:orphan:

###################################
Agentless
###################################

**Getting started with agentless monitoring**

1. Enable agentless monitoring on the **manager** (hub):

   .. code-block:: console

      /var/ossec/bin/ossec-control enable agentless

2. Register SSH (or device) credentials for each remote host. For Cisco devices (PIX, routers, and similar), pass an extra argument for the **enable** password. The same applies if you need **su** support on Unix-like systems. The following examples add a Linux host (``example.net``) and a PIX firewall (``pix.fw.local``):

   .. code-block:: console

      /var/ossec/agentless/register_host.sh add root@example.net 'mypass1'
      Host root@example.net added.

      /var/ossec/agentless/register_host.sh add pix@pix.fw.local 'pixpass' 'enablepass'
      Host pix@pix.fw.local added.

      /var/ossec/agentless/register_host.sh list
      Available hosts:

      pix@pix.fw.local
      root@example.net

.. note::

   ``register_host.sh`` is a shell script. **Quote passwords** that contain special characters so the shell does not interpret them. If you use **public key** authentication instead of passwords, pass ``NOPASS`` as the password and generate a key as the ``ossec`` user:

   .. code-block:: console

      sudo -u ossec ssh-keygen

   Keys are created under ``/var/ossec/.ssh``. Copy the public key to the remote host so passwordless SSH works for the configured user.

Configuring agentless
=====================

Once agentless is enabled and hosts are registered, add **<agentless>** stanzas to the manager configuration.

1. Edit ``ossec.conf`` on the manager:

   .. code-block:: console

      vim /var/ossec/etc/ossec.conf

2. After the **<syscheck>** … **</syscheck>** block, add an **<agentless>** section. Example (Linux integrity check):

   .. code-block:: xml

      <agentless>
        <type>ssh_integrity_check_linux</type>
        <frequency>36000</frequency>
        <host>root@example.net</host>
        <state>periodic_diff</state>
        <arguments>/bin /etc /sbin</arguments>
      </agentless>

   Use **<state>** and **<arguments>** as required for the **type** you choose (see below).

3. Restart the manager service so changes apply. On systems using systemd:

   .. code-block:: console

      systemctl restart ossec-hids

   If your distribution uses a different unit name (for example ``wazuh-manager``), use the equivalent command for your install.

Agentless types
===============

**ssh_integrity_check_bsd**
  List directories in **<arguments>**; OSSEC runs integrity checks on those paths on the remote BSD host.

**ssh_integrity_check_linux**
  Same as above for Linux remote hosts.

**ssh_generic_diff**
  Run the commands given in **<arguments>** on the remote host; OSSEC alerts when command output changes between runs.

**ssh_pixconfig_diff**
  Detect changes to Cisco PIX/router-style configuration (device-specific).

States
======

**periodic_diff**
  Script output is sent to the agentless process and **compared to the previous run**; differences raise an alert.

**periodic**
  Script output is processed each run without the same diff semantics as **periodic_diff** (see product documentation for your rule set).
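
The following added example (not part of OSSEC or of the original page) cross-checks the ``<agentless>`` stanzas in ``ossec.conf`` against the output of ``register_host.sh list`` and against the types and states listed above. The function names and sample input are constructed for illustration, and treating ``ssh_pixconfig_diff`` as the only type that needs no ``<arguments>`` is an assumption drawn from the descriptions on this page.

```python
import re
import xml.etree.ElementTree as ET

# Types and states as listed on this page.
TYPES = {"ssh_integrity_check_bsd", "ssh_integrity_check_linux",
         "ssh_generic_diff", "ssh_pixconfig_diff"}
STATES = {"periodic", "periodic_diff"}
# Assumption: every type except ssh_pixconfig_diff takes paths or commands.
NEEDS_ARGS = TYPES - {"ssh_pixconfig_diff"}

def registered_hosts(list_output):
    """Parse `register_host.sh list` output into a set of user@host strings."""
    lines = (line.strip() for line in list_output.splitlines())
    return {l for l in lines if re.fullmatch(r"[^\s@]+@[^\s@]+", l)}

def lint_agentless(conf_text, hosts):
    """Return (stanza_number, problem) pairs for every <agentless> stanza."""
    # ossec.conf may hold several top-level blocks, so wrap it in one root.
    root = ET.fromstring("<lint_root>" + conf_text + "</lint_root>")
    problems = []
    for i, st in enumerate(root.iter("agentless"), 1):
        get = lambda tag: (st.findtext(tag) or "").strip()
        checks = [
            (get("type") in TYPES, "unknown type %r" % get("type")),
            (get("state") in STATES, "unknown state %r" % get("state")),
            (re.fullmatch(r"[1-9][0-9]*", get("frequency")) is not None,
             "frequency must be a positive integer"),
            (get("host") in hosts, "host %r is not registered" % get("host")),
            (get("type") not in NEEDS_ARGS or get("arguments") != "",
             "<arguments> is empty"),
        ]
        problems += [(i, msg) for ok, msg in checks if not ok]
    return problems

# Constructed sample input (not taken from a real system).
SAMPLE_LIST = "Available hosts:\n\npix@pix.fw.local\nroot@example.net\n"
SAMPLE_CONF = """
<ossec_config><agentless>
  <type>ssh_integrity_check_linux</type><frequency>36000</frequency>
  <host>root@example.net</host><state>periodic_diff</state>
  <arguments>/bin /etc /sbin</arguments>
</agentless></ossec_config>
<ossec_config><agentless>
  <type>ssh_generic_diff</type><frequency>20000</frequency>
  <host>root@db.example.net</host><state>periodic-diff</state>
  <arguments></arguments>
</agentless></ossec_config>
"""
if __name__ == "__main__":
    print(lint_agentless(SAMPLE_CONF, registered_hosts(SAMPLE_LIST)))
```

Running the linter before restarting the manager catches a stanza whose host was never registered or whose state is misspelled.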

Illustrative alert (legacy format)
==================================

The fragment below shows the **style** of agentless integrity alerts; exact fields and rule IDs depend on your ruleset and OSSEC/Wazuh version.

.. code-block:: text

   OSSEC HIDS Notification.
   2008 Dec 12 01:58:30
   Received From: (ssh_generic_diff) root@example.net->agentless
   Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed."
   Portion of the log(s):
   ossec: agentless: Change detected:
   35c35
   < -rw-r--r-- 1 root wheel 34 Dec 10 03:55 hosts.deny
   ---
   > -rw-r--r-- 1 root wheel 34 Dec 11 18:23 hosts.deny
   --END OF NOTIFICATION
