
List:       ossec-list
Subject:    Re: [ossec-list] Disable FS crawls
From:       Christina Plummer <cplummer () gmail ! com>
Date:       2016-08-31 23:30:37
Message-ID: CACHybFdCfHzpB4mM1ZhLxTYE=TtdacsL29+=zSeUGefdfBhnEg () mail ! gmail ! com

If you don't actually want to do file integrity checking at all, I think
you can just remove the <syscheck> section from your ossec.conf files on
the clients.  If you want to scan some directories but not others, just
make sure that you are only including the specific directories you want
scanned in the <directories> tag.

Per the syscheck FAQ, <ignore> might not completely disable scanning - it
might just disable alerting.

On Wed, Aug 31, 2016 at 12:20 PM, 'q' via ossec-list <
ossec-list@googlegroups.com> wrote:

> Hello Juraj!
> 
> 
> You can try the <ignore> option in the rootcheck section of your
> ossec-agent-shared.conf.
> 
> For example:
> 
> <agent_config profile="my_profile">
>   <syscheck>
>   </syscheck>
> 
>   <rootcheck>
>     <ignore>/var/www/ptb/</ignore>
>   </rootcheck>
> </agent_config>
> 
> On 31.08.2016 15:08, B2RN wrote:
> 
> Hey all,
> 
> I'm trying to figure out whether there's a way to disable any sort of FS
> crawls performed by OSSEC. We have a few SAN clients that have 2.3PB of
> mounted network shares and I'd like to avoid OSSEC going through them for
> obvious reasons.
> 
> http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/ mentions
> "skip_nfs", but this isn't actually NFS. It's a magical proprietary thing.
> 
> And like I said, I'd just want to disable FS crawls entirely and have the
> agent(s) set up with log parsing and maybe active-response. Depends on how
> well I can write up the decoders/rules.
> 
> By the way, asking before I start messing around with this because the
> machines are live.
> 
> Cheers,
> Juraj
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> 
> 
> 

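As an added illustration of the two approaches Christina describes (it is not a config from the thread or from the OSSEC project, and the profile names, log path and directory list are assumptions), here is a shared agent.conf that disables the filesystem-walking daemons on the SAN clients entirely, and, for comparison, a second profile that keeps syscheck but confines it to an explicit list of local directories:

```xml
<!-- Added example: /var/ossec/etc/shared/agent.conf on the OSSEC manager.
     Profile names, the log path and the directory list are illustrative
     assumptions; each agent picks its profile with
     <client><config-profile>san-client</config-profile></client>
     in its local ossec.conf. -->

<agent_config profile="san-client">
  <!-- Switch off both daemons that crawl the filesystem. What remains on
       the agent is log collection and active response. -->
  <syscheck>
    <disabled>yes</disabled>
  </syscheck>
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>

  <!-- Log collection keeps working with syscheck/rootcheck disabled. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</agent_config>

<agent_config profile="generic-linux">
  <!-- Keep file integrity monitoring, but only on an allow-list of local
       paths. syscheck only descends into what <directories> names, so a
       mounted share that is not listed is never walked. -->
  <syscheck>
    <frequency>43200</frequency>
    <skip_nfs>yes</skip_nfs>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>
```

Two caveats when applying this to live machines: the agent merges the shared agent.conf with its own local ossec.conf, so a `<directories>` list left in the local file is still scanned and should be removed there too; and `<ignore>` is an alerting/exclusion filter on paths inside the scanned set, not a way to keep a tree out of the walk, which is why the first profile uses `<disabled>` rather than a long ignore list. After restarting the agent, its ossec.log shows whether a syscheck scan is still being started, which is the quickest confirmation that the profile took effect.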


