These are the slides of my presentation at the ISSA Brussels-European Chapter about OSSEC and Log Management standards and principles.
OSSEC: Log and event management the open source way ...
Introduction
• Me (thx 4 the nice intro, maltego me)
• Bull (not the bovine kind ...)
• Eurotrash information security podcast
• Brucon, Excaliburcon, FOSDEM, ...
Agenda
• Logging 101 (what, how, why, ...)
• OSSEC technical overview
• break
• OSSEC installation and configuration
• OSSEC rules
• OSSEC event management
Logging : what ?
• Users
• Systems
• Network
• Databases
• Applications
• .....
Logging: from ?
Firewalls, VPN, IDS/IPS, routers, switches, ...
Servers, workstations, virtualisation, UPS, ...
anti-malware, applications, databases, ...
Logging : Why ?
• System Monitoring (performance, management, troubleshooting, ...)
• Compliance (regulatory, audit, internal policy, ...)
• Incident Handling, Forensics, ...
Compliance: PCI DSS
6.4. Follow change control procedures for all changes to system components
10. Track and monitor all access to network resources and cardholder data.
12. Maintain a policy that addresses information security for all employees and contractors
The Problem
• There is NO standard !!
• There is NO guidance !!
• There is NO Consistency !!
Babel be thy name
We need to agree upon...
• Format: what does a log message look like?
• Content: what do we put in a log message?
• Transport: how do we send it?
• Guidelines: how do we approach logging? (e.g. NIST 800-92)
It’s time for a standard !
not Syslog
• RFC 3164 (08/2001) : BSD Syslog Protocol
• It uses UDP
• It’s a garbage bin
• it’s a non-standard standard
Syslog Hell !
• Jun 11 03:06:38 (none) login[3432] : ROOT LOGIN on `tty1`
• Jan 19 22:52:56 LT1 gdm-session-worker[1659]: pam_unix(gdm:session): session opened for user wim by (uid=0)
• Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim(uid=1000)
Syslog Hell !!
• <57> Jan 10 12:10:34:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:frodo] [Source:192.168.10.254] [localport:23] at ...
• <13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...
Can I continue ?
• Jan 19 20:12:56 LT1 mycrappyapp[3526]: I’m the awesome programmer behind this crappy app and since you asked me to log something I’ve chosen to use syslog to dump all this meaningless events in here so you will still have to call and pay me to get the bugs that I left in there because I was surfing the internet instead of working for you solved. Eat that! And BTW, my app crashed for no apparent reason. kthxbai !
I promise to stop
• Feb 24 15:10:24 server transact[5402]: user geoff transferred 500 dollars using credit card # XXX
• Apr 1 10:14:28 server MEDIC [6420]: user kathy logged in to module patient using password selma1970
Then what ?
• IDMEF (by IETF)
• XML based
• Complex
• Not widely adopted
• Academic
• WELF (by Webtrends)
• Proprietary
• didn’t scale
NEXT !
• CBE (by IBM)
• also XML based
• IBM didn’t even use it !
The future ?
Event Taxonomy
Standard terminology
Log Syntax
Consistent data elements and format
Log Transport
Standard communications mechanisms
Log Recommendations
Suggested events to log
OSSEC
Definition
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time
alerting and active response.
SIEM (commercial)
Key Facts
• 2005
• Daniel Cid
• Third Brigade
• TrendMicro
Install Modes
• Local
• Single Client
• Windows, AIX, Solaris, HP-UX, Linux
• Server
• Central Logging Point (250 clients/server)
• AIX, Solaris, HP-UX, Linux
• Client
• Reports to server
• Windows, AIX, Solaris, HP-UX, Linux
Architecture (three diagrams, not recoverable as text: syslog sources, virtualisation hosts, and a SIEM placed around the OSSEC server)
OSSEC Components (diagram)
• Agent: logcollector
• Server: ossec-analysisd, ossec-maild, ossec-execd
• Agent to server transport: zlib compressed, blowfish encrypted, UDP 1514
Time for a break
ossec-analysisd
Predecoding
Decoding
Analysis
Predecoding
• Feb 24 10:12:23 beijing appdaemon:stopped
time/date: Feb 24 10:12:23
Hostname: beijing
Program_name: appdaemon
Log: stopped
Predecoding
• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
time/date: Feb 25 12:00:47
Hostname: beijing
Program_name: appdaemon
Log: user john logged on from 10.10.10.10
Decoding
• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
time/date: Feb 25 12:00:47
Hostname: beijing
Program_name: appdaemon
Log: user john logged on from 10.10.10.10
srcip: 10.10.10.10
user: john
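The slides show which fields decoding extracts (srcip, user) but not the decoder that extracts them. The following is an added example, not from the slides: OSSEC decoders for the appdaemon messages above, written for a local decoder file such as /var/ossec/etc/local_decoder.xml. The wording of the failed-login message is an assumption.

```xml
<!-- Added example, not from the slides: decoders for the appdaemon sample
     messages, e.g. placed in /var/ossec/etc/local_decoder.xml. -->

<!-- Parent decoder: matches the predecoded program_name so that rules can
     use <decoded_as>appdaemon</decoded_as> (rule 666 on the slides). -->
<decoder name="appdaemon">
  <program_name>^appdaemon</program_name>
</decoder>

<!-- Child decoder: extracts user and srcip from
     "user john logged on from 10.10.10.10". The regex starts right after
     the prematch, so it sees "john logged on from 10.10.10.10". -->
<decoder name="appdaemon-logon">
  <parent>appdaemon</parent>
  <prematch>^user </prematch>
  <regex offset="after_prematch">^(\S+) logged on from (\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- Child decoder for the failed-login case matched by rule 1066. The message
     text "login failed for user X from IP" is assumed; srcip must be decoded
     here or rule 1166's <same_source_ip /> and the host-deny response
     (<expect>srcip</expect>) have nothing to work with. -->
<decoder name="appdaemon-failed">
  <parent>appdaemon</parent>
  <prematch>^login failed </prematch>
  <regex offset="after_prematch">^for user (\S+) from (\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>
```

Feed a sample line to /var/ossec/bin/ossec-logtest to confirm that the parent decoder is selected and that user and srcip appear in the decoded output before relying on them in rules.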
Analysis
<rule id="666" level="0">
  <decoded_as>appdaemon</decoded_as>
  <description>appdaemon rule</description>
</rule>
<rule id="766" level="5">
  <if_sid>666</if_sid>
  <match>^logged on</match>
  <description>successful logon</description>
</rule>
Analysis
<rule id="866" level="7">
  <if_sid>766</if_sid>
  <hostname>^beijing</hostname>
  <srcip>!192.168.10.0/24</srcip>
  <description>unauthorized logon!</description>
</rule>
<rule id="966" level="13">
  <if_sid>766</if_sid>
  <hostname>^shanghai</hostname>
  <user>!john</user>
  <description>unauthorised logon !</description>
</rule>
Analysis (rule tree)
666
└ 766
  ├ 866
  └ 966
Analysis
<rule id="1066" level="7">
  <if_sid>666</if_sid>
  <match>^login failed</match>
  <description>failed login !</description>
</rule>
<rule id="1166" level="9" frequency="10" timeframe="100">
  <if_matched_sid>1066</if_matched_sid>
  <same_source_ip />
  <description>Probable Brute Force !</description>
</rule>
Analysis (rule tree)
666
├ 766
│ ├ 866
│ └ 966
└ 1066
  └ 1166
ossec.conf: active response
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <!-- references the command defined above by its name -->
  <command>host-deny</command>
  <location>local</location>
  <rules_id>1166</rules_id>
  <timeout>600</timeout>
</active-response>
ossec.conf: syscheck
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  ...
</syscheck>
ossec.conf: rootcheck
<rootcheck>
  <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
ossec.conf: varia
<alerts>
  <log_alert_level>1</log_alert_level>
</alerts>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure.log</location>
</localfile>
<ossec_config>
  <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    ...
  </rules>
</ossec_config>
Management
/var/ossec/bin/ossec-control stop|start|restart
manage_agents (server): manage agent keys
manage_agents (client): import key
Management
agent_control -lc
agent_control -i [id]
agent_control -R [id]
agent_control -r -a
agent_control -r -u [id]
Management
syscheck_control -lc
syscheck_control -i [id]
syscheck_control -i [id] -f [file]
Centralized Management
/var/ossec/etc/shared/agent.conf
• distributed to all agents
• specify config per client id
• specify config per OS
• pushed by server
• same syntax as ossec.conf
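As an added example (not from the slides) of the per-client and per-OS selection that agent.conf allows: the agent name web01 and the log locations are assumptions, chosen only to illustrate the mechanism.

```xml
<!-- Added example, not from the slides: /var/ossec/etc/shared/agent.conf.
     Each agent_config block applies only to the agents its attributes
     select; the agent name and paths below are made up for illustration. -->

<!-- Applies to all Linux agents: the same syscheck settings the slides
     show in ossec.conf, now pushed by the server instead of edited per host. -->
<agent_config os="Linux">
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</agent_config>

<!-- Applies only to the agent registered with manage_agents as "web01":
     collect its web server access log in addition to the defaults. -->
<agent_config name="web01">
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</agent_config>

<!-- Applies only to Windows agents: read the Security event log. -->
<agent_config os="Windows">
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
</agent_config>
```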
Rolling out: Deploy → Monitor → Analyze → Customize
Thank you
[email protected]
+32 495 58 59 12
http://www.twitter.com/[email protected](itunes)
http://www.ossec.net
http://www.slideshare.net/anton_chuvakin