DIRECTORY="/var/ossec"
fi
-# create users
+# create group
+if ! getent group $OSSEC_GROUP >/dev/null; then
+ addgroup --system $OSSEC_GROUP
+fi
+
+# create/modify users
if ! getent passwd $OSSEC_USER >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER
+else
+ usermod -g $OSSEC_GROUP -s /bin/false -d $DIRECTORY $OSSEC_USER
fi
if ! getent passwd $OSSEC_USER_MAIL >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL
+else
+ usermod -g $OSSEC_GROUP -s /bin/false -d $DIRECTORY $OSSEC_USER_MAIL
fi
if ! getent passwd $OSSEC_USER_EXEC >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC
+else
+ usermod -g $OSSEC_GROUP -s /bin/false -d $DIRECTORY $OSSEC_USER_EXEC
fi
if ! getent passwd $OSSEC_USER_REM >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM
-fi
-
-# create group
-if ! getent group $OSSEC_GROUP >/dev/null; then
- addgroup --system $OSSEC_GROUP
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM
+else
+ usermod -g $OSSEC_GROUP -s /bin/false -d $DIRECTORY $OSSEC_USER_REM
fi
# fix ownership
--- /dev/null
+<ossec_config>
+ <global>
+ <email_notification>yes</email_notification>
+ <email_to>root@localhost</email_to>
+ <smtp_server>127.0.0.1</smtp_server>
+ <email_from>ossecm@localhost</email_from>
+ </global>
+
+ <rules>
+ <include>rules_config.xml</include>
+ <include>pam_rules.xml</include>
+ <include>sshd_rules.xml</include>
+ <include>telnetd_rules.xml</include>
+ <include>syslog_rules.xml</include>
+ <include>arpwatch_rules.xml</include>
+ <include>symantec-av_rules.xml</include>
+ <include>symantec-ws_rules.xml</include>
+ <include>pix_rules.xml</include>
+ <include>named_rules.xml</include>
+ <include>smbd_rules.xml</include>
+ <include>vsftpd_rules.xml</include>
+ <include>pure-ftpd_rules.xml</include>
+ <include>proftpd_rules.xml</include>
+ <include>ms_ftpd_rules.xml</include>
+ <include>ftpd_rules.xml</include>
+ <include>hordeimp_rules.xml</include>
+ <include>roundcube_rules.xml</include>
+ <include>wordpress_rules.xml</include>
+ <include>vpopmail_rules.xml</include>
+ <include>vmpop3d_rules.xml</include>
+ <include>courier_rules.xml</include>
+ <include>web_rules.xml</include>
+ <include>apache_rules.xml</include>
+ <include>nginx_rules.xml</include>
+ <include>php_rules.xml</include>
+ <include>mysql_rules.xml</include>
+ <include>postgresql_rules.xml</include>
+ <include>ids_rules.xml</include>
+ <include>squid_rules.xml</include>
+ <include>firewall_rules.xml</include>
+ <include>cisco-ios_rules.xml</include>
+ <include>netscreenfw_rules.xml</include>
+ <include>sonicwall_rules.xml</include>
+ <include>postfix_rules.xml</include>
+ <include>sendmail_rules.xml</include>
+ <include>imapd_rules.xml</include>
+ <include>mailscanner_rules.xml</include>
+ <include>dovecot_rules.xml</include>
+ <include>ms-exchange_rules.xml</include>
+ <include>racoon_rules.xml</include>
+ <include>vpn_concentrator_rules.xml</include>
+ <include>spamd_rules.xml</include>
+ <include>msauth_rules.xml</include>
+ <include>mcafee_av_rules.xml</include>
+ <include>trend-osce_rules.xml</include>
+ <!-- <include>policy_rules.xml</include> -->
+ <include>zeus_rules.xml</include>
+ <include>solaris_bsm_rules.xml</include>
+ <include>vmware_rules.xml</include>
+ <include>ms_dhcp_rules.xml</include>
+ <include>asterisk_rules.xml</include>
+ <include>ossec_rules.xml</include>
+ <include>attack_rules.xml</include>
+ <include>local_rules.xml</include>
+ </rules>
+
+ <syscheck>
+ <!-- Frequency that syscheck is executed - default to every 22 hours -->
+ <frequency>79200</frequency>
+
+ <!-- Directories to check (perform all possible verifications) -->
+ <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
+ <directories check_all="yes">/bin,/sbin</directories>
+
+ <!-- Files/directories to ignore -->
+ <ignore>/etc/mtab</ignore>
+ <ignore>/etc/mnttab</ignore>
+ <ignore>/etc/hosts.deny</ignore>
+ <ignore>/etc/mail/statistics</ignore>
+ <ignore>/etc/random-seed</ignore>
+ <ignore>/etc/adjtime</ignore>
+ <ignore>/etc/httpd/logs</ignore>
+ <ignore>/etc/utmpx</ignore>
+ <ignore>/etc/wtmpx</ignore>
+ <ignore>/etc/cups/certs</ignore>
+ <ignore>/etc/dumpdates</ignore>
+ <ignore>/etc/svc/volatile</ignore>
+ </syscheck>
+
+ <rootcheck>
+ <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+ <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+ <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
+ <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
+ <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
+ <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
+ </rootcheck>
+
+ <active-response>
+ <disabled>yes</disabled>
+ </active-response>
+
+ <alerts>
+ <log_alert_level>1</log_alert_level>
+ <email_alert_level>7</email_alert_level>
+ </alerts>
+ <!-- Files to monitor (localfiles) -->
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/messages</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/auth.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/syslog</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/xferlog</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/vsftpd.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/mail.info</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/maillog</location>
+ </localfile>
+
+ <localfile>
+ <log_format>syslog</log_format>
+ <location>/var/log/dpkg.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/apache2/error.log</location>
+ </localfile>
+
+ <localfile>
+ <log_format>apache</log_format>
+ <location>/var/log/apache2/access.log</location>
+ </localfile>
+</ossec_config>
projects / ossec-hids.git / commitdiff