windows eventchannels, or processes.

../../../_images/aeo-log-watch.png

2.1 Path

Path to log file, or command to run. This value supports globbing on Linux, and can be combined with the IgnoreBin command to automatically exclude binary files when using the globbing option.

Note

When declaring paths, always use unix style /. Example: C:/exampledirectory

2.2 Format

Format of the log file type to use.

  • apache: Apache format logs

  • audit : Linux Audit logs

  • djb-multilog : Daniel J. Bernstein’s multilog output.

  • command: Used to run commands to generate log streams. Each line is treated as a separate event

    Note

    For security reasons, agents are configured to not accept commands from the server by default.This can be allowed in internal_options.conf

  • eventchannel: (Windows Only) used to declare a windows event channel combined with the Query option

  • eventlog: (Windows Only) legacy windows logging format on Windows XP, 2003 server, etc

  • full_command: Used to run commands to generate log streams. The full output is counted as a single event.

    Note

    For security reasons, agents are configured to not accept commands from the server by default.This can be allowed in internal_options.conf

  • iis: (Windows Only) Microsoft IIS web server

  • multiline: This format type is for log messages consisting of multiple lines. The number of lines used per message should be the same, and the number of lines should be specified

  • mysql_log: Mysql log format

  • nmapg: Nmap’s grepable log format.

  • postgresql_log: Postgresql’s log format

  • snort-fast: Snort’s fast text output format.

  • snort-full: Snort’s full text output format.

  • squid: Squid’s log format

  • syslog: syslog is used for plain text files with one log message per line. The log messages do not have to be in a syslog format.

2.3 Label

Used to add a custom json key->value in alerts.json for log events from this path or command.

2.4 Query

Eventchannel Only, Microsoft Windows eventlog format, using the EventApi. This should allow OSSEC to monitor both Windows eventlogs and the more recent Applications and Services logs.

2.5 Frequency

Used with command and full_command, Specifies the time in seconds between each check.

2.6 Ignore Bin

Used with Path globbing only, this restricts log parsing to ASCII only files.

2.7 Reconnect

Eventchannel only, specifies the time to wait before attempting to re-connect to the windows event channel

3.0 Scheduled Tasks: Malware Scan

The Atomic OSSEC task scheduler can be configured to automatically run scans, or generate reports globally, or at the group level.

Requires

  • Atomic OSSEC agent 4.4.3 and above

  • Clamav installation (available from the hub repo on RHEL/Centos/Rocky/AIX)

Step 1: Configure Scan

../../../_images/configure-scan1.png

4.0 Scheduled Tasks: Malware Report

For scans configured in section 3.0, PDF reports can be generated on a defined schedule.

Requires

  • Scans configured in section 3.0

Step 1: Configure report

../../../_images/configure-report1.png

Step 2: Download Report

Can be found under Reporting->Report History

../../../_images/download-report1.png