Ossec for IPFire

ummeegge
Community Developer
Posts: 4715
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » December 17th, 2018, 2:48 pm

Hi dnl,
dnl wrote:
December 17th, 2018, 10:36 am
Is it possible for me to pull the Wazuh agent component from your installer(s) and run only that on IPFire?

An agent always needs a master, so yes, it is possible to install a Wazuh agent, but you would also need a master somewhere (a hybrid installation is also possible).
dnl wrote:
December 17th, 2018, 10:36 am
I like the idea of Wazuh, but running all those components (as well as most IPFire features and ntopng) would use a lot of resources/power and open a very large attack surface on a router (even if all the services are isolated from the network, I still have to trust a lot more sources of software on my router).

In my tests Wazuh needed many more resources than OSSEC, especially on the master side with an ELK stack. ELK is not available from my side for IPFire.

Both components are products which focus on network but also host-based security (HIDS) and are open source, so the code is available for everyone to read. I know this might not be the best argument, since you might not have the time to read through all the lines of code to check for potential exploits or unwanted data collection, but how sure are you about IPSec, SSH, OpenVPN, Squid, ... in that respect? In recent years I haven't heard anything about serious security problems caused by OSSEC (mainly) and Wazuh (which I currently do not use).

Another one might be that some bigger companies, which probably have the resources/capabilities to research the code of projects like this one, also use it --> https://aws.amazon.com/de/blogs/securit ... instances/ --> https://image.slidesharecdn.com/nebulat ... 1463033772 ; Netflix, Apple and some others come to mind --> https://www.atomicorp.com/ossec-people- ... cast-ep-7/ . This gives me a little better trust in the functionality, but also in better code reviews and further project development, but who can be 100% sure of security on the internet in general?

IPFire provides everything which is needed to run OSSEC; there is no need to trust "a lot more sources" except OSSEC's source itself. Wazuh also comes with 3rd party extensions if wanted, which might, in my humble opinion, be interesting for big environments (policy specific obligations) and/or for those with the interest/proficiency to also handle the big data thing (ELK Stack). <-- I think this is nice to investigate for the interested ones, how much is meanwhile possible also for the small budget, but big companies should also be perfectly fine with a well-configured OSSEC installation in, again, my humble opinion.

Sorry for the long text :) .

If you are interested in this topic, I would recommend to RTFM :) and to test OSSEC first, since it also delivers the core functionality for Wazuh but needs fewer system resources than Wazuh and is less complex.

Best,

UE

dnl
Posts: 334
Joined: June 28th, 2013, 11:03 am

Re: Ossec for IPFire

Post by dnl » December 20th, 2018, 8:26 am

Hello ummeegge,

I'm sorry that I was not clear. You have not understood what I meant.

I'm after an agent package for Wazuh for IPFire as I intend to run a master elsewhere. Is that something you have packaged?

Also running *any* software is a risk. I have no concerns about Wazuh or the components that it is made of, I'm just saying that it's best to run as little software as possible on a security-sensitive system like a router (especially when that software does not have to run on the router).

Thanks again!

ummeegge
Community Developer
Posts: 4715
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » December 21st, 2018, 5:12 am

Hi dnl,
dnl wrote:
December 20th, 2018, 8:26 am
I'm after an agent package for Wazuh for IPFire as I intend to run a master elsewhere. Is that something you have packaged?

Yes, an agent package is provided.

Did an update to Wazuh 3.7.2 now but it is currently not up. I will build new versions only for 64bit, have dropped 32bit versions. If you want to test it on a 32bit platform, I would wait until you've downloaded the old one. If you use 64bit, I would update to the current version before then (OSSEC is already updated to the latest), so if you don't mind, just inform me.

Best,

UE

dnl
Posts: 334
Joined: June 28th, 2013, 11:03 am

Re: Ossec for IPFire

Post by dnl » December 22nd, 2018, 4:20 am

ummeegge wrote:
December 21st, 2018, 5:12 am
Yes, an agent package is provided.

Did an update to Wazuh 3.7.2 now but it is currently not up. I will build new versions only for 64bit, have dropped 32bit versions.
Thank you. I don't use 32bit Linux any longer.

ummeegge
Community Developer
Posts: 4715
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » December 22nd, 2018, 7:26 am

Update to OSSEC-3.1.0 and Wazuh-3.7.2 is up. 32bit versions are no longer supported, but the OSSEC installation now provides ARM platforms (testing and feedback there might be nice).

Best,

UE