Configuration

  1. Integrity check BSD

  2. Integrity check Linux

  3. Generic Diff

  4. Pix config

Agentless monitoring is configured in the ossec.conf file in the section agentless.

Integrity check BSD

This sample configuration will monitor the /bin and /var directories:

<agentless>
  <type>ssh_integrity_check_bsd</type>
  <frequency>20000</frequency>
  <host>root@test.com</host>
  <state>periodic</state>
  <arguments>/bin /var/</arguments>
</agentless>

Notice in the <arguments> tag that multiple directories may be included, separated by a space.

Integrity check Linux

For Linux systems, set the type as ssh_integrity_check_linux as referenced below. Here also, a space-separated list of directories may be referenced in the configuration section using the <arguments> tag. Using this configuration, Wazuh will do an integrity check on the remote box.

The sample configuration will monitor the /bin, /etc and /sbin directories

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>36000</frequency>
  <host>root@test.com</host>
  <state>periodic</state>
  <arguments>/bin /etc /sbin</arguments>
</agentless>

Generic Diff

In this configuration the ls -la /etc and cat /etc/passwd commands will execute every 20000 seconds. An alert will be triggered if the output of the commands changes.

<agentless>
  <type>ssh_generic_diff</type>
  <frequency>20000</frequency>
  <host>root@test.com</host>
  <state>periodic_diff</state>
  <arguments>ls -la /etc; cat /etc/passwd</arguments>
</agentless>

Notice that multiple entries in the <arguments> tag can be included, separated by a ";".

Pix config

In this configuration, an alert will be triggered when a Cisco PIX or router configuration changes.

<agentless>
  <type>ssh_pixconfig_diff</type>
  <frequency>36000</frequency>
  <host>pix@pix.fw.local</host>
  <state>periodic_diff</state>
</agentless>