| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
ossec [2014/06/03 23:58]
a |
ossec [2014/07/24 20:55] (current)
a [Installation] |
| ===== Installation ===== | ===== Installation ===== |
| |
| | ==== Database support ==== |
| | |
| | Enable database support: |
| | |
| | <code> |
| | cd src |
| | make setdb |
| | Error: PostgreSQL client libraries not installed. |
| | |
| | Info: Compiled with MySQL support. |
| | </code> |
| | |
| | then ran ./install.sh |
| ===== GNU/Debian (Ubuntu)===== | ===== GNU/Debian (Ubuntu)===== |
| See: [[http://www.ossec.net/?page_id=19|OSSEC Download]] | See: [[http://www.ossec.net/?page_id=19|OSSEC Download]] |
| <email_alert_level>7</email_alert_level> | <email_alert_level>7</email_alert_level> |
| </alerts> | </alerts> |
| | |
| <!-- Files to monitor (localfiles) --> | <!-- Files to monitor (localfiles) --> |
| |
| <localfile> | <localfile> |
| <log_format>syslog</log_format> | <log_format>syslog</log_format> |
| </code> | </code> |
| |
| | |
| | ==== Agent configuration (Debian) ==== |
| | <code |/var/ossec/etc/ossec.conf> |
| | <ossec_config> |
| | <client> |
| | <server-ip>SERVER-IP</server-ip> |
| | </client> |
| | |
| | <syscheck> |
| | <!-- Frequency that syscheck is executed - default to every 22 hours --> |
| | <frequency>79200</frequency> |
| | |
| | <!-- Directories to check (perform all possible verifications) --> |
| | <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> |
| | <directories check_all="yes">/bin,/sbin</directories> |
| | |
| | <!-- Files/directories to ignore --> |
| | <ignore>/etc/mtab</ignore> |
| | <ignore>/etc/mnttab</ignore> |
| | <ignore>/etc/hosts.deny</ignore> |
| | <ignore>/etc/mail/statistics</ignore> |
| | <ignore>/etc/random-seed</ignore> |
| | <ignore>/etc/adjtime</ignore> |
| | <ignore>/etc/httpd/logs</ignore> |
| | <ignore>/etc/utmpx</ignore> |
| | <ignore>/etc/wtmpx</ignore> |
| | <ignore>/etc/cups/certs</ignore> |
| | <ignore>/etc/dumpdates</ignore> |
| | <ignore>/etc/svc/volatile</ignore> |
| | |
| | <!-- Windows files to ignore --> |
| | <ignore>C:\WINDOWS/System32/LogFiles</ignore> |
| | <ignore>C:\WINDOWS/Debug</ignore> |
| | <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> |
| | <ignore>C:\WINDOWS/iis6.log</ignore> |
| | <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> |
| | <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> |
| | <ignore>C:\WINDOWS/Prefetch</ignore> |
| | <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> |
| | <ignore>C:\WINDOWS/SoftwareDistribution</ignore> |
| | <ignore>C:\WINDOWS/Temp</ignore> |
| | <ignore>C:\WINDOWS/system32/config</ignore> |
| | <ignore>C:\WINDOWS/system32/spool</ignore> |
| | <ignore>C:\WINDOWS/system32/CatRoot</ignore> |
| | </syscheck> |
| | |
| | <rootcheck> |
| | <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> |
| | <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> |
| | <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> |
| | <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> |
| | <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> |
| | <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> |
| | </rootcheck> |
| | <!-- Files to monitor (localfiles) --> |
| | |
| | <localfile> |
| | <log_format>syslog</log_format> |
| | <location>/var/log/messages</location> |
| | </localfile> |
| | |
| | <localfile> |
| | <log_format>syslog</log_format> |
| | <location>/var/log/auth.log</location> |
| | </localfile> |
| | |
| | <localfile> |
| | <log_format>syslog</log_format> |
| | <location>/var/log/syslog</location> |
| | </localfile> |
| | |
| | <localfile> |
| | <log_format>syslog</log_format> |
| | <location>/var/log/mail.info</location> |
| | </localfile> |
| | |
| | <localfile> |
| | <log_format>syslog</log_format> |
| | <location>/var/log/dpkg.log</location> |
| | </localfile> |
| | |
| | <localfile> |
| | <log_format>command</log_format> |
| | <command>df -h</command> |
| | </localfile> |
| | |
| | <localfile> |
| | <log_format>full_command</log_format> |
| | <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command> |
| | </localfile> |
| | |
| | <localfile> |
| | <log_format>full_command</log_format> |
| | <command>last -n 5</command> |
| | </localfile> |
| | </ossec_config> |
| | </code> |
| |
| |
