download issue 24 here - Help Net Security
How can you learn about your environment and how to protect it in a cost-effective manner, enable your organization to respond to incidents when they happen, and satisfy auditors? In my opinion, OSSEC is a good answer to that question.

I found out about OSSEC while I was searching the web for log management advice. Back in those days, we had to do a lot of things by ourselves. Apparently Daniel Cid had been encountering the same problems I was, because he decided to do something about it. He developed OSSEC, and released it as open source - which it still is today.

You may notice that the rules are defined in .xml files. It is incredibly easy to create your own rules or modify existing rules to fit your requirements. As long as you are somewhat familiar with regular expressions - for XML and the application you're creating rules for - there is basically no limit to what you can do with OSSEC.
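As an added example (not from the article and not part of the OSSEC project's own rule base), the following decoder and rule set shows what such a custom .xml rule looks like for a hypothetical application called myapp. Everything here is constructed: the program name, the assumed syslog line format ("myapp[1234]: login failed for user bob from 203.0.113.7"), the rule ids 100100-100103 (chosen from the 100000-119999 range OSSEC reserves for local rules) and the thresholds. The decoder belongs in etc/local_decoder.xml (or etc/decoder.xml on releases without a local decoder file), the rules in etc/rules/local_rules.xml.

```xml
<!-- ===== decoder (etc/local_decoder.xml) =====
     Parent decoder: claims every syslog line whose program name is "myapp".
     The name "myapp" and the log format below are constructed for this example. -->
<decoder name="myapp">
  <program_name>^myapp</program_name>
</decoder>

<!-- Child decoder: pulls the user name and source IP out of failed logins so
     that rules can refer to them as <user> and <srcip>. OSSEC's own regex
     dialect is used here (\S = non-space, \d = digit, ^ and $ anchor the line). -->
<decoder name="myapp-login-failed">
  <parent>myapp</parent>
  <prematch>^login failed</prematch>
  <regex>^login failed for user (\S+) from (\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- ===== rules (etc/rules/local_rules.xml) ===== -->
<group name="local,myapp,">

  <!-- Top-level rule: every event that the "myapp" decoder claimed.
       Level 0 means it never alerts on its own; it only gives the child
       rules below something to hang off via <if_sid>. -->
  <rule id="100100" level="0">
    <decoded_as>myapp</decoded_as>
    <description>myapp messages grouped.</description>
  </rule>

  <!-- A single failed login: low level, logged but not worth paging anyone. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>login failed for user</match>
    <description>myapp: failed login.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation rule: 6 or more failed logins from the same source IP
       within 120 seconds (frequency/timeframe are attributes, not children). -->
  <rule id="100102" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>myapp: multiple failed logins from the same source IP.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Exception rule using a regex on the decoded user field: failures by the
       constructed "monitor" account (an assumed health checker) are downgraded
       to level 0 so they do not show up as alerts. -->
  <rule id="100103" level="0">
    <if_sid>100101</if_sid>
    <user>^monitor$</user>
    <description>myapp: failed login by the monitoring account, ignored.</description>
  </rule>

</group>
```

Before restarting OSSEC, feed a sample line to /var/ossec/bin/ossec-logtest: it prints which decoder claimed the line, which fields it extracted and which rule fired, so a mistake in the regex or in a rule id is caught before the rules go live.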
Interpret any log, on/from any system

OSSEC's current version is 2.3 and the client runs on Windows, Linux, AIX, Solaris and HP-UX. The server runs on Linux, AIX, Solaris and HP-UX. Additionally, OSSEC can even monitor systems on which you cannot install the software for whichever reason.

The built-in rule base is pretty impressive. Alongside log rules for open source solutions like Apache, MySQL, sendmail and squid, there is also an impressive number of rules for commercial solutions such as several AV engines, firewalls, networking products and MS Exchange.

The OSSEC architecture

In this article, I'm assuming a client/server installation, since all but one daemon are present in both the client/server and the standalone installation. OSSEC is designed to run several daemons, all assigned limited and specific tasks. All but one run in a chroot. Let's introduce them:

Analysisd runs in a chroot as the user ossec and does all the analysis. In a standalone installation this process obviously runs on the client, but in the client/server setup it runs only on the server. The direct benefit is that the resource-intensive analysis of events is executed by the server, which is usually dedicated to doing just that. This leaves the resources craved by your application untouched.
www.insecuremag.com 58