Re: [ossec-list] Creating Custom System_Audit Checks for Password Complexity

2016-06-27 Thread Patrick Tobin
Thanks Pedro! I was actually able to get it working with the below. Pretty much what you have but in one line. [RHEL Password Complexity Configuration: Password Expiration is greater than 60 days] [any] [1] f:$login_defs -> r:^PASS_MAX_DAYS &&

Re: [ossec-list] Creating Custom System_Audit Checks for Password Complexity

2016-06-27 Thread Pedro Sanchez
Hi, I don't think you can use that kind of regular expression in OSSEC. The regex engine used by OSSEC is OSRegex (created specially for OSSEC), and it is limited in terms of complex regex patterns. Find more information about how you can use OSRegex:

Re: [ossec-list] opening up the permissions on the alerts.log file

2016-06-27 Thread Pedro Sanchez
Hi, You said there is "anything sensitive" but... OSSEC processes alerts coming from endpoints and all the info is security relevant, so someone can use alert info (IPs, directories, files, hostnames) for malicious purposes. Besides that, I don't think changing readable attributes will suppose a

Re: [ossec-list] opening up the permissions on the alerts.log file

2016-06-27 Thread Guilherme Boing
Why do you need it 'world readable'? You just need to add the nagios user to the ossec group. On Mon, Jun 27, 2016 at 1:33 PM, Tahir Hafiz wrote: > The permissions on the alerts.log are thus: > -rw-r----- 2 ossec ossec 13949 Jun 27 17:07 alerts.log > > > However, we need

[ossec-list] opening up the permissions on the alerts.log file

2016-06-27 Thread Tahir Hafiz
The permissions on the alerts.log are thus: -rw-r----- 2 ossec ossec 13949 Jun 27 17:07 alerts.log However, we need our Nagios nrpe agent (nagios user) to be able to read the file and then alert depending on the level that we have set for it to parse and alert on. Can anyone think of any

[ossec-list] Creating Custom System_Audit Checks for Password Complexity

2016-06-27 Thread ptobin2
Hi, I'm working on creating a custom 'system_audit' check with 'rootcheck' and need a way to either match on a regex pattern or to match on 'greater than' or 'less than' operators. *This works for anything not matching '60':* $login_defs=/etc/login.defs; [RHEL Password Complexity
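Added example for the password-expiration thread (Patrick's question here and the two replies above); this is editor-supplied code, not a check from the thread or from OSSEC's rootcheck files. It does the one thing OSRegex cannot: a real numeric comparison of PASS_MAX_DAYS against the 60-day ceiling, so a host set to 30 days passes while a regex written as "anything not matching 60" would flag it. The script reads the file line by line the way a rootcheck f: check does (comments skipped, last occurrence wins, as shadow-utils parses login.defs). The path /etc/login.defs and the sample file text are assumptions constructed for offline use.

```python
"""Added example (not from the ossec-list thread or the OSSEC project).

Evaluate 'PASS_MAX_DAYS is greater than 60 days' from /etc/login.defs with a
numeric compare instead of a regex. Run with no argument to use the
constructed sample below, or pass a path to check a real file.
"""
import re
import sys

LIMIT_DAYS = 60  # policy ceiling discussed in the thread
# login.defs lines are "KEY<whitespace>VALUE"; everything after a '#' is comment.
LINE_RE = re.compile(r"^\s*(\w+)\s+(\S+)")

# Constructed sample, not taken from any real host (99999 is a common
# out-of-the-box value meaning "never expire").
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs - constructed sample
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_WARN_AGE\t7
"""


def parse_login_defs(text):
    """Return {KEY: value} for non-blank, non-comment lines; a later
    duplicate overrides an earlier one, matching shadow-utils behaviour."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_pass_max_days(text, limit=LIMIT_DAYS):
    """Return (ok, message). ok is False when the file violates the policy.

    A missing key is treated as a failure: with no PASS_MAX_DAYS the
    system does not enforce a maximum age at all. Non-numeric and
    non-positive values are flagged rather than silently passed
    (conservative assumption: a value below 1 is not enforcing anything).
    """
    value = parse_login_defs(text).get("PASS_MAX_DAYS")
    if value is None:
        return False, "PASS_MAX_DAYS not set (no maximum password age)"
    try:
        days = int(value)
    except ValueError:
        return False, f"PASS_MAX_DAYS has non-numeric value {value!r}"
    if days < 1:
        return False, f"PASS_MAX_DAYS={days} does not enforce a maximum age"
    if days > limit:
        return False, f"PASS_MAX_DAYS={days} exceeds {limit}"
    return True, f"PASS_MAX_DAYS={days} within {limit}"


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOGIN_DEFS
    ok, message = check_pass_max_days(text)
    print(("PASS: " if ok else "FAIL: ") + message)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes the script usable from any scheduler or monitoring agent that turns a non-zero exit into an alert; it is a replacement for the numeric part of the check only, not for the rootcheck framework, which this thread shows can still express the presence/absence side of the test in OSRegex.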

[ossec-list] internal_options.conf and ossec.conf performance tuning

2016-06-27 Thread Tahir Hafiz
We are looking at performance testing/tuning OSSEC. As many of you are aware there is a configuration option in OSSEC's internal_options.conf file for changing the following: syscheck.sleep=2 syscheck.sleep_after=15 I am wondering if anyone has modified these parameters and to what effect

[ossec-list] Re: OSSEC and offline logs

2016-06-27 Thread Jesus Linares
Hi Tahir, you need decoders and rules in order to analyse the logs with OSSEC. If you share your logs we can help you to do it. Here you will find a detailed guide about how to integrate OSSEC with ELK. Regards. On

[ossec-list] Re: Ossec Brute force block question

2016-06-27 Thread Jesus Linares
Hi, The field "location" in the configuration of Active Response means where the command will be executed: - local: on the agent that generated the event - server: on the OSSEC server - defined-agent: on a specific agent (when using this option, you need to set the agent_id to use)
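Added example to go with Jesus's explanation of the location field: an ossec.conf active-response fragment showing the three values side by side (this is editor-supplied configuration, not from the thread). It uses the stock firewall-drop command that OSSEC ships with and the stock rule 5712 (sshd brute force); the agent ID 001 and the 600-second timeout are assumptions.

```xml
<!-- Added example, not from the ossec-list thread. Goes in the server's
     ossec.conf inside <ossec_config>. firewall-drop and rule 5712 are
     stock OSSEC; agent_id 001 and timeout 600 are assumptions. -->

<!-- Command definition: firewall-drop.sh expects the srcip from the alert
     and supports a timeout, so the block is lifted automatically. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- local: run on the agent that produced the brute-force alert, i.e. the
     host actually being attacked. The usual choice. -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5712</rules_id>
  <timeout>600</timeout>
</active-response>

<!-- server: run on the OSSEC server itself, regardless of which agent
     reported the event. Useful when the server also acts as a gateway. -->
<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <rules_id>5712</rules_id>
  <timeout>600</timeout>
</active-response>

<!-- defined-agent: run on one specific agent (for example a perimeter
     firewall host), so agent_id is mandatory here. -->
<active-response>
  <command>firewall-drop</command>
  <location>defined-agent</location>
  <agent_id>001</agent_id>
  <rules_id>5712</rules_id>
  <timeout>600</timeout>
</active-response>
```

In practice only one of the three blocks would be kept for a given rule; listing all three here is just to show how location and agent_id relate. Whatever the location, the executing host needs the script under its own active-response/bin directory and the agent must not have active response disabled in its ossec.conf.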