This roles setup a OSSEC Agent
This role is only tested on Ubuntu trusty. You need to have a OSSEC server running. The server needs to be running before the client because the client needs to get the credentials from the server, otherwise it won't be able to talk to the server until the next restart.
The role uses the Ubuntu package defaults. The below all the options with their defaults as examples, but list
items are truncated. Please view defaults/main.yml for a full list.
Server
ossec_server: 127.0.0.1Rules
ossec_rules:
- rules_config.xmlSyscheck
ossec_syscheck_frequency: 7200
ossec_syscheck_directories:
- check_all: yes
directories: /etc,/usr/bin,/usr/sbin
ossec_syscheck_ignore_directories:
- /etc/mtabRootcheck
ossec_rootcheck_rootkit_files: /var/ossec/etc/shared/rootkit_files.txt
ossec_rootcheck_rootkit_rojans: /var/ossec/etc/shared/rootkit_trojans.txtGlobal whitelist
ossec_global_white_lists:
- 127.0.0.1Remote
ossec_remote_connection: secure
ossec_remote_port: 1514
ossec_remote_protocol: udp
ossec_remote_local_ip: 0.0.0.0Alerts
ossec_alerts_log_alert_level: 1
ossec_alerts_email_alert_level: 7Commands
ossec_commands:
- name: host-deny
executable: host-deny.sh
expect: srcip
timeout_allowed: yesActive Responses
ossec_active_responses:
- command: host-deny
location: local
level: 6
timeout: 600Localfile
ossec_localfile:
- log_format: syslog
location: /var/log/messages- hosts: agents
vars:
ossec_server: 10.13.123.123
roles:
- verygood.ossec-agent
BSD