<!--
Wazuh - Manager - Default configuration for centos 7
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh

Layout of this file, in order: <global> (output and mail settings), <alerts>,
<remote> (agent listener), <rootcheck> (policy monitoring), an open-scap
<wodle>, <syscheck> (file integrity monitoring), a second <global> plus the
<command> and <active-response> blocks (active response), <localfile> entries
(log collection) and <ruleset>. Comments are for humans only; the manager
reads the elements, not the comments. The file carries no DOCTYPE and should
stay that way, since the manager parses it as trusted configuration.
-->

<ossec_config>

  <global>
    <!-- Alert output: JSON alerts on, plain-text alerts.log off, per-event
         plain-text archive off, per-event JSON archive (logall_json) on.
         logall_json stores every received event, so archive volume scales
         with agent count and must be sized for. -->
    <jsonout_output>yes</jsonout_output>
    <alerts_log>no</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
    <!-- Mail is disabled. The SMTP and address values below are
         example.wazuh.com placeholders and only matter if
         email_notification is switched to yes; replace them first. -->
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>ossecm@example.wazuh.com</email_from>
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <!-- Rules at level 1 and above are logged; level 7 and above would be
         mailed if email_notification were enabled above. -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <remote>
    <!-- Agent listener: "secure" is the key-authenticated agent protocol,
         here on 1514/udp. Agent keys are managed outside this file. -->
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_unixaudit>yes</check_unixaudit>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <!-- Signature databases, absolute paths under /var/ossec/etc/shared. -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <!-- Audit policies. The CIS file is the RHEL 7 one, matching the
         centos 7 target named in the header; a different OS release needs
         the matching CIS file here. -->
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <!-- OpenSCAP scanning is disabled. The content block is kept so it can
       be switched on with the CentOS 7 SSG datastream already referenced;
       the datastream file must exist where the scanner resolves that
       relative path (TODO confirm location before enabling). -->
  <wodle name="open-scap">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <content type="xccdf" path="ssg-centos-7-ds.xml">
      <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
      <profile>xccdf_org.ssgproject.content_profile_common</profile>
    </content>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">^/proc</ignore>
    <!-- NOTE(review): in sregex a bare '.' matches any character, so
         '.log$' also excludes names that merely end in "log" rather than
         only a ".log" extension; confirm that is intended, otherwise the
         dots should be escaped. -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <!-- Changes to the key are still reported, but its contents are never
         captured into a stored diff or an alert. -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
  </syscheck>

  <!-- Active response -->
  <!-- Sources listed in white_list are never acted on by the responses
       below. 127.0.0.1 and localhost are the usual entries; 10.0.0.2 is a
       site-specific address, so confirm it belongs to this deployment: a
       stale entry here silently exempts that host from host-deny and
       firewall-drop. -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>10.0.0.2</white_list>
  </global>

  <!-- Each <command> binds a name to a response script; <expect> names the
       alert field handed to the script (srcip or user) and timeout_allowed
       marks the action as reversible after the <timeout> set in the
       <active-response> that uses it. -->
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Active Response Config -->
  <!-- Both responses below fire for any rule at level 6 or above, which is
       a broad threshold; the white_list above is the only guard against
       blocking a trusted source that happens to trigger such a rule. -->
  <active-response>
    <!-- This response is going to execute the host-deny
    - command for every event that fires a rule with
    - level (severity) >= 6.
    - The IP is going to be blocked for 600 seconds.
    -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
    - 600 seconds on the firewall (iptables,
    - ipfilter, etc).
    -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Log analysis -->
  <!-- The command/full_command entries run the given shell command every
       <frequency> seconds with the manager's own privileges and feed its
       output into log analysis, so edits here change what executes on the
       manager. -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <!-- Normalizes netstat listening-socket output into
         "proto address:port program" lines sorted by port, dropping the
         two header lines, so a change in the listening set is diffable. -->
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <!-- Feeds the manager's own active-response log back in, so executed
       responses themselves become analysable events. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <!-- One shipped rule file is excluded from loading. -->
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>

    <!-- User-defined ruleset -->
    <!-- Local decoders and rules belong under etc/, not in the shipped
         ruleset/ directories. -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

</ossec_config>