Latest release

v2.9.0

@atomicturtle released this Feb 9, 2017

Changelog

Release Maintainers

Dan Parriott
Scott R. Shinn (Atomicorp, Inc.)

What's New

  • Alert Output support for JSON and ZeroMQ
  • Syscheck improvements
  • Report file deletion, even without realtime enabled
  • Report modifications made on directories
  • Corrects bug so that files created between the first and second scan are reported as new files
  • Corrects bug that made changes reverting a file to the state it was in when ossec started unreported
  • Avoids computing hashes multiple times to improve performance
  • Make the time between two syscheck wakeups configurable in internal_options
  • Add support for the “nodiff” option when using report_changes; sensitive files tagged with <nodiff> in ossec.conf will not have their contents included in an alert.
  • IPv6 support
  • Support to call an external mailer. This solves the problem of supporting encryption when sending mail alerts in OSSEC. The <smtp_server> field can now be prepended with “/” to designate a local binary. Example: “<smtp_server>/usr/sbin/sendmail -t</smtp_server>”.
  • Slack notification support

New Rules / Decoders

  • PR #572: Rules/Decoders, Better Dropbear events detection
  • PR #602: Rules/Decoders, Add dropbear_rules and unbound_rules
  • PR #604: Rules/Decoders, sid 5300 incorrectly alerts on OS X
  • PR #607: Rules/Decoders, Update syslog_rules for OSX false positive
  • PR #611: Rules/Decoders, Sysmon decoder update. This should better support Windows 2003 R2.
  • PR #643: Rules/Decoders, update to IIS decoder
  • PR #654: Rules/Decoders, update to the vsftpd decoder
  • PR #668: Rules/Decoders, Fix for Cisco PIX decoder, ms-se_rules.xml, msauth_rules.xml
  • PR #721: Rules/Decoders, Update for systemd rules to add support for new program_name, systemctl
  • PR #746: Rules/Decoders, Update to the apache decoders to handle Apache 2.4 events more gracefully
  • PR #755: Rules/Decoders, Update to ssh rules. Adds rules 5750-5753 to detect client, protocol, and hostkey events
  • PR #762: Rules/Decoders, Update to ssh rules. Associates 5751 with 5700 instead of 1002
  • PR #763: Rules/Decoders, Add rules for OpenBSD smtpd
  • PR #774: Rules/Decoders, Add OpenBSD smtpd rules
  • PR #787: Rules/Decoders, Update to OpenBSD smtpd decoder to not conflict with postfix
  • PR #786: Rules/Decoders, SSH Rule improvements
  • PR #799: Rules/Decoders, Add rule for users not in sudoers
  • PR #803: Rules/Decoders, Add additional sshd decoders for ssh-pam & ssh invalid auth requests

General

  • PR #2: Output, Adds ZeroMQ and JSON output support
  • PR #4: Authd, Bugfix for OpenSSL operations on a non-blocking socket
  • PR #563: IPv6 support
  • PR #599: Allow for the log format in proftpd 1.3.5+
  • PR #610: Execd, Reduce system load caused by simultaneous active response processes during ossec stop
  • PR #615: Agentd, Adds support for binding the source IP to the ‘local_ip’ config value. On a multihomed host, binding the agent to the correct IP was a big problem: by default agentd used the IP address of the interface from which packets were sent.
  • PR #617: Agentd, Add CLIENT to DEFINES for the winagent target. Bugfix for #595
  • PR #622: Fix for CVE-2015-3222
  • PR #631: Log a failure when ossec fails to remove a PID file
  • PR #652: Syscheck, add support for the “-t” flag to display XML parsing errors in agent.conf on agents
  • PR #657: Syscheck, Allows scanning of directories with a comma in the name, and lets directory check_something="no" options work. This means you can do instead of listing out all the ones you want to use.
  • PR #670: Syscheck, Bugfix for report_changes
  • PR #689: Maild, add support to call an external MTA to send alert emails. The smtp_server setting can now be written as “/usr/sbin/sendmail -t”
  • PR #690: Cleanup for building on OSX
  • PR #691: Adds support for syslog messages that prepend the year, e.g. “2015 Nov 13 ....”
  • PR #696: Bugfix for OpenBSD sendto() sockaddr length restrictions
  • PR #699: Encompassing only complete statements with conditional directives
  • PR #717: Active Response, add Slack (www.slack.com) notification support
  • PR #720: Fixes for the statfs error spam
  • PR #724: Authd, bugfix for issue #642. This brings ossec-authd into parity with whatever MAX_AGENTS is set to at build time
  • PR #726: Make syslog/cef output consistent with json/splunk and add a classification field to alerts
  • PR #727: Maild, Add support for “email_reply_to”. This allows configuring the Reply-To: field in email alerts sent from ossec-maild
  • PR #740: Remoted, bugfix for issue #739. Ossec will now report the agent ID of the agent that tries to connect
  • PR #744: Syscheck, Bugfix for issue #42, corrects an issue on Windows that would produce an incorrect hash
  • PR #749: Windows, Changed Makefile to use the Windows subsystem only with the UI manager
  • PR #750: Analysisd, Fixes glob() implementation bug, adds Hourly/Daily options to logcollector, improved defaults for analysisd diff alerts
  • PR #751: Add simple python rule updater script
  • PR #754: Install.sh, Bugfix for OpenBSD adduser support
  • PR #765: Syscheck, add “nodiff” support. Sensitive data may leak through the diff attached to alerts when some file changes. This pull request adds a nodiff option, which allows explicitly setting files for which we never want to output a diff.
  • PR #768: Analysisd, Bugfix for Issue #767, increase of value for stats
  • PR #770: Database support, Postgres support updates
  • PR #781: Syscheck, Bugfix for Issue #780
  • PR #788: System Audit, Add PCI DSS tags to RHEL/CentOS/Cloudlinux auditing tests
  • PR #789: Install.sh, Use ls for file existence checks, for cross-platform compatibility
  • PR #791: Syscheck, add /boot to default directories. Fix for Issue #675
  • PR #797: Rootcheck, Remove legacy rootcheck options
  • PR #798: System Audit, Add RHEL/CentOS/Cloudlinux 7 CIS benchmarks
  • PR #802: Database support, Allow for longer entries in the system information column
  • PR #849: Format string security fix
  • PR #864: Fix ossec-logtest to chroot when testing check_diff rules
  • PR #870: Fix installer permissions on the etc/shared directory
  • PR #878: Fix version field to correctly report "2.9.0" instead of 2.8.3
  • PR #909: Bugfix for decoders.d/rules.d logtest
  • PR #920: Bugfixes for OS_IPFound, OS_IPFoundList, OS_IsValidIP
  • PR #923: Security fix for SQLi in al_data->location
  • PR #926: Rootcheck, updates for EL7
  • PR #945: Remove debug message
  • PR #986: Prevent manage_agents from chrooting in bulk mode

Pre-release

v2.9.0rc4

@atomicturtle released this Dec 20, 2016 · 281 commits to master since this release

Changelog

  • PR #986: Prevent manage_agents from chrooting in bulk mode

Pre-release

v2.9.0 RC3

@atomicturtle released this Sep 2, 2016 · 281 commits to master since this release

Changelog

  • PR #849: Format string security fix
  • PR #909: Bugfix for decoders.d/rules.d logtest
  • PR #920: Bugfixes for OS_IPFound, OS_IPFoundList, OS_IsValidIP
  • PR #923: Security fix for SQLi in al_data->location
  • PR #926: Rootcheck, updates for EL7
  • PR #945: Remove debug message

Pre-release

v2.9.0 RC2

@atomicturtle released this Jun 30, 2016 · 281 commits to master since this release

Changelog

  • PR #864: Fix ossec-logtest to chroot when testing check_diff rules
  • PR #870: Fix installer permissions on the etc/shared directory
  • PR #878: Fix version field to correctly report "2.9.0" instead of 2.8.3

Pre-release

v2.9.0 RC1

@atomicturtle released this Jun 17, 2016 · 281 commits to master since this release

Changelog

  • Fixed some memory leaks in analysisd
  • Fixed memory error in CDB list management
  • Fixed bug in logcollector that inhibited alerts about file reduction
  • Fixed compilation issue on Win32
  • Fix for the mysql/postgres insert condition
  • ossec_rules_list script: Attached GPLv2 license

Pre-release

v2.9.0beta06

@atomicturtle released this May 9, 2016 · 281 commits to master since this release

tag 2.9.0beta06

v2.9.0beta05

@atomicturtle released this Apr 22, 2016

Highlights in 2.9 beta05

  • Alert Output support for JSON and ZeroMQ
  • Syscheck improvements
    Report file deletion, even without realtime enabled
    Report modifications made on directories
    Corrects bug so that files created between the first and second scan are reported as new files
    Corrects bug that made changes reverting a file to the state it was in when ossec started unreported
    Avoids computing hashes multiple times to improve performance
    Make the time between two syscheck wakeups configurable in internal_options
    Add support for the “nodiff” option when using report_changes; sensitive files tagged with <nodiff> in ossec.conf will not have their contents included in an alert.
  • IPv6 support
  • Support to call an external mailer. This solves the problem of supporting encryption when sending mail alerts in OSSEC. The <smtp_server> field can now be prepended with “/” to designate a local binary. Example: “<smtp_server>/usr/sbin/sendmail -t</smtp_server>”.
  • Slack notification support

Changelog

Rules/Decoders

  • PR #572: Rules/Decoders, Better Dropbear events detection
  • PR #602: Rules/Decoders, Add dropbear_rules and unbound_rules
  • PR #604: Rules/Decoders, sid 5300 incorrectly alerts on OS X
  • PR #607: Rules/Decoders, Update syslog_rules for OSX false positive
  • PR #611: Rules/Decoders, Sysmon decoder update. This should better support Windows 2003 R2.
  • PR #643: Rules/Decoders, update to IIS decoder
  • PR #654: Rules/Decoders, update to the vsftpd decoder
  • PR #668: Rules/Decoders, Fix for Cisco PIX decoder, ms-se_rules.xml, msauth_rules.xml
  • PR #721: Rules/Decoders, Update for systemd rules to add support for new program_name, systemctl
  • PR #746: Rules/Decoders, Update to the apache decoders to handle Apache 2.4 events more gracefully
  • PR #755: Rules/Decoders, Update to ssh rules. Adds rules 5750-5753 to detect client, protocol, and hostkey events
  • PR #762: Rules/Decoders, Update to ssh rules. Associates 5751 with 5700 instead of 1002
  • PR #763: Rules/Decoders, Add rules for OpenBSD smtpd
  • PR #774: Rules/Decoders, Add OpenBSD smtpd rules
  • PR #787: Rules/Decoders, Update to OpenBSD smtpd decoder to not conflict with postfix
  • PR #786: Rules/Decoders, SSH Rule improvements
  • PR #799: Rules/Decoders, Add rule for users not in sudoers
  • PR #803: Rules/Decoders, Add additional sshd decoders for ssh-pam & ssh invalid auth requests

General

  • PR #2: Output, Adds ZeroMQ and JSON output support
  • PR #4: Authd, Bugfix for OpenSSL operations on a non-blocking socket
  • PR #563: IPv6 support
  • PR #599: Allow for the log format in proftpd 1.3.5+
  • PR #610: Execd, Reduce system load caused by simultaneous active response processes during ossec stop
  • PR #615: Agentd, Adds support for binding the source IP to the ‘local_ip’ config value. On a multihomed host, binding the agent to the correct IP was a big problem: by default agentd used the IP address of the interface from which packets were sent.
  • PR #617: Agentd, Add CLIENT to DEFINES for the winagent target. Bugfix for #595
  • PR #622: Fix for CVE-2015-3222
  • PR #631: Log a failure when ossec fails to remove a PID file
  • PR #652: Syscheck, add support for the “-t” flag to display XML parsing errors in agent.conf on agents
  • PR #657: Syscheck, Allows scanning of directories with a comma in the name, and lets directory check_something="no" options work. This means you can do instead of listing out all the ones you want to use.
  • PR #670: Syscheck, Bugfix for report_changes
  • PR #689: Maild, add support to call an external MTA to send alert emails. The smtp_server setting can now be written as “/usr/sbin/sendmail -t”
  • PR #690: Cleanup for building on OSX
  • PR #691: Adds support for syslog messages that prepend the year, e.g. “2015 Nov 13 ....”
  • PR #696: Bugfix for OpenBSD sendto() sockaddr length restrictions
  • PR #699: Encompassing only complete statements with conditional directives
  • PR #717: Active Response, add Slack (www.slack.com) notification support
  • PR #720: Fixes for the statfs error spam
  • PR #724: Authd, bugfix for issue #642. This brings ossec-authd into parity with whatever MAX_AGENTS is set to at build time
  • PR #726: Make syslog/cef output consistent with json/splunk and add a classification field to alerts
  • PR #727: Maild, Add support for “email_reply_to”. This allows configuring the Reply-To: field in email alerts sent from ossec-maild
  • PR #740: Remoted, bugfix for issue #739. Ossec will now report the agent ID of the agent that tries to connect
  • PR #744: Syscheck, Bugfix for issue #42, corrects an issue on Windows that would produce an incorrect hash
  • PR #749: Windows, Changed Makefile to use the Windows subsystem only with the UI manager
  • PR #750: Analysisd, Fixes glob() implementation bug, adds Hourly/Daily options to logcollector, improved defaults for analysisd diff alerts
  • PR #751: Add simple python rule updater script
  • PR #754: Install.sh, Bugfix for OpenBSD adduser support
  • PR #765: Syscheck, add “nodiff” support. Sensitive data may leak through the diff attached to alerts when some file changes. This pull request adds a nodiff option, which allows explicitly setting files for which we never want to output a diff.
  • PR #768: Analysisd, Bugfix for Issue #767, increase of value for stats
  • PR #770: Database support, Postgres support updates
  • PR #781: Syscheck, Bugfix for Issue #780
  • PR #788: System Audit, Add PCI DSS tags to RHEL/CentOS/Cloudlinux auditing tests
  • PR #789: Install.sh, Use ls for file existence checks, for cross-platform compatibility
  • PR #791: Syscheck, add /boot to default directories. Fix for Issue #675
  • PR #797: Rootcheck, Remove legacy rootcheck options
  • PR #798: System Audit, Add RHEL/CentOS/Cloudlinux 7 CIS benchmarks
  • PR #802: Database support, Allow for longer entries in the system information column

v2.8.3

@atomicturtle released this Oct 19, 2015 · 1877 commits to master since this release

Signed with new GPG key

Changelog

  • Adds additional error messages for chmod and mkstemp events
  • Bugfix: Fix off-by-one issues and tmp location in syscheckd
  • Bugfix: Windows build fixes
  • Bugfix: Windows event channel
  • Bugfix: Add the tmp dir to the win32 installer.
  • Bugfix: Fixing broken memory management in ossec alert decoder
  • Bugfix: Fix for hybrid mode

Affected versions: 2.7 - 2.8.1

Beginning in OSSEC 2.7 (d88cf1c) a feature called report_changes was
added to syscheck, the daemon that monitors file changes on a system.
This feature is only available on *NIX systems. Its purpose is to help
determine what about a file has changed. The logic to accomplish this
is as follows and can be found in src/syscheck/seechanges.c:

252 /* Run diff */
253 date_of_change = File_DateofChange(old_location);
254 snprintf(diff_cmd, 2048, "diff \"%s\" \"%s\" > \"%s/local/%s/diff.%d\" "
255     "2>/dev/null",
256     tmp_location, old_location,
257     DIFF_DIR_PATH, filename + 1, (int)date_of_change);
258 if (system(diff_cmd) != 256) {
259    merror("%s: ERROR: Unable to run diff for %s",
260           ARGV0,  filename);
261    return (NULL);
262 }

Above, on line 258, the system() call is used to shell out to the
system's diff command. The raw filename is passed in as an argument
which presents an attacker with the possibility to run arbitrary code.
Since the syscheck daemon runs as the root user so it can inspect any
file on the system for changes, any code run using this vulnerability
will also be run as the root user.

An example attack might be creating a file called foo-$(touch bar)
which should create another file bar.

Again, this vulnerability exists only on *NIX systems and is contingent
on the following criteria:

  1. A vulnerable version is in use.
  2. The OSSEC agent is configured to use syscheck to monitor the file
    system for changes.
  3. The list of directories monitored by syscheck includes those writable
    by underprivileged users.
  4. The report_changes option is enabled for any of those directories.

The fix for this is to create temporary trusted file names that symlink
back to the original files before calling system() and running the
system's diff command.

Beta04 with more of the good stuff

@jrossi released this Apr 25, 2015

2.9.0-beta04

Merging master->stable
