security

In which he authors a book on OSSEC

7 minute read Published: 2013-08-04

In 2004, when I was starting a new job at the National Institute on Aging's Intramural Research Program I began evaluating products to meet FISMA requirements for file integrity monitoring. We already purchased a copy of Tripwire, but I was being driven mad by the volume of alerting from the system. I wanted something open source. I wanted something that would save me time, rather than waste 2 hours a day clicking through a GUI confirming file changes caused by system updates and daily operations.

At the time, I found two projects: Samhain and OSSEC-HIDS. Samhain is a great project that does one thing and does that one thing very well. However, I was buried in a mountain of FISMA compliance requirements and OSSEC offered more than file integrity monitoring; OSSEC offered a framework for distributed analysis of logs, file changes, and other anomalous events in the same open source project.

I now work at Booking.com and manage one of the world's largest distributions of OSSEC-HIDS. My team and I are active contributors to the OSSEC Community. After nearly a decade of experience deploying, managing, and extracting value from OSSEC, I was approached to write a book introducing new users to OSSEC. After 6 months of work, the book has been published!

Instant OSSEC Host-based Intrusion Detection

OSSEC HIDS Extension - Accumulator

5 minute read Published: 2012-11-26

If you haven't looked at OSSEC HIDS, here's the overview:

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

OSSEC is a great product, but I ran into an issue when attempting to fulfill a require for PCI-DSS which involved reviewing our LDAP logs. I knew OSSEC would make this simple. I started writing a rule and realized I had hit a significant roadblock. OpenLDAP logs events as they happen and only logs data relevant to that particular event. A connect event has the ports and IPs, and the bind event contains the username, but only the connection id is the same in the two events.

Using a ProxyCommand to Leap Frog Your Bastions

5 minute read Published: 2012-10-15

I do most of my work over SSH. Even when I'm working in my browser or pgAdminIII, I'm usually doing that over SSH tunnels. VPN Software has been around for quite some time and it's still mostly disappointing and usually run by the least competent group in any IT department. I developed a workflow using SSH from my laptop, either on the corporate network or at home, I can ssh /directly/ to the server I'm interested in working on.

In order to accomplish this, I have made some compromises. First off, if I'm SSH-ing from my home, I am /required/ to type the fully qualified domain names (FQDN) when workign remotely. I use the presence of the domain name to activate the proper leap frogging. I also decided to use ControlMaster's with SSH that can leave me with a terminal without a prompt when I forget which shell is my master. Overall, the pros outweigh the cons and I'm more productive because of it.

Statistics, Risk Analysis, and Misunderstandings

2 minute read Published: 2010-06-11

I married a Statistician, so this article sums the lectures I receive on a daily basis. Risk Management is statistical analysis, and I'm not sure how many folks in IT Security have Graduate level Stat exposure. So, the understanding of our statistical shortcomings is key. You need to read that entire article, twice.


find me: