We often get customers that prefer to use OSSEC as an endpoint detection, FIM agent. Regardless of what SIEM is in place, a lot of them have OSSEC integration. Alienvault in particular also has the ability to fully integrate and control OSSEC agents. Regardless if you are using OSSEC on a SIEM, standalone, or another method – the biggest pain for mass deployment in an organization is the ability to automatically provision agents. The way OSSEC works is by first installing OSSEC as a server, then deploying the agents. The agents require a key from the server in order to pair appropriately to the server to transmit logs.
This becomes problematic in large organizations, especially in Windows environments. There were half baked solutions solely for Linux, but nothing that we found for Windows. We decided to fix that problem. Introducing Auto-OSSEC – a way to completely automatic the installation process for OSSEC for large deployments. The way it works is by creating an AES protocol that listens on port 9654 (ports can be changed). There is a server script that runs on the OSSEC server itself. Would highly suggest putting this into an initial startup script and using something like watchdog to ensure that the process is always running.
Once the server is listening on port 9654, on the endpoint machines, you install OSSEC normally (can be done through a traditional MSI silent install). Then call the auto_ossec.py or auto_ossec.exe with the server IP address that has the auto_server.py running. Example:
You have a server on 192.168.5.10
You install OSSEC on endpointA.
You now need to run: auto_ossec.exe 192.168.179.10
Output from the server which automatically pairs (this is whats seen on interactive on server side):
Client connected with (‘192.168.170.165’, 50662)
[*] Provisioned new key for hostname: STRONGHOLD-WIN8 with IP of: 192.168.170.165
[*] Sending new key to 192.168.170.165: 8zlUouJ7yVOvt06Er8yx1zTchy5VQklfovu4SXW3GX7X8gH5tPIZ1104wvleQoZmJ9Hod++ByQtgNSLrQV7Z7rsRZLhCS9hFxPwRTZu6JC80EUXJ4yuTqFPHf9L2QuDjelP0yUvFFExf0xm7czlmDVH6/VKRdms1nL8+mwC9S81aZ0IOGpZuIMbIwiyeVxyBpctCk0Qd5CHoVZaKpAWTtA==
Pairing complete. Terminating connection to client.
Auto-OSSEC works for both Linux and for Windows – it is also compatible with AlienVault, standalone OSSEC installs, and more.
Once this runs, it will automatically generate a new certificate on the server, automatically pair the two, install the certificate and restart the OSSEC servers for immediate communications.
This can all be automated through mass deployment scripts used by enterprises for example through SCCM or through other automation methods.
We are open sourcing auto-ossec and can be found at our github page here:
Auto-OSSEC was written by Dave Kennedy – Founder and CTO at BDS.