CentOS 7.x Configure Windows agent
Monitor a file or path for changes
To monitor a file or path for changes:
- Open the OSSEC config file from the Windows agent.
- OSSEC client -> View -> View Config
- To monitor a file on the D drive, enter the line below under the syscheck section of the config file:
    <directories check_all="yes" realtime="yes">D:/folder1\file.txt</directories>
- Note that the forward slash (/) after D: is intentional and correct. If you specify the path as D:\ with a backslash, it will not work.
- Restart the agent after changing the configuration.
Configure OSSEC to monitor installed software using reg command
To configure OSSEC on Windows to monitor installed software, use the following agent configuration:
- Open the OSSEC Windows agent configuration file and enter the code below under the config section:
    <localfile>
      <log_format>full_command</log_format>
      <command>reg query HKCU\Software</command>
      <frequency>3600</frequency>
      <alias>Installed-Programs-1</alias>
    </localfile>
    <localfile>
      <log_format>full_command</log_format>
      <command>reg query HKLM\Software</command>
      <frequency>3600</frequency>
      <alias>Installed-Programs-2</alias>
    </localfile>
    <localfile>
      <log_format>full_command</log_format>
      <command>reg query HKLM\Software\Wow6432Node</command>
      <frequency>3600</frequency>
      <alias>Installed-Programs-3</alias>
    </localfile>
- Here 3600 is the frequency of checking, in seconds.
Generate events on OSSEC for installed software using custom rules
Once the Windows OSSEC agent is configured to send the list of installed software to the OSSEC server, the server can generate alerts whenever that list changes, using the following local rules:
- Create local rules in '/var/ossec/rules/local_rules.xml' for generating installed-software email/alerts:
    <rule id="100009" level="12">
      <if_sid>530</if_sid>
      <match>Installed-Programs-1</match>
      <description>Software installed on Windows machine</description>
      <check_diff />
    </rule>
    <rule id="100010" level="12">
      <if_sid>530</if_sid>
      <match>Installed-Programs-2</match>
      <description>Software installed on Windows machine</description>
      <check_diff />
    </rule>
    <rule id="100011" level="12">
      <if_sid>530</if_sid>
      <match>Installed-Programs-3</match>
      <description>Software installed on Windows machine</description>
      <check_diff />
    </rule>
- Here 530 is the predefined Windows alert in /var/ossec/rules/msauth_rules.xml.
Configure OSSEC to monitor installed software using Power Shell ability to read Windows registry
To configure the OSSEC agent to monitor the list of installed software using PowerShell's ability to read the Windows registry:
- Open the OSSEC Windows agent configuration file and enter the code below under the config section:
    <localfile>
      <log_format>full_command</log_format>
      <command>powershell.exe -Command "Get-ItemProperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName"</command>
      <frequency>60</frequency>
      <alias>Installed-Programs-4</alias>
    </localfile>
    <localfile>
      <log_format>full_command</log_format>
      <command>powershell.exe -Command "Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName"</command>
      <frequency>60</frequency>
      <alias>Installed-Programs-5</alias>
    </localfile>
Note that although the above PowerShell commands give correct output when executed directly in PowerShell, the same commands do not work when used with OSSEC: under OSSEC both commands generate the same output. A workaround for this has not been figured out yet.
Generate events on OSSEC for installed software using custom rules
To generate alerts for the PowerShell-based software list, write custom OSSEC rules as follows:
- Create local rules in '/var/ossec/rules/local_rules.xml' for generating installed-software email/alerts:
    <rule id="100012" level="12">
      <if_sid>530</if_sid>
      <match>Installed-Programs-4</match>
      <description>Software installed on Windows machine</description>
      <check_diff />
    </rule>
    <rule id="100013" level="12">
      <if_sid>530</if_sid>
      <match>Installed-Programs-5</match>
      <description>Software installed on Windows machine</description>
      <check_diff />
    </rule>
Monitor USB device using command prompt
To monitor the initial connection of USB devices using OSSEC:
- Open the OSSEC Windows agent configuration file and enter the code below under the config section:
    <localfile>
      <log_format>full_command</log_format>
      <command>reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
      <frequency>3600</frequency>
      <alias>New-USBDevice-found-1</alias>
    </localfile>
- Here 3600 is the frequency of checking, in seconds.
Generate events on OSSEC for new USB devices using custom rules
To generate an OSSEC event whenever a new USB device is connected for the very first time:
- Create local rules in '/var/ossec/rules/local_rules.xml' for generating email/alerts for a new USB device:
    <rule id="100014" level="12">
      <if_sid>530</if_sid>
      <match>New-USBDevice-found-1</match>
      <description>New USB device detected-1</description>
      <check_diff />
    </rule>
- Here 530 is the predefined Windows alert in /var/ossec/rules/msauth_rules.xml.
Note that since the registry entries are not removed when the USB device is unplugged, there will be no new alerts for subsequent connections/disconnections of the same USB device until the corresponding registry entries are deleted. The advantage is that even if a device is connected only for a very short time while no OSSEC scan is running, the connection will still be detected during the next periodic scan (e.g. within 3600 seconds in the example above).
Monitor connected USB devices using PowerShell
To monitor the USB devices connected at present (at the time the OSSEC scan runs) using PowerShell:
- Open the OSSEC Windows agent configuration file and enter the code below under the config section:
    <localfile>
      <log_format>full_command</log_format>
      <command>powershell.exe -command "Get-WmiObject win32_diskdrive | Where { $_.InterfaceType -eq 'USB' }"</command>
      <frequency>3600</frequency>
      <alias>New-USBDevice-found-2</alias>
    </localfile>
- Here 3600 is the frequency of checking, in seconds.
Note that this only monitors devices that are connected at the time of scanning. If a device is connected and disconnected between two OSSEC checks, this configuration will not detect that USB usage.
Generate events on OSSEC for connected USB devices using custom rules
- Create local rules in '/var/ossec/rules/local_rules.xml' for generating email/alerts when the list of connected USB devices changes since the last scan:
    <rule id="100015" level="12">
      <if_sid>530</if_sid>
      <match>New-USBDevice-found-2</match>
      <description>New USB device detected-2</description>
      <check_diff />
    </rule>
- Here 530 is the predefined Windows alert in /var/ossec/rules/msauth_rules.xml.
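The rules on this page all work the same way: rule 530 picks up the `ossec: output: '<alias>':` messages that a full_command localfile sends, `<match>` selects the alias, and `<check_diff />` raises the alert only when the command output differs from the output stored at the previous run. The Python below is an added example (not OSSEC's own code) that simulates that server-side logic so the behaviour of the installed-software rules and of the two USB rules can be compared offline. The rule table mirrors the rules on this page; the `reg query` and `Get-WmiObject` outputs are constructed sample strings, and the assumption that the first output seen is stored silently as the baseline (no alert) is an assumption of this simulation, not a statement about OSSEC.

```python
"""Simulate OSSEC's rule 530 + <match> + <check_diff /> pipeline for the rules on this page.
Added example, not OSSEC's own code. Sample command outputs are constructed."""
import re

# Mirrors the <rule> entries in local_rules.xml on this page: (id, level, alias matched, description).
LOCAL_RULES = [
    (100009, 12, "Installed-Programs-1", "Software installed on Windows machine"),
    (100014, 12, "New-USBDevice-found-1", "New USB device detected-1"),
    (100015, 12, "New-USBDevice-found-2", "New USB device detected-2"),
]

# Message format the agent uses for full_command output; rule 530 matches the "ossec: output: '" prefix.
OUTPUT_RE = re.compile(r"^ossec: output: '([^']+)':\n?(.*)$", re.DOTALL)


class CheckDiff:
    """Keeps the last output seen per rule and fires only on change, like <check_diff />."""

    def __init__(self, rules=LOCAL_RULES):
        self.rules = rules
        self.last = {}  # rule id -> last output string seen for that rule

    def process(self, message):
        """Return (rule_id, level, description) if an alert fires, else None."""
        m = OUTPUT_RE.match(message)
        if not m:                      # not a full_command message: rule 530 never matches
            return None
        alias, output = m.group(1), m.group(2).strip()
        for rule_id, level, needle, desc in self.rules:
            if needle in alias:        # <match> is a substring match on the decoded log
                if rule_id not in self.last:
                    self.last[rule_id] = output   # assumption: first run only stores the baseline
                    return None
                if self.last[rule_id] == output:
                    return None        # unchanged output: check_diff suppresses the alert
                self.last[rule_id] = output
                return (rule_id, level, desc)
        return None


def replay(detector, messages):
    """Feed messages in order; return the rule id fired for each (None = no alert)."""
    return [(r[0] if r else None) for r in (detector.process(m) for m in messages)]


def fmt(alias, output):
    """Build the agent-side message for one scan of a full_command localfile."""
    return f"ossec: output: '{alias}':\n{output}"


# --- constructed sample outputs -------------------------------------------------------
REG_PROGRAMS_BEFORE = "HKEY_CURRENT_USER\\Software\\ExampleVendor\nHKEY_CURRENT_USER\\Software\\Microsoft"
REG_PROGRAMS_AFTER = REG_PROGRAMS_BEFORE + "\nHKEY_CURRENT_USER\\Software\\NewlyInstalledTool"
USBSTOR_EMPTY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
USBSTOR_WITH_DEVICE = USBSTOR_EMPTY + "\n" + USBSTOR_EMPTY + "\\Disk&Ven_Example&Prod_Flash&Rev_1.00"

INSTALLED_PROGRAMS_SCANS = [
    fmt("Installed-Programs-1", REG_PROGRAMS_BEFORE),  # scan 1: baseline
    fmt("Installed-Programs-1", REG_PROGRAMS_AFTER),   # scan 2: a new key appeared -> rule 100009
]
# reg query HKLM\...\USBSTOR: the entry persists after the device is unplugged.
USBSTOR_REGISTRY_SCANS = [
    fmt("New-USBDevice-found-1", USBSTOR_EMPTY),        # scan 1: baseline, nothing plugged in yet
    fmt("New-USBDevice-found-1", USBSTOR_WITH_DEVICE),  # scan 2: device was plugged in, even briefly
    fmt("New-USBDevice-found-1", USBSTOR_WITH_DEVICE),  # scan 3: device removed, entry still there -> silent
]
# Get-WmiObject win32_diskdrive: only devices present at scan time are listed.
WMI_DISKDRIVE_SCANS = [
    fmt("New-USBDevice-found-2", ""),  # scan 1: no USB disk present at scan time
    fmt("New-USBDevice-found-2", ""),  # scan 2: device plugged in and removed between scans -> missed
]

if __name__ == "__main__":
    for name, scans in [("installed software", INSTALLED_PROGRAMS_SCANS),
                        ("USBSTOR registry", USBSTOR_REGISTRY_SCANS),
                        ("WMI disk drives", WMI_DISKDRIVE_SCANS)]:
        print(f"{name}: {replay(CheckDiff(), scans)}")
```

Running the block shows the three timelines side by side: the installed-software rule fires once when a key is added, the USBSTOR rule fires at the first scan after the device was seen and then stays silent while the stale registry entry remains, and the WMI-based rule never fires for a device that came and went between two scans. That is exactly the trade-off described in the two notes above, and it is why the two USB rules are complementary rather than redundant.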
Steps contributed by Pavan Ponamala