Enable File Integrity


Hardik Joshi

14 May 2019 05:55:06
to ossec-list
I am new to OSSEC. Can someone explain how to configure file integrity, and where to configure the rules for that? A complete procedure, please.

dan (ddp)

14 May 2019 07:00:00
to ossec...@googlegroups.com
On Tue, May 14, 2019 at 5:55 AM Hardik Joshi <josh...@gmail.com> wrote:
>
> I am new to OSSEC. Can someone explain how to configure file integrity, and where to configure the rules for that? A complete procedure, please.
>

It should be enabled on every system we currently support by default.
Is there something you're having trouble with specifically?
This is the syntax for adding or changing things in the ossec.conf:
https://www.ossec.net/docs/syntax/head_ossec_config.syscheck.html

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/f7b58a7d-1b6f-4cff-9314-57b7a066c985%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Hardik Joshi

9 Jul 2019 02:33:09
to ossec...@googlegroups.com
Thanks for the information.

Do I need to provide the details in every agent configuration file?

How can I enable email alerts for that?

Thanks
Hardik Joshi
8866292445


dan (ddp)

10 Jul 2019 09:45:31
to ossec...@googlegroups.com
On Tue, Jul 9, 2019 at 2:33 AM Hardik Joshi <josh...@gmail.com> wrote:
>
> Thanks for the information.
>
> Do I need to provide the details in every agent configuration file?
>

Either the ossec.conf file on each agent, or agent.conf on the server.
agent.conf is in /var/ossec/etc/shared, and (lazily) gets distributed
to each agent.
The OSSEC processes on the agents need to be restarted if the
agent.conf changes.

> How can I enable email alerts for that?
>

Email alerts for syscheck events should be enabled by default.
The auto ignore option could interfere with this (if a file changes
more than 3 times), as well as the maximum emails per hour.

Hardik Joshi

11 Jul 2019 02:12:57
to ossec...@googlegroups.com
Thanks for the information.

I am unable to find the agent.conf file in the /var/ossec/etc/shared folder. Can you please provide exact details on how to create and configure it?

Thanks
Hardik Joshi



dan (ddp)

11 Jul 2019 07:05:45
to ossec...@googlegroups.com
On Thu, Jul 11, 2019 at 2:12 AM Hardik Joshi <josh...@gmail.com> wrote:
>
> Thanks for the information.
>
> I am unable to find the agent.conf file in the /var/ossec/etc/shared folder. Can you please provide exact details on how to create and configure it?
>

The documentation we currently have for this is pretty sparse.

Use your favorite text editor to create the file on the OSSEC server.
In that file start with:

<agent_config>
</agent_config>

Between those 2 lines, enter your configuration.
For example, to add `/var/test` to the syscheck configuration of all
agents, use:

<agent_config>
<syscheck>
<directories check_all="yes">/var/test</directories>
</syscheck>
</agent_config>

Multiple "<agent_config>" blocks can be included in a single agent.conf.
When the agent.conf is modified, the agent's ossec processes will have
to be restarted for it to take effect.

To limit which agents the configuration applies to, you can add
modifiers to the agent_config line.
There are "os", "name", and "profile" available.

"os" defines the operating system of the agents the configuration will
apply on. For example you can use "Windows" or "Linux":
<agent_config os="Windows">

"name" is the name of an agent. If you want the configuration block to
apply to a specific agent, use this option.
<agent_config name="agent007">

"profile" is a descriptive term that you can use to group agents. The
agent "subscribes" to the profile in its ossec.conf.
I haven't used this option in years, so I don't remember how to use it off hand.


> Thanks
> Hardik Joshi
>
>

Hope this helps. Feel free to watch this space for further updates:
https://ossec-documentation.readthedocs.io/en/latest/configuration/agent_conf.html

Hardik Joshi

11 Sep 2019 07:21:49
to ossec...@googlegroups.com
Hi,

I want Windows file monitoring on every server. Can you please help me with how to do this, with an example?

Thanks
Hardik Joshi
8511113164



dan (ddp)

18 Sep 2019 07:46:29
to ossec...@googlegroups.com
On Wed, Sep 11, 2019 at 7:21 AM Hardik Joshi <josh...@gmail.com> wrote:
>
> Hi,
>
> I want Windows file monitoring on every server. Can you please help me with how to do this, with an example?
>

syscheck is enabled by default on Windows systems.
What changes are you looking to make to the configuration?

Hardik Joshi

20 Sep 2019 04:42:01
to ossec...@googlegroups.com
I want to enable email alerts for files created, modified, and deleted, with an example.

Thanks
Hardik Joshi
8511113164


dan (ddp)

20 Sep 2019 07:20:54
to ossec...@googlegroups.com
On Fri, Sep 20, 2019 at 4:42 AM Hardik Joshi <josh...@gmail.com> wrote:
>
> I want to enable email alerts for files created, modified, and deleted, with an example.
>

For syscheck, I think it's something like:
On the server:
<syscheck>
<alert_new_files>yes</alert_new_files>
</syscheck>

On an agent:
<syscheck>
<directories check_all="yes" realtime="yes">/path/to/directory</directories>
</syscheck>

If you don't want to auto ignore files after 3 changes, disable the
auto_ignore option to the server.

<syscheck>
...
<auto_ignore>no</auto_ignore>
</syscheck>

Emailing syscheck alerts should already work out of the box (assuming
emailing alerts works).
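The two replies above describe, in prose, how the server picks `<agent_config>` blocks out of agent.conf (the "os", "name" and "profile" modifiers) and which server-side syscheck settings (`alert_new_files`, `auto_ignore`) decide whether new-file and repeated-change alerts are raised. The script below is an added example, not OSSEC's own code: it reads a constructed agent.conf and a constructed server ossec.conf and reports the effective syscheck directories for one agent plus the server's alerting flags. The block-selection rules it implements are an assumption made for illustration (exact match on `name`, substring match on `os`, membership test on `profile`); OSSEC's real matching is done in C and may differ in detail. The sample paths, agent names and OS strings are constructed.

```python
"""Resolve the syscheck settings one OSSEC agent would end up with.

Added example, not OSSEC's own code. Block-selection semantics below are an
ASSUMPTION for illustration: "name" must equal the agent name, "os" must be a
substring of the agent's OS string, "profile" must be one the agent subscribes to.
"""
import xml.etree.ElementTree as ET

# Constructed sample agent.conf. As the reply says, several <agent_config>
# blocks may sit side by side, so the file is not a single XML document.
AGENT_CONF = r"""
<agent_config>
  <syscheck>
    <directories check_all="yes">/var/test</directories>
  </syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\inetpub\wwwroot</directories>
  </syscheck>
</agent_config>
<agent_config name="agent007">
  <syscheck>
    <directories check_all="yes">/opt/app/config,/etc/app</directories>
  </syscheck>
</agent_config>
"""

# Constructed sample server-side ossec.conf syscheck section.
SERVER_CONF = """
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
"""


def parse_agent_conf(text):
    """Wrap the bare <agent_config> siblings in one root so ElementTree accepts them."""
    return ET.fromstring("<root>" + text.strip() + "</root>")


def block_applies(block, agent_name, agent_os, profiles=()):
    """Assumed selection rules (see module docstring); no modifier means 'all agents'."""
    name, os_, profile = block.get("name"), block.get("os"), block.get("profile")
    if name is not None and name != agent_name:
        return False
    if os_ is not None and os_ not in agent_os:
        return False
    if profile is not None and profile not in profiles:
        return False
    return True


def effective_directories(agent_conf_text, agent_name, agent_os, profiles=()):
    """Return [(path, check_all, realtime)] from every block that applies to this agent."""
    result = []
    for block in parse_agent_conf(agent_conf_text).findall("agent_config"):
        if not block_applies(block, agent_name, agent_os, profiles):
            continue
        for d in block.findall("syscheck/directories"):
            # OSSEC allows several comma-separated paths in one <directories> element.
            for path in (d.text or "").split(","):
                result.append((path.strip(),
                               d.get("check_all") == "yes",
                               d.get("realtime") == "yes"))
    return result


def server_alert_settings(ossec_conf_text):
    """Read the server flags the reply mentions; defaults are OSSEC's documented ones
    (alert_new_files off, auto_ignore on)."""
    syscheck = ET.fromstring(ossec_conf_text.strip()).find("syscheck")

    def flag(tag, default):
        el = syscheck.find(tag) if syscheck is not None else None
        if el is None or el.text is None:
            return default
        return el.text.strip().lower() == "yes"

    return {"alert_new_files": flag("alert_new_files", False),
            "auto_ignore": flag("auto_ignore", True)}


if __name__ == "__main__":
    for agent, os_name in (("web01", "Microsoft Windows Server 2016"),
                           ("agent007", "Linux ubuntu 4.15.0")):
        print(agent, effective_directories(AGENT_CONF, agent, os_name))
    print(server_alert_settings(SERVER_CONF))
```

Running it shows that the unqualified block reaches every agent, the `os="Windows"` block only the Windows host, and the `name="agent007"` block only that one agent; the server report makes the two flags from the reply visible at a glance, so an operator who is not getting new-file emails can check `alert_new_files` and `auto_ignore` before looking at the email settings themselves.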