From OSSEC Wiki
Understanding the Windows policy Monitoring on OSSEC
- by Daniel Cid
The Windows policy monitor allows you to verify that all your systems conform to a set of policies regarding
configuration settings and application usage. The policies are configured centrally on the OSSEC server
and pushed down to the agents.
With the Windows policy monitoring, you can get alerts like the following (detecting Skype and Yahoo):
2007 Jul 22 17:42:57 Rule Id: 514 level: 2 Location: (winhome) 192.168.2.190->rootcheck Windows application monitor event. -- Application Found: Chat/IM - Yahoo.
2007 Jul 22 17:42:57 Rule Id: 514 level: 2 Location: (winhome) 192.168.2.190->rootcheck Windows application monitor event. -- Application Found: Chat/IM/VoIP - Skype.
And compliance alerts like the following:
2007 Jul 23 13:44:54 Rule Id: 512 level: 3 Location: (winhome) 192.168.2.190->rootcheck Windows Audit event. -- Windows Audit: Null sessions allowed.
2007 Jul 23 13:44:54 Rule Id: 512 level: 3 Location: (winhome) 192.168.2.190->rootcheck Windows Audit event. -- Windows Audit: LM authentication allowed (weak passwords).
The Windows policy monitoring is composed of three files in the /var/ossec/etc/shared directory:
- win_applications_rcl.txt
- win_audit_rcl.txt
- win_malware_rcl.txt
Whenever you modify any of them, your changes are pushed to all your agents.
Receiving Audit and Application alerts via Email
By default, both the policy auditing and application checks are logged at level "3", so you will not
receive any e-mail alerts with the default configuration.
If you wish to receive e-mail alerts for either (or both) of the two types of events, you need to create
local rules with a higher severity or with the "alert_by_email" option set.
More information on local rules here.
Example1: Sending e-mail for every Audit event
Add to your local_rules.xml the following:
<rule id="512" level="9" overwrite="yes">
  <if_sid>510</if_sid>
  <match>^Windows Audit</match>
  <description>Windows Audit event.</description>
  <group>rootcheck,</group>
</rule>
Example2: Sending e-mail for every application found
Add to your local_rules.xml the following:
<rule id="514" level="2" overwrite="yes">
  <if_sid>510</if_sid>
  <match>^Application Found</match>
  <options>alert_by_email</options>
  <description>Windows application monitor event.</description>
  <group>rootcheck,</group>
</rule>
Listing Applications per Agent
OSSEC generates an entry in the rootcheck directory for every application that it is configured to
look for and that it finds on the agent.
To list all the ones found, go to /var/ossec/queue/rootcheck and look at the file that carries the
name of the agent you are interested in.
For example, to look at all applications found at the "winhome" agent, do:
# cd /var/ossec/queue/rootcheck
# cat *winhome* | grep "Application Found"
!1185284872!1185209094 Application Found: Chat/IM/VoIP - Skype.
!1185284872!1185209094 Application Found: Chat/IM - Yahoo.
!1185284872!1185209094 Application Found: Chat/IM - MSN. Reference: http://www.msn.com .
To look at all agents with "Chat" applications, do:
# cd /var/ossec/queue/rootcheck
# grep "Application Found" * | grep Chat
(win64-1) 192.168.2.0->rootcheck:!1185305126!1185148006 Application Found: Chat/IM - MSN. Reference: http://www.msn.com .
(winhome) 192.168.2.190->rootcheck:!1185284872!1185209094 Application Found: Chat/IM/VoIP - Skype.
(winhome) 192.168.2.190->rootcheck:!1185284872!1185209094 Application Found: Chat/IM - Yahoo.
(winhome) 192.168.2.190->rootcheck:!1185284872!1185209094 Application Found: Chat/IM - MSN. Reference: http://www.msn.com .
Format of policy files
These files have a very simple format. They always start with:
#[Entry name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
#   - f (for file or directory)
#   - r (registry entry)
#   - p (process running)
#
# Additional values:
# For the registry, use "->" to look for a specific entry and another
# "->" to look for the value.
# For files, use "->" to look for a specific value in the file.
#
# Values can be preceded by:
#   =: (for equal) - default
#   r: (for ossec regexes)
#   >: (for strcmp greater)
#   <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).
What does that mean? The first line of every check is always the information about the check you are doing.
It can be the application name or the audit check. It is followed by the conditional "any" or "all",
which states whether any or all of the entries that follow must match, and is sometimes followed by a reference.
Look at the examples below to understand it better.
Skype Example
Learning with examples is always easy.
In plain English, the check below means: if any of these entries is found, alert as if Skype is installed.
[Chat/IM/VoIP - Skype] [any] []
f:\Program Files\Skype\Phone;
f:\Documents and Settings\All Users\Documents\My Skype Pictures;
f:\Documents and Settings\Skype;
f:\Documents and Settings\All Users\Start Menu\Programs\Skype;
r:HKLM\SOFTWARE\Skype;
r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
p:Skype.exe;
Auditing - Null sessions Example
In this second example (from the win_audit file), a policy alert is generated if
the following registry entry has a value of zero.
[Null sessions allowed] [any] []
r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
Writing new Application or Audit Signatures
Before you write any new signature, you must first understand its format, so go back up and take a look at it.
Once you understand it, you can easily expand the official signatures released with OSSEC to fit your
environment's needs.
Example One - Making sure a process is running
For example, let's say that in your company everyone must have the process SecurityMyComp.exe running
and the directory C:\SecApp present. If you add the following rules to win_audit_rcl.txt you
will receive alerts whenever that is not the case:
[Policy Violation - SecurityMyComp not running] [any] []
p:!SecurityMyComp.exe;
[Policy Violation - SecApp Dir not present] [any] []
f:!\SecApp;
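To make the policy-file format, the Skype and null-sessions checks, and the negated signatures above concrete, here is a small parser and evaluator for these files, written as an added example for this page (not OSSEC's own rootcheck code). It handles the header line, the f/r/p entry types, "!" negation, the registry "->" chain, the value prefixes and " && "; the host state it checks against is a constructed dictionary, and file-content checks ("->" on an f: entry) are left out.

```python
import re
# Constructed policy text in the win_*_rcl.txt format; the entries are the page's own examples.
POLICY = r"""[Chat/IM/VoIP - Skype] [any] []
f:\Program Files\Skype\Phone;
r:HKLM\SOFTWARE\Skype;
p:Skype.exe;
[Null sessions allowed] [any] []
r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;
[Policy Violation - SecurityMyComp not running] [any] []
p:!SecurityMyComp.exe;"""
HEADER = re.compile(r'^\[(.+?)\]\s*\[(any|all)\]\s*\[(.*?)\]$')

def parse_policy(text):
    """Return [(name, mode, reference, [(type, negated, target, arrow_parts)])]."""
    checks = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):
            continue                      # blank lines and the '#' header comments
        if m := HEADER.match(line):
            checks.append((m.group(1), m.group(2), m.group(3), []))
            continue
        etype, _, rest = line.rstrip(';').partition(':')
        parts = [p.strip() for p in rest.lstrip('!').split('->')]
        checks[-1][3].append((etype, rest.startswith('!'), parts[0], parts[1:]))
    return checks

def value_matches(pattern, actual):
    """Value prefixes: =: (default), r: regex, >: and <: strcmp; ' && ' parts must all match."""
    ops = {'=': str.__eq__, '>': str.__gt__, '<': str.__lt__,
           'r': lambda a, v: re.search(v, a) is not None}
    return all(ops[p[0]](actual, p[2:]) if p[1:2] == ':' and p[0] in ops else actual == p
               for p in pattern.split(' && '))

def evaluate(check, state):
    """state: {'files': set, 'procs': set, 'registry': {key: {entry: value}}}; '!' = must be absent."""
    results = []
    for etype, negated, target, extra in check[3]:
        if etype in ('f', 'p'):
            hit = target in state['files' if etype == 'f' else 'procs']
        else:                             # 'r': key [-> entry [-> expected value]]
            key = state['registry'].get(target)
            hit = key is not None and (not extra or extra[0] in key and
                  (len(extra) < 2 or value_matches(extra[1], key[extra[0]])))
        results.append(hit != negated)
    return any(results) if check[1] == 'any' else all(results)

# Constructed host state: Skype files present, null sessions allowed, agent not running.
STATE = {'files': {r'\Program Files\Skype\Phone'}, 'procs': {'explorer.exe'},
         'registry': {r'HKLM\System\CurrentControlSet\Control\Lsa': {'RestrictAnonymous': '0'}}}
```

Running `[c[0] for c in parse_policy(POLICY) if evaluate(c, STATE)]` lists the three check names that would fire for this host, which is what rootcheck writes to the agent's queue file.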