OSSEC
The ossec role is used to install ossec server or client.
Default variables
---
# defaults file for ossec
ossec:
client: true
serverip: "123.123.123.123"
#auth_password should be 32 chars, lowercase letters and numbers, no symbols
auth_password: "xxx"
global:
email_notification: "yes"
email_to: "admin@example.com"
smtp_server: "mail.google.com"
email_from: "admin@example.com"
white_list:
- "8.8.8.8"
- "4.4.4.4"
alerts:
log_alert_level: 1
email_alert_level: 7
email_alerts:
email_to: "admin@example.com"
level: 14
ssl:
domain: "ossec.example.com"
handling: "selfsigned"
syscheck:
frequency: 79200
directories:
- /etc
- /usr/bin
- /usr/sbin
- /bin
- /sbin
ignore:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
- /etc/puppet
- /etc/resolv.conf
- /etc/hybserv
rootcheck:
disabled: "no"
rootkit_files:
- /var/ossec/etc/shared/rootkit_files.txt
rootkit_trojans:
- /var/ossec/etc/shared/rootkit_trojans.txt
system_audit:
- /var/ossec/etc/shared/system_audit_rcl.txt
- /var/ossec/etc/shared/cis_debian_linux_rcl.txt
- /var/ossec/etc/shared/cis_rhel_linux_rcl.txt
- /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
command:
- name: "firewall-drop"
executable: "firewall-drop.sh"
expect: "srcip"
timeout_allowed: "yes"
activeresponse:
- disabled: "no"
command: "firewall-drop"
location: "all"
rules_id: "31151,5712,104130,101071,101132,101238,101251,103011"
repeated_offenders: "30,60,120"
timeout: "600"
- disabled: "no"
command: "firewall-drop"
location: "all"
rules_id: "100205"
repeated_offenders: "30,60,120"
timeout: "3600"
remote:
connection:
- syslog
- secure
localfile:
- { log_format: "syslog", location: "/var/log/messages" }
- { log_format: "syslog", location: "/var/log/auth.log" }
- { log_format: "syslog", location: "/var/log/syslog" }
- { log_format: "syslog", location: "/var/log/mail.info" }
- { log_format: "syslog", location: "/var/log/dpkg.log" }
rules:
- rules_config.xml
- pam_rules.xml
- sshd_rules.xml
- telnetd_rules.xml
- syslog_rules.xml
- arpwatch_rules.xml
- symantec-av_rules.xml
- symantec-ws_rules.xml
- pix_rules.xml
- named_rules.xml
- smbd_rules.xml
- vsftpd_rules.xml
- proftpd_rules.xml
- ms_ftpd_rules.xml
- ftpd_rules.xml
- hordeimp_rules.xml
- roundcube_rules.xml
- wordpress_rules.xml
- cimserver_rules.xml
- vpopmail_rules.xml
- vmpop3d_rules.xml
- courier_rules.xml
- web_rules.xml
- web_appsec_rules.xml
- apache_rules.xml
- nginx_rules.xml
- php_rules.xml
- mysql_rules.xml
- postgresql_rules.xml
- ids_rules.xml
- squid_rules.xml
- firewall_rules.xml
- cisco-ios_rules.xml
- netscreenfw_rules.xml
- sonicwall_rules.xml
- postfix_rules.xml
- sendmail_rules.xml
- imapd_rules.xml
- mailscanner_rules.xml
- dovecot_rules.xml
- ms-exchange_rules.xml
- racoon_rules.xml
- vpn_concentrator_rules.xml
- spamd_rules.xml
- msauth_rules.xml
- mcafee_av_rules.xml
- trend-osce_rules.xml
- ms-se_rules.xml
- zeus_rules.xml
- solaris_bsm_rules.xml
- vmware_rules.xml
- ms_dhcp_rules.xml
- asterisk_rules.xml
- ossec_rules.xml
- attack_rules.xml
- openbsd_rules.xml
- clam_av_rules.xml
- dropbear_rules.xml
# - customer1_rules.xml
# - customer2_rules.xml
# - customerN_rules.xml
- local_rules.xml