Agentless

Getting started with agentless monitoring

  1. Enable agentless monitoring on the manager (hub):

    /var/ossec/bin/ossec-control enable agentless
    
  2. Register SSH (or device) credentials for each remote host. For Cisco devices (PIX, routers, and similar), pass an extra argument for the enable password. The same applies if you need su support on Unix-like systems. The following examples add a Linux host (example.net) and a PIX firewall (pix.fw.local):

    /var/ossec/agentless/register_host.sh add root@example.net 'mypass1'
    Host root@example.net added.
    
    /var/ossec/agentless/register_host.sh add pix@pix.fw.local 'pixpass' 'enablepass'
    Host pix@pix.fw.local added.
    
    /var/ossec/agentless/register_host.sh list
    Available hosts:

    pix@pix.fw.local
    root@example.net

Note

register_host.sh is a shell script. Quote passwords that contain special characters so the shell does not interpret them. The credentials you register are stored in clear text on the manager (the .passlist file under /var/ossec/agentless), so keep that file readable only by the ossec user and prefer key-based authentication where the remote side allows it. If you use public key authentication instead of passwords, pass NOPASS as the password and generate a key as the ossec user:

sudo -u ossec ssh-keygen

Keys are created under /var/ossec/.ssh. Copy the public key to the remote host so passwordless SSH works for the configured user.

Configuring agentless

Once agentless is enabled and hosts are registered, add <agentless> stanzas to the manager configuration.

  1. Edit ossec.conf on the manager:

    vim /var/ossec/etc/ossec.conf
    
  2. After the <syscheck></syscheck> block, add an <agentless> section. Example (Linux integrity check):

    <agentless>
      <type>ssh_integrity_check_linux</type>
      <frequency>36000</frequency>
      <host>root@example.net</host>
      <state>periodic_diff</state>
      <arguments>/bin /etc /sbin</arguments>
    </agentless>

    Use <state> and <arguments> as required for the type you choose (see below).

  3. Restart the manager service so changes apply. On systems using systemd:

    systemctl restart ossec-hids

    If your distribution uses a different unit name (for example wazuh-manager), use the equivalent command for your install.

Agentless types

ssh_integrity_check_bsd

List directories in <arguments>; OSSEC runs integrity checks on those paths on the remote BSD host.

ssh_integrity_check_linux

Same as above for Linux remote hosts.

ssh_generic_diff

Run the commands given in <arguments> on the remote host; OSSEC alerts when command output changes between runs.

ssh_pixconfig_diff

Detect changes to Cisco PIX/router-style configuration (device-specific).

States

periodic_diff

Script output is sent to the agentless process and compared to the previous run; differences raise an alert.

periodic

Script output is passed to the analysis engine on every run and matched against the rules as it is, rather than being stored and compared with the previous run as periodic_diff does (see the product documentation for the rules that apply to your rule set).
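As an added example (not part of the original OSSEC documentation), the Python script below cross-checks the <agentless> stanzas in a manager's ossec.conf against the types and states listed above and against the host list printed by register_host.sh, flagging unregistered hosts, bad frequencies and missing <arguments> before the manager is restarted. The sample configuration and list output are constructed for the example; the second stanza and its host admin@db.internal are hypothetical.

```python
import xml.etree.ElementTree as ET

# Agentless types and states documented on this page; the first three take
# directories or commands in <arguments>.
TYPES_NEEDING_ARGUMENTS = {"ssh_integrity_check_bsd",
                           "ssh_integrity_check_linux", "ssh_generic_diff"}
KNOWN_TYPES = TYPES_NEEDING_ARGUMENTS | {"ssh_pixconfig_diff"}
KNOWN_STATES = {"periodic_diff", "periodic"}

def registered_hosts(list_output):
    """Parse 'register_host.sh list' output into a set of user@host entries."""
    return {ln.strip() for ln in list_output.splitlines()
            if "@" in ln and " " not in ln.strip()}

def validate_agentless(ossec_conf, hosts):
    """Return problems found in the <agentless> stanzas of an ossec.conf text."""
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML, so wrap the text in a synthetic root before parsing.
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    problems = []
    for i, stanza in enumerate(root.iter("agentless"), 1):
        v = {t: (stanza.findtext(t) or "").strip()
             for t in ("type", "state", "host", "frequency", "arguments")}
        if v["type"] not in KNOWN_TYPES:
            problems.append(f"stanza {i}: unknown type '{v['type']}'")
        if v["state"] not in KNOWN_STATES:
            problems.append(f"stanza {i}: unknown state '{v['state']}'")
        if not v["frequency"].isdigit() or int(v["frequency"]) <= 0:
            problems.append(f"stanza {i}: frequency must be a positive integer")
        if v["host"] not in hosts:
            problems.append(f"stanza {i}: host '{v['host']}' is not registered")
        if v["type"] in TYPES_NEEDING_ARGUMENTS and not v["arguments"]:
            problems.append(f"stanza {i}: {v['type']} needs <arguments>")
    return problems

# Constructed sample input: the list output and stanza from this page, plus a
# hypothetical second stanza with a zero frequency, an unregistered host and no arguments.
SAMPLE_LIST = "Available hosts:\n\npix@pix.fw.local\nroot@example.net\n"
SAMPLE_CONF = """<ossec_config>
  <agentless><type>ssh_integrity_check_linux</type><frequency>36000</frequency>
    <host>root@example.net</host><state>periodic_diff</state>
    <arguments>/bin /etc /sbin</arguments></agentless>
  <agentless><type>ssh_generic_diff</type><frequency>0</frequency>
    <host>admin@db.internal</host><state>periodic_diff</state></agentless>
</ossec_config>
"""

def check_sample():
    """Run the validator over the constructed sample; returns the problem list."""
    return validate_agentless(SAMPLE_CONF, registered_hosts(SAMPLE_LIST))
```

Run check_sample() after editing ossec.conf; an empty list means every stanza references a known type and state, a registered host, and the arguments its type needs.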

Illustrative alert (legacy format)

The fragment below shows the style of agentless integrity alerts; exact fields and rule IDs depend on your ruleset and OSSEC/Wazuh version.

    OSSEC HIDS Notification.
    2008 Dec 12 01:58:30
    Received From: (ssh_generic_diff) root@example.net->agentless
    Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed."
    Portion of the log(s):
    ossec: agentless: Change detected:
    35c35
    < -rw-r-r- 1 root wheel 34 Dec 10 03:55 hosts.deny
    --
    > -rw-r-r- 1 root wheel 34 Dec 11 18:23 hosts.deny
    -END OF NOTIFICATION