On Wed, Dec 4, 2013 at 4:32 AM, Michiel van Es <[email protected]> wrote:
>
> 2013/12/3 dan (ddp) <[email protected]>
>
>> On Tue, Dec 3, 2013 at 10:37 AM, Michiel van Es <[email protected]> wrote:
>> >
>> > On Wednesday, 20 November 2013 19:24:01 UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Nov 20, 2013 at 9:30 AM, Michiel van Es <[email protected]> wrote:
>> >> > Hello,
>> >> >
>> >> > I have some basic questions about the OSSEC server <-> agent model:
>> >> >
>> >> > - is it correct that the agent's ossec.conf can be as small as:
>> >> >   <ossec_config>
>> >> >     <client>
>> >> >       <server-hostname>OSSEC-SERVERNAME</server-hostname>
>> >> >     </client>
>> >> >   </ossec_config>
>> >> >
>> >> > - I push all checks on the server via /var/ossec/etc/shared/agent.conf
>> >> >   (the file being synched)?
>> >> >
>> >>
>> >> Most things work just fine in the agent.conf.
>> >>
>> >> > - If I want to run the netstat command on all nodes via the
>> >> >   shared/agent.conf on the server, do I have to do the following:
>> >> >
>> >> >   1) change the agent.conf to include:
>> >> >      <localfile>
>> >> >        <log_format>full_command</log_format>
>> >> >        <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>> >> >      </localfile>
>> >> >   2) change the /var/ossec/etc/internal_options.conf on all agents to include:
>> >> >      logcollector.remote_commands=1
>> >> >   3) restart the server and then all agents' ossec?
>> >> >
>> >>
>> >> Seems correct.
>> >>
>> >>
>> >> > Option 2) seems to cause an extra security risk (like Nagios NRPE): if the
>> >> > ossec server is compromised, all servers can be reached or can be used to
>> >> > execute commands remotely via the ossec server, is that correct?
>> >> >
>> >>
>> >> Correct, and I believe this is why remote commands are disabled by
>> >> default.
>> >
>> >
>> > Do you know if there is another way of accomplishing the netstat -tan diff
>> > on all agents without the need to enable the remote commands on all agents?
>> > Specify it in the ossec.conf on all agents?
>> >
>>
>> Yes, that configuration belongs in the ossec.conf of the agent.
>>
>> > I only have:
>> >
>> > <ossec_config>
>> >   <client>
>> >     <server-hostname>OSSEC-SERVERNAME</server-hostname>
>> >   </client>
>> > </ossec_config>
>> >
>> > What do I need to add for the netstat command?
>> > Only add the following to the ossec.conf for the agents:
>> >
>> > <localfile>
>> >   <log_format>full_command</log_format>
>> >   <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
>> > </localfile>
>> >
>> > and can I specify how often this needs to run on the agents? (I want to
>> > randomise the time it should run).
>> >
>>
>> Yes, frequency.
>
>
> Ok, would this be sufficient to make it work on the agents?
>
> <ossec_config>
>   <client>
>     <server-hostname>OSSEC-SERVER</server-hostname>
>   </client>
>
>   <localfile>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>7200</frequency>
>     <log_format>full_command</log_format>
>     <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
>   </localfile>
> </ossec_config>
>
I haven't tested it, but that looks to be correct. I also like to add an
<alias> to my entries to make it easier to create rules.

> Or does the <localfile> stanza need to be used with a <syscheck> or
> <rootcheck> block?
>

localfile definitions are not for syscheck or rootcheck. Take a look at your
agent.conf, you probably have an example there.

>> >> >> > Michiel
>> >> >
>> >>
>> >>
>> >> > Thanks for clearing things up :)
>> >> >
>> >> > Michiel
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send
>> >> > an email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
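As an added example (not code from the thread or from the OSSEC project), this is the agent-side ossec.conf dan describes, with an <alias> on the full_command entry, next to a server-side local rule that keys on that alias and fires only when the command output changes. The alias name listen-ports and the local rule id 100100 are constructed here, and 530 is assumed to be the stock parent rule that matches "ossec: output: '" lines.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf. The command is defined locally on
     the agent, so logcollector.remote_commands in internal_options.conf can
     stay at its default of 0 and the server never pushes commands to agents. -->
<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVER</server-hostname>
  </client>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
    <!-- constructed alias; the collected line then reads
         ossec: output: 'listen-ports': ... instead of the full command string -->
    <alias>listen-ports</alias>
    <!-- run every two hours, as in the thread -->
    <frequency>7200</frequency>
  </localfile>
</ossec_config>

<!-- Server side: /var/ossec/rules/local_rules.xml. Rule id 100100 is a
     constructed local id; 530 is assumed to be the stock parent rule for
     "ossec: output: '" events. check_diff alerts only when the output differs
     from the previously stored output for that agent. -->
<group name="local,syslog,">
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'listen-ports'</match>
    <check_diff />
    <description>Listening TCP ports changed on agent (port opened or closed).</description>
  </rule>
</group>
```

Because the rule matches on the alias rather than the command text, the command can later be adjusted on the agents without touching the server rule.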
