<h1>agentless monitoring of linux servers from ossec</h1>
<p>published 2012-07-22, last modified 2012-10-06: <a href="https://kudzia.eu/b/2012/07/agentless-monitoring-of-linux-servers-from-ossec/">https://kudzia.eu/b/2012/07/agentless-monitoring-of-linux-servers-from-ossec/</a></p>
<p>we've been poking around <a href="http://www.ossec.net/">ossec</a> for a while. it's nice and all but... i never liked the idea of opening additional ports on the production server or letting it 'call home' with alerts to the central monitoring machine. i prefer the 'polling' model, where the central server connects to the monitored nodes. ideally all of it should be done via ssh to avoid opening additional ports, and ideally there should be no need to install additional software on the monitored machines. with ossec's agent-less mode and a bit of custom scripting it's actually possible.</p>
<p><b>disclaimer – [pseudo]security measures described below can be circumvented. a proper file system integrity check should be done offline, otherwise you risk not detecting threats that modify the running kernel to hide their own existence and their file system modifications.</b></p>
<p>ossec provides <a href="http://www.ossec.net/doc/manual/agent/agentless-scripts.html#agentless-script-ssh-integrity-check-linux">this script</a> as a simple example of agent-less monitoring of a linux server's file system; a good starting point, but the script:</p>
<ul>
<li>does not provide the ability to filter some files or directories out of the check. for instance i'd like to inspect /etc/ except /etc/lvm/* and /etc/mtab, since those two change every time i make an lvm-level snapshot, which happens during every nightly backup. way too many warnings.</li>
<li>occasionally times out on a high latency/low bandwidth connection between europe and asia. i did not manage to find the actual cause of the problem, although i suspect <a href="http://expect.sourceforge.net/">expect</a>: replacing the expect-based remote execution mechanism with plain ssh resolved the intermittent problems where the script was receiving 'cut-in-half' responses.</li>
</ul>
<p>so here's my improved version of the ossec agent-less script for monitoring remote linux servers via ssh. it should be saved as ~ossec/agentless/ssh_integrity_check_linux2:</p>
<pre class="brush: bash; title: ; notranslate" title="">
#!/bin/bash
# agent-less integrity check; ossec runs it as: script root@someHost "paths" "exclude-regex"
function handle {
        echo "ERROR: an error has occurred"
        exit 1
}

set -e
trap handle ERR

# ossec calls every agentless script with "test test" to verify that it runs
if [ "$1" == "test" ] &amp;&amp; [ "$2" == "test" ] ; then
        exit 0
fi

echo "INFO: Starting."
echo "STORE: now"

# an empty exclude regex would make 'egrep -v' drop every file, so fall back to
# a pattern that only matches empty lines
exclude="${3:-^\$}"

# everything below runs on the remote host; '$2' and '$exclude' are spliced in locally
params='
 echo "INFO: starting file system checks";
 echo "----- starting file system checks -----";
 IFS=$'"'"'\n'"'"';
 for i in `find '$2' -type f| egrep -v "'$exclude'"` ; do
        echo -n `md5sum "$i"| cut -d " " -f 1`;
        echo -n `sha1sum "$i"| cut -d " " -f 1`;
        stat --printf "%s:%a:%u:%g" "$i";
        echo "$i" ;
 done;
'
ssh "$1" "$params"
echo "INFO: Finished."
exit 0
</pre>
<p>this script calculates the checksums, permissions and sizes of the files in the selected directories and reports them back to the ossec server, excluding the specified file system branches from the check. to make ossec monitor the selected host with this script [and notify about any changes in the remote file system] add to ossec.conf:</p>
<pre class="brush: plain; title: ; notranslate" title="">
  &lt;agentless&gt;
    &lt;type&gt;ssh_integrity_check_linux2&lt;/type&gt;
    &lt;frequency&gt;1800&lt;/frequency&gt;
    &lt;host&gt;root@someHost&lt;/host&gt;
    &lt;state&gt;periodic_diff&lt;/state&gt;
    &lt;!-- arguments passed to the script.
     * first - implicit, passed by ossec: root@someHost
     * second - set of paths that should be monitored, all together enclosed in quotes.
     * third - regular expression telling which files/directories should be excluded. leave it empty "" if all should be included.
     --&gt;
    &lt;arguments&gt;"/etc/ /boot /bin /sbin /usr/sbin /usr/local/bin /usr/bin" "/etc/lvm|/etc/mtab"&lt;/arguments&gt;
  &lt;/agentless&gt;
</pre>
<p>you'll need to configure ssh public/private key authentication so that ossec's user can log in as root@someHost using its private key.</p>
<p>you can extend that script and also monitor changes in the output of some other checks – for instance, just after <i>done;</i> you can add:</p>
<pre class="brush: bash; title: ; notranslate" title="">
 echo "INFO: lsmod";
 echo "----- lsmod -----";
 lsmod|sort|grep -v dm_snapshot|awk "{print \$1\" \"\$2}";
 echo "INFO: debsums";
 echo "----- debsums -----";
 debsums -s 2&gt;&amp;1|grep -v "missing file /usr/share/doc/";
 # rkhunter, unhide and other tools might follow
</pre>