Ticket #42533: ossec-client.conf

File ossec-client.conf, 6.9 KB (added by jul_bsd@…, 9 years ago)
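<!-- OSSEC agent example configuration for macOS (MacPorts layout, install prefix /opt/local/var/ossec) -->

<ossec_config>
  <client>
    <!-- x.x.x.x is a placeholder for the OSSEC manager address; replace it before deployment -->
    <server-ip>x.x.x.x</server-ip>
  </client>

  <syscheck>
    <disabled>no</disabled>
    <!-- Interval between scheduled syscheck scans, in seconds (72000 s = 20 hours) -->
    <frequency>72000</frequency>

    <!-- Directories to check. check_all enables every available attribute check
         (size, permissions, owner, group and checksums). -->
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories check_all="yes">/private/etc</directories>
    <directories check_all="yes">/Applications</directories>
    <directories check_all="yes">/System,/Network,/Library</directories>
    <directories check_all="yes">/Developer</directories>
    <directories check_all="yes">/opt/local/etc,/opt/local/bin,/opt/local/sbin</directories>
    <directories check_all="yes">/home</directories>
    <directories check_all="yes">/Library/Preferences</directories>
    <directories check_all="yes">/Users/Shared</directories>

    <!-- Persistence locations: system and third-party launch daemons/agents,
         the login window preferences and the system XPC services -->
    <directories check_all="yes">/System/Library/LaunchDaemons,/System/Library/LaunchAgents,/Library/LaunchDaemons,/Library/LaunchAgents,/Library/Preferences/com.apple.loginwindow.plist,/System/Library/XPCServices</directories>

    <!-- Per-user files.
         NOTE(review): wildcard expansion in <directories> depends on the agent version;
         confirm at startup that the agent logs these paths as monitored. -->
    <directories check_all="yes">/Users/*/Library/Preferences</directories>
    <directories check_all="yes">/Users/*/Library/Logs</directories>
    <directories check_all="yes">/Users/*/Library/Preferences/com.apple.loginitems.plist</directories>
    <directories check_all="yes">/Users/*/Library/Mail/V2/MailData/Accounts.plist</directories>
    <directories check_all="yes">/Users/*/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2</directories>

    <!-- Core dump directory (core dumps are disabled by default on macOS) -->
    <directories check_all="yes">/cores</directories>

    <!-- Apple web server document root -->
    <directories check_all="yes">/Library/WebServer/Documents</directories>

    <!-- MacPorts web server document root: covered by the realtime entry below
         rather than by a scheduled check_all scan -->
<!--
    <directories check_all="yes">/opt/local/www</directories>
-->
    <!-- Realtime monitoring of script files on the web server, with content diffs.
         Note: with alert_new_files left disabled below, newly created files are not
         reported; see http://tonyonsecurity.com/2013/07/27/ossec-detecting-new-files-understanding-how-it-works/
         NOTE(review): restrict uses OSSEC regex syntax, so an unescaped '.' matches any
         character ('.php' also matches 'xphp'); this only widens what is monitored.
         NOTE(review): realtime needs an agent build with realtime support on this platform,
         otherwise the directory is only covered by the scheduled scans. report_changes keeps
         a copy of each matched file under the agent's queue directory for diffing. -->
    <directories realtime="yes" report_changes="yes" restrict=".php|.js|.asp|.pl|.exe|.ht*">/opt/local/www</directories>
<!--
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>
    <auto_ignore>no</auto_ignore>
-->

    <!-- Files/directories to ignore (the Linux defaults are kept commented out for reference) -->
<!--
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
-->
    <ignore>/Library/Caches</ignore>
    <ignore>/System/Library/Caches</ignore>
    <ignore>/Volumes</ignore>
    <ignore>/private/tmp</ignore>
    <ignore>/private/var/tmp</ignore>
    <ignore>/opt/tmp</ignore>
    <!-- Apple malware (XProtect) definition files, auto-updated by Apple -->
    <ignore>/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist</ignore>
    <ignore>/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist</ignore>
    <ignore>/Library/Managed Preferences/Guest/com.apple.familycontrols.contentfilter.plist</ignore>
    <!-- Google Chrome Canary auto-updates too often; only its main executable
         ('Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary') stays monitored.
         NOTE(review): ignoring _CodeSignature/CodeResources means changes to the bundle's
         signed-resource manifest go unreported; weigh that against the update noise. -->
    <ignore>/Applications/Google Chrome Canary.app/Contents/Resources/</ignore>
    <ignore>/Applications/Google Chrome Canary.app/Contents/Info.plist</ignore>
    <ignore>/Applications/Google Chrome Canary.app/Contents/_CodeSignature/CodeResources</ignore>
  </syscheck>

  <rootcheck>
    <!-- Rootkit signature files under the agent's etc/shared directory (MacPorts install prefix) -->
    <rootkit_files>/opt/local/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/opt/local/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Log files to monitor (localfile entries) -->

  <!-- This log can contain multi-line entries -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/system.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/authd.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/appfirewall.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/alf.log</location>
  </localfile>

  <!-- This log can contain multi-line entries -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/appstore.log</location>
  </localfile>

  <!-- This log can contain multi-line entries -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/install.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/mail.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/notifyd.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/opendirectoryd.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/shutdown_monitor.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/private/var/log/wifi.log</location>
  </localfile>

  <!-- Apache2 as shipped by Apple (disabled) -->
<!--
  <localfile>
    <log_format>apache</log_format>
    <location>/private/var/log/apache2/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/private/var/log/apache2/error_log</location>
  </localfile>
-->

  <!-- MacPorts service logs -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/opt/local/var/log/php55/php-fpm.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/opt/local/var/log/nginx/access.log</location>
  </localfile>

  <!-- Custom commands. With log_format "command" each output line is a separate event;
       with "full_command" the whole output is one event, so a change in the set of
       listeners is reported as a block. -->

  <!-- Monitor listening TCP sockets, excluding loopback.
       NOTE(review): the unescaped '&&' is not well-formed XML; it relies on the OSSEC
       config reader accepting it literally. Confirm with the agent version in use. -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |awk '/LISTEN/ && !/(127.0.0.1|::1)/'</command>
  </localfile>

  <!-- Monitor disk usage -->
  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <!-- Monitor the last logged-in users -->
  <localfile>
    <log_format>command</log_format>
    <command>last -5</command>
  </localfile>

  <!-- Monitor ipfw firewall rules.
       NOTE(review): ipfw was superseded by pf on later macOS releases; on those hosts
       this command produces no useful output. -->
  <localfile>
    <log_format>command</log_format>
    <command>ipfw -t list</command>
  </localfile>

  <!-- Monitor the local user list -->
  <localfile>
    <log_format>command</log_format>
    <command>dscl . list /users</command>
  </localfile>

  <!-- Monitor loaded launchd jobs -->
  <localfile>
    <log_format>command</log_format>
    <command>launchctl list</command>
  </localfile>

  <!-- Monitor shared memory segments -->
  <localfile>
    <log_format>command</log_format>
    <command>ipcs -m</command>
  </localfile>

</ossec_config>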