On Tue, Dec 3, 2013 at 10:37 AM, Michiel van Es <[email protected]> wrote:
>
>
> On Wednesday 20 November 2013 19:24:01 UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Nov 20, 2013 at 9:30 AM, Michiel van Es <[email protected]> wrote:
>> > Hello,
>> >
>> > I have some basic questions about the OSSEC server <-> agent model:
>> >
>> > - Is it correct that the agent's ossec.conf can be as small as:
>> >
>> >   <ossec_config>
>> >     <client>
>> >       <server-hostname>OSSEC-SERVERNAME</server-hostname>
>> >     </client>
>> >   </ossec_config>
>> >
>> > - I push all checks on the server via /var/ossec/etc/shared/agent.conf
>> >   (the file being synced)?
>> >
>> Most things work just fine in the agent.conf.
>>
>> > - If I want to run the netstat command on all nodes via the
>> >   shared/agent.conf on the server, do I have to do the following:
>> >
>> >   1) change the agent.conf to include:
>> >
>> >      <localfile>
>> >        <log_format>full_command</log_format>
>> >        <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>> >      </localfile>
>> >
>> >   2) change the /var/ossec/etc/internal_options.conf on all agents to include:
>> >
>> >      logcollector.remote_commands=1
>> >
>> >   3) restart the server and then all agents' ossec?
>> >
>> Seems correct.
>>
>> > Option 2) seems to cause an extra security risk (like Nagios NRPE): if the
>> > ossec server is compromised, all servers can be reached or can be used to
>> > execute commands remotely via the ossec server, is that correct?
>> >
>> Correct, and I believe this is why remote commands are disabled by default.
>
> Do you know if there is another way of accomplishing the netstat -tan diff
> on all agents without the need to enable the remote commands on all agents?
> Specify it in the ossec.conf on all agents?
>
Yes, that configuration belongs in the ossec.conf of the agent.

> I only have:
>
>   <ossec_config>
>     <client>
>       <server-hostname>OSSEC-SERVERNAME</server-hostname>
>     </client>
>   </ossec_config>
>
> What do I need to add for the netstat command? Only add the following to
> the ossec.conf for the agents:
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
>   </localfile>
>
> And can I specify how often this needs to run on the agents? (I want to
> randomise the time it should run.)
>

Yes, frequency.

> Michiel
>
>>
>> > Thanks for clearing things up :)
>> >
>> > Michiel
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
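The trade-off discussed in this thread (commands pushed through the shared agent.conf only run when logcollector.remote_commands=1 on each agent, while the same <localfile> in the agent's own ossec.conf runs without it) is easy to get wrong when auditing a fleet. The script below is an added example, not OSSEC's own code and not part of the original posts: it parses a server-side agent.conf, an agent's ossec.conf and its internal_options.conf, lists every command/full_command <localfile> with its <frequency>, and reports which entries the agent will actually execute. The three config texts are constructed samples; the rule that the last assignment of a repeated internal_options key wins is an assumption of this script, not something the thread states.

```python
"""Audit which OSSEC command-type <localfile> entries an agent will actually run.

Added example, not OSSEC code. Assumptions (as stated in the thread above):
command/full_command entries pushed via the shared agent.conf are honoured only
when logcollector.remote_commands=1 in the agent's internal_options.conf, while
entries in the agent's own ossec.conf run regardless. All config texts below are
constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the shared agent.conf as pushed from the server.
SHARED_AGENT_CONF = """
<agent_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>
</agent_config>
"""

# Constructed sample: the agent's own ossec.conf, same command plus a frequency.
AGENT_OSSEC_CONF = """
<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVERNAME</server-hostname>
  </client>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
    <frequency>3600</frequency>
  </localfile>
</ossec_config>
"""

# Constructed sample: internal_options.conf with remote commands left disabled.
INTERNAL_OPTIONS_OFF = """
# Logcollector options
logcollector.remote_commands=0
logcollector.loop_timeout=2
"""
INTERNAL_OPTIONS_ON = INTERNAL_OPTIONS_OFF.replace("remote_commands=0", "remote_commands=1")


def parse_ossec_xml(text):
    """OSSEC config files may hold several top-level <ossec_config>/<agent_config>
    elements, so they are not well-formed XML; wrap them in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def command_localfiles(text):
    """Return every <localfile> whose log_format is command or full_command."""
    found = []
    for lf in parse_ossec_xml(text).iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt not in ("command", "full_command"):
            continue
        freq = lf.findtext("frequency")
        found.append({
            "log_format": fmt,
            "command": (lf.findtext("command") or "").strip(),
            "frequency": int(freq) if freq else None,  # None: OSSEC's default applies
        })
    return found


def internal_option(text, key):
    """Read key=value pairs from internal_options.conf, ignoring comments.
    Assumption: the last assignment of a repeated key is the one taken."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            value = v.strip()
    return value


def remote_commands_enabled(internal_options_text):
    return internal_option(internal_options_text, "logcollector.remote_commands") == "1"


def audit(shared_conf, agent_conf, internal_options_text):
    """Return (source, command, status) for every command-type entry, stating
    whether the agent executes it under the given internal_options.conf."""
    remote_ok = remote_commands_enabled(internal_options_text)
    report = []
    for e in command_localfiles(shared_conf):
        status = "runs (remote_commands=1)" if remote_ok else "ignored (remote_commands=0)"
        report.append(("agent.conf", e["command"], status))
    for e in command_localfiles(agent_conf):
        report.append(("ossec.conf", e["command"], "runs (local config)"))
    return report


if __name__ == "__main__":
    for row in audit(SHARED_AGENT_CONF, AGENT_OSSEC_CONF, INTERNAL_OPTIONS_OFF):
        print("%-11s %-50s %s" % row)
```

Point it at /var/ossec/etc/shared/agent.conf on the server and at ossec.conf plus internal_options.conf from an agent before deciding whether remote commands need to be switched on fleet-wide; entries whose frequency is reported as None are the ones still running at OSSEC's default interval.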
