Technical Support for OSSEC

Let the experts get the work done

Wazuh’s technical team provides the best service and has extremely valuable knowledge for anything you may need. With members of the OSSEC development team and other expert engineers on staff, we are confident we can succeed at any task. You can also buy consulting hours for a tailored service that suits your needs.

Commercial Support

WAZUH provides maintenance and support for your OSSEC installation, which includes:

  • Support for agent deployment with Puppet, CFEngine, Chef and Salt.
  • Bug fixes for OSSEC mainstream code.
  • Bug fixes for installers (RPMs, Deb packages, Windows).
  • Patches for software vulnerabilities.
  • Custom rules/decoders formatting.
  • Configuration and tuning support.
  • Health check every 3 months (done remotely by one of our engineers).

Deployment and configuration

The OSSEC architecture requires agents installed on the monitored systems. These agents collect and forward log messages, monitor files for integrity, and check for rootkit or trojan files.

On the other side, the HIDS server component receives data from the agents and processes it to detect intrusions, software misuse, weak security configurations and suspicious files or processes. The server component is also in charge of triggering active responses when an alert is raised.

WAZUH deploys and configures OSSEC to run smoothly and secure your systems.

Components tuning

Tuning the HIDS modules is critical to improve and extend detection capabilities and to eliminate false positives. The tuning process involves creating custom decoders, rules and signatures that adapt OSSEC's detection capabilities to specific use cases.

This service includes multiple tasks, listed below, which affect different types of OSSEC components.

The OSSEC server component is in charge of processing the log messages coming from deployed agents. Received messages are pre-decoded to extract basic information such as the hostname and program name of the system and application that generated the message.

Once pre-decoded, messages are inspected by decoders, which analyze the events generated by an application and extract further information such as usernames, URLs, status codes and IDs.

WAZUH tunes decoders and rules, adapting them to your use cases and avoiding false positives.
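As an added illustration of the pre-decoder / decoder / rule chain described above (this is example content, not a Wazuh deliverable or part of the OSSEC rule set), here is a custom decoder and two rules for a hypothetical application called “acme-portal”. The sample log line in the comment is constructed, and the file locations (the stock local_decoder.xml and local_rules.xml) are assumed to match a default OSSEC layout.

```xml
<!-- Added example for a hypothetical application "acme-portal".
     Constructed syslog line that the pre-decoder turns into
     hostname=web01, program_name=acme-portal, log="LOGIN FAILED ...":
     Mar  1 10:21:05 web01 acme-portal[2210]: LOGIN FAILED user=alice src=203.0.113.7 reason=bad_password
     Assumed locations: decoders in /var/ossec/etc/local_decoder.xml,
     rules in /var/ossec/rules/local_rules.xml. -->

<!-- Parent decoder: selected by the program_name the pre-decoder extracted -->
<decoder name="acme-portal">
  <program_name>^acme-portal</program_name>
</decoder>

<!-- Child decoder: only tried after the parent matched; prematch narrows it to
     login failures and the capture groups are stored in the order given by <order> -->
<decoder name="acme-portal-login-failed">
  <parent>acme-portal</parent>
  <prematch>^LOGIN FAILED</prematch>
  <regex offset="after_prematch">user=(\S+) src=(\S+) reason=(\S+)</regex>
  <order>user, srcip, extra_data</order>
</decoder>

<group name="local,acme-portal,">
  <!-- Base rule at level 0: a single failure is decoded and kept for correlation
       but does not generate an alert on its own -->
  <rule id="100100" level="0">
    <decoded_as>acme-portal</decoded_as>
    <match>^LOGIN FAILED</match>
    <description>acme-portal: failed login</description>
  </rule>

  <!-- Correlation rule: six failures from the same source IP within 120 seconds -->
  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>acme-portal: multiple failed logins from the same source</description>
  </rule>
</group>
```

The split between a level 0 base rule and a frequency rule is the usual way to keep a noisy application quiet while still alerting on the pattern that matters; ossec-logtest can be fed the constructed line to confirm which decoder and rule fire.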

CDB (constant database) lookups are done from within the rules and are run by the ossec-analysisd process. Any decoded field can be checked against a list for different types of use cases, mostly related to white listing or reputation.

White lists help reduce the number of false positives, for example by identifying the users authorized to run the “sudo” command. CDBs can also be used to alert when a certain field value is seen in a log message; this is useful, for example, to trigger alerts only when certain hosts are involved.

WAZUH checks existing CDBs, improving and amending the detection rules that use them. New databases can also be implemented to expand detection capabilities.
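The following is an added example of the two CDB use cases just described, white listing and host-specific alerting, built around the stock OSSEC rule 5715 (“SSHD authentication success”). It is not Wazuh's own configuration; the list name, its entries and the IP addresses are constructed, and the list path is assumed to sit under the default /var/ossec directory.

```xml
<!-- Added example, not part of the page or of OSSEC's shipped rules.
     Assumed list file /var/ossec/lists/trusted-admin-hosts, one "key:value" per line
     (constructed entries, documentation addresses):
       203.0.113.10:jump-host-1
       203.0.113.11:jump-host-2
     After editing the file run ossec-makelists, which compiles it to
     lists/trusted-admin-hosts.cdb for ossec-analysisd. -->

<!-- ossec.conf: register the list so it is loaded at startup -->
<ossec_config>
  <rules>
    <list>lists/trusted-admin-hosts</list>
  </rules>
</ossec_config>

<!-- local_rules.xml: both rules chain off the stock success rule 5715 -->
<group name="local,sshd,">
  <!-- White list: a login from a known jump host is recorded at level 0, no alert -->
  <rule id="100200" level="0">
    <if_sid>5715</if_sid>
    <list field="srcip" lookup="match_key">lists/trusted-admin-hosts</list>
    <description>SSH login from a trusted administration host</description>
  </rule>

  <!-- Host-specific alerting: a successful login from any other source is escalated -->
  <rule id="100201" level="8">
    <if_sid>5715</if_sid>
    <list field="srcip" lookup="not_match_key">lists/trusted-admin-hosts</list>
    <description>SSH login from a source outside the trusted host list</description>
  </rule>
</group>
```

Because the lookup happens inside the rule, adding or removing a host is a change to the list file and a re-run of ossec-makelists, not a rule edit, which is what makes CDBs cheaper to maintain than long chains of static match rules.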

File system integrity checking is performed by comparing MD5/SHA1 checksums to identify changes. The HIDS agents scan the system periodically and send the checksums to the server component, where they are compared with historical data. Tuning the file integrity monitoring configuration to ignore files that are supposed to change often reduces the number of false positives generated.

WAZUH tunes the configuration to confirm that critical system files and binaries are properly monitored. In order to improve OSSEC Syscheck monitoring capabilities, WAZUH will take the following actions, among others:

  • Integrating OSSEC with the kernel's inotify interface for real-time alerting when critical files are modified.
  • Configuring the “report diffs” feature (report_changes) to keep track of changes in clear-text files.
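Below is an added example of a tuned Syscheck configuration that applies both actions above and the ignore tuning discussed earlier. It is illustrative, not a Wazuh deliverable; the directory list is a typical Linux set and the scan frequency is an assumed value.

```xml
<!-- Added example <syscheck> block for ossec.conf. Paths are common Linux locations
     chosen for illustration; adjust to the monitored system. -->
<ossec_config>
  <syscheck>
    <!-- Full scheduled scan every 6 hours (assumed value); real-time directories
         are additionally watched continuously through inotify -->
    <frequency>21600</frequency>

    <!-- Critical binaries and configuration: check_all covers checksums, size,
         ownership and permissions; realtime enables inotify-based alerting -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/bin,/sbin,/boot</directories>

    <!-- Clear-text configuration where the content of the change matters:
         report_changes keeps a copy on the agent and the alert carries the diff -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/ssh,/etc/pam.d,/etc/sudoers.d</directories>

    <!-- Files that change by design; ignoring them removes recurring false positives -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Report files created since the last scan (disabled by default) -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
```

The ignore for /etc/hosts.deny is only appropriate when the host-deny active response is in use, since that script rewrites the file; otherwise it should stay monitored. Agents pick the block up from their own ossec.conf, or from the shared agent.conf pushed by the server.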

The OSSEC HIDS server pushes the configuration files for rootkit and trojan detection to the agents. These files contain application-level signatures that need to be updated and properly maintained to be effective. The OSSEC Rootcheck process can also detect anomalies that reveal kernel-level rootkits, looking for example for hidden files, processes or ports.

WAZUH adjusts the existing signatures and anomaly-detection rules to improve rootkit and trojan detection capabilities and eliminate false positives.

Configuration checking rules are used to identify weak security configurations. Use cases for these rules are:

  • SSH configured to permit empty passwords or root login.
  • User accounts with an empty password.
  • Unnecessary Linux services enabled.
  • LDAP VIP server not included in the configuration file.

The objective of tuning these rules is to amend them and implement new policy enforcement and monitoring rules, increasing visibility over the existing system configurations.
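As an added example covering both the rootkit/trojan detection and the configuration checking passages above, this is an agent-side Rootcheck block that enables the signature databases, two policy (configuration audit) files and the signature-less anomaly checks. It is not Wazuh's own configuration; the file names are the ones OSSEC ships in its shared directory, and the scan frequency is an assumed value.

```xml
<!-- Added example <rootcheck> block for an agent's ossec.conf.
     The .txt files are the stock OSSEC shared files; the server pushes updated
     copies to /var/ossec/etc/shared on every agent. -->
<ossec_config>
  <rootcheck>
    <!-- Application-level signatures: known rootkit files and trojaned binaries -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <!-- Policy files (configuration checking): generic hardening audit plus a
         CIS benchmark; this is where checks such as "root login allowed" live -->
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>

    <!-- Anomaly checks that need no signatures and target kernel-level rootkits -->
    <check_dev>yes</check_dev>      <!-- regular files hidden under /dev -->
    <check_sys>yes</check_sys>      <!-- directory listing vs stat mismatches (hidden files) -->
    <check_pids>yes</check_pids>    <!-- PIDs that respond to the kernel but are absent from ps -->
    <check_ports>yes</check_ports>  <!-- ports that bind() reports busy but netstat does not list -->
    <check_if>yes</check_if>        <!-- interfaces in promiscuous mode -->

    <!-- Full rootcheck run every 12 hours (assumed value) -->
    <frequency>43200</frequency>
  </rootcheck>
</ossec_config>
```

The signature files and the policy files are plain-text databases maintained on the server, which is why the page stresses keeping them updated: the anomaly checks catch what the signatures miss, but only the signature and policy lists encode the specific weak configurations listed above.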

The Active response module is a simple framework for running a script or program within the context of an alert. It is used to trigger automatic actions, for example to:

  • Call a firewall script to block a specific connection based on the source IP.
  • Restart an OSSEC agent when a configuration file is modified.

Responses can be triggered automatically on both the server and agent sides. The benefits of enabling them are clear, but they are also risky if not configured properly. That is why WAZUH reviews the existing configuration and only implements safe responses.
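The following added example shows what a “safe” version of the firewall response above looks like in ossec.conf: scoped to one specific rule rather than to every alert above a level, time-limited so the block is undone automatically, and protected by a white list so the manager and administration hosts can never be blocked. It is example content, not Wazuh's own configuration; the white-listed addresses are constructed documentation addresses and the timeout is an assumed value.

```xml
<!-- Added example of a scoped, time-limited active response. firewall-drop.sh
     is the stock OSSEC script in /var/ossec/active-response/bin; rule 5712 is the
     stock "SSHD brute force" rule. Addresses and timeout are illustrative. -->
<ossec_config>
  <global>
    <!-- Addresses that no active response may ever act on: the manager itself
         and the constructed administration jump hosts -->
    <white_list>127.0.0.1</white_list>
    <white_list>203.0.113.10</white_list>
    <white_list>203.0.113.11</white_list>
  </global>

  <!-- Command definition: expects a source IP from the alert and supports undo -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Binding: only rule 5712 triggers it, on the agent that saw the event,
       and the block is removed after 10 minutes -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The risky configuration the page warns about is the same binding expressed with a broad `<level>` instead of `<rules_id>` and no `<timeout>`: any noisy rule, including a misfiring custom one, would then produce permanent firewall blocks. Keeping the trigger explicit, the action reversible and the white list populated is what makes the response safe to enable.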

Health-check

WAZUH identifies performance and configuration issues affecting your deployed solution. This process covers the OSSEC server and agent components, the analysis of configurations and communications, and an overall system health-check.

The performance analysis measures the health of the OSSEC server by extracting the number of agents connected per server, log messages processed per hour, alerts triggered per hour, and other system metrics such as CPU and memory usage, hard disk space and bandwidth usage.

Regarding the server, WAZUH will review all existing OSSEC configuration settings to confirm they are correct and do not cause performance issues. This health-check task includes the analysis of the following items:

  • Pre-decoders, decoders and rules configuration.
  • CDB lists used for white listing and reputation.
  • File integrity and rootkits databases.
  • Agents shared configuration settings.
  • Collected events queue size.
  • Alerts retention settings.
  • Active response module configuration.

Training

Wazuh has designed a Standard Course for those who want hands-on technical experience, covering OSSEC from the basics to an advanced level. Get to know faster what OSSEC can do and how to get the most out of it.

For those who are looking for a “knowledge transfer” after any of the services above, or who need to learn more within a specific area, Wazuh works together with the customer to design the right course to cover the user's needs, from a quick “get started” and “how to” to a more in-depth hands-on experience.