Re: [ossec-list] Enable only syscheckd for FIM

2017-03-03 Thread Sam Gardner
> basically various tasks required by OSSEC. I'd be wary of disabling 
> that one. 
>
> execd is safe to remove. 
>
> I think if someone only wants FIM capabilities and an extremely 
> minimal footprint, OSSEC may not be the package for them. Projects 
> like Aide are great at what they do without the fluff. 
> But that kind of decision is very project/requirement specific, so 
> don't consider this a professional opinion. :-) 
>
> > On Thu, Mar 2, 2017 at 4:44 PM, dan (ddp) <ddp...@gmail.com> wrote: 
> >> 
> >> On Thu, Mar 2, 2017 at 2:33 PM, Sam Gardner <lwne...@gmail.com> wrote: 
> >> > Hi All - 
> >> > 
> >> > I'd like to run only the syscheck subsystem in order to provide FIM. 
> >> > 
> >> > I don't see anything in the docs that immediately appears to do what I want 
> >> > - is there any way to run syscheckd in "standalone" mode or only alongside 
> >> > analysisd? 
> >> > 
> >> 
> >> Remove the localfile configurations. Disable active response. Disable 
> >> rootcheck (if that's not something you want). 
> >> 
> >> > Thanks, 
> >> > Sam Gardner 
> >> > 
> >> > -- 
> >> > --- 
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com . 
> >> > For more options, visit https://groups.google.com/d/optout. 
> >> 
> > 
> > 
> > 
> > 
> > -- 
> > Noilson Caio Teixeira de Araújo 
> > https://ncaio.wordpress.com 
> > https://br.linkedin.com/in/ncaio 
> > https://twitter.com/noilsoncaio 
> > https://jammer4.wordpress.com/ 
> > http://8bit.academy 
> > 
> > 
>

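A minimal FIM-only ossec.conf that applies the advice given in this thread (drop the localfile entries, disable active response and rootcheck) together with the alert_new_files setting the poster later reports as the missing piece. This is an added example, not configuration from the thread or from the OSSEC project: element names follow the OSSEC 2.x configuration reference, while the monitored directories, the ignore list and the alert level are assumptions chosen for illustration.

```xml
<ossec_config>
  <!-- Added example, not the poster's or the OSSEC project's file.
       Element names are from the OSSEC 2.x configuration reference;
       the paths and ignore list below are assumptions. -->

  <global>
    <email_notification>no</email_notification>
  </global>

  <!-- Syscheck alerts (integrity checksum changed, file deleted,
       file added) live in ossec_rules.xml, so keep these two includes. -->
  <rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>
  </rules>

  <syscheck>
    <disabled>no</disabled>
    <!-- Full scan interval in seconds; realtime directories are also
         watched via inotify between scans. -->
    <frequency>72000</frequency>

    <!-- Default is "no": a file created under a monitored directory
         then raises no alert at all, only changes to and deletions of
         files already in the syscheck database do. -->
    <alert_new_files>yes</alert_new_files>

    <directories realtime="yes" check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/etc,/bin,/sbin</directories>

    <!-- Files that legitimately change all the time; assumed list. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/random-seed</ignore>
  </syscheck>

  <!-- Rootkit detection is a separate subsystem; switch it off explicitly. -->
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>

  <!-- Nothing should be executed in reaction to an alert. -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- Deliberately no <localfile> blocks: logcollector has nothing to read. -->

  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
</ossec_config>
```

This file does not tell ossec-control to skip a daemon; what limited the process set in the thread was starting only ossec-analysisd and ossec-syscheckd by hand. Alerts from the realtime-watched directories then appear in /var/ossec/logs/alerts, and a freshly created file only shows up there once alert_new_files is set, which matches the symptom described later in the thread.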


Re: [ossec-list] Enable only syscheckd for FIM

2017-03-06 Thread Sam Gardner
Once I turned on "alert_new_files" I started getting alerts - things appear 
to be working now.

Is there any way to completely disable the logcollector daemon? We have 
another process that does that job so no need to have that bit running - 
removing the "<localfile>" section doesn't seem to do the trick.

On Saturday, March 4, 2017 at 12:12:49 PM UTC-6, dan (ddpbsd) wrote:
>
> On Fri, Mar 3, 2017 at 5:29 PM, Sam Gardner <lwne...@gmail.com> wrote: 
> > Thanks for the info - I'd like to explore what I can actually do with OSSEC 
> > and do my due diligence before exploring other options. 
> > 
> > I've spun up the following conf file and am running ossec-analysisd and 
> > ossec-syscheckd only - they seem to be healthy, but I'm not getting 
> > anything in /var/ossec/logs/alerts when I fiddle with stuff in /usr/bin. 
> > 
> > Any idea what might be going on? As far as I can tell syscheckd is 
> > configured to realtime monitor /usr/bin (and inotify works on this system), 
> > so my understanding is that I should be getting _something_ logged somewhere 
> > - am I fundamentally misunderstanding something? 
> >  
> >
> > no 
> >
> > 
> >
> > rules_config.xml 
> > ossec_rules.xml 
> >
> > 
> >
> > 72000 
> > 
> >  > check_all="yes">/usr/bin,/usr/sbin 
> > 
> >  
> > /etc/mtab 
> > /etc/hosts.deny 
> > /etc/mail/statistics 
> > /etc/random-seed 
> > /etc/adjtime 
> > /etc/httpd/logs 
> > 
> >  
> > /etc/ssl/private.key 
> >
> > 
> >
> > yes 
> >
> > 
> >
> > yes 
> >
> > 
> >
> > 1 
> > 7 
> >
> > 
> >
> >
> > yes 
> >
> >  
> > 
> > Analysisd and syscheckd appear to start up just fine: 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Starting ... 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Found user/group ... 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Active response initialized 
> ... 
> > 2017/03/03 22:06:26 adding rule: rules_config.xml 
> > 2017/03/03 22:06:26 adding rule: ossec_rules.xml 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: Read configuration ... 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing PF decoder.. 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing SonicWall decoder.. 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing SymantecWS decoder.. 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder. 
> > 2017/03/03 22:06:26 ossec-analysisd: Initializing OSSECAlert decoder. 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading local decoder file. 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 
> > 'rules_config.xml' 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule. 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied. 
> > 2017/03/03 22:06:26 ossec-analysisd: INFO: Reading rules file: 
> > 'ossec_rules.xml' 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: read xml for rule. 
> > 2017/03/03 22:06:26 ossec-analysisd: DEBUG: XML Variables applied. 
> > 2017/03/03 22:06:26 0 : rule:1, level 0, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:600, level 0, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:601, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:602, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:603, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:604, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:605, level 3, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:606, level 3, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:2, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:3, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:4, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:5, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:6, level 0, timeout: 0 
> > 2017/03/03 22:06:26 0 : rule:7, level 0, timeout: 0 
> > 2017/03/03 22:06:26 1 : rule:500, level 0, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:530, level 0, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:531, level 7, timeout: 7200 
> > 2017/03/03 22:06:26 4 : rule:532, level 0, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:533, level 7, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:534, level 1, timeout: 0 
> > 2017/03/03 22:06:26 3 : rule:535, level 1, timeout: 0 
> > 2017/03/03 22:06:26 2 : rule:593, level

[ossec-list] Enable only syscheckd for FIM

2017-03-02 Thread Sam Gardner
Hi All -

I'd like to run only the syscheck subsystem in order to provide FIM.

I don't see anything in the docs that immediately appears to do what I want 
- is there any way to run syscheckd in "standalone" mode or only alongside 
analysisd?

Thanks,
Sam Gardner
