X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Fwin32%2Fossec.conf;h=e66dc14d905aa5a0f6501bfeff124ff57031d0c9;hp=6a943eacc7dc49e9e66644c6ca4c9144c0bf6cc7;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/src/win32/ossec.conf b/src/win32/ossec.conf
old mode 100755
new mode 100644
index 6a943ea..e66dc14
--- a/src/win32/ossec.conf
+++ b/src/win32/ossec.conf
@@ -1,24 +1,23 @@
-<!-- OSSEC Win32 Agent Configuration.
-  -  This file is compost of 3 main sections:
-  -    - Client config - Settings to connect to the OSSEC server. 
-  -    - Localfile     - Files/Event logs to monitor.
-  -    - syscheck      - System file/Registry entries to monitor.
+<!-- OSSEC-HIDS Win32 Agent Configuration.
+  -  This file is composed of 3 main sections:
+  -    - Client config - Settings to connect to the OSSEC server
+  -    - Localfile     - Files/Event logs to monitor
+  -    - syscheck      - System file/Registry entries to monitor
   -->
 
-<!-- READ ME FIRST. If you are configuring OSSEC for the first time, 
-  -  try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
+<!-- READ ME FIRST. If you are configuring OSSEC-HIDS for the first time,
+  -  try to use the "Manage_Agent" tool. Go to Control Panel->OSSEC Agent
   -  to execute it.
   -
   -  First, add a server-ip entry with the real IP of your server.
-  -  Second, and optionally, change the settings of the files you want 
+  -  Second, and optionally, change the settings of the files you want
   -          to monitor. Look at our Manual and FAQ for more information.
   -  Third, start the Agent and enjoy.
   -
-  -  Example of server-ip: 
+  -  Example of server-ip:
   -  <client> <server-ip>1.2.3.4</server-ip> </client>
   -->
 
-
 <ossec_config>
 
   <!-- One entry for each file/Event log to monitor. -->
@@ -36,19 +35,22 @@
     <location>System</location>
     <log_format>eventlog</log_format>
   </localfile>
-
+  
+  <localfile>
+    <location>Windows PowerShell</location>
+    <log_format>eventlog</log_format>
+  </localfile>
 
   <!-- Rootcheck - Policy monitor config -->
   <rootcheck>
     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
-  </rootcheck>  
-
+  </rootcheck>
 
    <!-- Syscheck - Integrity Checking config. -->
   <syscheck>
-  
+
     <!-- Default frequency, every 20 hours. It doesn't need to be higher
       -  on most systems and one a day should be enough.
       -->
@@ -57,8 +59,7 @@
     <!-- By default it is disabled. In the Install you must choose
       -  to enable it.
       -->
-    <disabled>yes</disabled>  
-
+    <disabled>yes</disabled>
 
     <!-- Default files to be monitored - system32 only. -->
     <directories check_all="yes">%WINDIR%/win.ini</directories>
@@ -66,6 +67,30 @@
     <directories check_all="yes">C:\autoexec.bat</directories>
     <directories check_all="yes">C:\config.sys</directories>
     <directories check_all="yes">C:\boot.ini</directories>
+
+    <directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
+    <directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>
+
     <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
     <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
     <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
@@ -95,10 +120,13 @@
     <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
     <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
     <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
-    <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
-    <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
-    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
+    <directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
+    <directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
+    <directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>
 
+    <directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>
+
+    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
 
     <!-- Windows registry entries to monitor. -->
     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
@@ -114,7 +142,6 @@
     <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
 
-
     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
@@ -129,13 +156,11 @@
 
     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
 
-
-
     <!-- Windows registry entries to ignore. -->
     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
     <registry_ignore type="sregex">\Enum$</registry_ignore>
-  </syscheck>    
+  </syscheck>
 
   <active-response>
     <disabled>yes</disabled>
@@ -143,6 +168,4 @@
 
 </ossec_config>
 
-
 <!-- END of Default Configuration. -->
-
