I am evaluating (vanilla) OSSEC+ (not Wazuh). If I understand the documentation correctly, all the rule-specific configuration has to be done on the server, which sounds very reasonable, as I do not want to change the configuration of every single agent, and a possible attacker should not be able to manipulate it.
Following that, I expect changes to said configuration on the server to be reflected on the agents somehow. But this does not seem to happen in my case.
For a test, I wanted to implement a crontab check: if the crontab of the root user is changed, I want to get a notification about it.
Following the documentation, I added the following to /var/ossec/etc/ossec.conf on the server:
    <localfile>
      <log_format>full_command</log_format>
      <command>crontab -u root -l</command>
      <frequency>30</frequency>
    </localfile>
and the following to /var/ossec/rules/local_rules.xml (on the server as well):
    <rule id="500002" level="7">
      <if_sid>530</if_sid>
      <match>ossec: output: 'crontab</match>
      <check_diff />
      <description>Crontab for user has changed!</description>
    </rule>
After that I restarted the server and the agent.
Now, because the server is monitoring itself as well, I can verify that this configuration works in principle: I do get the desired notification if I change the crontab on the server.
But this does not happen for the agent. Following other questions/answers on Stack Overflow, I tried adding
    logcollector.remote_commands=1
to /var/ossec/etc/local_internal_options.conf (on the agent) and restarted the agent multiple times.
I can see that the agent is doing something when I look into /var/ossec/logs/ossec.log (on the agent), and I do see it executing some other commands, but not the one I configured.
What am I doing wrong? Do I have to add every configuration to the server and every single agent, despite the documentation telling me otherwise?
PS: It does work if I add the command configuration to /var/ossec/etc/ossec.conf on the agent.
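For reference, the file OSSEC uses to distribute configuration from the server to its agents is the shared agent.conf; the following is an added example of that form, not part of the original question, and it assumes the same 30-second crontab check as above and an agent with remote commands enabled.

```xml
<!-- Added example: /var/ossec/etc/shared/agent.conf on the OSSEC server.
     The server pushes this file to the agents. A <localfile> placed here is
     read by each agent's logcollector, whereas a <localfile> in the server's
     own ossec.conf is only read by the server itself.
     Rule 500002 stays in the server's local_rules.xml: rules are evaluated
     on the server, not on the agents. -->
<agent_config>
  <!-- Same full_command check as on the server, now applied to every agent.
       Executing a command sent via agent.conf requires
       logcollector.remote_commands=1 in the agent's local_internal_options.conf. -->
  <localfile>
    <log_format>full_command</log_format>
    <command>crontab -u root -l</command>
    <frequency>30</frequency>
  </localfile>
</agent_config>
```

After editing it, /var/ossec/bin/verify-agent-conf on the server checks the file's syntax, and the agents apply it once they have synced the new copy from the server. Note that each agent keeps its received copy under /var/ossec/etc/shared/ on the agent host, so central management alone does not protect the check from someone who already has root on that host.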