src/win32/ossec.conf

   1 <!-- OSSEC-HIDS Win32 Agent Configuration.
   2   -  This file is composed of 3 main sections:
   3   -    - Client config - Settings to connect to the OSSEC server
   4   -    - Localfile     - Files/Event logs to monitor
   5   -    - syscheck      - System file/Registry entries to monitor
   6   -->
   7
   8 <!-- READ ME FIRST. If you are configuring OSSEC-HIDS for the first time,
   9   -  try to use the "Manage_Agent" tool. Go to Control Panel->OSSEC Agent
  10   -  to execute it.
  11   -
  12   -  First, add a server-ip entry with the real IP of your server.
  13   -  Second, and optionally, change the settings of the files you want
  14   -          to monitor. Look at our Manual and FAQ for more information.
  15   -  Third, start the Agent and enjoy.
  16   -
  17   -  Example of server-ip:
  18   -  <client> <server-ip>1.2.3.4</server-ip> </client>
  19   -->
  20
  21 <ossec_config>
  22
  23   <!-- One entry for each file/Event log to monitor. -->
  24   <localfile>
  25     <location>Application</location>
  26     <log_format>eventlog</log_format>
  27   </localfile>
  28
  29   <localfile>
  30     <location>Security</location>
  31     <log_format>eventlog</log_format>
  32   </localfile>
  33
  34   <localfile>
  35     <location>System</location>
  36     <log_format>eventlog</log_format>
  37   </localfile>
  38
  39   <localfile>
  40     <location>Windows PowerShell</location>
  41     <log_format>eventlog</log_format>
  42   </localfile>
  43
  44   <!-- Rootcheck - Policy monitor config -->
  45   <rootcheck>
  46     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
  47     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
  48     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  49   </rootcheck>
  50
  51    <!-- Syscheck - Integrity Checking config. -->
  52   <syscheck>
  53
  54     <!-- Default frequency, every 20 hours. It doesn't need to be higher
  55       -  on most systems and one a day should be enough.
  56       -->
  57     <frequency>72000</frequency>
  58
  59     <!-- By default it is disabled. In the Install you must choose
  60       -  to enable it.
  61       -->
  62     <disabled>yes</disabled>
  63
  64     <!-- Default files to be monitored - system32 only. -->
  65     <directories check_all="yes">%WINDIR%/win.ini</directories>
  66     <directories check_all="yes">%WINDIR%/system.ini</directories>
  67     <directories check_all="yes">C:\autoexec.bat</directories>
  68     <directories check_all="yes">C:\config.sys</directories>
  69     <directories check_all="yes">C:\boot.ini</directories>
  70
  71     <directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
  72     <directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
  73     <directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
  74     <directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
  75     <directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
  76     <directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
  77     <directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
  78     <directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
  79     <directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
  80     <directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
  81     <directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
  82     <directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
  83     <directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
  84     <directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
  85     <directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
  86     <directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
  87     <directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
  88     <directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
  89     <directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
  90     <directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
  91     <directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
  92     <directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>
  93
  94     <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
  95     <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
  96     <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
  97     <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
  98     <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
  99     <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
 100     <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
 101     <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
 102     <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
 103     <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
 104     <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
 105     <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
 106     <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
 107     <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
 108     <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
 109     <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
 110     <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
 111     <directories check_all="yes">%WINDIR%/regedit.exe</directories>
 112     <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
 113     <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
 114     <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
 115     <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
 116     <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
 117     <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
 118     <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
 119     <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
 120     <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
 121     <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
 122     <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
 123     <directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
 124     <directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
 125     <directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>
 126
 127     <directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>
 128
 129     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
 130
 131     <!-- Windows registry entries to monitor. -->
 132     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
 133     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
 134     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
 135     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
 136     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
 137     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
 138     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
 139     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
 140     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
 141     <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
 142     <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
 143     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
 144
 145     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
 146     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
 147     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
 148
 149     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
 150     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
 151     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
 152     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
 153     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
 154     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
 155     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
 156
 157     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
 158
 159     <!-- Windows registry entries to ignore. -->
 160     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
 161     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
 162     <registry_ignore type="sregex">\Enum$</registry_ignore>
 163   </syscheck>
 164
 165   <active-response>
 166     <disabled>yes</disabled>
 167   </active-response>
 168
 169 </ossec_config>
 170
 171 <!-- END of Default Configuration. -->