Skip to content

Latest commit

 

History

History
107 lines (82 loc) · 7.92 KB

mitigations.md

File metadata and controls

107 lines (82 loc) · 7.92 KB

Mitigation Strategies Analysis for ossec/ossec-hids

Mitigation Strategy: Strong Agent Authentication and Authorization (OSSEC-Specific)

Description:

  1. Key Generation: Generate unique, strong (at least 256-bit) cryptographic keys for each OSSEC agent using OSSEC's manage_agents tool. This tool is part of the OSSEC distribution and ensures proper key format.
  2. Key Distribution: Use the manage_agents tool on the server to extract the key for each agent. Then, use the manage_agents tool on the agent to import the key. This is the OSSEC-recommended method.
  3. Server Configuration: Ensure the OSSEC server (ossec.conf) is configured to require authentication. Set use_source_ip="yes" (to restrict connections to known agent IPs) and use_password="yes" (to require key-based authentication) within the <authentication> section.
  4. Agent Configuration: Ensure each OSSEC agent (ossec.conf) has its unique key configured (automatically done by manage_agents) and the correct server IP address.
  5. Regular Key Rotation: Use a script that leverages manage_agents to automate key rotation. This script should:
    • Generate new keys.
    • Import the new keys on the agents.
    • Update the server's authorized keys.
    • Restart the OSSEC services (both agent and server).
  6. Agent ID Validation: Implement server-side checks (using custom OSSEC rules or external scripts called by OSSEC) to ensure agent IDs are unique and not easily spoofed. This might involve querying a database of registered agent IDs.

  • Threats Mitigated:

    • Rogue Agent Connection (Severity: Critical): Prevents unauthorized agents from connecting.
    • Agent Impersonation (Severity: Critical): Makes impersonation much harder.
    • Man-in-the-Middle (MITM) Attack (Severity: High): When combined with TLS (which OSSEC can use), strong authentication prevents MITM.

  • Impact:

    • Rogue Agent Connection: Risk reduced from Critical to Low.
    • Agent Impersonation: Risk reduced from Critical to Low.
    • MITM Attack: Risk reduced from High to Low (with TLS).

  • Currently Implemented:

    • Key-based authentication is enabled using manage_agents.
    • use_source_ip and use_password are set to "yes".

  • Missing Implementation:

    • Automated key rotation script is not implemented.
    • Agent ID validation (beyond basic OSSEC checks) is not implemented.

Mitigation Strategy: Agent Integrity Monitoring (OSSEC-Specific)

Description:

  1. Identify Critical Files: Create a list of critical OSSEC agent files and directories (e.g., /var/ossec/etc/ossec.conf, /var/ossec/bin/*, /var/ossec/agentless/* - adjust paths as needed).
  2. Server-Side FIM Configuration: On the OSSEC server, configure File Integrity Monitoring (FIM) within the server's ossec.conf. Use the <syscheck> section. Crucially, this configuration targets the agent files on the client machines.
  3. Baseline Creation: After configuring FIM, run the OSSEC agent on each monitored host (or use agent_control -r on the server) to create a baseline.
  4. Regular Scanning: Configure the <frequency> within <syscheck> to control how often the agent checks for file changes.
  5. Alerting: Ensure that the FIM rules on the server are configured to generate alerts with appropriate levels (e.g., high severity for changes to agent binaries).
  6. Whitelisting (Careful): Use the <ignore> directive within <syscheck> sparingly and precisely. Only whitelist files that are expected to change legitimately (e.g., during an authorized agent update). Document all whitelisted files.

  • Threats Mitigated:

    • Agent Tampering (Severity: Critical): Detects unauthorized modifications.
    • Malware Infection of Agent (Severity: Critical): Detects agent compromise.
    • Unauthorized Agent Configuration Changes (Severity: High): Detects configuration tampering.

  • Impact:

    • Agent Tampering: Risk reduced from Critical to Medium (detection).
    • Malware Infection of Agent: Risk reduced from Critical to Medium (detection).
    • Unauthorized Agent Configuration Changes: Risk reduced from High to Medium (detection).

  • Currently Implemented:

    • Basic FIM configuration on the server monitors a limited set of agent files.

  • Missing Implementation:

    • Comprehensive monitoring of all critical agent files is incomplete.
    • Automated baseline updates after legitimate agent updates are not implemented.
    • Careful and documented whitelisting is not fully implemented.

Mitigation Strategy: Rate Limiting and Resource Control (OSSEC-Specific)

Description:

  1. Agent Connection Limits: On the OSSEC server, use the <client_buffer> section in ossec.conf to limit the buffer size for agent data. This can help prevent a single compromised agent from flooding the server. Also, consider using the <limits> section to set hard limits on connections per source IP.
  2. Alert Frequency Limiting: Within the OSSEC server's ossec.conf, use the frequency and timeframe attributes within <rule> definitions. This is crucial for preventing alert fatigue and DoS via alert flooding. For example: <rule id="100001" level="7" frequency="10" timeframe="3600"> would only trigger alert 100001 a maximum of 10 times within a 3600-second (1 hour) window.
  3. Log Rotation (OSSEC's Logs): Configure OSSEC's own log rotation within ossec.conf using the <log_rotate> section. This prevents OSSEC's internal logs from consuming excessive disk space.

  • Threats Mitigated:

    • Denial of Service (DoS) (Severity: Medium): Limits the impact of flooding attacks.
    • Alert Flooding (Severity: Medium): Prevents alert storms.
    • Resource Exhaustion (Severity: Medium): Prevents OSSEC's own logs from filling the disk.

  • Impact:

    • Denial of Service (DoS): Risk reduced from Medium to Low.
    • Alert Flooding: Risk reduced from Medium to Low.
    • Resource Exhaustion: Risk reduced from Medium to Low.

  • Currently Implemented:

    • Basic OSSEC log rotation is configured.

  • Missing Implementation:

    • client_buffer and <limits> configurations are not optimized to prevent agent flooding.
    • frequency and timeframe attributes are not consistently used in all relevant rules.

Mitigation Strategy: Log Tampering Prevention (OSSEC-Specific)

Description:

  1. Near Real-time Forwarding: Optimize the logcollector settings in the agent's ossec.conf to minimize the delay between log generation and forwarding to the server. Reduce the flush_interval and ensure send_logs_on_startup is enabled.
  2. OSSEC's Internal Integrity Checks: OSSEC has built in checks. Ensure that <syscheck> is enabled and configured to monitor critical system logs. This is a core function of OSSEC.

  • Threats Mitigated:

    • Log Tampering (Severity: High): Reduces the window of opportunity for attackers to modify logs before OSSEC processes them.
    • Circumvention of OSSEC Monitoring (Severity: High): Makes it harder to bypass OSSEC by tampering with logs.

  • Impact:

    • Log Tampering: Risk reduced from High to Medium (reduced window of opportunity).
    • Circumvention of OSSEC Monitoring: Risk reduced from High to Medium.

  • Currently Implemented:

    • Standard OSSEC log forwarding is configured.
    • <syscheck> is enabled.

  • Missing Implementation:

    • logcollector settings are not fully optimized for near real-time forwarding.