By Jake Edge
April 21, 2010
A free software entrant into the host-based intrusion detection system
(HIDS) arena, OSSEC, released
version 2.4 earlier this month, with a number of upgrades and bug fixes.
OSSEC may not be as well known as other free software HIDS, like Samhain, AIDE, Osiris, or Open Source Tripwire,
but they are all trying to do a similar job: detect changes to a running
system that may have been caused by malicious activity. The techniques
used by HIDS vary considerably, from simply hashing file contents and comparing
them periodically to more sophisticated log file and behavioral analysis.
Conceptually, a HIDS should monitor everything about the system's state,
such that it can detect changes in behavior that stem from some kind of
host intrusion. Unlike network intrusion detection systems (NIDS), which
inspect network traffic to spot intrusion attempts as they happen, a HIDS
sees the effects of an intrusion on the host, so it generally reports
problems after the fact. It is, in some sense, a second line of defense
that is deployed behind a NIDS, at least at installations
with high security needs.
Most HIDS implementations only bite off some portion of the job. The
simplest look for changes to system files and binaries by using hashes of
their contents. Taking that a step further and storing the hashes of
"important" files on a separate system or read-only media defends against an
intrusion that targets the files which store the hashes; an attacker who can
replace a binary on the host can usually also rewrite a hash database kept
beside it. OSSEC takes that idea even further by moving most of the
monitoring and analysis to a separate, presumably well-hardened, system.
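To make the hash-and-compare idea concrete, here is a small file integrity monitor, added for this article rather than taken from OSSEC's syscheck. It baselines a directory tree (SHA-256 digest, size, mode and owner per file), serializes the baseline so it could be kept on another host or read-only media, and then reports what changed after a constructed "intrusion" in a scratch directory. Paths, file contents and the tampering are all made up for the demo.

```python
"""Added example: a minimal hash-based file integrity monitor (FIM).

Illustrative code written for this article, not OSSEC's syscheck. It builds a
baseline of SHA-256 digests and metadata for a directory tree, then compares a
later scan against it and reports added, removed and modified files. The
baseline round-trips through JSON so it can be stored away from the monitored
host: an intruder who can alter the files must not be able to alter the
baseline as well.
"""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root):
    """Walk `root` and record digest, size, mode and owner of every regular file.

    Symlinks are recorded by their target and never followed, so a planted
    link cannot make the scanner hash a file outside the tree.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            entry = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid,
                     "size": st.st_size}
            if stat.S_ISLNK(st.st_mode):
                entry["link"] = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                entry["sha256"] = hash_file(full)
            else:
                continue
            baseline[rel] = entry
    return baseline


def diff(old, new):
    """Compare two scans; returns added/removed/modified relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tree, tamper with it, detect the changes."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
    with open(os.path.join(root, "passwd"), "wb") as f:
        f.write(b"root:x:0:0:root:/root:/bin/sh\n")

    baseline = scan(root)
    # In a real deployment this JSON goes to another host or read-only media;
    # here it just round-trips on the same box.
    stored = json.loads(json.dumps(baseline))

    # Simulated intrusion: trojaned binary, extra root account, dropped file.
    with open(os.path.join(root, "bin", "ls"), "ab") as f:
        f.write(b"# hidden payload\n")
    with open(os.path.join(root, "passwd"), "ab") as f:
        f.write(b"hacker:x:0:0::/:/bin/sh\n")
    with open(os.path.join(root, "bin", ".rk"), "wb") as f:
        f.write(b"rootkit")

    return diff(stored, scan(root))
```

Running demo() reports bin/ls and passwd as modified and bin/.rk as added. Note that the comparison covers mode and owner too, so a chmod or chown of an unchanged binary is also flagged, which a pure content-hash check would miss.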
The basic architecture is intended to be client-server, with a
"manager" running on a central server and "agents" running on each of the
systems to be monitored. The agent is a small program that runs with low
privileges and forwards information to the manager. There is also a
"logcollector" process that runs as root on a client, and does just what
its name would imply. Configuration information is mostly stored by the
manager with some being locally cached. For obvious reasons, that
configuration cache is monitored and changes to it will cause an alert.
OSSEC can be run in standalone mode, where the analysis and gathering are
on the same host. The manager can also gather information from various
devices, such as routers, firewalls, and other IDS systems without using an
agent. There are agentless solutions for some devices, while others can
use remote syslog to send their log information to the manager system.
OSSEC is cross-platform,
running on most major Unix systems as well as various flavors of Windows.
There are four main features to OSSEC, starting with file integrity
monitoring. The second is log analysis, where the monitoring rules are fairly
extensive, covering a wide range of free and proprietary applications like
apache, asterisk, Cisco IOS, McAfee anti-virus, MySQL, PostgreSQL, and so on.
Much of what OSSEC does with log files is similar to what logwatch or
syslog-ng can do, but the analysis can be done site-wide, and actions can be
performed based on what OSSEC finds. New rules can be added for additional
services or site-specific logging using an XML rule syntax.
As would be expected, system administrators can be alerted by email if some
class of problem is detected. In addition, OSSEC has the ability to
perform "active responses" based on certain kinds of attacks. OSSEC comes
with a handful of pre-defined responses for things like adding an IP
address to /etc/hosts.deny or to various firewalls' deny lists.
Adding additional active responses is done by creating an XML chunk that specifies
what to run and another to describe when to run it.
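The log-analysis and active-response features described above can be shown together in a few dozen lines. The following is an example added for this article; it is not OSSEC's analysisd, nor its XML rule format, and the rule IDs, levels, log lines and IP addresses are constructed for the demo. It mirrors the ideas, though: a decoder pulls the source address and user out of a log line, a base rule fires on every match, a composite rule fires when the base rule matches five times from the same source within a time window, and a response hook runs when a rule of high enough level fires, here by appending the address to a list standing in for /etc/hosts.deny.

```python
"""Added example: rule-driven log analysis with an "active response".

Illustrative code written for this article, not OSSEC's own. Rule IDs,
levels and the sshd log lines below are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Decoder for sshd failed-password lines in syslog format (constructed).
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

RULES = [
    # "composite" is None for a plain rule, or (frequency, timeframe_seconds).
    {"id": 5716, "level": 5, "desc": "SSHD authentication failed",
     "match": SSHD_FAILED, "composite": None},
    {"id": 5720, "level": 10, "desc": "Multiple SSHD authentication failures",
     "match": SSHD_FAILED, "composite": (5, 120)},
]


def parse_ts(text, year=2010):
    """Syslog timestamps carry no year; one is assumed for the demo."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class Analyzer:
    def __init__(self, rules, response_level=10):
        self.rules = rules
        self.response_level = response_level
        self.history = defaultdict(deque)   # (rule id, ip) -> recent match times
        self.alerts = []
        self.hosts_deny = []                # stands in for /etc/hosts.deny

    def active_response(self, ip, alert):
        """Block the source. A real response would run a script as root."""
        if ip not in self.hosts_deny:
            self.hosts_deny.append(ip)

    def feed(self, line):
        for rule in self.rules:
            m = rule["match"].search(line)
            if not m:
                continue
            ip, ts = m.group("ip"), parse_ts(m.group("ts"))
            if rule["composite"]:
                freq, window = rule["composite"]
                hist = self.history[(rule["id"], ip)]
                hist.append(ts)
                while (ts - hist[0]).total_seconds() > window:
                    hist.popleft()       # drop matches outside the window
                if len(hist) < freq:
                    continue
                hist.clear()             # fire once, then count afresh
            alert = {"rule": rule["id"], "level": rule["level"], "ip": ip,
                     "user": m.group("user"), "desc": rule["desc"]}
            self.alerts.append(alert)
            if rule["level"] >= self.response_level:
                self.active_response(ip, alert)


# Constructed sample log: a brute-force burst, then one honest typo.
SAMPLE_LOG = """\
Apr 19 10:00:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 40011 ssh2
Apr 19 10:00:03 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Apr 19 10:00:05 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 40013 ssh2
Apr 19 10:00:07 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 40014 ssh2
Apr 19 10:00:09 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 40015 ssh2
Apr 19 10:05:00 web1 sshd[2300]: Failed password for alice from 203.0.113.9 port 50001 ssh2
Apr 19 10:06:00 web1 sshd[2301]: Accepted password for alice from 203.0.113.9 port 50002 ssh2
"""


def run(log_text=SAMPLE_LOG):
    """Feed every line through the analyzer and return it for inspection."""
    a = Analyzer(RULES)
    for line in log_text.splitlines():
        a.feed(line)
    return a
```

On the sample, the base rule fires six times, the composite rule once (on the fifth failure from 198.51.100.7), and only that address ends up blocked; alice's single failure is recorded but never triggers a response. The threshold and window are the knobs that keep a response like this from locking out legitimate users who mistype a password.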
The fourth main feature of OSSEC is rootkit detection that runs
periodically on client systems. For Windows clients, there is an
additional feature that checks the registry for changes, and alerts the
administrator of any it finds.
OSSEC was originally written by Daniel Cid and released as free software in
2004. Since that time, the code has been acquired twice, most recently
by Trend Micro, which
offers commercial support for OSSEC. It is licensed under the GPLv3, and
is available as a tarball (along with SHA1/MD5 hashes for verification) from the installation
page. Note that hashes served beside the tarball only catch a corrupted
download; they offer no protection if the download site itself is
compromised, since an attacker can update both.
As with any HIDS solution, it will require some tweaking for specific
environments to reduce false positives to a manageable level. OSSEC has a
number of useful features and looks to be a solution that is growing in
popularity. It would seem to be a good candidate for one or more
distributions to pick up and configure for their specific needs, which
would make it easier for their users to start monitoring with OSSEC. For
anyone considering HIDS for security at their site, OSSEC is worth a look.
Comments (6 posted)
New vulnerabilities
apache-mod_auth_shadow: restriction bypass
Package(s): apache-mod_auth_shadow
CVE #(s): CVE-2010-1151
Created: April 19, 2010
Updated: May 28, 2010
Description: From the Mandriva advisory:
A race condition was found in the way mod_auth_shadow used an external
helper binary to validate user credentials (username / password
pairs). A remote attacker could use this flaw to bypass intended
access restrictions, resulting in ability to view and potentially
alter resources, which should be otherwise protected by authentication.
Comments (none posted)
clamav: denial of service
Package(s): clamav
CVE #(s): CVE-2010-1311
Created: April 19, 2010
Updated: September 8, 2010
Description: From the Mandriva advisory:
The qtm_decompress function in libclamav/mspack.c in ClamAV before
0.96 allows remote attackers to cause a denial of service (memory
corruption and application crash) via a crafted CAB archive that uses
the Quantum (aka .Q) compression format. NOTE: some of these details
are obtained from third party information.
Comments (none posted)
gource: predictable temporary filename
Package(s): gource
CVE #(s): (none assigned)
Created: April 20, 2010
Updated: April 21, 2010
Description: From the Red Hat bugzilla:
A Debian bug report notes that Gource creates its log file with a
predictable name (/tmp/gource-$(UID).tmp), which a malicious user could use to
overwrite arbitrary files via a symlink attack, with the privileges of the user
running Gource.
Comments (none posted)
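The Gource entry is a textbook instance of the predictable-temporary-file class, so here is a self-contained demonstration of it, added for this page and not taken from Gource. It uses a private scratch directory in place of /tmp: a symlink is planted at the name the program is known to use, a naive open-for-write follows the link and overwrites the victim file, while the hardened variants (an O_CREAT|O_EXCL|O_NOFOLLOW open, or tempfile.mkstemp) refuse the planted link or never use a guessable name. The file names and contents are constructed.

```python
"""Added example: predictable /tmp name, the symlink attack, and the fix.

Illustrative code for this entry, not Gource's. The scratch directory
created by mkdtemp() stands in for a world-writable /tmp.
"""
import os
import tempfile


def predictable_path(tmpdir):
    """The pattern from the bug report: <tmp>/gource-<uid>.tmp."""
    return os.path.join(tmpdir, f"gource-{os.getuid()}.tmp")


def write_log_vulnerable(path, data):
    """open(..., 'w') truncates and writes through a symlink. Do not do this."""
    with open(path, "w") as f:
        f.write(data)


def write_log_hardened(path, data):
    """Create-only, never follow: fails if anything already exists at `path`."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def write_log_mkstemp(tmpdir, data):
    """Preferred: unpredictable name, O_EXCL create, mode 0600; returns the path."""
    fd, path = tempfile.mkstemp(prefix="gource-", suffix=".tmp", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario; returns what happened to the victim file in each case."""
    tmpdir = tempfile.mkdtemp()                 # stands in for /tmp
    victim = os.path.join(tmpdir, "victim_file")
    with open(victim, "w") as f:
        f.write("original contents\n")

    target = predictable_path(tmpdir)
    os.symlink(victim, target)                  # the attacker's move

    # 1. Vulnerable: the write follows the link and overwrites the victim.
    write_log_vulnerable(target, "log data\n")
    clobbered = open(victim).read() == "log data\n"

    with open(victim, "w") as f:                # reset for the next case
        f.write("original contents\n")

    # 2. Hardened open: O_EXCL (and O_NOFOLLOW) reject the planted link.
    try:
        write_log_hardened(target, "log data\n")
        hardened_refused = False
    except OSError:
        hardened_refused = True
    intact = open(victim).read() == "original contents\n"

    # 3. mkstemp: there is no fixed name for the attacker to plant a link at.
    safe_path = write_log_mkstemp(tmpdir, "log data\n")
    random_name = safe_path != target and os.path.isfile(safe_path)

    return {"clobbered": clobbered, "hardened_refused": hardened_refused,
            "victim_intact_after_hardened": intact, "mkstemp_random_name": random_name}
```

Two caveats. First, O_EXCL is what actually closes the race; checking for the file's existence and then opening it leaves a window in which the link can be planted. Second, Linux 3.6 and later can refuse to follow symlinks in sticky world-writable directories (the fs.protected_symlinks sysctl), which blunts this class on /tmp, but code should not depend on that being enabled, and it does not help in directories that are not sticky.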
irssi: multiple vulnerabilities
Package(s): irssi
CVE #(s): CVE-2010-1155, CVE-2010-1156
Created: April 16, 2010
Updated: June 21, 2010
Description: From the Ubuntu advisory:
It was discovered that irssi did not perform certificate host validation
when using SSL connections. An attacker could exploit this to perform a man
in the middle attack to view sensitive information or alter encrypted
communications. (CVE-2010-1155)
Aurelien Delaitre discovered that irssi could be made to dereference a NULL
pointer when a user left the channel. A remote attacker could cause a
denial of service via application crash. (CVE-2010-1156)
Comments (none posted)
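"Certificate host validation" is the step that is easy to leave out of a hand-rolled TLS client: the chain verifies, so the certificate is genuine, but nothing checks that it was issued for the host the client meant to reach, and a certificate the attacker legitimately holds for a different name is accepted. The following is an added illustration for this entry, not irssi's code. It implements the name comparison over a certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns; the two certificates are constructed. In real code use ssl.create_default_context(), which enables check_hostname; this shows what that flag does.

```python
"""Added example: what TLS hostname validation checks.

Illustrative code for this entry, not irssi's. The certificate dicts
follow the shape of ssl.SSLSocket.getpeercert() and are constructed.
"""
import ipaddress


def _dns_label_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, wildcard allowed only as
    the whole leftmost label, and it matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False                 # no partial or non-leftmost wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if `hostname` is covered by the certificate's SAN entries.

    The commonName fallback is deliberately omitted: validators consult it
    only when no SAN is present, and browsers have dropped it entirely.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_label_match(value, hostname):
            return True
    return False


# Constructed certificates in getpeercert() shape.
LEGIT_CERT = {
    "subject": ((("commonName", "irc.example.org"),),),
    "subjectAltName": (("DNS", "irc.example.org"), ("DNS", "*.example.org")),
}
ATTACKER_CERT = {       # chains to a trusted CA, but issued for the attacker's own name
    "subject": ((("commonName", "irc.evil.example"),),),
    "subjectAltName": (("DNS", "irc.evil.example"), ("IP Address", "203.0.113.5")),
}


def connect_decision(cert, intended_host, check_hostname=True):
    """Model the client's decision; check_hostname=False reproduces the flaw."""
    if not check_hostname:
        return "accepted"
    return "accepted" if hostname_matches(cert, intended_host) else "rejected"
```

With the check disabled, ATTACKER_CERT is accepted for a connection the user intended to make to irc.example.org, which is exactly the man-in-the-middle case: the attacker intercepts the connection and presents a certificate for a name they control. With the check in place it is rejected, while the wildcard entry on the legitimate certificate still matches chat.example.org but not a.b.example.org or the bare example.org.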
java: information disclosure
Package(s): java-1.6.0-sun
CVE #(s): CVE-2010-0886, CVE-2010-0887
Created: April 20, 2010
Updated: July 21, 2010
Description: From the Oracle advisory:
This Security Alert addresses security issues CVE-2010-0886 and CVE-2010-0887, which are vulnerabilities in desktop Java running in web browsers only; these vulnerabilities are not present in Java running on servers or standalone Java desktop applications and do not impact any Oracle server based software. The desktop vulnerabilities are in the Java Deployment Toolkit and the new Java Plug-in that are included in various Oracle Java SE and Java for Business releases. They only affect Java when running in a 32-bit web browser. These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For a successful exploit, a user running an affected release in their browser will need to visit a malicious web page that exploits this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
Comments (none posted)
libnids: denial of service
Package(s): libnids
CVE #(s): CVE-2010-0751
Created: April 20, 2010
Updated: April 21, 2010
Description: From the Pardus advisory:
The ip_evictor function in ip_fragment.c in libnids, as used in dsniff
and possibly other products, allows remote attackers to cause a denial
of service (NULL pointer dereference and crash) via crafted fragmented
packets.
Comments (none posted)
memcached: denial of service
Package(s): memcached
CVE #(s): CVE-2010-1152
Created: April 20, 2010
Updated: June 14, 2010
Description: From the Pardus advisory:
memcached.c in memcached allows remote attackers to cause a denial of
service (daemon hang or crash) via a long line that triggers excessive
memory allocation.
Comments (none posted)
scsi-target-utils: format string vulnerability
Package(s): scsi-target-utils
CVE #(s): CVE-2010-0743
Created: April 20, 2010
Updated: January 23, 2012
Description: From the Red Hat advisory:
A format string flaw was found in scsi-target-utils' tgtd daemon. A
remote attacker could trigger this flaw by sending a carefully-crafted
Internet Storage Name Service (iSNS) request, causing the tgtd daemon to
crash.
Comments (none posted)
sudo: arbitrary command execution
Package(s): sudo
CVE #(s): CVE-2010-1163
Created: April 19, 2010
Updated: January 25, 2011
Description: From the Mandriva advisory:
The command matching functionality in sudo 1.6.8 through 1.7.2p5 does
not properly handle when a file in the current working directory has
the same name as a pseudo-command in the sudoers file and the PATH
contains an entry for ., which allows local users to execute arbitrary
commands via a Trojan horse executable, as demonstrated using sudoedit,
a different vulnerability than CVE-2010-0426.
Comments (none posted)
Page editor: Jake Edge