I am evaluating (vanilla) OSSEC+ (not Wazuh). If I understand the documentation correctly, all the rule-specific configuration has to be done on the server, which sounds very reasonable as I do not want to change the configuration of every single agent and a possible attacker shall not be able to manipulate it.
Following that I expect that changes in said configuration on the server are somehow reflected on the agents. But this seems not to happen in my case.
For a test I wanted to implement a crontab check. So if the crontab of the root user is changed, I want to get a notification about that.
Following the documentation I added the following to
/var/ossec/etc/ossec.conf
on the server:
<localfile>
<log_format>full_command</log_format>
<command>crontab -u root -l</command>
<frequency>30</frequency>
</localfile>
and the following to /var/ossec/rules/local_rules.xml
(on the server as well)
<rule id="500002" level="7">
<if_sid>530</if_sid>
<match>ossec: output: 'crontab</match>
<check_diff />
<description>Crontab for user has changed!.</description>
</rule>
After that I restarted the server and the agent.
Now because the server is monitoring itself as well I can verify that this configuration is working in principle, because I do get the desired notification if I change the crontab on the server.
But this does not happen for the agent. Following other questions/answers on stackoverflow I tried adding
logcollector.remote_commands=1
to /var/ossec/etc/local_internal_options.conf
(on the agent)
and restarted the agent multiple times.
I can see that the agent is doing something when I look into
/var/ossec/logs/ossec.log
(agent)
and I do see it executing some other commands, but not the one I configured.
What am I doing wrong? Do I have to add every configuration to the server and every single agent, despite the documentation telling me otherwise?
PS. It does work if I add the command-configuration into /var/ossec/etc/ossec.conf
on the agent.
In order to provide configuration to agents from the manager you must use Centralized agent configuration, you may append configuration to groups of agents by adding them to the agent.conf
of each group.
Unless specified otherwise all agents will originally be part of the default
group, so you must add this to /var/ossec/etc/shared/default/agent.conf
on the manager so the agent will use it.
When adding configuration to the manager's /var/ossec/etc/ossec.conf
this will only affect the manager's operations.