Old 02-04-2010, 10:40 AM   #1
PlatinumX
OSSEC in agent / server mode


Hey all,

I would like to install OSSEC in agent / server mode on a LAN.
I will deploy agent on all PCs, and then the server is able to detect any modification in the filesystem where the agent is running.

However, I am wondering how much information is transferred between the agent and the server?

Does the agent compute SHA1 hash for every file and send it to the server?
Meaning 60 bits for a SHA1 hash, multiplied by the number of files?

Or does the agent send shorter information to the server?

Thanks

Old 02-07-2010, 11:40 PM   #2
saifkhan123
Of course

If you enable all the checks on the server, i.e. file integrity check, rootkit detection, etc., then yes, it sends a large amount of data to the OSSEC server, i.e. hash info about each file on the server.

Make selections of the files to be monitored and review the ossec.conf file accordingly: only put those directories under <directories></directories> in the <syscheck> block which are most important, and put the others in the <ignore></ignore> tag. Also change the frequency of the integrity check as per your needs; the default is set to 86400 (24 hours). An example would be:

The default configuration to monitor a Unix, Linux, or BSD operating system is:

Code:
<ossec_config>
<syscheck>
<frequency>86400</frequency>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
</syscheck>
</ossec_config>
The options which you can use with the <directories> tag are:

Code:
Option        Description
check_all     Perform all available integrity checks
check_sum     Use MD5/SHA1 to check the integrity of files
check_size    Check files for size changes
check_owner   Check files for ownership changes
check_group   Check files for group ownership changes
check_perm    Check files for permission changes
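As an added illustration (not from this thread or the OSSEC project), here is a Python script that reads a <syscheck> block like the one above, applies the check_* attributes and <ignore> prefixes to a constructed directory tree, and estimates how many per-file integrity records one scan produces and roughly how many bytes they add up to. The record field layout is an assumption made for sizing only, not OSSEC's real wire format, and <ignore> entries are treated as path prefixes.

```python
import hashlib, os, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
CHECKS = ("check_sum", "check_size", "check_owner", "check_group", "check_perm")

def parse_syscheck(xml_text):
    """Return ([(directory, {check: bool})], [ignore prefixes]) from an ossec.conf string."""
    sc = ET.fromstring(xml_text).find("syscheck")
    dirs = []
    for d in sc.findall("directories"):
        flags = {c: d.get(c) == "yes" or d.get("check_all") == "yes" for c in CHECKS}  # check_all enables every check
        dirs += [(p.strip(), flags) for p in d.text.split(",")]
    return dirs, [i.text.strip() for i in sc.findall("ignore")]

def file_record(path, flags):
    """Per-file summary line; this field layout is an assumption for sizing, not OSSEC's wire format."""
    st = os.lstat(path)
    data = Path(path).read_bytes()
    fields = [
        (flags["check_size"], str(st.st_size)),
        (flags["check_perm"], oct(st.st_mode & 0o7777)),
        (flags["check_owner"], str(st.st_uid)),
        (flags["check_group"], str(st.st_gid)),
        (flags["check_sum"], hashlib.md5(data).hexdigest() + ":" + hashlib.sha1(data).hexdigest()),
    ]
    return ":".join(v for on, v in fields if on) + " " + path

def estimate_scan(xml_text):
    """Walk the configured directories, skip <ignore> prefixes, return (file count, record bytes)."""
    dirs, ignores = parse_syscheck(xml_text)
    count = total = 0
    for top, flags in dirs:
        for root, _, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if any(path.startswith(i) for i in ignores):
                    continue  # ignored files produce no record at all
                count += 1
                total += len(file_record(path, flags).encode())
    return count, total

def demo():
    """Constructed tree: two monitored files plus an ignored etc/mtab, so the result is (2, bytes)."""
    root = tempfile.mkdtemp()
    for rel, body in (("etc/passwd", b"root:x:0:0\n"), ("bin/ls", b"#!/bin/sh\n"), ("etc/mtab", b"x\n")):
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(body)
    conf = (f'<ossec_config><syscheck><frequency>86400</frequency><directories check_all="yes">'
            f'{root}/etc,{root}/bin</directories><ignore>{root}/etc/mtab</ignore></syscheck></ossec_config>')
    return estimate_scan(conf)
```

Running demo() on the constructed tree shows that trimming <directories> and adding <ignore> entries cuts the per-scan volume directly, since an ignored file contributes no record and a directory with only check_size set contributes no hashes.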

Old 04-29-2010, 03:54 AM   #3
PlatinumX
Original Poster
Thanks for the information.
OSSEC seems to be a good candidate.

A last question: do you know if the connection between agents and the manager is ciphered?

Thanks

Old 04-29-2010, 11:13 PM   #4
saifkhan123
it is encrypted!!

Of course dude, the OSSEC agents are connected to the server via an encrypted and secured connection that runs on UDP port 1514. The server and agents are encrypted (and authenticated) using a symmetric key that is defined on the server and then exported and copied to the agent.
When started, the agents connect and register to the server and send back alerts and log data in an encrypted format.

Old 05-06-2010, 10:12 AM   #5
PlatinumX
Original Poster

Thanks !