Scripts for managing OSSEC deployments

OSSEC is an excellent product, but like most products, there are ways to improve them or get a little bit more out of them. Below is a list of scripts I have written that will help simplify the deployment of OSSEC and its agents as a standalone product. Most of this is automated with the Alienvault USM/OSSIM products, but these products provide an all-in-one solution. I do not find these to be a suitable approach for all/any situations but may be extremely suitable if you only need to tick off a box on audit and regulatory requirements for little $$. My approach is to identify best of breed and best product for the business based on business needs and requirements. OSSEC provides an extremely good HIDS, yet it does lack a few "enterprise" features, these scripts attempt to address some of these issues.

Registering Windows OSSEC agents remotely

These two came about due to the lack of support/build for authd on Windows systems. Authd allows for ossec agents to register with the OSSEC server without having to manually provide the agent key on the agent. populate-machine-key.pl
#!/usr/bin/perl -w
use strict;
use warnings;

my @lines = qx|/var/ossec/bin/manage_agents -l|;

foreach my $l ( @lines ) {
    chomp($l);

    my @ll = split(/ /, $l, 8);

    next if not defined $ll[4];
    next if $ll[4] !~ /,/;

    $ll[4] =~ s/,//g;
    $ll[6] =~ s/,//g;

    my @k = qx|/var/ossec/bin/manage_agents -e $ll[4]|;
    chomp($k[2]);
    print "$ll[6],$k[2]n";
}
psexec-commands.pl
#!/usr/bin/perl -w
use warnings;
use strict;

my $psexec = 'C:pstoolspsexec.exe';

my %machines;

my $manage_agents = 'C:Program Files (x86)ossec-agentmanage_agents.exe';
my $manage_flags = "-i";

$#ARGV == 0 or die "Usage: $0 filen";

open(FILE, $ARGV[0]) or die "Could not open %ARGV[0]: $!n";

while(<FILE>) {
  chomp;
  my ($m, $k) = split(/,/, $_, 2);

  print $psexec;
  print " \$m ";
  print ""$manage_agents" ";
  print ""$manage_flags $k"";
  print "n";
};
close(FILE);

Alert on agents with different shared/agent.conf

ossec-config-check.pl
#!/usr/bin/perl -w
use strict;
use warnings;

my $ac = "/var/ossec/bin/agent_control";

# get the agent config checksum
my $agentsum = (split(/ /, qx(md5sum /var/ossec/etc/shared/agent.conf), 2))[0];
chomp($agentsum);
# get the agent list
my @agents = qx($ac -lcs);

my $i = 0;
foreach my $a (@agents) {
 chomp($a);
 my $id = (split(/,/, $a))[0];
 my $machine = (split(/,/, $a))[1];
 $machine = "" if not defined $machine;

 qx($ac -R $id) if defined $id;

 if( defined $id and $id ne "na") {
 next if $id eq '000';
 my $junk = qx($ac -R $id);
# sleep(15);
 my $details = qx($ac -i $id);
 # restart the agents for shits and giggles... hopefully next checkin all will be good
 qx($ac -R $id);
 my $cd = (split(/n/, $details))[8];
 $cd =~ s/s+/ /g;

 my $idsum = (split(/ /, $cd))[7];
 if(not defined $idsum or (defined $idsum and ($idsum ne $agentsum))) {
 print "Current checksum of shared/agent.conf: $agentsumnnNon-compliant hosts below:n" if $i == 0;
 $i = 1;
 defined $idsum ? print "$id:$machine - $idsumn" : print "$id:$machine - n";
 }
 }
}

The rest...

The rest of the work to do sits around setting up rules based on your environment and perhaps making all alerts searchable. I've done this by using Logstash, Apache Solr, and LucidWorks Banana. The hardest part here was setting up logstash.conf with all of the log format variations for both OSSEC alerts.log and archive.log (if you log everything, useful for forensics). I didn't use Elasticsearch because I couldn't get the same performance as Solr on the exact same machine - ES simply could not keep up with the messages whereas Solr has no problems. My todo list consists of:
  1. Monitoring machine logins and alert when shared accounts are used (e.g. root)
  2. Integrate with real-time anti-virus/ant-malware software and alert/correlate events.
  3. Create a script to report disconnected machines:
    1. Parse output of './agent_control -l | grep -i Disco | sed 's/,//g' | awk '{ print "./agent_control -i", $2}' | sh'
    2. This gives full agent details, including "Last keep alive" which would be useful in a report.
    3. Perhaps make this an OSSEC internal alert.
  4. Use OSSEC to alert on machines (Linux?) missing critical updates.
    1. Useful where centralised patch management is missing













If you're interested in further details, contact me.