Configuration
Agentless monitoring is configured in the ossec.conf file in the section Agentless.
Integrity check BSD
In this example, the configuration is set to monitor the /bin
and /var
directories
<agentless>
<type>ssh_integrity_check_bsd</type>
<frequency>20000</frequency>
<host>root@test.com</host>
<state>periodic</state>
<arguments>/bin /var/</arguments>
</agentless>
Integrity check Linux
For Linux systems, set the type
as ssh_integrity_check_linux
as referenced below. A space-separated list of directories may be referenced in the configuration section using the arguments tag. Using this configuration, Wazuh will do an integrity check on the remote box.
The below example is configured to monitor the /bin
and /etc /sbin
directories
<agentless>
<type>ssh_integrity_check_linux</type>
<frequency>36000</frequency>
<host>root@test.com</host>
<state>periodic</state>
<arguments>/bin /etc/ /sbin</arguments>
</agentless>
Generic Diff
In this example, the configuration is set to execute ls -la /etc
and cat /etc/passwd
commands every 20000 seconds. An alert will be triggered if the output of those commands change.
<agentless>
<type>ssh_generic_diff</type>
<frequency>20000</frequency>
<host>root@test.com</host>
<state>periodic_diff</state>
<arguments>ls -la /etc; cat /etc/passwd</arguments>
</agentless>
Pix config
In this example, the configuration is set to trigger an alert when a Cisco PIX or router configuration changes.
<agentless>
<type>ssh_pixconfig_diff</type>
<frequency>36000</frequency>
<host>pix@pix.fw.local</host>
<state>periodic_diff</state>
</agentless>