Hello everyone,

I am trying to get centralized configuration (the shared agent.conf) working. It works on Windows but
not on Linux. Below I have pasted the agent.conf contents from the manager,
as well as the ossec.conf and ossec.log of the agent. I have deleted the
agent.conf on the agent side just to make sure I have the most recent
one and restarted, but the Linux agent doesn't seem to be reading its
contents. Does this work for anyone?

#### agent ossec.log ####
2010/03/19 19:38:47 ossec-execd: INFO: Active response command not
present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using
it on this system.
2010/03/19 19:38:47 ossec-logcollector(1225): INFO: SIGNAL Received.
Exit Cleaning...
2010/03/19 19:38:47 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2010/03/19 19:38:47 ossec-agentd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2010/03/19 19:38:47 ossec-execd(1314): INFO: Shutdown received. Deleting
responses.
2010/03/19 19:38:47 ossec-execd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2010/03/19 19:38:47 ossec-execd: INFO: Started (pid: 2884).
2010/03/19 19:38:48 ossec-agentd(1410): INFO: Reading authentication
keys file.
2010/03/19 19:38:48 ossec-agentd: INFO: Assigning counter for agent
hostname:
'0:1109'.
2010/03/19 19:38:48 ossec-agentd: INFO: Assigning sender counter: 1:985
2010/03/19 19:38:48 ossec-agentd: INFO: Started (pid: 2888).
2010/03/19 19:38:48 ossec-agentd: INFO: Server IP Address: 1.2.3.4
2010/03/19 19:38:48 ossec-agentd: INFO: Trying to connect to server
(1.2.3.4:1514).
2010/03/19 19:38:48 ossec-logcollector(1905): INFO: No file configured
to monitor.
2010/03/19 19:38:48 ossec-syscheckd(1702): INFO: No directory provided
for syscheck to monitor.
2010/03/19 19:38:48 ossec-syscheckd: WARN: Syscheck disabled.
2010/03/19 19:38:48 ossec-rootcheck: System audit file not configured.
2010/03/19 19:38:49 ossec-agentd(4102): INFO: Connected to the server
(1.2.3.4:1514).
2010/03/19 19:38:52 ossec-syscheckd: INFO: Started (pid: 2896).
2010/03/19 19:38:52 ossec-rootcheck: INFO: Started (pid: 2896).
2010/03/19 19:38:54 ossec-logcollector: INFO: Started (pid: 2892).
2010/03/19 19:39:24 ossec-syscheckd: No directories to check.

#### agent ossec.conf ####

<ossec_config>
  <!-- Agent-side configuration: only the manager address is set locally.
       NOTE(review): no <localfile>, <syscheck> or <rootcheck> is defined here, so any
       monitoring beyond the manager connection presumably has to come from the manager's
       shared agent.conf; confirm that this is the intended split. -->
  <client>
    <server-ip>1.2.3.4</server-ip>
  </client>

  <!-- Active response is enabled on this agent (disabled = no). -->
  <active-response>
    <disabled>no</disabled>
  </active-response>

</ossec_config>

#### agent.conf ####
[r...@manager-name ossec]# cat etc/shared/agent.conf
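<agent_config os="Windows">
  <!-- Shared configuration pushed by the manager to agents whose OS string matches "Windows". -->
  <!-- NOTE(review): each <agent_config> element must be well-formed XML on its own. The posted
       copy opened the Application eventlog entry with a mismatched <_format> tag and carried a
       stray quote in the check_all attribute of the C:\boot.ini entry; both are fixed below, and
       values that had been wrapped across lines are back on a single line. -->

  <!-- Windows event logs forwarded to the manager. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- Syscheck - 2.3 default Integrity Checking config. (except for disabled) -->
  <syscheck>

    <!-- Default frequency, every 20 hours. It doesn't need to be higher
      -  on most systems and one a day should be enough.
      -->
    <frequency>72000</frequency>

    <!-- By default it is disabled. In the Install you must choose
      -  to enable it.
      -->
    <disabled>no</disabled>

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <!-- Startup folder is watched in realtime; the rest is scanned on the frequency above. -->
    <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>

  <!-- Rootcheck - Policy monitor config -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

</agent_config>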

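<agent_config os="Linux">
  <!-- Shared configuration pushed by the manager to agents whose OS string matches "Linux". -->
  <!-- NOTE(review): the posted copy wrapped the os value in typographic quotes and never closed
       <syscheck> before <rootcheck>, so this element was not well-formed XML. That is consistent
       with what the agent log reports: no file configured to monitor, no syscheck directories,
       no system audit file. A parse failure here leaves the agent with no monitoring at all and
       only INFO-level log lines to show for it, so check the file for well-formedness (for
       example with xmllint, one <agent_config> element at a time) before placing it in etc/shared. -->

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <!-- By default it is disabled. In the Install you must choose
      -  to enable it.
      -->
    <disabled>no</disabled>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
  </syscheck>

  <!-- Rootcheck - rootkit signatures and system audit policies, read from the agent's shared dir. -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/cron</location>
  </localfile>

</agent_config>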
