1 <!-- OSSEC Win32 Agent Configuration.
2   -  This file is composed of 3 main sections:
3   -    - Client config - Settings to connect to the OSSEC server.
4   -    - Localfile     - Files/Event logs to monitor.
5   -    - syscheck      - System file/Registry entries to monitor.
6   -->
7
8 <!-- READ ME FIRST. If you are configuring OSSEC for the first time,
9   -  use the "Manage_Agent" tool. Go to Control Panel -> OSSEC Agent
10   -  to run it.
11   -
12   -  First, add a server-ip entry with the real IP of your server.
13   -  Second (optional), change the settings for the files you want
14   -          to monitor. See the Manual and FAQ for more information.
15   -  Third, start the Agent and enjoy.
16   -
17   -  Example of server-ip: 
18   -  <client> <server-ip>1.2.3.4</server-ip> </client>
19   -->
20
21
22 <ossec_config>
23
24   <!-- One entry for each file/Event log to monitor. -->
25   <localfile>
26     <location>Application</location>
27     <log_format>eventlog</log_format>
28   </localfile>
29
30   <localfile>
31     <location>Security</location>
32     <log_format>eventlog</log_format>
33   </localfile>
34
35   <localfile>
36     <location>System</location>
37     <log_format>eventlog</log_format>
38   </localfile>
39
40
41   <!-- Rootcheck - Policy monitor config -->
42   <rootcheck>
43     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
44     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
45     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
46   </rootcheck>  
47
48
49    <!-- Syscheck - Integrity Checking config. -->
50   <syscheck>
51   
52     <!-- Default frequency: every 20 hours (72000 seconds). It does not need
53       -  to be more frequent on most systems; once a day should be enough.
54       -->
55     <frequency>72000</frequency>
56
57     <!-- Syscheck is disabled by default. You must choose to enable it
58       -  during installation.
59       -->
60     <disabled>yes</disabled>  
61
62
63     <!-- Default files and folders to be monitored (mostly under System32). -->
64     <directories check_all="yes">%WINDIR%/win.ini</directories>
65     <directories check_all="yes">%WINDIR%/system.ini</directories>
66     <directories check_all="yes">C:\autoexec.bat</directories>
67     <directories check_all="yes">C:\config.sys</directories>
68     <directories check_all="yes">C:\boot.ini</directories>
69     <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
70     <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
71     <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
72     <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
73     <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
74     <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
75     <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
76     <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
77     <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
78     <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
79     <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
80     <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
81     <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
82     <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
83     <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
84     <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
85     <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
86     <directories check_all="yes">%WINDIR%/regedit.exe</directories>
87     <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
88     <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
89     <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
90     <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
91     <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
92     <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
93     <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
94     <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
95     <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
96     <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
97     <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
98     <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
99     <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
100     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
101
102
103     <!-- Windows registry entries to monitor. -->
104     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
105     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
106     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
107     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
108     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
109     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
110     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
111     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
112     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
113     <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
114     <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
115     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
116
117
118     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
119     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
120     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
121
122     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
123     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
124     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
125     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
126     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
127     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
128     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
129
130     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
131
132
133
134     <!-- Windows registry entries to ignore. -->
135     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
136     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
137     <registry_ignore type="sregex">\Enum$</registry_ignore>
138   </syscheck>    
139
140   <active-response>
141     <disabled>yes</disabled>
142   </active-response>
143
144 </ossec_config>
145
146
147 <!-- END of Default Configuration. -->
148