ossec [2014/06/03 23:58] a |
ossec [2014/07/24 20:55] a [Installation] |
===== Installation ===== | ===== Installation ===== |
| |
| ==== Database support ==== |
| |
| Enable database support: |
| |
| <code> |
| cd src |
| make setdb |
| Error: PostgreSQL client libraries not installed. |
| |
| Info: Compiled with MySQL support. |
| </code> |
| |
| then ran ./install.sh |
===== GNU/Debian (Ubuntu)===== | ===== GNU/Debian (Ubuntu)===== |
See: [[http://www.ossec.net/?page_id=19|OSSEC Download]] | See: [[http://www.ossec.net/?page_id=19|OSSEC Download]] |
<email_alert_level>7</email_alert_level> | <email_alert_level>7</email_alert_level> |
</alerts> | </alerts> |
| |
<!-- Files to monitor (localfiles) --> | <!-- Files to monitor (localfiles) --> |
| |
<localfile> | <localfile> |
<log_format>syslog</log_format> | <log_format>syslog</log_format> |
</code> | </code> |
| |
| |
| ==== Agent configuration (Debian) ==== |
| <code |/var/ossec/etc/ossec.conf> |
| <ossec_config> |
| <client> |
| <server-ip>SERVER-IP</server-ip> |
| </client> |
| |
| <syscheck> |
| <!-- Frequency that syscheck is executed - default to every 22 hours --> |
| <frequency>79200</frequency> |
| |
| <!-- Directories to check (perform all possible verifications) --> |
| <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> |
| <directories check_all="yes">/bin,/sbin</directories> |
| |
| <!-- Files/directories to ignore --> |
| <ignore>/etc/mtab</ignore> |
| <ignore>/etc/mnttab</ignore> |
| <ignore>/etc/hosts.deny</ignore> |
| <ignore>/etc/mail/statistics</ignore> |
| <ignore>/etc/random-seed</ignore> |
| <ignore>/etc/adjtime</ignore> |
| <ignore>/etc/httpd/logs</ignore> |
| <ignore>/etc/utmpx</ignore> |
| <ignore>/etc/wtmpx</ignore> |
| <ignore>/etc/cups/certs</ignore> |
| <ignore>/etc/dumpdates</ignore> |
| <ignore>/etc/svc/volatile</ignore> |
| |
| <!-- Windows files to ignore --> |
| <ignore>C:\WINDOWS/System32/LogFiles</ignore> |
| <ignore>C:\WINDOWS/Debug</ignore> |
| <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> |
| <ignore>C:\WINDOWS/iis6.log</ignore> |
| <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> |
| <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> |
| <ignore>C:\WINDOWS/Prefetch</ignore> |
| <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> |
| <ignore>C:\WINDOWS/SoftwareDistribution</ignore> |
| <ignore>C:\WINDOWS/Temp</ignore> |
| <ignore>C:\WINDOWS/system32/config</ignore> |
| <ignore>C:\WINDOWS/system32/spool</ignore> |
| <ignore>C:\WINDOWS/system32/CatRoot</ignore> |
| </syscheck> |
| |
| <rootcheck> |
| <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> |
| <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> |
| <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> |
| <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> |
| <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> |
| <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> |
| </rootcheck> |
| <!-- Files to monitor (localfiles) --> |
| |
| <localfile> |
| <log_format>syslog</log_format> |
| <location>/var/log/messages</location> |
| </localfile> |
| |
| <localfile> |
| <log_format>syslog</log_format> |
| <location>/var/log/auth.log</location> |
| </localfile> |
| |
| <localfile> |
| <log_format>syslog</log_format> |
| <location>/var/log/syslog</location> |
| </localfile> |
| |
| <localfile> |
| <log_format>syslog</log_format> |
| <location>/var/log/mail.info</location> |
| </localfile> |
| |
| <localfile> |
| <log_format>syslog</log_format> |
| <location>/var/log/dpkg.log</location> |
| </localfile> |
| |
| <localfile> |
| <log_format>command</log_format> |
| <command>df -h</command> |
| </localfile> |
| |
| <localfile> |
| <log_format>full_command</log_format> |
| <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command> |
| </localfile> |
| |
| <localfile> |
| <log_format>full_command</log_format> |
| <command>last -n 5</command> |
| </localfile> |
| </ossec_config> |
| </code> |
| |
| |