How it works

Connection

First of all, agentless monitoring must be enabled:

/var/ossec/bin/ossec-control enable agentless

In order to connect the manager to the device using SSH authentication, the following script should be used: register_host.sh, which is located in: /var/ossec/agentless/ This script has two options: list and add.

Using the list option will list all hosts already included.

/var/ossec/agentless/register_host.sh list

Using the add option will specify a new device to be added to the manager. NOPASS may be entered as the password to use public key authentication rather than using a password. For Cisco devices, such as routers or firewalls, enablepass should be used to specify the enable password.

/var/ossec/agentless/register_host.sh add root@example_address.com example_password [enablepass]

Public key authentication can be used with the following command:

sudo -u ossec ssh-keygen

Once created, the public key must be copied into the remote device.

Monitoring

After devices have been added to the list, the manager must be configured to monitor them. To view additional configuration options for the ossec.conf file, please refer to agentless.

The four types of agentless checks.

BSD Integrity Check

For BSD systems, set the type as ssh_integrity_check_bsd as referenced below. A space-separated list of directories may be referenced in the configuration section using the arguments tag. Using this configuration, Wazuh will do an integrity check on the remote box.

<agentless>
  <type>ssh_integrity_check_bsd</type>
  <frequency>20000</frequency>
  <host>root@test.com</host>
  <state>periodic</state>
  <arguments>/bin /var/</arguments>
</agentless>

Linux Integrity Check

For Linux systems, set the type as ssh_integrity_check_linux as referenced below. A space-separated list of directories may be referenced in the configuration section using the arguments tag. Using this configuration, Wazuh will do an integrity check on the remote box.

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>36000</frequency>
  <host>root@test.com</host>
  <state>periodic</state>
  <arguments>/bin /etc/ /sbin</arguments>
</agentless>

Generic Diff

A set of commands can also be configured to run on a remote device. Wazuh will alert you if the output of those commands changes. In order to use this option, set type as ssh_generic_diff, as shown below.

<agentless>
  <type>ssh_generic_diff</type>
  <frequency>20000</frequency>
  <host>root@test.com</host>
  <state>periodic_diff</state>
  <arguments>ls -la /etc; cat /etc/passwd</arguments>
</agentless>

Note

To use su in a command as an argument, use_su must be set before the hostname. In the previous example, this would appear as: <host>use_su root@example_address.com</host>

Pix config

This option will alert if a Cisco PIX/router configuration changes. Set the type to ssh_pixconfig_diff, as shown below.

<agentless>
  <type>ssh_pixconfig_diff</type>
  <frequency>36000</frequency>
  <host>pix@pix.fw.local</host>
  <state>periodic_diff</state>
</agentless>

Checking the setup

Finally, the expect package must be present on the manager for this feature to work.

When the expect package is present and Wazuh is restarted, the following is shown in the /var/ossec/logs/ossec.log file:

ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_linux'.

When Wazuh has connected to the remote device, the following will be shown in the same log file:

ossec-agentlessd: INFO: ssh_integrity_check_linux: root@example_adress.com: Starting.
ossec-agentlessd: INFO: ssh_integrity_check_linux: root@example_adress.com: Finished.

Alert

Once configured as above, Wazuh alerts will be triggered when changes occur within the directories, configuration or outputs based on the above examples:

Examples of alerts are as follows:

Integrity check BSD/Linux example alert:

** Alert 1486811998.93230: - ossec,syscheck,pci_dss_11.5,
2017 Feb 11 03:19:58 ubuntu->(ssh_integrity_check_linux) root@192.168.1.3->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/.hidden'
Size changed from '0' to '10'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'cc7bd56aba1122d0d5f9c7ef7f96de23'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : 'b570fbdf7d6ad1d1e95ef57b74877926e2cdf196'

File: /etc/.hidden
Old size: 0
New size: 10
New permissions:   1204
New user: 0
New group: 0
Old MD5: d41d8cd98f00b204e9800998ecf8427e
New MD5: cc7bd56aba1122d0d5f9c7ef7f96de23
Old SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
New SHA1: b570fbdf7d6ad1d1e95ef57b74877926e2cdf196

Generic Diff example alert:

** Alert 1486811190.88243: - ossec,syscheck,agentless,pci_dss_11.5,pci_dss_10.6.1,
2017 Feb 11 03:06:30 ubuntu->(ssh_generic_diff) root@192.168.1.3->agentless
Rule: 555 (level 7) -> 'Integrity checksum for agentless device changed.'
ossec: agentless: Change detected:
3c3
< drwxr-xr-x. 77 root root    8192 Feb 27 10:44 .
---
> drwxr-xr-x. 77 root root    8192 Feb 27 10:47 .
176a177
> -rw-r--r--.  1 root root       0 Feb 27 10:47 test