OSSEC agent not reporting to the OSSEC server after an OS reinstall

At the author's office every server and client application is managed by Puppet. There is currently a project to build a new Puppet profile for all the applications and configuration the office needs on CentOS 6.2 Desktop. So OSSEC is managed by Puppet from installation through configuration, including generating the keys for the OSSEC agent.

Once the CentOS 6.2 desktop profile was finished, provisioning and configuration management came into play in the testing environment. Installation done, Puppet run; all that was left was to read the Puppet log and see whether our Puppet script had done its job. Checking OSSEC, everything looked fine: installation, configuration, and key generation for the agent, with the key matching the one on the OSSEC server. Time to test OSSEC. Before getting anywhere near detailed testing, the author simply had a user type a wrong password: the OSSEC agent reported nothing at all.

Come on, let's trace it. Step one is to look at our faithful friend, the log file (/var/ossec/logs/ossec.log on the agent) =D :

[root@unixhat logs]# less ossec.log 
2012/02/20 15:51:14 ossec-execd: INFO: Started (pid: 6766).
2012/02/20 15:51:14 ossec-agentd(1410): INFO: Reading authentication keys file.
2012/02/20 15:51:14 ossec-agentd: INFO: No previous counter available for 'unixhat'.
2012/02/20 15:51:14 ossec-agentd: INFO: Assigning counter for agent unixhat: '0:0'.
2012/02/20 15:51:14 ossec-agentd: INFO: Assigning sender counter: 0:9
2012/02/20 15:51:14 ossec-agentd: INFO: Started (pid: 6770).
2012/02/20 15:51:14 ossec-agentd: INFO: Server IP Address: 192.168.1.3
2012/02/20 15:51:14 ossec-agentd: INFO: Trying to connect to server (192.168.1.3:1514).
2012/02/20 15:51:14 ossec-agentd: INFO: Using IPv4 for: 192.168.1.3 .
2012/02/20 15:51:14 ossec-rootcheck: System audit file not configured.
2012/02/20 15:51:20 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2012/02/20 15:51:20 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2012/02/20 15:51:20 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2012/02/20 15:51:20 ossec-logcollector: INFO: Started (pid: 6773).
2012/02/20 15:51:20 ossec-syscheckd: INFO: Started (pid: 6777).
2012/02/20 15:51:20 ossec-rootcheck: INFO: Started (pid: 6777).
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib64'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/lib64'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/lib'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/bin'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/sbin'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/lib64'.
2012/02/20 15:51:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/lib'.
2012/02/20 15:51:35 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.3'.
2012/02/20 15:51:37 ossec-agentd: INFO: Trying to connect to server (192.168.1.3:1514).
2012/02/20 15:51:37 ossec-agentd: INFO: Using IPv4 for: 192.168.1.3 .
2012/02/20 15:51:58 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.3'.
2012/02/20 15:52:18 ossec-agentd: INFO: Trying to connect to server (192.168.1.3:1514).
2012/02/20 15:52:18 ossec-agentd: INFO: Using IPv4 for: 192.168.1.3 .
2012/02/20 15:52:39 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.3'.
2012/02/20 15:53:14 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/02/20 15:53:14 ossec-syscheckd: WARN: Process locked. Waiting for permission...
2012/02/20 15:53:17 ossec-agentd: INFO: Trying to connect to server (192.168.1.3:1514).
2012/02/20 15:53:17 ossec-agentd: INFO: Using IPv4 for: 192.168.1.3 .
2012/02/20 15:53:30 ossec-logcollector: WARN: Process locked. Waiting for permission...
2012/02/20 15:53:38 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.3'.
2012/02/20 15:54:34 ossec-agentd: INFO: Trying to connect to server (192.168.1.3:1514).
2012/02/20 15:54:34 ossec-agentd: INFO: Using IPv4 for: 192.168.1.3 .
2012/02/20 15:54:55 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.3'.
2012/02/20 15:56:09 ossec-agentd: INFO: Trying to connect to server (192.168.1.3:1514).
2012/02/20 15:56:09 ossec-agentd: INFO: Using IPv4 for: 192.168.1.3 .
2012/02/20 15:56:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.3'.

Look closely: the last lines show clearly that the client keeps trying to connect to the server,

2012/02/20 15:56:09 ossec-agentd: INFO: Trying to connect to server (192.168.1.3:1514).
2012/02/20 15:56:09 ossec-agentd: INFO: Using IPv4 for: 192.168.1.3 .
2012/02/20 15:56:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.3'.


but the server never answers. Hmm, why not? Note that "Waiting for server reply (not started)" only tells us the agent sent its startup message and got nothing back within the timeout; from the agent side it cannot tell whether the packet was blocked, the key was wrong, or the server received the message and threw it away. Let's look further up the log. Anything catch your eye? This part looks interesting:

2012/02/20 15:51:14 ossec-agentd: INFO: No previous counter available for 'unixhat'.
2012/02/20 15:51:14 ossec-agentd: INFO: Assigning counter for agent unixhat: '0:0'.
2012/02/20 15:51:14 ossec-agentd: INFO: Assigning sender counter: 0:9

Let's find out what a counter means in OSSEC by cracking open the source code =D. After some digging the answer seems to be in src/os_crypto/shared/msgs.c; look at the following lines:


void OS_StartCounter(keystore *keys)
{
    int i;
    char rids_file[OS_FLSIZE +1];

    rids_file[OS_FLSIZE] = '\0';
   

    debug1("%s: OS_StartCounter: keysize: %d", __local_name, keys->keysize);
   
   
    /* Starting receiving counter.
     * One pass per key entry: entry i holds the counter of the last message
     * accepted from peer i, stored in a rids file named after that peer's id.
     * The extra pass at i == keysize loads this host's own send counter
     * (the sender_counter file). */
    for(i = 0; i<=keys->keysize; i++)
    {
        /* On i == keysize, we deal with the
         * sender counter.
         */
        if(i == keys->keysize)
        {
            snprintf(rids_file, OS_FLSIZE, "%s/%s",
                                            RIDS_DIR,
                                            SENDER_COUNTER);
        }
        else
        {
            snprintf(rids_file, OS_FLSIZE, "%s/%s",
                                           RIDS_DIR,
                                           keys->keyentries[i]->id);
        }

        keys->keyentries[i]->fp = fopen(rids_file, "r+");

        /* If nothing is there, try to open as write only.
         * A freshly installed host has no rids files at all, so this branch
         * creates an empty one and the counters implicitly stay at 0:0. */
        if(!keys->keyentries[i]->fp)
        {
            keys->keyentries[i]->fp = fopen(rids_file, "w");
            if(!keys->keyentries[i]->fp)
            {
                int my_error = errno;
               
                /* Just in case we run out of file descriptiors */
                if((keys->keyentries[i -1]->fp) && (i > 10))
                {
                    fclose(keys->keyentries[i -1]->fp);

                    if(keys->keyentries[i -2]->fp)
                    {
                        fclose(keys->keyentries[i -2]->fp);
                    }
                }

                merror("%s: Unable to open agent file. errno: %d",
                       __local_name, my_error);
                ErrorExit(FOPEN_ERROR, __local_name, rids_file);
            }
        }
        else
        {
            /* The file holds plain text "global:local"; an empty or
             * malformed file is treated as 0:0 below. */
            unsigned int g_c = 0, l_c = 0;
            if(fscanf(keys->keyentries[i]->fp,"%u:%u", &g_c, &l_c) != 2)
            {
                if(i == keys->keysize)
                {
                    verbose("%s: INFO: No previous sender counter.", __local_name);
                }
                else
                {
                    verbose("%s: INFO: No previous counter available for '%s'.",
                                            __local_name,
                                            keys->keyentries[i]->name);
                }
               
                g_c = 0;
                l_c = 0;
            }

            if(i == keys->keysize)
            {
                verbose("%s: INFO: Assigning sender counter: %d:%d",
                            __local_name, g_c, l_c);
                global_count = g_c;
                local_count = l_c;
            }
            else
            {
                verbose("%s: INFO: Assigning counter for agent %s: '%d:%d'.",
                            __local_name, keys->keyentries[i]->name, g_c, l_c);
                           
                keys->keyentries[i]->global = g_c;
                keys->keyentries[i]->local = l_c;
            }
        }
    }

    debug2("%s: DEBUG: Stored counter.", __local_name);

    /* Getting counter values */
    if(_s_recv_flush == 0)
    {
        _s_recv_flush = getDefine_Int("remoted",
                                      "recv_counter_flush",
                                      10, 999999);
    }

    /* Average printout values */
    if(_s_comp_print == 0)
    {
        _s_comp_print = getDefine_Int("remoted",
                                      "comp_average_printout",
                                      10, 999999);
    }


    _s_verify_counter = getDefine_Int("remoted", "verify_msg_id" , 0, 1);
}


Got it now? It turns out the OSSEC counter is a mechanism to protect against replay attacks. Every message the server and the agent exchange carries a global:local counter. The receiving side keeps the last counter it accepted from each peer in ../ossec/queue/rids/<id> and its own send counter in ../ossec/queue/rids/sender_counter, and a message whose counter is not higher than the stored one is discarded as a duplicate (the comparison itself lives in ReadSecMSG in the same file; the verify_msg_id lookup at the end of OS_StartCounter shows it can be switched off with remoted.verify_msg_id in etc/internal_options.conf). That explains our log: the reinstalled agent starts with no rids files at all ("No previous counter available", sender counter 0:9), while the server still holds the much higher counter it last accepted from agent 409030 before the reinstall, so every message from the agent is dropped and the agent only ever sees "Waiting for server reply". The quickest way to confirm this is on the server, where /var/ossec/logs/ossec.log shows ossec-remoted(1407): ERROR: Duplicated counter for 'unixhat'. for each dropped message.
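To make the counter rule concrete, here is a small model of the check, written for this post and not taken from OSSEC's source: it parses the "global:local" text the rids files use, applies the strictly-greater comparison to a stream of agent messages, and replays the situation above (server still holding an old counter, then the server-side file removed). The server-side value 7:1203 and the function and type names (struct counter, rids_parse, counter_accept, messages_accepted) are made up for the example; 0:9 is the agent's sender counter from the first log.

```c
#include <stdio.h>

/* Constructed example (not OSSEC code): a model of the counter check that
 * ossec-remoted/ossec-agentd apply to every message, using the same
 * "global:local" text format as the files in /var/ossec/queue/rids/.
 * The names below (struct counter, rids_parse, counter_accept,
 * messages_accepted) are hypothetical. */

struct counter {
    unsigned global;
    unsigned local;
};

/* Parse the text of a rids file ("%u:%u"). A missing (NULL), empty or
 * malformed file yields 0:0, which is what OS_StartCounter does when
 * fscanf() cannot read two numbers ("No previous counter available").
 * Returns 1 if a stored counter was found, 0 if the peer is treated as new. */
int rids_parse(const char *text, struct counter *out)
{
    unsigned g = 0, l = 0;
    if (text != NULL && sscanf(text, "%u:%u", &g, &l) == 2) {
        out->global = g;
        out->local = l;
        return 1;
    }
    out->global = 0;
    out->local = 0;
    return 0;
}

/* The anti-replay rule: accept a message only if its counter is strictly
 * greater than the last one accepted from that peer, comparing global first,
 * then local. On acceptance the stored counter advances (this is what later
 * gets written back to the rids file); otherwise the message is dropped as a
 * duplicate and the stored value is left untouched. */
int counter_accept(struct counter *stored, struct counter msg)
{
    if (msg.global > stored->global ||
        (msg.global == stored->global && msg.local > stored->local)) {
        *stored = msg;
        return 1;
    }
    return 0;
}

/* Replay the post's scenario: the server loads its rids file for the agent,
 * then the freshly reinstalled agent sends n messages starting at agent_first,
 * each one bumping the local counter (a simplification: the real sender also
 * rolls the local counter over into the global one). Returns how many of the
 * n messages the server accepts. */
int messages_accepted(const char *server_rids, struct counter agent_first, int n)
{
    struct counter stored;
    struct counter msg = agent_first;
    int accepted = 0;
    int i;

    rids_parse(server_rids, &stored);
    for (i = 0; i < n; i++) {
        accepted += counter_accept(&stored, msg);
        msg.local++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed server-side value: the post never shows the server's rids
     * file, so 7:1203 simply stands for "what the server last accepted before
     * the reinstall". 0:9 is the agent's sender counter from the first log. */
    const char *server_before = "7:1203";
    struct counter agent_start = { 0, 9 };

    printf("server still holds %s: %d of 5 agent messages accepted\n",
           server_before, messages_accepted(server_before, agent_start, 5));

    /* After rm /var/ossec/queue/rids/409030 on the server the file is gone,
     * rids_parse() falls back to 0:0 and the agent's messages are fresh again. */
    printf("server rids file removed: %d of 5 agent messages accepted\n",
           messages_accepted(NULL, agent_start, 5));
    return 0;
}
```

The second run is the whole fix in one line: once the server no longer remembers a higher counter for agent 409030, the low counters the reinstalled agent sends are "newer" than 0:0 and get through. Removing only the agent-side file would not change the server's decision, which is why the server-side file is the one that matters.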

Alhamdulillah, we know the root cause. Resolving it is now simple: find the agent id in ../ossec/queue/rids/ and delete that counter file on both the OSSEC server and the OSSEC agent, so both sides start counting that peer from 0:0 again and the replay check passes. Stop OSSEC on each host before deleting, since the running daemon keeps the file open and writes the counter back to it. Do not touch sender_counter on the server: that is the counter the server uses for every agent, and resetting it would make all of them start discarding the server's messages.

1. First, on the OSSEC agent, delete the rids file named after the agent id in /var/ossec/queue/rids/ (the agent's own sender_counter can stay):


[root@unixhat ~]# ls -l /var/ossec/queue/rids/
total 8
-rw-r--r--. 1 ossec ossec 4 Feb 21 13:11 409030
-rw-r--r--. 1 ossec ossec 8 Feb 24 16:41 sender_counter
[root@unixhat ~]# rm /var/ossec/queue/rids/409030

2. Now that we know the number is 409030, go to the OSSEC server and delete the same file there, in /var/ossec/queue/rids/:
[root@unixhat server ~]# rm /var/ossec/queue/rids/409030

3. Restart the OSSEC agent and the OSSEC server (/var/ossec/bin/ossec-control restart on each host).

Let's look at the OSSEC agent log again; here is the result:

2012/02/21 13:11:43 ossec-execd: INFO: Started (pid: 13004).
2012/02/21 13:11:43 ossec-agentd(1410): INFO: Reading authentication keys file.
2012/02/21 13:11:43 ossec-agentd: INFO: No previous counter available for 'unixhat'.
2012/02/21 13:11:43 ossec-agentd: INFO: Assigning counter for agent unixhat: '0:0'.
2012/02/21 13:11:43 ossec-agentd: INFO: Assigning sender counter: 4:439
2012/02/21 13:11:43 ossec-agentd: INFO: Started (pid: 13008).
2012/02/21 13:11:43 ossec-agentd: INFO: Server IP Address: 192.168.1.3
2012/02/21 13:11:43 ossec-agentd: INFO: Trying to connect to server (192.168.1.3:1514).
2012/02/21 13:11:43 ossec-agentd: INFO: Using IPv4 for: 192.168.1.3 .
2012/02/21 13:11:43 ossec-rootcheck: System audit file not configured.
2012/02/21 13:11:44 ossec-agentd(4102): INFO: Connected to the server (192.168.1.3:1514).
2012/02/21 13:11:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2012/02/21 13:11:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2012/02/21 13:11:49 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2012/02/21 13:11:49 ossec-logcollector: INFO: Started (pid: 13012).
2012/02/21 13:11:49 ossec-syscheckd: INFO: Started (pid: 13016).
2012/02/21 13:11:49 ossec-rootcheck: INFO: Started (pid: 13016).
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib64'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/lib64'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/lib'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/bin'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/sbin'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/lib64'.
2012/02/21 13:11:49 ossec-syscheckd: INFO: Monitoring directory: '/usr/local/lib'.
2012/02/21 13:13:43 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2012/02/21 13:13:43 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).

Notice the following line:
2012/02/21 13:11:44 ossec-agentd(4102): INFO: Connected to the server (192.168.1.3:1514).

Alhamdulillah, this shows the OSSEC agent is now connected to the OSSEC server (note also that the agent kept its sender counter, now 4:439, while the server's stored counter for it was reset, so nothing is duplicated). On the server, /var/ossec/bin/agent_control -l should now list the agent as Active. Go ahead and try a failed login; the alert should show up in /var/ossec/logs/alerts/alerts.log on the server.