Friday, August 7, 2015

How to monitor running processes with OSSEC

In this post I am going to explain what are the steps to use OSSEC agents to monitor system processes, and alert when an important one is not running. This method should work both for Windows and Unix like Operating Systems. In my lab I've deployed the agent on a Windows Server 2012.

1.-Accepting remote commands

First step is to configure the agent logcollector option to accept remote commands from the manager. That can be done editing "internal_options.conf" file (usually located at "C:\Program Files(x86)\ossec-agent\internal_options.conf") and setting the variable logcollector.remote_commands to 1.
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1 
Once we have save this change, we just need to restart the agent for it to be applied.

2.- Specifying the command to list running processes

This is a configuration that can be done both at the agent or at the manager (using the shared directory). It only depends on how many agents you want this command to be used. In my case I decided to edit "/var/ossec/etc/shared/agent.conf" configuration file, and have these settings pushed to my windows agents.
<agent_config os="windows">
    <localfile>
        <log_format>full_command</log_format>
        <command>tasklist</command>
        <frequency>60</frequency>
    </localfile>
</agent_config> 
The command I used to list processes in Windows like Operating Systems is "tasklist". There are other options like using wmic, but this one looked good enough to me. For Unix systems you might want to use "ps".
On the other hand, notice that under log_format I choiced "full_command". This is because I want my OSSEC rules to be able to parse the whole command output, instead of parsing the output one line at a time.
At last, the frequency defines how often, in seconds, will this command be run. Feel free to adjust this setting to whatever makes more sense in your environment, keeping in mind the added load that can be generated in the system by running commands too often.

3.- Creating local rules

In this step we edit our "/var/ossec/rules/local_rules.xml" file to add rules that will trigger an alert if our critical process is not running. For the purpose of this example I will use "wordpad.exe" but, of course, it could be any other name.
<rule id="100050" level="7">
  <if_sid>530</if_sid>
  <match>^ossec: output: 'tasklist'</match>
  <description>Critical process not found.</description>
  <group>process_monitor,</group>
</rule>
<rule id="100051" level="0">
  <if_sid>100050</if_sid>
  <match>wordpad.exe</match>
  <description>Processes running as expected</description>
  <group>process_monitor,</group>
</rule>
The first rule (id "100050") will trigger a level "7" alert every time tasklist command is executed, unless (as defined in rule "100051") the output matches the string "wordpad.exe". If this is the case the alert level is set to "0", meaning that that no alert would be triggered.
Now we just need to save these changes and restart the manager for them to be applied. We can do that running "ossec-control restart" command.

4.- Testing our configuration

In order to test the configuration it is good to enable OSSEC "logall" option, so we can see the output of tasklist in archives.log everytime it is executed. See below an example (I cut some lines for brevity).
2015 Aug 07 18:38:03 (vpc-agent-windows) 10.0.0.124->tasklist ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        284 K
smss.exe                       328 Services                   0      1,060 K
csrss.exe                      484 Services                   0      3,584 K
...
...
...
notepad.exe                   1596 RDP-Tcp#37                 2     14,500 K
win32ui.exe                    828 RDP-Tcp#37                 2      6,088 K
ossec-agent.exe               3060 Services                   0      5,576 K
notepad.exe                   2276 RDP-Tcp#37                 2     12,076 K
wordpad.exe                    368 RDP-Tcp#37                 2     27,780 K
cmd.exe                        780 Services                   0      2,692 K
conhost.exe                   1304 Services                   0      3,044 K
tasklist.exe                  1692 Services                   0      5,668 K
And, once wordpad.exe process is stopped. An alert like this is triggered as expected. We can see it in "/var/ossec/logs/alerts/alerts.log" file.
** Alert 1438997816.32112781: mail  - local,syslog,process_monitor,
2015 Aug 07 18:36:56 (vpc-agent-windows) 10.0.0.124->tasklist
Rule: 100050 (level 7) -> 'Critical process not found.'
ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        284 K
smss.exe                       328 Services                   0      1,060 K
csrss.exe                      484 Services                   0      3,584 K
...
...
Of course, using email alert option and the above configuration, you can automatically be notified if one of your critical processes stopped running.
And that is all. I hope you enjoyed the tutorial and found it useful.