Applies to Product: USM Appliance™, AlienVault OSSIM®
AlienVault HIDS can run integrity checks against hosts, network devices, routers, firewalls, and switches without installing an agent on them. Agentless monitoring detects checksum changes in monitored files, or runs diffs to show exactly what changed in a file or in a command's output.
Before enabling agentless monitoring, make sure you have done the following:
- Make sure the SSH daemon on the device is running and listening on TCP port 22.
- Set up firewall rules to allow SSH traffic between USM Appliance and the device.
AlienVault HIDS runs the checks periodically, connecting to each monitored device over SSH on TCP port 22.
Enabling Agentless Monitoring
To enable agentless monitoring
- Navigate to Environment > Detection > Agentless.
- To add a new host you want to monitor, click New towards the right.
- Fill out the Agentless Data Configuration information on the left.
- Fill out the Monitoring Entries Options information on the right, then click Add.
Monitoring entries options
Type: the kind of check to run. The arguments the entry accepts depend on the type:
- Integrity Check BSD: performs BSD-specific integrity checking on folders. Argument: list of folders to monitor.
- Integrity Check Linux: performs Linux-specific integrity checking on folders. Argument: list of folders to monitor.
- Generic Command Diff: runs the command you specify and creates an event if its output changes. Argument: the command whose output you want to compare, for example `ls -la /etc` or `cat /etc/passwd`.
- Cisco Config Check: checks device configuration using Cisco-compatible commands. Leave the argument empty.
- Foundry Config Check: checks device configuration using Foundry-compatible commands. Leave the argument empty.
- ASA FWSM Config Check: checks device configuration using Cisco ASA-compatible commands. Leave the argument empty.
Frequency: how often AlienVault HIDS runs the checks, in seconds. Default 86400 (once a day). Takes no arguments.
Arguments: the arguments that correspond to the type of check you select (see the list above), for example /bin /etc/sbin for an integrity check.
Important: USM Appliance can only process one argument for every entry. If you need to run multiple commands, put them in separate entries. The added entries appear under Monitoring Entries Added.
To apply your changes immediately, click HIDS Control, and then Restart.
This restarts AlienVault HIDS and starts the agentless service with the entries you added.
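To make concrete what a Generic Command Diff entry does on every run, and what the SSH prerequisites above are for, here is an added shell example; it is not code from the AlienVault page or product. The names BASELINE_DIR, run_remote, check_ssh_reachable and agentless_diff_check are assumptions made for this example, and run_remote returns constructed /etc/passwd lines instead of really connecting over SSH, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the AlienVault page or product): a minimal
# re-creation of the "Generic Command Diff" check, showing what the HIDS
# does each cycle: run a command on the device, keep the output as a
# baseline, and raise an event with a diff when the output changes.
#
# Assumptions: BASELINE_DIR, run_remote, check_ssh_reachable and
# agentless_diff_check are hypothetical names chosen for this example.

# Fresh scratch directory per run unless the caller provides one.
BASELINE_DIR="${BASELINE_DIR:-$(mktemp -d)}"

# Prerequisite from the page: the device must accept SSH on TCP 22.
# Usage: check_ssh_reachable monitor@192.0.2.10   (needs real network access;
# BatchMode=yes makes a missing key fail fast instead of prompting)
check_ssh_reachable() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 -p 22 "$1" true >/dev/null 2>&1
}

# Constructed stand-in for "ssh user@device '<command>'" so the example runs
# offline. DEMO_STATE=after simulates a UID-0 account added to /etc/passwd.
run_remote() {
    case "$1" in
        "cat /etc/passwd")
            printf 'root:x:0:0:root:/root:/bin/bash\n'
            printf 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n'
            if [ "${DEMO_STATE:-before}" = "after" ]; then
                printf 'svcacct:x:0:0::/root:/bin/bash\n'   # constructed: extra UID 0
            fi
            ;;
        *)
            printf 'demo: unsupported command: %s\n' "$1" >&2
            return 1
            ;;
    esac
}

# One check cycle for a single command (one argument per entry, as the page
# notes). Return codes: 0 = unchanged or baseline just created,
# 2 = output changed (the HIDS would emit an event), 1 = command failed.
agentless_diff_check() {
    cmd="$1"
    mkdir -p "$BASELINE_DIR"
    key=$(printf '%s' "$cmd" | cksum | cut -d' ' -f1)   # filename-safe key per command
    base="$BASELINE_DIR/$key.base"
    new="$BASELINE_DIR/$key.new"
    if ! run_remote "$cmd" > "$new"; then
        rm -f "$new"
        return 1
    fi
    if [ ! -f "$base" ]; then
        mv "$new" "$base"
        echo "baseline stored for '$cmd'"
        return 0
    fi
    if cmp -s "$base" "$new"; then
        rm -f "$new"
        echo "no change for '$cmd'"
        return 0
    fi
    echo "EVENT: output of '$cmd' changed"
    diff -u "$base" "$new" || true    # diff exits 1 when the files differ
    mv "$new" "$base"                 # the new output becomes the next baseline
    return 2
}

# Stand-alone demo: the first run stores the baseline, the second is quiet,
# the third (after the simulated change) prints the added UID-0 line.
agentless_diff_check "cat /etc/passwd" || true
agentless_diff_check "cat /etc/passwd" || true
DEMO_STATE=after
agentless_diff_check "cat /etc/passwd" || true
```

In a real deployment run_remote would be the SSH call itself, using a dedicated low-privilege account with key-based authentication on the device and a firewall rule that only allows the USM Appliance address to reach port 22; the diff printed on a change is the same information the HIDS puts into the resulting event, which is why `cat /etc/passwd` is a useful entry for catching added accounts.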
Verifying the Agentless Deployment on USM Appliance
You can verify that you have successfully deployed agentless monitoring in the following ways:
- On Environment > Detection > Agentless, the status of the host shows a green check mark and Agentless Status shows Running.
- On Environment > Detection > HIDS Control, make sure that you see "Agentless is running" in green.
- On Environment > Detection > HIDS Control > HIDS Log, make sure that you see the periodic checks being performed.
- On Analysis > Security Events (SIEM), make sure that you see events coming from the monitored host or device.
AlienVault OSSIM Limitations: The HIDS decoders in both AlienVault OSSIM and USM Appliance are fully featured, with all of their information coming from the Plugin Feed Updates that USM Appliance and AlienVault OSSIM provide. However, AlienVault OSSIM lacks the depth of NIDS information that USM Appliance receives through the Threat Intelligence Updates.