On Fri, Mar 3, 2017 at 7:17 AM, Noilson Caio <caiog...@gmail.com> wrote:
> @dan - are there problems if Mr. @Gardner deactivates "ossec-monitord,
> ossec-logcollector, ossec-analysisd and ossec-execd" in the ossec-control
> startup script? Maybe he is asking for that. I did try this in the past, but I
> remember that the ossec-syscheckd log showed "queue not accessible error", I
> guess =]
>

Yes, there will be issues. ossec-analysisd does the analysis, including checking the syscheck hashes. I've been thinking about pushing the syscheck hash checking to its own daemon, but haven't done any actual work on it. It's basically in the "shower thoughts" stage.

I can't remember offhand whether syscheckd communicates with logcollector or some other daemon, but that one is probably necessary. You can find out easily by killing logcollector and seeing if syscheck complains.

ossec-monitord does stuff. What stuff? I can't remember offhand, but basically various tasks required by OSSEC. I'd be wary of disabling that one.

execd is safe to remove.

I think if someone only wants FIM capabilities and an extremely minimal footprint, OSSEC may not be the package for them. Projects like Aide are great at what they do without the fluff. But that kind of decision is very project/requirement specific, so don't consider this a professional opinion. :-)

> On Thu, Mar 2, 2017 at 4:44 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> On Thu, Mar 2, 2017 at 2:33 PM, Sam Gardner <lwnex...@gmail.com> wrote:
>> > Hi All -
>> >
>> > I'd like to run only the syscheck subsystem in order to provide FIM.
>> >
>> > I don't see anything in the docs that immediately appears to do what I
>> > want - is there any way to run syscheckd in "standalone" mode or only
>> > alongside analysisd?
>> >
>>
>> Remove the localfile configurations. Disable active response. Disable
>> rootcheck (if that's not something you want).
>>
>> > Thanks,
>> > Sam Gardner
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to ossec-list+unsubscr...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
> Noilson Caio Teixeira de Araújo
> https://ncaio.wordpress.com
> https://br.linkedin.com/in/ncaio
> https://twitter.com/noilsoncaio
> https://jammer4.wordpress.com/
> http://8bit.academy
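
The three steps suggested in the thread (no localfile blocks, active response disabled, rootcheck disabled), written out as an ossec.conf fragment. This is an added example, not configuration posted by anyone in the thread; the monitored directories, the ignore entry and the scan frequency are assumed values, and sections not shown (global, rules, alerts) stay as installed.

```xml
<!-- Added example: FIM-only fragment of ossec.conf.
     Directory list, ignore entry and frequency are assumptions;
     adjust them to the host being monitored. -->
<ossec_config>

  <!-- File integrity monitoring: the only subsystem left doing work. -->
  <syscheck>
    <!-- Seconds between full scans (assumed value: 6 hours). -->
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Files that change constantly and would only add noise. -->
    <ignore>/etc/mtab</ignore>
  </syscheck>

  <!-- "Disable rootcheck (if that's not something you want)." -->
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>

  <!-- "Disable active response." ossec-execd then has nothing to run. -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- "Remove the localfile configurations."
       No <localfile> blocks appear in this file, so ossec-logcollector
       has no log files to read. ossec-analysisd stays running because
       it performs the syscheck hash comparison. -->

</ossec_config>
```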