On Wed, Nov 20, 2013 at 9:30 AM, Michiel van Es <[email protected]> wrote:

> Hello,
>
> I have some basic questions about OSSEC server <-> agent model:
>
> - is it correct that the agents ossec.conf can be as small as:
> <ossec_config>
> <client>
> <server-hostname>OSSEC-SERVERNAME</server-hostname>
> </client>
> </ossec_config>
>
> - I push all checks on the server via /var/ossec/etc/shared/agent.conf (the
> file being synched) ?
>

Most things work just fine in the agent.conf.

> - If I want to run the netstat command on all nodes via the
> shared/agent.conf on the server that I have to do the following:
>
> 1) change the agent.conf to include:
> <localfile>
> <log_format>full_command</log_format>
> <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
> </localfile>
> 2) change the /var/ossec/etc/internal_options.conf on all agents that
> include:
> logcollector.remote_commands=1
> 3) restart the server and then all agents ossec ?
>

Seems correct.

> Option 2) seems to cause an extra security risk (like Nagios NRPE): if the
> ossec server is compromised all servers can be reached or can be used to
> execute command remotely via the ossec server, is that correct?
>

Correct, and I believe this is why remote commands are disabled by default.

> Thanks for clearing things up :)
>
> Michiel
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
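
An audit of the trade-off discussed in this thread, as an added example that is not part of the original messages or of OSSEC itself: it lists the commands a shared agent.conf pushes and reports them only when an agent's internal_options.conf has logcollector.remote_commands=1. The sample file contents are constructed, the function names are hypothetical, and the <agent_config> wrapper and the "disabled unless set" default are assumptions about the files being read.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a server-side shared/agent.conf (not from the thread).
SAMPLE_AGENT_CONF = """
<agent_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>
"""

# Constructed sample of the relevant line in an agent's internal_options.conf.
SAMPLE_INTERNAL_OPTIONS = "logcollector.remote_commands=1\n"

def pushed_commands(agent_conf_text):
    """Return every command the shared agent.conf asks agents to run."""
    # The file may hold several top-level blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + agent_conf_text + "</root>")
    found = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        cmd = (lf.findtext("command") or "").strip()
        if fmt in ("command", "full_command") and cmd:
            found.append(cmd)
    return found

def remote_commands_enabled(internal_options_text):
    """True if the last uncommented remote_commands setting is 1."""
    value = "0"  # assumption: treated as disabled when the option is absent
    for line in internal_options_text.splitlines():
        m = re.match(r"\s*logcollector\.remote_commands\s*=\s*(\d+)", line)
        if m:
            value = m.group(1)
    return value == "1"

def audit(agent_conf_text, internal_options_text):
    """List the server-supplied commands this agent would accept and run."""
    if not remote_commands_enabled(internal_options_text):
        return []
    return pushed_commands(agent_conf_text)

if __name__ == "__main__":
    for cmd in audit(SAMPLE_AGENT_CONF, SAMPLE_INTERNAL_OPTIONS):
        print("agent will run server-supplied command:", cmd)
```

Running it against each agent's real files shows which hosts have opted in to server-pushed commands and exactly what they would execute.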
