path: root/security/ossec-hids-local-config/pkg-help-server
Unless stated otherwise, every option here corresponds to a configuration
block that is placed in one of the configuration files in the "ossec.conf.d"
directory. Disabled options do the same, but in the "ossec.conf.d/disabled"
directory. All "*.conf" files from the "ossec.conf.d" directory will be merged
into "ossec.conf" in alphabetical order. If you are not satisfied with the
generated configuration, you can disable the corresponding option and use the
files from the "ossec.conf.d/disabled" directory as samples.

The "pushed" sections (*_P options) relate to configuration pushed to agents
using "agent.conf". The generated configuration blocks will be placed in the
"agent.conf.d" and "agent.conf.d/disabled" directories.
Note that the agent needs to enable the proper profile to benefit from the
"agent.conf" configuration pushed by the server. This also means that profiles
not enabled on the agent are ignored. This is why all "pushed" options are
enabled by default. The port currently contains configuration templates for
the following agent systems:

  - FreeBSD
  - Debian Linux
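
The profile matching described above, shown as an added illustration (this is
not one of the port's generated files). The profile names "example-freebsd"
and "example-debian", the server address and the log paths are hypothetical
placeholders; use the profile names found in the generated "agent.conf.d"
files.

```xml
<!-- Server side: agent.conf, pushed to every agent.
     Each block is applied only by agents that enabled its profile. -->
<agent_config profile="example-freebsd">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</agent_config>

<agent_config profile="example-debian">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</agent_config>

<!-- Agent side: ossec.conf on a FreeBSD agent.
     Only "example-freebsd" is listed, so the "example-debian" block
     above is received but ignored by this agent. -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
    <config-profile>example-freebsd</config-profile>
  </client>
</ossec_config>
```

An agent with no matching "config-profile" entry applies none of the
profile-scoped blocks, so a missing or misspelled profile name results in the
pushed monitoring being silently skipped on that agent.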

Consider contributing to the port by contacting the maintainer and providing
configuration templates for other operating systems running OSSEC agents.

Files generated by the port will be overwritten during port upgrades, so any
additional configuration should be put in separate files.

File Integrity Checking:

  NOAUTO_SC:
    By default, OSSEC will ignore files that change too often (after the third
    change). This option disables this feature. Files that change too often
    as a result of correct system operation are better added to the ignore
    list manually.

Command Output Monitoring:

  Adds additional commands, the output of which can be monitored. To actually
  send alerts about the changing output, the proper rules need to be configured
  as well (see CMDOUT_R option).
  These commands can be tweaked in "command.conf".

Active Response Firewall:

  Creates a "firewall-drop.sh" hard link to one of the scripts shipped with
  OSSEC. This option is only meaningful if this OSSEC instance will be the
  target of the "firewall-drop" active response.