Tag Archive for 'Security'

OSSEC Upgrade 2.2

For those not in the know, OSSEC is an absolutely wonderful tool for monitoring the security of servers and systems. It includes automated responses, email alerting, and a fairly robust set of baseline rules. In addition, rules can be custom written, like this set I did for TitanFTP.

Version 2.2 has been released recently. I suppose it is time to do the OSSEC upgrade. The 2.1 and 2.2 releases include a number of needed enhancements as follows:

1. Centralized configuration management
2. Remote agent restart
3. Real-time integrity checking
4. New log rules
5. WordPress monitoring

I am mainly interested in items 1 through 3. I’ve had some issues with the integrity scan affecting performance during production hours so hopefully these changes will assist with that.

After installing the new version, I wanted to check out the impact that the integrity checks had on performance. I set up a test server and a test Windows client.

From the Linux-based OSSEC server:

root@prd-001-hids:/var/ossec/bin# ./agent_control

OSSEC HIDS agent_control: Control remote agents.
Available options:
-h          This help message.
-l          List available (active or not) agents.
-lc         List active agents.
-i <id>     Extracts information from an agent.
-R <id>     Restarts agent.
-r -a       Runs the integrity/rootkit checking on all agents now.
-r -u <id>  Runs the integrity/rootkit checking on one agent now.

-b <ip>     Blocks the specified ip address.
-f <ar>     Used with -b, specifies which response to run.
-L          List available active responses.
-s          Changes the output to CSV (comma delimited).
root@prd-001-hids:/var/ossec/bin# ./agent_control -r -a

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on all agents.root@prd-001-hids:/var/ossec/bin#

I noted on the OSSEC client that there was a bit of a hit on performance during integrity scanning; however, it does not seem to be as bad as in previous versions.

Terminal Services Dictionary on Ubuntu

apt-get remove rdesktop

apt-get install openssl libssl-dev libx11-dev

Get the source for version 1.5.0 from www.rdesktop.org

Get the patch http://www.foofus.net/jmk/rdesktop.html

tar -xzvf rdesktop-1.5.0.tar.gz

cd rdesktop-1.5.0/
patch -p1 -i rdp-brute-force-r805.diff
make install

Brute-force attack using password file:

rdesktop -u administrator -p passwords.txt

OVAL – Windows Script – Database

Working on a way to periodically scan my systems for known security problems using the OVAL security definitions.

I downloaded the client and copied it to my systems using something I have dubbed the Poor Man’s Systems Administration Kit (PSAM) and another job scheduling program called Visual Cron.

There are two scripts. One is run locally on the system being scanned for security configuration weaknesses from the OVAL definitions. The other is a script to process the resulting HTML files generated by the ovaldi.exe program shipped with OVAL.

For the scripts to work, you will first need to set up a DSN referenced by the script. The database behind the DSN holds the results of the scans. Here is the code for the database / table on Microsoft SQL Server.

The first script is run locally and dumps the results of the ovaldi scan into a common folder repository on a central server.

The next script is a VBScript that processes the directory containing the OVAL HTML output files.

Please note that the script needs to be run using cscript.exe from \windows\syswow64 on 64-bit machines. This took me almost a whole day to figure out! You’ll also need to set up the DSN using the odbcad32.exe utility from syswow64.

Here is the OVAL HTML output processing script.
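As an added example (not the author's VBScript), the same processing step in Python: it parses the OVAL results XML that ovaldi writes alongside its HTML report and stores one row per definition in a database, using sqlite3 in place of the author's SQL Server DSN. The namespace URIs are the OVAL 5 schema namespaces; the sample results file, hostname and table layout are constructed for this example.

```python
import sqlite3
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"}

# Constructed sample shaped like an ovaldi results file; not output of a real scan.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
   <definition id="oval:example:def:1" version="1" class="vulnerability">
    <metadata><title>Example vulnerability check</title></metadata></definition>
   <definition id="oval:example:def:2" version="1" class="compliance">
    <metadata><title>Example compliance check</title></metadata></definition>
 </definitions></oval_definitions>
 <results><system>
  <definitions><definition definition_id="oval:example:def:1" version="1" result="true"/>
   <definition definition_id="oval:example:def:2" version="1" result="false"/></definitions>
  <oval_system_characteristics xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5">
   <system_info><primary_host_name>host01</primary_host_name></system_info>
  </oval_system_characteristics>
 </system></results>
</oval_results>"""

def parse_results(xml_text):
    """Return (hostname, [(definition_id, class, title, result), ...])."""
    root = ET.fromstring(xml_text)
    # Class and title live in the embedded definitions; results are listed per system.
    meta = {}
    for d in root.findall(".//def:definitions/def:definition", NS):
        title = d.findtext("def:metadata/def:title", default="", namespaces=NS)
        meta[d.get("id")] = (d.get("class", ""), title)
    host = root.findtext(".//sc:primary_host_name", default="unknown", namespaces=NS)
    rows = []
    for r in root.findall(".//res:system/res:definitions/res:definition", NS):
        cls, title = meta.get(r.get("definition_id"), ("", ""))
        rows.append((r.get("definition_id"), cls, title, r.get("result")))
    return host, rows

def store_results(host, rows, db_path=":memory:"):
    """Insert rows; return how many vulnerability definitions evaluated 'true' (weakness present)."""
    conn = sqlite3.connect(db_path)  # sqlite3 stands in for the SQL Server DSN
    conn.execute("CREATE TABLE IF NOT EXISTS oval_results (host TEXT, "
                 "definition_id TEXT, class TEXT, title TEXT, result TEXT)")
    conn.executemany("INSERT INTO oval_results VALUES (?,?,?,?,?)",
                     [(host,) + row for row in rows])
    conn.commit()
    hits = conn.execute("SELECT COUNT(*) FROM oval_results WHERE host=? AND "
                        "class='vulnerability' AND result='true'", (host,)).fetchone()[0]
    conn.close()
    return hits
```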