Settings Configuration – Server Management


Main Configurations: #

1. Global Configuration: #

  • Global and remote settings: These include configurations for Argus’s general operation, such as time zones, logging, and communication parameters between the Argus manager and its agents.
  • Example settings:

<global>
  <frequency>10</frequency>                <!-- Event collection interval -->
  <remote_commands>yes</remote_commands>   <!-- Enable remote commands -->
  <logall>no</logall>                      <!-- Log all messages or not -->
</global>

2. Cluster: #

  • Master node configuration: The configuration for clustering, where settings define how nodes in an Argus cluster (master and worker nodes) communicate and share data. Restrict the cluster port (1516 in the example) to the cluster nodes themselves.
  • Example settings:

<cluster>
  <name>my_cluster</name>
  <node_type>master</node_type>
  <port>1516</port>                        <!-- Cluster communication port -->
</cluster>

3. Registration Service: #

  • Automatic agent registration service: Controls how agents are automatically registered and managed on the Argus server.
  • Example settings:

<auth>
  <disabled>no</disabled>
  <port>1515</port>                        <!-- Port for agent registration -->
  <use_source_ip>yes</use_source_ip>
</auth>

Alerts and Output Management: #

1. Alerts: #

  • Settings related to the alerts and their format: Configure how alerts are generated, which formats are used (JSON, plain text), and the alert severity levels.
  • Example settings:

<alerts>
  <jsonout_output>yes</jsonout_output>     <!-- Output alerts in JSON format -->
  <log_alert_level>5</log_alert_level>     <!-- Minimum alert severity level to log -->
</alerts>

2. Integrations: #

  • Slack, VirusTotal, and PagerDuty integrations: Integrations with external APIs to send alerts and notifications to platforms like Slack and PagerDuty, or to enrich alerts with third-party data such as VirusTotal lookups. Treat the webhook URL as a credential: anyone who obtains it can post into the channel.
  • Example settings:

<integration>
  <name>Slack</name>
  <url>https://slack.webhook.url</url>     <!-- Webhook for Slack integration -->
</integration>

Auditing and Policy Monitoring: #

1. Policy Monitoring: #

  • Ensure compliance with security policies: Configuration to monitor systems to ensure compliance with security standards, hardening guidelines, and regulatory requirements.
  • Example settings:

<security_policy>
  <cis_benchmark>yes</cis_benchmark>       <!-- Enable CIS benchmark checks -->
  <hardening_guides>enabled</hardening_guides>
</security_policy>

2. OpenSCAP: #

  • Configuration for SCAP checks: Automates the assessment of a system against SCAP content (XCCDF benchmarks and OVAL definitions) published under the Security Content Automation Protocol.
  • Example settings:

<openscap>
  <enabled>yes</enabled>
  <schedule>daily</schedule>               <!-- Schedule daily scans -->
</openscap>

3. CIS-CAT: #

  • Configuration assessment using CIS-CAT: Uses CIS-CAT, the Center for Internet Security's Configuration Assessment Tool, to evaluate the system against the CIS Benchmarks; the profile selects which benchmark level applies.
  • Example settings:

<ciscat>
  <enabled>yes</enabled>
  <profile>server</profile>                <!-- Profile for server environment -->
</ciscat>

System Threats and Incident Response: #

Vulnerabilities: #

  • Discover applications affected by vulnerabilities: Configuration for detecting software with known vulnerabilities.
  • Example settings:

<vulnerability_detector>
  <enabled>yes</enabled>
  <provider>nvd</provider>                 <!-- Use National Vulnerability Database (NVD) -->
</vulnerability_detector>

Osquery: #

  • Expose OS as a relational database: Integration with Osquery, allowing the OS to be queried like a database to identify anomalies and gather system information.
  • Example settings:

<osquery>
  <schedule>hourly</schedule>              <!-- Run Osquery every hour -->
</osquery>

Inventory Data: #

  • Gather system inventory: Collect data about the system, hardware, and network.
  • Example settings:

<inventory>
  <enabled>yes</enabled>
  <frequency>24h</frequency>               <!-- Collect inventory data daily -->
</inventory>

Active Response: #

  • Immediate threat response: Automatically trigger responses, such as blocking a source address, when a rule fires. Because these run unattended, scope them to high-confidence rules and exclude management addresses so that a forged source address cannot be used to lock administrators out.
  • Example settings:

<active-response>
  <command>firewall-drop</command>         <!-- Block IP using firewall on trigger -->
</active-response>
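The firewall-drop response above blocks whatever source address the triggering alert carries, so the decision logic in front of the iptables call matters more than the call itself. The Python below is an added example of that decision logic, not Argus's own active-response script. It takes an alert in a constructed JSON shape (the field names rule.level and data.srcip are assumptions), ignores alerts below a level threshold, refuses anything that is not a literal IP address so nothing unexpected can reach a shell, never blocks loopback or link-local addresses, and exempts an allowlist of management networks so that a forged source address cannot make the responder cut you off from your own manager.

```python
import ipaddress
import json

# Constructed sample alert (assumption: field layout is illustrative only).
SAMPLE_ALERT = json.dumps({
    "rule": {"id": "5712", "level": 10,
             "description": "sshd: brute force trying to get access to the system."},
    "data": {"srcip": "203.0.113.45"},
})

# Networks that must never be blocked by an automated response:
# the management network and the manager host itself (assumed values).
DEFAULT_ALLOWLIST = ("10.0.0.0/8", "192.168.1.10/32")


def decide_block(alert_json, allowlist=DEFAULT_ALLOWLIST, min_level=7):
    """Return the firewall command to run for this alert, or None to do nothing.

    Every early return is a deliberate refusal: a response that runs unattended
    must fail closed (do nothing) rather than guess.
    """
    alert = json.loads(alert_json)
    level = int(alert.get("rule", {}).get("level", 0))
    if level < min_level:
        return None  # low-confidence rule: log it, do not act on it

    raw = alert.get("data", {}).get("srcip")
    if not raw:
        return None

    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None  # not a bare IP literal: refuse to interpolate it into a command

    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return None

    for net in allowlist:
        if ip in ipaddress.ip_network(net, strict=False):
            return None  # management address: never self-DoS

    tool = "ip6tables" if ip.version == 6 else "iptables"
    # ip is a validated address object, so str(ip) is safe to place in the command.
    return f"{tool} -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    print(decide_block(SAMPLE_ALERT))
```

The command is returned as a string rather than executed so the policy can be unit-tested; a real responder would hand it to subprocess.run with an argument list, not a shell.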

Commands: #

  • Command wodle configuration: Configuration options to manage custom commands for monitoring and response.
  • Example settings:

<command>
  <name>custom-command</name>
  <frequency>hourly</frequency>
</command>

Docker Listener: #

  • Monitor Docker activity: Collect and monitor events related to Docker containers (e.g., start, stop, pause events).
  • Example settings:

<docker_listener>
  <enabled>yes</enabled>
  <frequency>10m</frequency>               <!-- Monitor Docker events every 10 minutes -->
</docker_listener>

Log Data Analysis: #

Log Collection: #

  • Log analysis from text files, Windows events, or syslog: Settings for collecting logs from various sources.
  • Example settings:

<logcollector>
  <syslog>yes</syslog>
  <event_channel>Windows</event_channel>
</logcollector>

Integrity Monitoring: #

  • Identify changes in file content: Monitor files for unauthorized modifications, including changes in file content, ownership, and permissions.
  • Example settings:

<syscheck>
  <frequency>12h</frequency>               <!-- Run integrity checks every 12 hours -->
</syscheck>
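The frequency setting above describes a polling model: every 12 hours the agent re-reads the monitored tree and compares it with its previous snapshot. As an added example, not Argus's own syscheck implementation, the Python below does the same thing in miniature. snapshot() records a SHA-256 of each regular file together with its mode, owner and size, diff() reports added, deleted and modified paths along with the fields that changed, and demo() runs both over a constructed temporary directory in which one file is appended to, one has its permissions loosened, one is added and one is removed.

```python
import hashlib
import os
import stat
import tempfile

# Attributes compared per file; order determines the order of reported changes.
TRACKED = ("sha256", "mode", "uid", "gid", "size")


def _hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Walk root and record content hash plus ownership/permission metadata per file."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices; hashing them is meaningless
            rel = os.path.relpath(path, root)
            entries[rel] = {
                "sha256": _hash_file(path),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return entries


def diff(baseline, current):
    """Return (path, event, changed_fields) tuples comparing two snapshots."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append((rel, "deleted", ()))
        elif rel not in baseline:
            events.append((rel, "added", ()))
        else:
            changed = tuple(k for k in TRACKED if baseline[rel][k] != current[rel][k])
            if changed:
                events.append((rel, "modified", changed))
    return events


def demo():
    """Constructed scenario: baseline, then tamper with the tree and diff again."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("sshd_config", b"PermitRootLogin no\n"),
                           ("hosts", b"127.0.0.1 localhost\n"),
                           ("motd", b"welcome\n")):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        base = snapshot(root)

        # Tampering: content change, permission change, new file, deleted file.
        with open(os.path.join(root, "sshd_config"), "ab") as fh:
            fh.write(b"PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "hosts"), 0o666)
        with open(os.path.join(root, "backdoor.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "motd"))

        return diff(base, snapshot(root))


if __name__ == "__main__":
    for event in demo():
        print(event)
```

A polling snapshot only sees the state at the moment it runs, so a file modified and restored between two runs is invisible; that is the gap a real-time (inotify-based) mode closes, and the reason to keep the interval short on sensitive paths.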

Agentless: #

  • Run integrity checks on agentless devices: Monitor non-agent devices like routers, firewalls, or switches.
  • Example settings:

<agentless>
  <enabled>yes</enabled>
  <target>router.example.com</target>
</agentless>

Cloud Security Monitoring: #

Amazon S3: #

  • Collect AWS security events: Gather the security data that AWS services deliver to Amazon S3 buckets (CloudTrail logs, for example). The access and secret keys are long-lived credentials: restrict read permission on the configuration file, and prefer an IAM role where the deployment allows it.
  • Example settings:

<amazon_s3>
  <enabled>yes</enabled>
  <access_key>your-access-key</access_key>
  <secret_key>your-secret-key</secret_key>
</amazon_s3>
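Several of the fragments on this page carry settings a reviewer would flag: remote_commands enabled in the global section, the registration service left enabled in the auth section, and long-lived cloud keys written in plaintext under amazon_s3. The added example below is my code, not part of Argus. It parses a constructed configuration assembled from those fragments, wrapped in an assumed argus_config root element so that the separate sections parse as one document, reports each weak setting with a severity, and produces a hardened copy with remote commands off, registration disabled, and the static keys removed (on the assumption that the deployment can supply AWS credentials through an instance role or a credentials file instead). logall is reported as informational only, since discarding events that match no rule is a storage trade-off rather than a defect.

```python
import xml.etree.ElementTree as ET

# Constructed configuration built from the fragments on this page.
# The <argus_config> wrapper is an assumption so the fragments parse as one tree.
WEAK_CONFIG = """<argus_config>
  <global>
    <frequency>10</frequency>
    <remote_commands>yes</remote_commands>
    <logall>no</logall>
  </global>
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>yes</use_source_ip>
  </auth>
  <amazon_s3>
    <enabled>yes</enabled>
    <access_key>your-access-key</access_key>
    <secret_key>your-secret-key</secret_key>
  </amazon_s3>
</argus_config>"""


def _text(root, path):
    """Lower-cased text of the element at path, or None if absent."""
    node = root.find(path)
    return node.text.strip().lower() if node is not None and node.text else None


def lint(xml_text):
    """Return (severity, element path, message) for each weak setting found."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "global/remote_commands") == "yes":
        findings.append(("high", "global/remote_commands",
                         "remote command execution is enabled: anyone who can push rules "
                         "or agent configuration can run commands on endpoints"))
    if _text(root, "global/logall") == "no":
        findings.append(("info", "global/logall",
                         "events that match no rule are discarded; a forensics gap to be aware of"))
    if _text(root, "auth/disabled") == "no":
        findings.append(("medium", "auth/disabled",
                         "agent registration service is listening; restrict its port to "
                         "enrolment networks and disable it once the fleet is enrolled"))
    for key in ("access_key", "secret_key"):
        if root.find(f"amazon_s3/{key}") is not None:
            findings.append(("high", f"amazon_s3/{key}",
                             "long-lived cloud credential stored in plaintext in the server configuration"))
    return findings


def harden(xml_text):
    """Return a copy of the configuration with the high/medium findings fixed."""
    root = ET.fromstring(xml_text)
    node = root.find("global/remote_commands")
    if node is not None:
        node.text = "no"
    node = root.find("auth/disabled")
    if node is not None:
        node.text = "yes"  # re-enable only for the window in which new agents enrol
    s3 = root.find("amazon_s3")
    if s3 is not None:
        for key in ("access_key", "secret_key"):
            child = s3.find(key)
            if child is not None:
                s3.remove(child)  # assumption: credentials come from a role/profile instead
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for severity, path, message in lint(WEAK_CONFIG):
        print(f"[{severity}] {path}: {message}")
    print(harden(WEAK_CONFIG))
```

Run the linter against the hardened output as well as the original: a check that only ever reports findings and never confirms their absence is hard to trust.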

Azure Logs: #

  • Configuration of the Azure Logs module: Collect logs and security events from Microsoft Azure.
  • Example settings:

<azure_logs>
  <enabled>yes</enabled>
  <tenant_id>your-tenant-id</tenant_id>
</azure_logs>

Google Cloud Pub/Sub: #

  • Configuration of the Google Cloud Pub/Sub module: Collect events from Google Cloud services using the Pub/Sub model.
  • Example settings:

<gcloud_pubsub>
  <enabled>yes</enabled>
  <project_id>your-project-id</project_id>
</gcloud_pubsub>

GitHub: #

  • Monitor GitHub organizations: Detect potential threats targeting GitHub repositories and organizations.
  • Example settings:

<github>
  <enabled>yes</enabled>
  <org_name>your-org</org_name>
</github>

Office 365: #

  • Configuration of the Office 365 module: Collect security and event logs from Office 365 services.
  • Example settings:

<office365>
  <enabled>yes</enabled>
  <tenant_id>your-tenant-id</tenant_id>
</office365>
