On Fri, Aug 3, 2018 at 10:38 AM, James Warne <[email protected]> wrote:
> Dan,
>
> Thanks for the response! That's correct.
>
> In the big md file, the ossec.conf file is from the server. I might have
> misunderstood, but I thought your previous message was asking for the
> ossec.conf file from the agent that was experiencing the issue. Those files
> are not the same. I was under the impression that the ossec.conf on the
> server would manage that.
>
> In order for an individual agent to run that section of the agent.conf, does
> *its* ossec.conf require the configuration section? Should I configure my
> config manager to replicate the server ossec.conf across agents? Minor
> follow up: did I goof really hard?
>

The server's ossec.conf only affects the server. An agent's ossec.conf
only affects that agent.
If the agent's ossec.conf does not subscribe to a config profile, that
profile will not be applied.
The server ignores the agent.conf entirely (except for pushing it out
to agents).

The server's ossec.conf and the agents' ossec.conf shouldn't really be
squished.
I can't say for sure if it will cause issues, but why invite trouble?

> All the Best,
> Jay
>
> On Fri, Aug 3, 2018 at 11:53 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Fri, Jul 27, 2018 at 3:10 PM, James Warne <[email protected]> wrote:
>> > I did restart the ossec processes on the agent after the agent.conf was
>> > updated. I will run it again to confirm and do a tail grep to see.
>> >
>> > I didn't think about the agent's ossec.conf! I grabbed the conf from one
>> > of the agents on a nessus box. It currently looks like:
>> > <ossec_config>
>> >   <client>
>> >     <server-hostname>ossec-server.hostname</server-hostname>
>> >   </client>
>> >
>> >   <syscheck>
>> >     <!-- Frequency (in seconds) that syscheck is executed; 3600 = hourly.
>> >          The stock default is 79200, i.e. every 22 hours -->
>> >     <frequency>3600</frequency>
>> >
>> >     <!-- Directories to check  (perform all possible verifications) -->
>> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >     <directories check_all="yes">/bin,/sbin,/boot</directories>
>> >
>> >     <!-- Files/directories to ignore -->
>> >     <ignore>/etc/mtab</ignore>
>> >     <ignore>/etc/mnttab</ignore>
>> >     <ignore>/etc/hosts.deny</ignore>
>> >     <ignore>/etc/mail/statistics</ignore>
>> >     <ignore>/etc/random-seed</ignore>
>> >     <ignore>/etc/adjtime</ignore>
>> >     <ignore>/etc/httpd/logs</ignore>
>> >     <ignore>/etc/utmpx</ignore>
>> >     <ignore>/etc/wtmpx</ignore>
>> >     <ignore>/etc/cups/certs</ignore>
>> >     <ignore>/etc/dumpdates</ignore>
>> >     <ignore>/etc/svc/volatile</ignore>
>> >
>> >     <!-- Windows files to ignore -->
>> >     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>> >     <ignore>C:\WINDOWS/Debug</ignore>
>> >     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>> >     <ignore>C:\WINDOWS/iis6.log</ignore>
>> >     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>> >     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>> >     <ignore>C:\WINDOWS/Prefetch</ignore>
>> >     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>> >     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>> >     <ignore>C:\WINDOWS/Temp</ignore>
>> >     <ignore>C:\WINDOWS/system32/config</ignore>
>> >     <ignore>C:\WINDOWS/system32/spool</ignore>
>> >     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>> >   </syscheck>
>> >
>> >   <rootcheck>
>> >     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>> >     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>> >     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>> >     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>> >     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>> >     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>> >   </rootcheck>
>> >   <!-- Files to monitor (localfiles) -->
>> >
>> >   <localfile>
>> >     <log_format>syslog</log_format>
>> >     <location>/var/log/messages</location>
>> >   </localfile>
>> >
>> >   <localfile>
>> >     <log_format>syslog</log_format>
>> >     <location>/var/log/secure</location>
>> >   </localfile>
>> >
>> >   <localfile>
>> >     <log_format>syslog</log_format>
>> >     <location>/var/log/maillog</location>
>> >   </localfile>
>> >
>> >   <localfile>
>> >     <log_format>command</log_format>
>> >     <command>df -P</command>
>> >   </localfile>
>> >
>> >   <localfile>
>> >     <log_format>full_command</log_format>
>> >     <command>netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| ::1)' | sort</command>
>> >   </localfile>
>> >
>> >   <localfile>
>> >     <log_format>full_command</log_format>
>> >     <command>last -n 5</command>
>> >   </localfile>
>> > </ossec_config>
>> >
>> > The agent.conf was distributed through normal channels as mentioned in
>> > my writeup. I restarted the agent on the nessus box as recommended, and
>> > you were right, it didn't show monitoring for the `/opt/nessus` directory.
>> >
>>
>> So this ossec.conf does not include the config-profile option.
>>
>> In the big md file you included originally, I see this block in an
>> ossec.conf file (Appendix B):
>>   <!-- Special Client Config Profiles -->
>>   <client>
>>     <server-ip>192.168.0.4</server-ip>
>>     <config-profile>nessus</config-profile>
>>   </client>
>>
>> But the ossec.conf file it's included in appears to be an ossec
>> server. So there's either a jumble in the md file or a jumble in the
>> config.
>>
>>
>> > Am I missing something from the agent syscheck in the ossec.conf?
>> >
>> > Thanks for responding!
>> >
>> > Jay
>> >
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>
>
>
>
> --
> James F. Warne
> Cornell University '16
> Georgetown University '12
> (602) 318-9889
>

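The rule Dan describes above (a profile block in agent.conf is only merged on an agent whose own ossec.conf subscribes to that profile) can be checked offline. The script below is an added example, not code from the thread or from OSSEC itself; it parses a constructed agent.conf and two constructed agent-side ossec.conf files and reports which syscheck directories each agent would end up watching. It assumes exact matching on the name and profile selectors and leaves the os selector out.

```python
import xml.etree.ElementTree as ET

# Constructed shared agent.conf as the server pushes it to every agent.
AGENT_CONF = """
<agent_config>
  <syscheck><directories check_all="yes">/etc,/usr/bin</directories></syscheck>
</agent_config>
<agent_config profile="nessus">
  <syscheck><directories check_all="yes">/opt/nessus</directories></syscheck>
</agent_config>
<agent_config name="db01">
  <syscheck><directories check_all="yes">/var/lib/pgsql</directories></syscheck>
</agent_config>
"""
# Constructed agent-side ossec.conf: without a profile subscription (like the
# one posted above) and with a subscription to the "nessus" profile.
OSSEC_CONF_NO_PROFILE = """<ossec_config>
  <client><server-hostname>ossec-server.hostname</server-hostname></client>
</ossec_config>"""
OSSEC_CONF_NESSUS = """<ossec_config><client>
  <server-hostname>ossec-server.hostname</server-hostname>
  <config-profile>nessus,linux-base</config-profile>
</client></ossec_config>"""

def agent_profiles(ossec_conf_xml):
    # Profiles the agent subscribes to via <config-profile> (comma-separated).
    names = set()
    for cp in ET.fromstring(ossec_conf_xml).iter("config-profile"):
        names.update(p.strip() for p in (cp.text or "").split(",") if p.strip())
    return names

def block_applies(block, agent_name, profiles):
    # <agent_config> selectors handled here: name and profile (assumed exact match).
    if block.get("name") and block.get("name") != agent_name:
        return False
    if block.get("profile"):
        wanted = {p.strip() for p in block.get("profile").split(",")}
        return bool(wanted & profiles)
    return True

def monitored_dirs(agent_conf_xml, ossec_conf_xml, agent_name):
    # Dirs syscheck watches once agent.conf (several top-level blocks, hence the
    # <root> wrapper) is merged with what this agent's ossec.conf subscribes to.
    profiles = agent_profiles(ossec_conf_xml)
    root = ET.fromstring("<root>" + agent_conf_xml + "</root>")
    dirs = []
    for block in root.findall("agent_config"):
        if block_applies(block, agent_name, profiles):
            for d in block.iter("directories"):
                dirs.extend(x.strip() for x in (d.text or "").split(","))
    return dirs
```

Running `monitored_dirs(AGENT_CONF, OSSEC_CONF_NO_PROFILE, "nessus01")` reproduces the symptom in the thread: `/opt/nessus` is absent until the agent's ossec.conf carries `<config-profile>nessus</config-profile>`.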
