Agentless Monitoring

Applies to Product: USM Appliance™ AlienVault OSSIM®

AlienVault HIDS allows you to run integrity checking without installing agents on hosts, network devices, routers, firewalls, or switches. Agentless monitoring detects checksum changes in files, or runs diffs to show exactly what has changed.

Prerequisites

Before enabling agentless monitoring, make sure you have done the following:

  • Open the SSH daemon on your device listening on TCP port 22.
  • Set up firewall rules to allow SSH traffic between USM Appliance and your device.

AlienVault HIDS runs checks periodically, communicating with monitored devices through TCP port 22 using the SSH protocol.

Enabling Agentless Monitoring

To enable agentless monitoring

  1. Go to Environment > Detection > Agentless.
  2. To add a new host you want to monitor, click New towards the right.
  3. Fill out the Agentless Data Configuration information on the left.
  4. Fill out the Monitoring Entries Options information on the right, then click Add.

    Monitoring entries options

    Each field is listed with its Values, an Explanation, and the Supported Arguments by Type.

    • Type
      Values: Integrity Check BSD, Integrity Check Linux, Generic Command Diff, Cisco Config Check, Foundry Config Check, ASA FWSM Config Check.
      Explanation and supported arguments for each value:
      • Integrity Check BSD: performs BSD-specific integrity checking on folders.
        Supported arguments: a folder to monitor, for example /bin or /etc/sbin.
      • Integrity Check Linux: performs Linux-specific integrity checking on folders.
        Supported arguments: a folder to monitor, for example /bin or /etc/sbin.
      • Generic Command Diff: runs the command you specify and creates an event if its output changes.
        Supported arguments: a command whose output you want to compare, for example ls -la /etc or cat /etc/passwd.
      • Cisco Config Check: checks device configuration using Cisco-compatible commands.
        Supported arguments: leave it empty.
      • Foundry Config Check: checks device configuration using Foundry-compatible commands.
        Supported arguments: leave it empty.
      • ASA FWSM Config Check: checks device configuration using Cisco ASA-compatible commands.
        Supported arguments: leave it empty.

    • Frequency
      Values: 86400 (default).
      Explanation: how often AlienVault HIDS runs the checks, in seconds.
      Supported arguments: N/A.

    • Arguments
      Values: for example /bin or /etc/sbin.
      Explanation: the argument that corresponds to the type of check you select; see the supported arguments listed under each Type value above.
      Supported arguments: N/A.

    Important: USM Appliance can only process one argument for every entry. If you need to run multiple commands, put them in separate entries. The added entries appear in Monitoring Entries Added.

  5. Click Update.

    Agentless page for HIDS.

  6. To apply your changes immediately, click HIDS Control, and then Restart.

    This starts the agentless service in the AlienVault HIDS.
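The two check types that carry arguments, Integrity Check (checksum changes in a folder) and Generic Command Diff (an event when a command's output changes), can be modelled without the appliance. The following is an added example, not AlienVault or OSSEC code: it keeps one argument per entry as step 4 requires, decides which entries are due from their Frequency, computes SHA-256 checksums of a constructed folder, and produces a unified diff of constructed command output. The names Entry, entries_for, is_due and the check-type labels are this example's own, and the SSH transport the appliance uses is replaced by in-memory sample data.

```python
# Added example (not AlienVault or OSSEC code): a model of what an agentless
# "Integrity Check" and "Generic Command Diff" entry does when its check runs.
# All names here (Entry, is_due, check-type labels) are this example's own;
# the SSH transport the appliance uses is replaced by constructed sample data.
import difflib
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Entry:
    check_type: str            # "integrity" or "command_diff" (labels assumed here)
    argument: str              # exactly one folder or one command per entry
    frequency: int = 86400     # seconds between runs; the documented default
    last_run: int = 0          # epoch seconds of the previous run (constructed)


def entries_for(check_type, arguments, frequency=86400):
    """One Entry per argument, because the appliance processes only one
    argument per entry (a list such as ["/bin", "/etc/sbin"] becomes two)."""
    return [Entry(check_type, arg, frequency) for arg in arguments]


def is_due(entry, now):
    """A check is due once at least `frequency` seconds have passed."""
    return now - entry.last_run >= entry.frequency


def folder_checksums(folder):
    """Integrity check: SHA-256 of every regular file under the folder,
    keyed by path relative to the folder."""
    sums = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                sums[os.path.relpath(path, folder)] = hashlib.sha256(fh.read()).hexdigest()
    return sums


def integrity_events(baseline, current):
    """Compare two checksum snapshots and describe each change as an event."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            events.append(f"deleted: {path}")
        elif path not in baseline:
            events.append(f"added: {path}")
        elif baseline[path] != current[path]:
            events.append(f"checksum changed: {path}")
    return events


def command_diff_event(command, previous_output, current_output):
    """Generic Command Diff: no event while the output is unchanged; otherwise
    return a unified diff showing exactly what changed."""
    if previous_output == current_output:
        return None
    diff = difflib.unified_diff(
        previous_output.splitlines(), current_output.splitlines(),
        fromfile=f"{command} (previous)", tofile=f"{command} (current)", lineterm="")
    return "\n".join(diff)


def demo():
    now = 2 * 86400
    # A daily integrity entry that is due, and an hourly diff entry that ran 10 minutes ago.
    entries = entries_for("integrity", ["/bin"]) + [Entry("command_diff", "cat /etc/passwd", 3600)]
    entries[0].last_run = now - 86400
    entries[1].last_run = now - 600
    due = [e.argument for e in entries if is_due(e, now)]

    # Constructed folder standing in for /bin: take a baseline, then tamper with it.
    with tempfile.TemporaryDirectory() as folder:
        for name in ("login", "sshd"):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"original binary contents")
        baseline = folder_checksums(folder)
        with open(os.path.join(folder, "sshd"), "wb") as fh:
            fh.write(b"modified binary contents")
        with open(os.path.join(folder, "rogue"), "wb") as fh:
            fh.write(b"unexpected new file")
        events = integrity_events(baseline, folder_checksums(folder))

    # Constructed command output: a new account appears in /etc/passwd.
    previous = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
    current = previous + "backup:x:1001:1001::/var/backup:/bin/sh\n"
    return {
        "due": due,
        "integrity_events": events,
        "command_diff": command_diff_event("cat /etc/passwd", previous, current),
        "unchanged": command_diff_event("cat /etc/passwd", previous, previous),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints which entry is due, the two integrity events (one added file, one changed checksum) and the diff line for the new account; an unchanged command output yields no event at all, which is why a Generic Command Diff entry stays quiet until something on the device actually changes.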

Verifying the Agentless Deployment on USM Appliance

You can verify that you have successfully deployed the agentless monitoring in the following ways:

  • On Environment > Detection > Agentless, the status of the host displays a green check mark and Agentless Status displays Running.

    Agentless page with agentless status.

  • On Environment > Detection > HIDS Control, make sure that you see "Agentless is running" in green.

    HIDS Control page that shows Agentless is running.

  • On Environment > Detection > HIDS Control > HIDS Log, make sure that you see the periodic checks performed.

    HIDS Log page showing periodic checks.

  • On Analysis > Security Events (SIEM), make sure that you see events coming from the monitored host or device.

    SIEM page showing events from the monitored host or device.

    AlienVault OSSIM Limitations: Both AlienVault OSSIM and the USM Appliance HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that USM Appliance and AlienVault OSSIM provide. However, AlienVault OSSIM lacks the depth of NIDS information that is provided to USM Appliance through the Threat Intelligence Updates.