2016-07-24 16:11:12 -04:00
|
|
|
default["ossec"]["version"] = "2.8"
|
|
|
|
default["ossec"]["syslog_output"]["ip"] = "172.16.254.254"
|
|
|
|
default["ossec"]["syslog_output"]["port"] = "514"
|
|
|
|
default["ossec"]["syslog_output"]["min_level"] = "5"
|
|
|
|
default["ossec"]["receiver_port"] = "1514"
|
|
|
|
default["ossec"]["log_alert_level"] = "1"
|
|
|
|
default["ossec"]["email_alert_level"] = "7"
|
|
|
|
default["ossec"]["email_maxperhour"] = "9999"
|
2016-07-24 18:12:09 -04:00
|
|
|
default["ossec"]["email_idsname"] = "ossec"
|
2016-07-24 16:11:12 -04:00
|
|
|
default["ossec"]["memory_size"] = "100000"
|
|
|
|
default["ossec"]["remote"]["connection"] = "secure"
|
|
|
|
default["ossec"]["agents"] = {}
|
|
|
|
default["ossec"]["rules"] = {}
|
|
|
|
default["ossec"]["email_alerts"] = {}
|
|
|
|
if node["roles"].include?("ossec-server")
|
|
|
|
default["ossec"]["agent"]["enable"] = false
|
|
|
|
else
|
|
|
|
default["ossec"]["agent"]["enable"] = true
|
|
|
|
end
|
|
|
|
|
|
|
|
if platform_family?('debian')
|
|
|
|
default["ossec"]["server"]["service_name"] = "ossec-hids-server"
|
|
|
|
default["ossec"]["client"]["service_name"] = "ossec-hids-client"
|
|
|
|
elsif platform_family?('rhel')
|
|
|
|
default["ossec"]["server"]["service_name"] = "ossec-hids"
|
|
|
|
default["ossec"]["client"]["service_name"] = "ossec-hids"
|
|
|
|
end
|
|
|
|
|
|
|
|
# Sane defaults for each distribution platform for syslog files
|
|
|
|
if platform_family?('debian')
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/auth.log"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/daemon.log"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/kern.log"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/mail.log"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/syslog"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/user.log"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/chef/client.log"] = {}
|
|
|
|
|
|
|
|
elsif platform_family?('rhel')
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/cron"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/dmesg"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/maillog"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/messages"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/secure"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/spooler"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/yum.log"] = {}
|
|
|
|
default["ossec"]["syslog_files"]["/var/log/chef/client.log"] = {}
|
|
|
|
end
|
|
|
|
|
|
|
|
# Sane defaults for syscheck
|
|
|
|
default["ossec"]["syscheck"]["frequency"] = '7200'
|
|
|
|
default["ossec"]["syscheck"]["alert_new_files"] = 'yes'
|
|
|
|
default["ossec"]["syscheck"]["auto_ignore"] = 'no'
|
|
|
|
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/bin'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'yes'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/boot'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'no'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/etc'] = {
|
|
|
|
'report_changes' => 'yes',
|
|
|
|
'realtime' => 'no'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/lib/lsb'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'yes'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/lib/modules'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'yes'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/lib/plymouth'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'yes'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/lib/security'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'yes'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/lib/terminfo'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'yes'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/lib/ufw'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'yes'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/lib/xtables'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'no'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/media'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'no'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/opt'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'no'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/root'] = {
|
|
|
|
'report_changes' => 'yes',
|
|
|
|
'realtime' => 'no'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/srv'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'no'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/sbin'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'yes'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/usr/'] = {
|
|
|
|
'report_changes' => 'yes',
|
|
|
|
'realtime' => 'yes'
|
|
|
|
}
|
|
|
|
default["ossec"]["syscheck"]["directories"]['/tmp'] = {
|
|
|
|
'report_changes' => 'no',
|
|
|
|
'realtime' => 'no'
|
|
|
|
}
|
|
|
|
|
|
|
|
# Syscheck Ignore Files
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/openvpn/openvpn-status.log'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/motd'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/blkid.tab'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/mtab'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/mail/statistics'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/random-seed'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/adjtime'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/prelink.cache'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/root/.bash_history'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/root/.viminfo'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/dnscache/stats'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/dnscache/log'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/dnscache2/stats'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/dnscache2/log'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/tinydns/stats'] = {}
|
|
|
|
default["ossec"]["syscheck"]["ignore"]['/etc/tinydns/log'] = {}
|
|
|
|
|
|
|
|
# Commands
|
|
|
|
default["ossec"]["command"]["host-deny"]["enabled"] = false
|
|
|
|
default["ossec"]["command"]["host-deny"]["executable"] = 'host-deny.sh'
|
|
|
|
default["ossec"]["command"]["host-deny"]["expect"] = 'srcip'
|
|
|
|
default["ossec"]["command"]["host-deny"]["timeout_allowed"] = 'yes'
|
|
|
|
|
|
|
|
default["ossec"]["command"]["firewall-stop"]["enabled"] = true
|
|
|
|
default["ossec"]["command"]["firewall-stop"]["executable"] = 'firewall-drop.sh'
|
|
|
|
default["ossec"]["command"]["firewall-stop"]["expect"] = 'srcip'
|
|
|
|
default["ossec"]["command"]["firewall-stop"]["timeout_allowed"] = 'yes'
|
|
|
|
|
|
|
|
default["ossec"]["command"]["disable-account"]["enabled"] = false
|
|
|
|
default["ossec"]["command"]["disable-account"]["executable"] = 'disable-account.sh'
|
|
|
|
default["ossec"]["command"]["disable-account"]["expect"] = 'user'
|
|
|
|
default["ossec"]["command"]["disable-account"]["timeout_allowed"] = 'yes'
|
|
|
|
|
|
|
|
default["ossec"]["local_command"] = {}
|
|
|
|
|
|
|
|
# Active-Responses
|
|
|
|
default["ossec"]["active-response"]["host-deny"]["enabled"] = true
|
|
|
|
default["ossec"]["active-response"]["host-deny"]["location"] = 'local'
|
|
|
|
default["ossec"]["active-response"]["host-deny"]["level"] = '10'
|
|
|
|
default["ossec"]["active-response"]["host-deny"]["timeout"] = '600'
|
|
|
|
|
|
|
|
default["ossec"]["active-response"]["firewall-stop"]["enabled"] = true
|
|
|
|
default["ossec"]["active-response"]["firewall-stop"]["location"] = 'local'
|
|
|
|
default["ossec"]["active-response"]["firewall-stop"]["level"] = '10'
|
|
|
|
default["ossec"]["active-response"]["firewall-stop"]["timeout"] = '600'
|
|
|
|
|
|
|
|
default["ossec"]["active-response"]["disable-account"]["enabled"] = false
|
|
|
|
default["ossec"]["active-response"]["disable-account"]["location"] = 'local'
|
|
|
|
default["ossec"]["active-response"]["disable-account"]["level"] = '10'
|
|
|
|
default["ossec"]["active-response"]["disable-account"]["timeout"] = '600'
|
|
|
|
|
|
|
|
|
|
|
|
# internal options, you probably don't want to touch that
|
|
|
|
default["ossec"]["internal"]["analysisd"]["default_timeframe"] = "360"
|
|
|
|
default["ossec"]["internal"]["analysisd"]["stats_maxdiff"] = "25000"
|
|
|
|
default["ossec"]["internal"]["analysisd"]["stats_mindiff"] = "250"
|
|
|
|
default["ossec"]["internal"]["analysisd"]["stats_percent_diff"] = "30"
|
|
|
|
default["ossec"]["internal"]["analysisd"]["fts_list_size"] = "32"
|
|
|
|
default["ossec"]["internal"]["analysisd"]["fts_min_size_for_str"] = "14"
|
|
|
|
default["ossec"]["internal"]["analysisd"]["log_fw"] = "1"
|
|
|
|
default["ossec"]["internal"]["logcollector"]["loop_timeout"] = "2"
|
|
|
|
default["ossec"]["internal"]["logcollector"]["open_attempts"] = "8"
|
|
|
|
default["ossec"]["internal"]["logcollector"]["remote_commands"] = 1
|
|
|
|
default["ossec"]["internal"]["remoted"]["recv_counter_flush"] = "128"
|
|
|
|
default["ossec"]["internal"]["remoted"]["comp_average_printout"] = "19999"
|
|
|
|
default["ossec"]["internal"]["remoted"]["verify_msg_id"] = "1"
|
|
|
|
default["ossec"]["internal"]["maild"]["strict_checking"] = "1"
|
|
|
|
default["ossec"]["internal"]["maild"]["groupping"] = "0"
|
|
|
|
default["ossec"]["internal"]["maild"]["full_subject"] = "1"
|
|
|
|
default["ossec"]["internal"]["maild"]["geoip"] = "1"
|
|
|
|
default["ossec"]["internal"]["monitord"]["compress"] = "1"
|
|
|
|
default["ossec"]["internal"]["monitord"]["sign"] = "1"
|
|
|
|
default["ossec"]["internal"]["monitord"]["monitor_agents"] = "1"
|
|
|
|
default["ossec"]["internal"]["syscheck"]["sleep"] = "2"
|
|
|
|
default["ossec"]["internal"]["syscheck"]["sleep_after"] = "15"
|
|
|
|
default["ossec"]["internal"]["dbd"]["reconnect_attempts"] = "10"
|
|
|
|
default["ossec"]["internal"]["window"]["debug"] = "0"
|
|
|
|
default["ossec"]["internal"]["syscheck"]["debug"] = "0"
|
|
|
|
default["ossec"]["internal"]["remoted"]["debug"] = "0"
|
|
|
|
default["ossec"]["internal"]["analysisd"]["debug"] = "0"
|
|
|
|
default["ossec"]["internal"]["logcollector"]["debug"] = "0"
|
|
|
|
default["ossec"]["internal"]["agent"]["debug"] = "0"
|
|
|
|
|
|
|
|
# What OSSEC fules files to load
|
|
|
|
default["ossec"]["load_rules"] = {
|
|
|
|
'rules_config.xml' => true,
|
|
|
|
'pam_rules.xml' => true,
|
|
|
|
'sshd_rules.xml' => true,
|
|
|
|
'telnetd_rules.xml' => false,
|
|
|
|
'syslog_rules.xml' => true,
|
|
|
|
'arpwatch_rules.xml' => true,
|
|
|
|
'symantec-av_rules.xml' => false,
|
|
|
|
'symantec-ws_rules.xml' => false,
|
|
|
|
'pix_rules.xml' => false,
|
|
|
|
'named_rules.xml' => true,
|
|
|
|
'smbd_rules.xml' => true,
|
|
|
|
'vsftpd_rules.xml' => false,
|
|
|
|
'pure-ftpd_rules.xml' => false,
|
|
|
|
'proftpd_rules.xml' => false,
|
|
|
|
'ms_ftpd_rules.xml' => false,
|
|
|
|
'ftpd_rules.xml' => false,
|
|
|
|
'hordeimp_rules.xml' => false,
|
|
|
|
'roundcube_rules.xml' => false,
|
|
|
|
'wordpress_rules.xml' => false,
|
|
|
|
'cimserver_rules.xml' => false,
|
|
|
|
'vpopmail_rules.xml' => false,
|
|
|
|
'vmpop3d_rules.xml' => false,
|
|
|
|
'courier_rules.xml' => false,
|
|
|
|
'web_rules.xml' => true,
|
|
|
|
'web_appsec_rules.xml' => true,
|
|
|
|
'apache_rules.xml' => true,
|
|
|
|
'nginx_rules.xml' => true,
|
|
|
|
'php_rules.xml' => true,
|
|
|
|
'mysql_rules.xml' => true,
|
|
|
|
'postgresql_rules.xml' => true,
|
|
|
|
'ids_rules.xml' => true,
|
|
|
|
'squid_rules.xml' => false,
|
|
|
|
'firewall_rules.xml' => true,
|
|
|
|
'cisco-ios_rules.xml' => false,
|
|
|
|
'netscreenfw_rules.xml' => false,
|
|
|
|
'sonicwall_rules.xml' => false,
|
|
|
|
'postfix_rules.xml' => true,
|
|
|
|
'sendmail_rules.xml' => false,
|
|
|
|
'imapd_rules.xml' => false,
|
|
|
|
'mailscanner_rules.xml' => false,
|
|
|
|
'dovecot_rules.xml' => false,
|
|
|
|
'ms-exchange_rules.xml' => false,
|
|
|
|
'racoon_rules.xml' => false,
|
|
|
|
'vpn_concentrator_rules.xml' => false,
|
|
|
|
'spamd_rules.xml' => false,
|
|
|
|
'msauth_rules.xml' => false,
|
|
|
|
'clam_av_rules.xml' => true,
|
|
|
|
'mcafee_av_rules.xml' => false,
|
|
|
|
'trend-osce_rules.xml' => false,
|
|
|
|
'ms-se_rules.xml' => false,
|
|
|
|
'zeus_rules.xml' => false,
|
|
|
|
'solaris_bsm_rules.xml' => false,
|
|
|
|
'vmware_rules.xml' => false,
|
|
|
|
'ms_dhcp_rules.xml' => false,
|
|
|
|
'asterisk_rules.xml' => false,
|
|
|
|
'ossec_rules.xml' => true,
|
|
|
|
'attack_rules.xml' => true,
|
|
|
|
'local_rules.xml' => true,
|
|
|
|
}
|