Buenas tardes.
He instalado OSSEC, y me ha gustado realmente cómo funciona. Pero no he sabido lograr que se me muestre información de los agentes en la página principal. Me está mandando muy buena información de un agente que tengo declarado como prueba, me llegan correos relacionados con la actividad de ese agente, pero no logro que se vea información en la página, así que me pierdo lo demás (estadísticas, por ejemplo).La interfaz web la tengo de adorno... ;-) El fichero de información que trae el instalador no me da demasiadas explicaciones en relación con esto (por decirlo amablemente). ¿Hay alguien que lo tenga funcionando y me pueda decir si necesito declarar algo especial, sea en el servidor o en el agente? TIA, Fumero Incluyo el fichero de configuración del servidor. <ossec_config> <global> <email_notification>yes</email_notification> <email_to>albe...@ettpartagas.co.cu</email_to> <smtp_server>desarrollo.ettpartagas.co.cu.</smtp_server> <email_from>oss...@desarrollo</email_from> </global> <syscheck> <!-- Frequency that syscheck is executed - default to every 22 hours --> <frequency>79200</frequency> <!-- Directories to check (perform all possible verifications) --> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/bin,/sbin</directories> <!-- Files/directories to ignore --> <ignore>/etc/mtab</ignore> <ignore>/etc/mnttab</ignore> <ignore>/etc/hosts.deny</ignore> <ignore>/etc/mail/statistics</ignore> <ignore>/etc/random-seed</ignore> <ignore>/etc/adjtime</ignore> <ignore>/etc/httpd/logs</ignore> <ignore>/etc/utmpx</ignore> <ignore>/etc/wtmpx</ignore> <ignore>/etc/cups/certs</ignore> <ignore>/etc/dumpdates</ignore> <ignore>/etc/svc/volatile</ignore> <!-- Windows files to ignore --> <ignore>C:\WINDOWS/System32/LogFiles</ignore> <ignore>C:\WINDOWS/Debug</ignore> <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> <ignore>C:\WINDOWS/iis6.log</ignore> <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> <ignore>C:\WINDOWS/Prefetch</ignore> <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> <ignore>C:\WINDOWS/SoftwareDistribution</ignore> <ignore>C:\WINDOWS/Temp</ignore> <ignore>C:\WINDOWS/system32/config</ignore> <ignore>C:\WINDOWS/system32/spool</ignore> <ignore>C:\WINDOWS/system32/CatRoot</ignore> </syscheck> <rootcheck> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> </rootcheck> <global> <white_list>127.0.0.1</white_list> <white_list>^localhost.localdomain$</white_list> <white_list>192.168.0.10</white_list> </global> <remote> <connection>syslog</connection> </remote> <remote> <connection>secure</connection> </remote> <alerts> <log_alert_level>1</log_alert_level> <email_alert_level>7</email_alert_level> </alerts> <command> <name>host-deny</name> <executable>host-deny.sh</executable> <expect>srcip</expect> <timeout_allowed>yes</timeout_allowed> </command> <command> <name>firewall-drop</name> <executable>firewall-drop.sh</executable> <expect>srcip</expect> <timeout_allowed>yes</timeout_allowed> </command> <command> <name>disable-account</name> <executable>disable-account.sh</executable> <expect>user</expect> <timeout_allowed>yes</timeout_allowed> </command> <command> <name>restart-ossec</name> <executable>restart-ossec.sh</executable> <expect></expect> </command> <command> <name>route-null</name> <executable>route-null.sh</executable> <expect>srcip</expect> <timeout_allowed>yes</timeout_allowed> </command> <!-- Active Response Config --> <active-response> <!-- This response is going to execute the host-deny - command for every event that fires a rule with - level (severity) >= 6. - The IP is going to be blocked for 600 seconds. --> <command>host-deny</command> <location>local</location> <level>6</level> <timeout>600</timeout> </active-response> <active-response> <!-- Firewall Drop response. Block the IP for - 600 seconds on the firewall (iptables, - ipfilter, etc). --> <command>firewall-drop</command> <location>local</location> <level>6</level> <timeout>600</timeout> </active-response> <!-- Files to monitor (localfiles) --> <localfile> <log_format>syslog</log_format> <location>/var/log/messages</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/auth.log</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/syslog</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/mail.info</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/dpkg.log</location> </localfile> <localfile> <log_format>apache</log_format> <location>/var/log/apache2/error.log</location> </localfile> <localfile> <log_format>apache</log_format> <location>/var/log/apache2/access.log</location> </localfile> </ossec_config> <ossec_config> <!-- rules global entry --> </ossec_config> <!-- rules global entry --> <ossec_config> <!-- rules global entry --> <rules> <include>rules_config.xml</include> <include>pam_rules.xml</include> <include>sshd_rules.xml</include> <include>telnetd_rules.xml</include> <include>syslog_rules.xml</include> <include>arpwatch_rules.xml</include> <include>symantec-av_rules.xml</include> <include>symantec-ws_rules.xml</include> <include>pix_rules.xml</include> <include>named_rules.xml</include> <include>smbd_rules.xml</include> <include>vsftpd_rules.xml</include> <include>pure-ftpd_rules.xml</include> <include>proftpd_rules.xml</include> <include>ms_ftpd_rules.xml</include> <include>ftpd_rules.xml</include> <include>hordeimp_rules.xml</include> <include>roundcube_rules.xml</include> <include>wordpress_rules.xml</include> <include>cimserver_rules.xml</include> <include>vpopmail_rules.xml</include> <include>vmpop3d_rules.xml</include> <include>courier_rules.xml</include> <include>web_rules.xml</include> <include>apache_rules.xml</include> <include>nginx_rules.xml</include> <include>php_rules.xml</include> <include>mysql_rules.xml</include> <include>postgresql_rules.xml</include> <include>ids_rules.xml</include> <include>squid_rules.xml</include> <include>firewall_rules.xml</include> <include>cisco-ios_rules.xml</include> <include>netscreenfw_rules.xml</include> <include>sonicwall_rules.xml</include> <include>postfix_rules.xml</include> <include>sendmail_rules.xml</include> <include>imapd_rules.xml</include> <include>mailscanner_rules.xml</include> <include>dovecot_rules.xml</include> <include>ms-exchange_rules.xml</include> <include>racoon_rules.xml</include> <include>vpn_concentrator_rules.xml</include> <include>spamd_rules.xml</include> <include>msauth_rules.xml</include> <include>mcafee_av_rules.xml</include> <include>trend-osce_rules.xml</include> <include>ms-se_rules.xml</include> <!-- <include>policy_rules.xml</include> --> <include>zeus_rules.xml</include> <include>solaris_bsm_rules.xml</include> <include>vmware_rules.xml</include> <include>ms_dhcp_rules.xml</include> <include>asterisk_rules.xml</include> <include>ossec_rules.xml</include> <include>attack_rules.xml</include> <include>local_rules.xml</include> </rules> </ossec_config> <!-- rules global entry --> -- MSc. Alberto García Fumero Usuario Linux 97 318 Las autoridades sanitarias advierten: El uso prolongado de Windows puede provocar dependencia -- Este mensaje ha sido analizado por MailScanner en Partagas en busca de virus y otros contenidos peligrosos, y se considera que est� limpio.
______________________________________________________________________ Lista de correos del Grupo de Usuarios de Tecnologías Libres de Cuba. Gutl-l@jovenclub.cu https://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l