etc/ossec-server.conf

   1 <!-- OSSEC example config -->
   2
   3 <ossec_config>
   4   <global>
   5     <email_notification>yes</email_notification>
   6     <email_to>daniel.cid@xxx.com</email_to>
   7     <smtp_server>smtp.xxx.com.</smtp_server>
   8     <email_from>ossecm@ossec.xxx.com.</email_from>
   9   </global>
  10
  11   <rules>
  12     <include>rules_config.xml</include>
  13     <include>sshd_rules.xml</include>
  14     <include>syslog_rules.xml</include>
  15     <include>pix_rules.xml</include>
  16     <include>named_rules.xml</include>
  17     <include>pure-ftpd_rules.xml</include>
  18     <include>proftpd_rules.xml</include>
  19     <include>web_rules.xml</include>
  20     <include>apache_rules.xml</include>
  21     <include>ids_rules.xml</include>
  22     <include>squid_rules.xml</include>
  23     <include>firewall_rules.xml</include>
  24     <include>postfix_rules.xml</include>
  25     <include>sendmail_rules.xml</include>
  26     <include>spamd_rules.xml</include>
  27     <include>msauth_rules.xml</include>
  28     <include>attack_rules.xml</include>
  29   </rules>
  30
  31   <syscheck>
  32     <!-- Frequency that syscheck is executed -- default every 2 hours -->
  33     <frequency>7200</frequency>
  34
  35     <!-- Directories to check  (perform all possible verifications) -->
  36     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  37     <directories check_all="yes">/bin,/sbin</directories>
  38
  39     <!-- Files/directories to ignore -->
  40     <ignore>/etc/mtab</ignore>
  41     <ignore>/etc/hosts.deny</ignore>
  42     <ignore>/etc/mail/statistics</ignore>
  43     <ignore>/etc/random-seed</ignore>
  44     <ignore>/etc/adjtime</ignore>
  45     <ignore>/etc/httpd/logs</ignore>
  46   </syscheck>
  47
  48   <rootcheck>
  49     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  50     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  51   </rootcheck>
  52
  53   <global>
  54     <white_list>127.0.0.1</white_list>
  55     <white_list>192.168.2.1</white_list>
  56     <white_list>192.168.2.190</white_list>
  57     <white_list>192.168.2.32</white_list>
  58     <white_list>192.168.2.10</white_list>
  59   </global>
  60
  61   <remote>
  62     <connection>secure</connection>
  63   </remote>
  64
  65   <alerts>
  66     <log_alert_level>1</log_alert_level>
  67     <email_alert_level>7</email_alert_level>
  68   </alerts>
  69
  70   <command>
  71     <name>host-deny</name>
  72     <executable>host-deny.sh</executable>
  73     <expect>srcip</expect>
  74     <timeout_allowed>yes</timeout_allowed>
  75   </command>
  76
  77   <command>
  78     <name>firewall-drop</name>
  79     <executable>firewall-drop.sh</executable>
  80     <expect>srcip</expect>
  81     <timeout_allowed>yes</timeout_allowed>
  82   </command>
  83
  84   <command>
  85     <name>disable-account</name>
  86     <executable>disable-account.sh</executable>
  87     <expect>user</expect>
  88     <timeout_allowed>yes</timeout_allowed>
  89   </command>
  90
  91
  92   <!-- Active Response Config -->
  93   <active-response>
  94     <!-- This response is going to execute the host-deny
  95        - command for every event that fires a rule with
  96        - level (severity) >= 6.
  97        - The IP is going to be blocked for  600 seconds.
  98       -->
  99     <command>host-deny</command>
 100     <location>local</location>
 101     <level>6</level>
 102     <timeout>600</timeout>
 103   </active-response>
 104
 105   <active-response>
 106     <!-- Firewall Drop response. Block the IP for
 107        - 600 seconds on the firewall (iptables,
 108        - ipfilter, etc).
 109       -->
 110     <command>firewall-drop</command>
 111     <location>local</location>
 112     <level>6</level>
 113     <timeout>600</timeout>
 114   </active-response>
 115
 116   <!-- Files to monitor (localfiles) -->
 117
 118   <localfile>
 119     <log_format>syslog</log_format>
 120     <location>/var/log/messages</location>
 121   </localfile>
 122
 123   <localfile>
 124     <log_format>syslog</log_format>
 125     <location>/var/log/authlog</location>
 126   </localfile>
 127
 128   <localfile>
 129     <log_format>syslog</log_format>
 130     <location>/var/log/secure</location>
 131   </localfile>
 132
 133   <localfile>
 134     <log_format>syslog</log_format>
 135     <location>/var/log/xferlog</location>
 136   </localfile>
 137
 138   <localfile>
 139     <log_format>syslog</log_format>
 140     <location>/var/log/maillog</location>
 141   </localfile>
 142
 143   <localfile>
 144     <log_format>apache</log_format>
 145     <location>/var/www/logs/access_log</location>
 146   </localfile>
 147
 148   <localfile>
 149     <log_format>apache</log_format>
 150     <location>/var/www/logs/error_log</location>
 151   </localfile>
 152 </ossec_config>