106 lines
3.0 KiB
Plaintext
106 lines
3.0 KiB
Plaintext
<!-- OSSEC Slackware example config -->
|
|
<!-- Written by Mario Preksavec <mario at slackware dot hr> -->
|
|
|
|
<ossec_config>
|
|
<client>
|
|
<!-- Server IP address -->
|
|
<server-ip>127.0.0.1</server-ip>
|
|
</client>
|
|
|
|
<syscheck>
|
|
<!-- Frequency that syscheck is executed -- default every 2 hours -->
|
|
<frequency>7200</frequency>
|
|
|
|
<!-- Directories to check (perform all possible verifications) -->
|
|
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
|
|
<directories check_all="yes">/bin,/sbin,/boot</directories>
|
|
|
|
<!-- Files/directories to ignore -->
|
|
<ignore>/etc/mtab</ignore>
|
|
<ignore>/etc/hosts.deny</ignore>
|
|
<ignore>/etc/mail/statistics</ignore>
|
|
<ignore>/etc/random-seed</ignore>
|
|
<ignore>/etc/adjtime</ignore>
|
|
<ignore>/etc/ntp/drift</ignore>
|
|
</syscheck>
|
|
|
|
<rootcheck>
|
|
<!-- Local of the rootkit_files and rootkit_trojans files -->
|
|
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
|
|
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
|
|
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
|
|
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
|
|
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
|
|
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
|
|
<system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
|
|
<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
|
|
</rootcheck>
|
|
|
|
<!-- Files to monitor (localfiles) -->
|
|
|
|
<localfile>
|
|
<log_format>syslog</log_format>
|
|
<location>/var/log/messages</location>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>syslog</log_format>
|
|
<location>/var/log/syslog</location>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>syslog</log_format>
|
|
<location>/var/log/debug</location>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>syslog</log_format>
|
|
<location>/var/log/secure</location>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>syslog</log_format>
|
|
<location>/var/log/cron</location>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>syslog</log_format>
|
|
<location>/var/log/maillog</location>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>syslog</log_format>
|
|
<location>/var/log/spooler</location>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>apache</log_format>
|
|
<location>/var/log/httpd/access_log</location>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>apache</log_format>
|
|
<location>/var/log/httpd/error_log</location>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>command</log_format>
|
|
<command>df -h</command>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>full_command</log_format>
|
|
<command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>full_command</log_format>
|
|
<command>last -n 5</command>
|
|
</localfile>
|
|
|
|
<localfile>
|
|
<log_format>full_command</log_format>
|
|
<command>lastb -n 5</command>
|
|
</localfile>
|
|
</ossec_config>
|