agentless

Agentless monitoring allows you to run integrity checks on systems without an agent installed.

Options

type

Default value

n/a

Allowed values

ssh_integrity_check_bsd

Requires a list of directories in <arguments>.

ThreatLockDown will integrity scan the files in the specified directories.

The system will alert if these files have changed.

ssh_integrity_check_linux

ssh_generic_diff

Supply an <arguments> value that consists of a set of commands to run.

Their output is then processed, looking for changes or rule matches.

ssh_pixconfig_diff

Specifically for checking if the config of a Cisco PIX/router changes.

No <arguments> required.

frequency

Controls the number of seconds between each check of the agentless device.

Default value

n/a

Allowed values

An integer in seconds

host

Defines the username and the name of the agentless host.

Default value

n/a

Allowed values

Any username and host (username@hostname)

state

Determines whether the type of check is periodic or periodic_diff.

Default value

n/a

Allowed values

periodic

Output from each check is analyzed with the ThreatLockDown ruleset as if a monitored log.

periodic_diff

Output from each agentless check is compared to the output of the previous run.

Changes are alerted on, similar to file integrity monitoring.

arguments

Defines the arguments passed to the agentless check.

Default value

n/a

Allowed values

This is a space-delimited list of files or directories to be monitored.

Sample configuration

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>300</frequency>
  <host>admin@192.168.1.108</host>
  <state>periodic_diff</state>
  <arguments>/etc /usr/bin /usr/sbin</arguments>
</agentless>