Hi Barry, about the Kibana interface, you can use the CIS Dashboards or, if you need to filter for CIS-related alerts, you can enter this in the Discover tab search box:

    _exists_:rule.CIS

There is also a pre-created search; you can load it on the Discover tab on the right side: click on "open search" and select "CIS: Last Alerts".

<https://lh3.googleusercontent.com/-Oh80OzOm9RQ/VtB_6bd0jJI/AAAAAAAAACU/XuMJ-cywibI/s1600/2016-02-26%2B17_38_56-CIS_%2BLast%2BAlerts%2B-%2BDiscover%2B-%2BKibana.png>

Regarding the clients/agents question, all the rootcheck files are placed in the OSSEC Manager */var/ossec/etc/shared* folder. OSSEC pushes all the rootcheck files to the agents; you can check the same folder on the agent host and you will find the same files. Now all the rootchecks are on the agent host, but you still *need to activate* them in the agent ossec.conf file. By default OSSEC agents just have these rootchecks activated:

Unix

    <rootcheck>
      <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
      <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
      <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    </rootcheck>

Windows

    <rootcheck>
      <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
      <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
      <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
    </rootcheck>

Activate new rootchecks by adding, for example, *<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>* to the ossec.conf file.

By the way, using:

    /var/ossec/bin/rootcheck_control -i AGENTID

you can check outstanding rootcheck events.

Regards,
Pedro S.

On Friday, February 26, 2016 at 4:40:08 PM UTC+1, Barry Kaplan wrote:
>
> Ok, here's a real CIS question. It looks like the CIS checks have only run
> on the ossec server. What does it take for these to run on the clients? Do
> I need to specify rootchecks on the client ossec.conf? Or should it get
> pushed down from the server?
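A small check that follows from the reply above: list which *_rcl.txt files the manager pushed into the shared folder but the agent's ossec.conf never activates. This is an added example, not code from the message or from the OSSEC project; it assumes the shared folder layout and rootcheck tags shown in the reply and runs against a constructed ossec.conf and file list.

```python
import re
from pathlib import Path

# Rootcheck options whose value is a file in the shared folder.
ROOTCHECK_TAGS = ("rootkit_files", "rootkit_trojans", "system_audit",
                  "windows_audit", "windows_apps", "windows_malware")


def activated_rootchecks(conf_text):
    """Return {tag: [paths]} for every rootcheck file entry in ossec.conf text.

    ossec.conf may hold several <ossec_config> roots, so a strict XML parser
    can reject it; a tag-level regex over <rootcheck> blocks is enough for
    these single-line elements. Surrounding whitespace in values is dropped.
    """
    found = {tag: [] for tag in ROOTCHECK_TAGS}
    for block in re.findall(r"<rootcheck>(.*?)</rootcheck>", conf_text, re.S):
        for tag in ROOTCHECK_TAGS:
            for path in re.findall(rf"<{tag}>\s*(.*?)\s*</{tag}>", block, re.S):
                found[tag].append(path)
    return found


def inactive_shared_rcl(shared_files, conf_text):
    """Names of *_rcl.txt files present in the shared folder but not referenced
    by any rootcheck entry in ossec.conf (pushed, yet never run)."""
    active = activated_rootchecks(conf_text)
    referenced = {Path(p).name for paths in active.values() for p in paths}
    return sorted(f for f in shared_files
                  if f.endswith("_rcl.txt") and f not in referenced)


# Constructed sample: the default Unix agent <rootcheck> block from the reply
# and a shared folder that also received the CIS Debian policy.
SAMPLE_CONF = """
<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt </rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>
</ossec_config>
"""
SAMPLE_SHARED = ["rootkit_files.txt", "rootkit_trojans.txt",
                 "system_audit_rcl.txt", "cis_debian_linux_rcl.txt"]

if __name__ == "__main__":
    # On a real agent: shared = [p.name for p in Path("/var/ossec/etc/shared").iterdir()]
    for name in inactive_shared_rcl(SAMPLE_SHARED, SAMPLE_CONF):
        print(f"pushed but not activated: {name}")
```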
