I did restart the ossec processes on the agent after the agent.conf was
updated. I will run it again to confirm and do a tail grep to see.
I didn't think about the agent's ossec.conf! I grabbed the conf from one of
the agents on a nessus box. It currently looks like:
<ossec_config>
  <client>
    <server-hostname>ossec-server.hostname</server-hostname>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>3600</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| ::1)' | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>
</ossec_config>
The agent.conf was distributed through normal channels as mentioned in my
writeup. I tried restarting the agent on the nessus box as recommended, and you
were right: it didn't show monitoring for the `/opt/nessus` directory.
Am I missing something from the agent syscheck in the ossec.conf?
Thanks for responding!
Jay
On Fri, Jul 27, 2018 at 2:49 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Jul 17, 2018 at 12:57 PM, James Warne <[email protected]> wrote:
> > Hello all!
> >
> > I have gone through a large amount of posts, docs, and online resources but
> > haven't found a crystal clear answer to my specific issue. I might well be
> > missing something but we are a day or so in now and I feel like I need some
> > advice from the source!
> >
> > I went about trying to implement some custom profiles to better enable
> > centralized management of agents through my ossec server on a small scale as
> > a PoC, but I can't seem to get my custom profile to fire. I have attached an
> > about 125 line (675 line with configs/appendices) report in markdown
> > detailing:
> > 1) What I am trying to accomplish
> > 2) How I am trying to accomplish it
> > 3) What the failure looks like
> > 4) Configs/ alerts/ settings
> >
> > If anyone could provide guidance as to whether I am misunderstanding a core
> > tenet of profiles in the agent.conf, for instance, if there can only be one
> > explicit profile per agent and order matters, if the directories specified
> > in the profile don't include depth searches for some reason, or if there is
> > some other issue I lack the experience or depth of knowledge to figure out,
> > I would greatly appreciate it.
> >
> > Thanks to anyone who takes the time to read and help!
> >
>
> Did you restart the ossec processes on the agent after the agent.conf
> was updated?
> How is syscheck configured in the agent's ossec.conf? Configuring a
> directory twice can cause issues.
> Is there a mention of the directories configured in the agent.conf in
> that agent's ossec.log? Example entry:
> 2018/07/27 10:36:20 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | realtime | sha256sum | genericsum.
>
>
>
> > All the Best,
> > Jay
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
--
James F. Warne
Cornell University '16
Georgetown University '12
(602) 318-9889
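A small check, added here as an example and not taken from the thread or from OSSEC itself, that works through the two questions dan raised: whether a directory is configured both in the agent's local ossec.conf and in the shared agent.conf (the double configuration he warns about), and whether every configured directory shows up in the agent's ossec.log as a "Monitoring directory" line after the restart. The config and log text are constructed samples modelled on this thread; the profile name and the realtime option are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the thread (not the poster's real files).
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
  </syscheck>
</ossec_config>"""

AGENT_CONF = """<agent_config profile="nessus">
  <syscheck>
    <directories check_all="yes" realtime="yes">/opt/nessus,/etc</directories>
  </syscheck>
</agent_config>"""

OSSEC_LOG = """2018/07/27 10:36:20 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | realtime | sha256sum | genericsum.
2018/07/27 10:36:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | sha256sum | genericsum.
2018/07/27 10:36:20 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | sha256sum | genericsum.
"""


def syscheck_dirs(conf_text):
    """Every directory listed in <directories> elements of an OSSEC config.
    The text is wrapped in a synthetic root because ossec.conf may contain
    several top-level <ossec_config> blocks, which is not well-formed XML."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    dirs = []
    for elem in root.iter("directories"):
        dirs.extend(d.strip() for d in (elem.text or "").split(",") if d.strip())
    return dirs


def monitored_dirs(log_text):
    """Directories ossec-syscheckd announced at startup ('Monitoring directory' lines)."""
    return set(re.findall(r"Monitoring directory: '([^']+)'", log_text))


def check_agent(ossec_conf, agent_conf, log_text):
    local = syscheck_dirs(ossec_conf)
    shared = syscheck_dirs(agent_conf)
    seen = monitored_dirs(log_text)
    return {
        # present in both files: the double configuration dan mentions
        "duplicates": sorted(set(local) & set(shared)),
        # configured somewhere but never announced by syscheckd after the restart
        "not_monitored": sorted(set(local + shared) - seen),
    }
```

On a real agent, read the three files from /var/ossec/etc/ossec.conf, /var/ossec/etc/shared/agent.conf and /var/ossec/logs/ossec.log and pass their contents to check_agent; an entry under "not_monitored" is a directory the running syscheckd never picked up.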