Configuration

  1. Integrity check BSD

  2. Integrity check Linux

  3. Generic Diff

  4. Pix config

Agentless monitoring is configured in the ossec.conf file in the section Agentless.

Integrity check BSD

In this example, the configuration is set to monitor the /bin and /var directories

<agentless>
  <type>ssh_integrity_check_bsd</type>
  <frequency>20000</frequency>
  <host>root@test.com</host>
  <state>periodic</state>
  <arguments>/bin /var/</arguments>
</agentless>

Integrity check Linux

For Linux systems, set the type as ssh_integrity_check_linux as referenced below. A space-separated list of directories may be referenced in the configuration section using the arguments tag. Using this configuration, Wazuh will do an integrity check on the remote box.

The below example is configured to monitor the /bin and /etc /sbin directories

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>36000</frequency>
  <host>root@test.com</host>
  <state>periodic</state>
  <arguments>/bin /etc/ /sbin</arguments>
</agentless>

Generic Diff

In this example, the configuration is set to execute ls -la /etc and cat /etc/passwd commands every 20000 seconds. An alert will be triggered if the output of those commands change.

<agentless>
  <type>ssh_generic_diff</type>
  <frequency>20000</frequency>
  <host>root@test.com</host>
  <state>periodic_diff</state>
  <arguments>ls -la /etc; cat /etc/passwd</arguments>
</agentless>

Pix config

In this example, the configuration is set to trigger an alert when a Cisco PIX or router configuration changes.

<agentless>
  <type>ssh_pixconfig_diff</type>
  <frequency>36000</frequency>
  <host>pix@pix.fw.local</host>
  <state>periodic_diff</state>
</agentless>