How it works
First of all, agentless monitoring must be enabled:
# /var/ossec/bin/ossec-control enable agentless
To connect the manager to a device over SSH, use the register_host.sh script, located in /var/ossec/agentless/. This script has two options:
list lists all hosts that have already been registered:
# /var/ossec/agentless/register_host.sh list
add registers a new device with the manager.
Enter NOPASS as the password to use public key authentication instead of a password. For Cisco devices, such as routers or firewalls, the optional enablepass argument specifies the enable password:
# /var/ossec/agentless/register_host.sh add root@example_address.com example_password [enablepass]
Public key authentication can be used with the following command:
# sudo -u ossec ssh-keygen
Once created, the public key must be copied to the remote device.
After devices have been added to the list, the manager must be configured to monitor them. For the additional configuration options available in the ossec.conf file, refer to agentless.
There are four types of agentless checks:
BSD Integrity Check
For BSD systems, set the type to ssh_integrity_check_bsd as shown below. A space-separated list of directories may be given in the arguments tag of the configuration section. With this configuration, Wazuh performs an integrity check on the remote box.
<agentless>
    <type>ssh_integrity_check_bsd</type>
    <frequency>20000</frequency>
    <host>firstname.lastname@example.org</host>
    <state>periodic</state>
    <arguments>/bin /var/</arguments>
</agentless>
Linux Integrity Check
For Linux systems, set the type to ssh_integrity_check_linux as shown below. A space-separated list of directories may be given in the arguments tag of the configuration section. With this configuration, Wazuh performs an integrity check on the remote box.
<agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>36000</frequency>
    <host>email@example.com</host>
    <state>periodic</state>
    <arguments>/bin /etc/ /sbin</arguments>
</agentless>
A set of commands can also be configured to run on a remote device. Wazuh alerts you if the output of those commands changes. To use this option, set the type to ssh_generic_diff, as shown below.
<agentless>
    <type>ssh_generic_diff</type>
    <frequency>20000</frequency>
    <host>firstname.lastname@example.org</host>
    <state>periodic_diff</state>
    <arguments>ls -la /etc; cat /etc/passwd</arguments>
</agentless>
To use su in a command given as an argument, use_su must be set before the hostname. In the previous example, the host tag would then read use_su firstname.lastname@example.org.
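The change detection behind ssh_generic_diff, as an added example that is not part of the Wazuh documentation or code base: it keeps the last captured output per host and, when a later capture differs, renders the differences in the ed-style notation (3c3, 176a177) that the rule 555 alert later on this page uses. The sample command output, the host key and the baseline-refresh behaviour are constructed assumptions of the example; a real check captures the output over SSH.

```python
"""Added example (not Wazuh's own code): how a periodic_diff check turns two
captures of a command's output into the ed-style hunks that Wazuh embeds in
its 'Change detected' alerts."""
from __future__ import annotations

import difflib

# Constructed sample output of `ls -la /etc; cat /etc/passwd`, trimmed, as
# captured on two consecutive runs. Between runs a file 'test' was created,
# which also bumps the directory's own modification time.
BASELINE_OUTPUT = """\
total 1234
drwxr-xr-x. 77 root root 8192 Feb 27 10:44 .
drwxr-xr-x. 23 root root 4096 Feb 20 09:01 ..
-rw-r--r--. 1 root root 1234 Jan 10 12:00 passwd
root:x:0:0:root:/root:/bin/bash
"""
CURRENT_OUTPUT = """\
total 1234
drwxr-xr-x. 77 root root 8192 Feb 27 10:47 .
drwxr-xr-x. 23 root root 4096 Feb 20 09:01 ..
-rw-r--r--. 1 root root 1234 Jan 10 12:00 passwd
-rw-r--r--. 1 root root 0 Feb 27 10:47 test
root:x:0:0:root:/root:/bin/bash
"""


def _rng(start: int, end: int) -> str:
    """1-indexed inclusive line range in diff notation: '3' or '3,5'."""
    return str(start) if start == end else f"{start},{end}"


def ed_diff(old: str, new: str) -> list[str]:
    """Hunks of `new` versus `old` in classic diff notation (3c3, 176a177,
    5d4), the format shown in the rule 555 alert on this page."""
    a, b = old.splitlines(), new.splitlines()
    hunks: list[str] = []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "replace":
            hunks.append(f"{_rng(i1 + 1, i2)}c{_rng(j1 + 1, j2)}")
            hunks.extend(f"< {line}" for line in a[i1:i2])
            hunks.append("---")
            hunks.extend(f"> {line}" for line in b[j1:j2])
        elif tag == "delete":
            # old lines i1+1..i2 are gone; they used to follow new line j1
            hunks.append(f"{_rng(i1 + 1, i2)}d{j1}")
            hunks.extend(f"< {line}" for line in a[i1:i2])
        elif tag == "insert":
            # new lines j1+1..j2 were added after old line i1
            hunks.append(f"{i1}a{_rng(j1 + 1, j2)}")
            hunks.extend(f"> {line}" for line in b[j1:j2])
    return hunks


def run_periodic_diff(state: dict[str, str], host: str, output: str) -> list[str] | None:
    """One cycle of a periodic_diff check for `host`. The first capture only
    seeds the baseline; later captures return the changed hunks, or None when
    nothing changed. Refreshing the stored baseline after a change is an
    assumption of this model, so one change produces one alert."""
    previous = state.get(host)
    state[host] = output
    if previous is None or previous == output:
        return None
    return ed_diff(previous, output)


if __name__ == "__main__":
    baselines: dict[str, str] = {}
    run_periodic_diff(baselines, "firstname.lastname@example.org", BASELINE_OUTPUT)
    for hunk in run_periodic_diff(baselines, "firstname.lastname@example.org", CURRENT_OUTPUT) or []:
        print(hunk)
```

Note that the directory's own entry changes whenever a file is added or removed, so a single new file yields two hunks, exactly as in the page's alert; a generic diff on a busy directory will therefore fire more often than the file list alone suggests.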
This option alerts if a Cisco PIX/router configuration changes. Set the type to ssh_pixconfig_diff, as shown below.
<agentless>
    <type>ssh_pixconfig_diff</type>
    <frequency>36000</frequency>
    <host>email@example.com</host>
    <state>periodic_diff</state>
</agentless>
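An added example, not from the Wazuh project, that builds and lints agentless blocks for the four check types above. It assumes the type/state pairing used in the page's examples (integrity checks with periodic, the two diff checks with periodic_diff), that every type except ssh_pixconfig_diff carries an arguments tag, and that use_su is written as a prefix inside the host tag; the function names are the example's own.

```python
"""Added example (not Wazuh's own code): build and sanity-check <agentless>
blocks for the four check types described on this page."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# State each check type is paired with in the page's examples. Treating that
# pairing as a rule is an assumption of this example.
CHECK_STATES = {
    "ssh_integrity_check_bsd": "periodic",
    "ssh_integrity_check_linux": "periodic",
    "ssh_generic_diff": "periodic_diff",
    "ssh_pixconfig_diff": "periodic_diff",
}
# Assumption: only the PIX config diff runs without an <arguments> tag.
NEEDS_ARGUMENTS = {t for t in CHECK_STATES if t != "ssh_pixconfig_diff"}


def validate_check(check_type: str, host: str, frequency: int,
                   arguments: str | None, state: str | None = None) -> list[str]:
    """Return a list of problems; empty when the block looks sound."""
    problems: list[str] = []
    if check_type not in CHECK_STATES:
        problems.append(f"unknown type {check_type!r}")
    elif state is not None and state != CHECK_STATES[check_type]:
        problems.append(f"{check_type} expects state {CHECK_STATES[check_type]!r}, got {state!r}")
    if check_type in NEEDS_ARGUMENTS and not arguments:
        problems.append(f"{check_type} needs <arguments>")
    if check_type == "ssh_pixconfig_diff" and arguments:
        problems.append("ssh_pixconfig_diff takes no <arguments>")
    words = host.split()  # an optional 'use_su' prefix precedes user@address
    if not words or "@" not in words[-1]:
        problems.append(f"host {host!r} is not user@address")
    if frequency <= 0:
        problems.append(f"frequency must be a positive integer, got {frequency!r}")
    return problems


def agentless_block(check_type: str, host: str, frequency: int,
                    arguments: str | None = None, use_su: bool = False) -> str:
    """Serialize one <agentless> block. `use_su` prefixes the host with
    'use_su ', as the page requires for commands that run through su."""
    problems = validate_check(check_type, host, frequency, arguments)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element("agentless")
    ET.SubElement(root, "type").text = check_type
    ET.SubElement(root, "frequency").text = str(frequency)
    ET.SubElement(root, "host").text = f"use_su {host}" if use_su else host
    ET.SubElement(root, "state").text = CHECK_STATES[check_type]
    if arguments:
        ET.SubElement(root, "arguments").text = arguments
    return ET.tostring(root, encoding="unicode")


def lint_config(xml_text: str) -> list[str]:
    """Lint every <agentless> block in an ossec.conf fragment."""
    root = ET.fromstring(f"<root>{xml_text}</root>")
    findings: list[str] = []
    for n, block in enumerate(root.iter("agentless"), start=1):
        text = {tag: (block.findtext(tag) or "").strip()
                for tag in ("type", "host", "frequency", "arguments", "state")}
        freq = int(text["frequency"]) if text["frequency"].isdigit() else 0
        for problem in validate_check(text["type"], text["host"], freq,
                                      text["arguments"], text["state"] or None):
            findings.append(f"block {n}: {problem}")
    return findings


if __name__ == "__main__":
    print(agentless_block("ssh_generic_diff", "firstname.lastname@example.org", 20000,
                          "ls -la /etc; cat /etc/passwd", use_su=True))
    print(lint_config("<agentless><type>ssh_integrity_check_linux</type>"
                      "<frequency>36000</frequency><host>email@example.com</host>"
                      "<state>periodic_diff</state></agentless>"))
```

Running lint_config over the agentless blocks of an existing ossec.conf before restarting the manager catches the two mistakes that are easiest to make when copying the examples: a diff state on an integrity check, and a missing arguments tag.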
Checking the setup
The expect package must be present on the manager for this feature to work. Once the expect package is installed and Wazuh has been restarted, the following line is written to the manager log:
ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_linux'.
When Wazuh has connected to the remote device, the following lines are shown in the same log file:
ossec-agentlessd: INFO: ssh_integrity_check_linux: root@example_adress.com: Starting.
ossec-agentlessd: INFO: ssh_integrity_check_linux: root@example_adress.com: Finished.
Once configured as above, Wazuh alerts are triggered when changes occur within the monitored directories, configuration or command outputs. Examples of alerts follow.
Integrity check BSD/Linux example alert:
** Alert 1486811998.93230: - ossec,syscheck,pci_dss_11.5,
2017 Feb 11 03:19:58 ubuntu->(ssh_integrity_check_linux) firstname.lastname@example.org->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/.hidden'
Size changed from '0' to '10'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'cc7bd56aba1122d0d5f9c7ef7f96de23'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : 'b570fbdf7d6ad1d1e95ef57b74877926e2cdf196'
File: /etc/.hidden
Old size: 0
New size: 10
New permissions: 1204
New user: 0
New group: 0
Old MD5: d41d8cd98f00b204e9800998ecf8427e
New MD5: cc7bd56aba1122d0d5f9c7ef7f96de23
Old SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
New SHA1: b570fbdf7d6ad1d1e95ef57b74877926e2cdf196
Generic Diff example alert:
** Alert 1486811190.88243: - ossec,syscheck,agentless,pci_dss_11.5,pci_dss_10.6.1,
2017 Feb 11 03:06:30 ubuntu->(ssh_generic_diff) email@example.com->agentless
Rule: 555 (level 7) -> 'Integrity checksum for agentless device changed.'
ossec: agentless: Change detected:
3c3
< drwxr-xr-x. 77 root root 8192 Feb 27 10:44 .
---
> drwxr-xr-x. 77 root root 8192 Feb 27 10:47 .
176a177
> -rw-r--r--. 1 root root 0 Feb 27 10:47 test
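An added example (not Wazuh code) that parses the two alert formats above into structured fields: the header, the origin line, the rule, the key/value lines of an integrity alert and the diff hunks of a generic diff alert. The sample alerts are the ones from this page; the regular expressions and helper names are the example's own assumptions about the layout.

```python
"""Added example (not Wazuh's own code): parse the agentless alerts shown on
this page into fields that a SIEM or ticketing integration can act on."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample alerts copied from this page (rule 550 and rule 555).
INTEGRITY_ALERT = """\
** Alert 1486811998.93230: - ossec,syscheck,pci_dss_11.5,
2017 Feb 11 03:19:58 ubuntu->(ssh_integrity_check_linux) firstname.lastname@example.org->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/.hidden'
Size changed from '0' to '10'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'cc7bd56aba1122d0d5f9c7ef7f96de23'
File: /etc/.hidden
Old size: 0
New size: 10
New permissions: 1204
Old MD5: d41d8cd98f00b204e9800998ecf8427e
New MD5: cc7bd56aba1122d0d5f9c7ef7f96de23
Old SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
New SHA1: b570fbdf7d6ad1d1e95ef57b74877926e2cdf196
"""
GENERIC_DIFF_ALERT = """\
** Alert 1486811190.88243: - ossec,syscheck,agentless,pci_dss_11.5,pci_dss_10.6.1,
2017 Feb 11 03:06:30 ubuntu->(ssh_generic_diff) email@example.com->agentless
Rule: 555 (level 7) -> 'Integrity checksum for agentless device changed.'
ossec: agentless: Change detected:
3c3
< drwxr-xr-x. 77 root root 8192 Feb 27 10:44 .
---
> drwxr-xr-x. 77 root root 8192 Feb 27 10:47 .
176a177
> -rw-r--r--. 1 root root 0 Feb 27 10:47 test
"""

# Layout assumptions for the three fixed leading lines of every alert.
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+): - (?P<groups>[\w.,]+)$")
ORIGIN_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<manager>\S+)->"
                       r"\((?P<check>\w+)\) (?P<host>\S+)->(?P<location>\w+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Key/value lines that the integrity alert appends ("Old MD5: ...").
FIELD_RE = re.compile(r"^(File|Old size|New size|New permissions|New user|New group|"
                      r"Old MD5|New MD5|Old SHA1|New SHA1): (.+)$")


@dataclass
class AgentlessAlert:
    alert_id: str
    groups: list[str]
    timestamp: str
    manager: str
    check_type: str
    host: str
    rule_id: int
    level: int
    description: str
    fields: dict[str, str] = field(default_factory=dict)  # integrity key/values
    diff: list[str] = field(default_factory=list)         # ed-style hunk lines


def parse_alert(text: str) -> AgentlessAlert:
    lines = text.strip().splitlines()
    if len(lines) < 3:
        raise ValueError("alert needs header, origin and rule lines")
    head, origin, rule = (r.match(l) for r, l in zip((HEADER_RE, ORIGIN_RE, RULE_RE), lines))
    if not (head and origin and rule):
        raise ValueError("unrecognised alert layout")
    alert = AgentlessAlert(
        alert_id=head["id"], groups=[g for g in head["groups"].split(",") if g],
        timestamp=origin["ts"], manager=origin["manager"],
        check_type=origin["check"], host=origin["host"],
        rule_id=int(rule["id"]), level=int(rule["level"]), description=rule["desc"])
    in_diff = False
    for line in lines[3:]:
        if line.endswith("Change detected:"):
            in_diff = True  # everything after this marker is diff output
        elif in_diff:
            alert.diff.append(line)
        else:
            m = FIELD_RE.match(line)
            if m:
                alert.fields[m.group(1)] = m.group(2)
    return alert


def added_lines(alert: AgentlessAlert) -> list[str]:
    """Lines that appeared in a generic diff: the '> ' entries of the hunks."""
    return [l[2:] for l in alert.diff if l.startswith("> ")]


def hash_change(alert: AgentlessAlert) -> tuple[str, str, str] | None:
    """(file, old MD5, new MD5) for an integrity alert, None for other alerts."""
    try:
        return alert.fields["File"], alert.fields["Old MD5"], alert.fields["New MD5"]
    except KeyError:
        return None
```

The origin line carries the check type in parentheses and the registered user@host after it, so these two fields, rather than the manager name in front, are what identify the monitored device when routing the alert.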