Last week I attended my first OSSEC conference. I first blogged about OSSEC in 2007, and wrote other posts about it in the following years.
OSSEC is a host-based intrusion detection and log analysis system with correlation and active response features. It's cross-platform, such that I can run it on my Windows and Linux systems. The moving force behind the conference was a company local to me called Atomicorp.
In brief, I really enjoyed this one-day event. (I had planned to attend the workshop on the second day but my schedule didn't cooperate.) The talks were almost uniformly excellent and informative. I even had a chance to talk jiu-jitsu with OSSEC creator Daniel Cid, who despite hurting his leg managed to travel across the country to deliver the keynote.
I'd like to share a few highlights from my notes.
First, I had been worried that OSSEC was in some ways dead. I noticed that the Security Onion project had replaced OSSEC with a fork called Wazuh, which I learned is apparently pronounced "wazoo." To my delight, I learned OSSEC is decidedly not dead, and that Wazuh has been suffering stability problems. OSSEC has plenty of interesting development ahead of it, which you can track on their GitHub repo.
For example, the development roadmap includes eliminating Logstash from the pipeline used by many OSSEC users. OSSEC would feed directly into Elasticsearch. One speaker noted that Logstash has a 1.7 GB memory footprint, which astounded me.
On a related note, the OSSEC team is planning to create a new Web console, with a design goal to have it run in an "AWS t2.micro" instance. The team noted that the instance offers 2 GB of memory, which doesn't match what AWS says. Perhaps they meant t2.micro with 1 GB of memory, or t2.small with 2 GB. I think they mean t2.micro with 1 GB RAM, as that's the free tier. Either way, I'm excited to see this later in 2019.
Second, I thought the presentation by security personnel from USA Today offered an interesting insight. One design goal they had for monitoring their Google Cloud Platform (GCP) environment was to not install OSSEC on every container or on Kubernetes worker nodes. Several times during the conference, speakers noted that the transient nature of cloud infrastructure is directly antithetical to standard OSSEC usage, whereby OSSEC is installed on servers with long uptime and years of service. Instead, USA Today used OSSEC to monitor HTTP logs from the GCP load balancer, logs from Google Kubernetes Engine, and monitored processes by watching output from successive kubectl invocations.
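To make the "successive kubectl invocations" idea concrete, here is an added example of my own; it is not code from the OSSEC project, from Atomicorp, or from USA Today, and the talk did not describe their implementation at this level. It assumes the workloads are observed from outside the cluster by polling `kubectl get pods -A -o json`, that two consecutive snapshots are diffed, and that each change is emitted as a single JSON line that an OSSEC agent can pick up from a local log file. The two snapshots below are constructed sample data, trimmed to the Kubernetes API fields the diff actually reads.

```python
"""Diff successive `kubectl get pods -A -o json` snapshots into log events.

Added example (not OSSEC or USA Today code). Assumes an external poller runs
kubectl periodically and appends the emitted lines to a file that an OSSEC
agent reads as a local log source.
"""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample data: two trimmed snapshots of what consecutive
# `kubectl get pods -A -o json` invocations might return.
SNAPSHOT_T0 = {"items": [
    {"metadata": {"namespace": "web", "name": "frontend-7d9f-abc12"},
     "spec": {"nodeName": "gke-pool-1-node-a",
              "containers": [{"name": "nginx", "image": "nginx:1.15.8"}]},
     "status": {"phase": "Running"}},
    {"metadata": {"namespace": "web", "name": "api-5c4b-xyz98"},
     "spec": {"nodeName": "gke-pool-1-node-b",
              "containers": [{"name": "api", "image": "registry.example/api:42"}]},
     "status": {"phase": "Running"}},
]}

SNAPSHOT_T1 = {"items": [
    # Same pod name as before, but its image moved and a second container appeared.
    {"metadata": {"namespace": "web", "name": "frontend-7d9f-abc12"},
     "spec": {"nodeName": "gke-pool-1-node-a",
              "containers": [{"name": "nginx", "image": "nginx:1.16.0"},
                             {"name": "shell", "image": "busybox:latest"}]},
     "status": {"phase": "Running"}},
    # Ordinary rollout: the old api pod is gone, a new one with a new suffix replaces it.
    {"metadata": {"namespace": "web", "name": "api-5c4b-qq111"},
     "spec": {"nodeName": "gke-pool-1-node-b",
              "containers": [{"name": "api", "image": "registry.example/api:43"}]},
     "status": {"phase": "Running"}},
]}

Key = Tuple[str, str, str]  # (namespace, pod, container)


def index_containers(snapshot: dict) -> Dict[Key, dict]:
    """Flatten a pod list into {(ns, pod, container): {image, node, phase}}."""
    out: Dict[Key, dict] = {}
    for pod in snapshot.get("items", []):
        meta = pod["metadata"]
        for c in pod["spec"].get("containers", []):
            out[(meta["namespace"], meta["name"], c["name"])] = {
                "image": c["image"],
                "node": pod["spec"].get("nodeName", ""),
                "phase": pod.get("status", {}).get("phase", ""),
            }
    return out


def diff_snapshots(before: dict, after: dict) -> List[dict]:
    """Return one event per container that appeared, vanished or changed image.

    A rollout shows up as a removed plus an added container under different
    pod names; that is expected churn a rule set would score low. A container
    added to a pod name that already existed, or an image change without a
    pod rename, is the kind of drift worth a higher-level rule.
    """
    a, b = index_containers(before), index_containers(after)
    events: List[dict] = []
    for key in sorted(set(a) | set(b)):
        ns, pod, ctr = key
        if key in a and key not in b:
            events.append({"event": "container_removed", "namespace": ns, "pod": pod,
                           "container": ctr, "image": a[key]["image"], "node": a[key]["node"]})
        elif key not in a and key in b:
            pod_existed = any(k[:2] == key[:2] for k in a)  # injected into a known pod?
            events.append({"event": "container_added", "namespace": ns, "pod": pod,
                           "container": ctr, "image": b[key]["image"], "node": b[key]["node"],
                           "pod_existed": pod_existed})
        elif a[key]["image"] != b[key]["image"]:
            events.append({"event": "image_changed", "namespace": ns, "pod": pod, "container": ctr,
                           "old_image": a[key]["image"], "new_image": b[key]["image"]})
    return events


def to_log_lines(events: Iterable[dict], source: str = "kubectl-watch") -> List[str]:
    """Render events as one JSON object per line for a file-based log collector."""
    return [json.dumps({"source": source, **e}, sort_keys=True) for e in events]


if __name__ == "__main__":
    for line in to_log_lines(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)):
        print(line)
```

Run in a loop, replacing the constructed snapshots with the parsed output of real kubectl calls, this yields a stream the agent can tail without anything being installed on the nodes or inside the containers, which is the property the USA Today team was after. The `pod_existed` flag is what lets a rule separate a new pod from a rollout and a container that was added to a pod that was already running.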
Third, a speaker from Red Hat brought my attention to an aspect of containers that I had not considered. Docker and containers have made software testing and deployment a lot easier for everyone. However, those who provide containers have effectively become Linux distribution maintainers. In other words, who is responsible when a security or configuration vulnerability in a Linux component is discovered? Will the container maintainers be responsive?
Another speaker emphasized the difference between "security of the cloud," provided by cloud providers, and "security in the cloud," which is supposed to be the customer's responsibility. This makes sense from a technical point of view, but I expect that in the long term this differentiation will not be tenable from a business or legal point of view.
Customers are not going to have the skills or interest to secure their software in the cloud, as they outsource ever more technical expertise to the cloud providers and their infrastructure. I expect cloud providers to continue to develop, acquire, and offer more security services, and accelerate their competition on a "complete security environment."
I look forward to more OSSEC development and future conferences.