Hello,

I have some basic questions about the OSSEC server <-> agent model:

- is it correct that the agent's ossec.conf can be as small as:
<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVERNAME</server-hostname>
  </client>
</ossec_config>

- I push all checks on the server via /var/ossec/etc/shared/agent.conf (the 
file being synched)?

- If I want to run the netstat command on all nodes via the 
shared/agent.conf on the server that I have to do the following:

1) change the agent.conf to include:
<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
</localfile>
2) change the /var/ossec/etc/internal_options.conf on all agents to 
include:
logcollector.remote_commands=1
3) restart the server and then all agents' ossec?

Option 2) seems to cause an extra security risk (like Nagios NRPE): if the 
ossec server is compromised, all servers can be reached or can be used to 
execute commands remotely via the ossec server, is that correct?

Thanks for clearing things up :)

Michiel
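
An added example, not part of the original message and not OSSEC's own code: a Python audit that lists the commands a shared agent.conf would push and reports whether an agent's internal_options.conf has logcollector.remote_commands set to 1. The <agent_config> wrapper, the function names and both sample file contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# log_format values whose <command> is executed by the log collector
COMMAND_FORMATS = {"command", "full_command"}

# Constructed sample of a shared agent.conf (the <agent_config> wrapper is assumed)
AGENT_CONF = """<agent_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>
"""

# Constructed sample of an agent's internal_options.conf
INTERNAL_OPTIONS = """# constructed sample
logcollector.loop_timeout=2
logcollector.remote_commands=1
"""

def remote_commands_enabled(internal_options_text):
    """True if any uncommented line sets logcollector.remote_commands to 1."""
    for raw in internal_options_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "logcollector.remote_commands" and value == "1":
            return True
    return False

def shared_commands(agent_conf_text):
    """Return (log_format, command) for every command-type <localfile>."""
    # The file may hold several top-level blocks, so wrap it in one synthetic root.
    root = ET.fromstring("<root>" + agent_conf_text + "</root>")
    found = []
    for localfile in root.iter("localfile"):
        fmt = (localfile.findtext("log_format") or "").strip()
        cmd = (localfile.findtext("command") or "").strip()
        if fmt in COMMAND_FORMATS and cmd:
            found.append((fmt, cmd))
    return found

def audit(agent_conf_text, internal_options_text):
    """Commands this agent would accept from the server; empty if not enabled."""
    if not remote_commands_enabled(internal_options_text):
        return []
    return shared_commands(agent_conf_text)
```
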
