agentlessd would help to solve this problem with a script or two. Details
on agentless scripts are here:
<http://www.ossec.net/wiki/Know_How:agentless_scripts>
The following script is something to get you started, but NOT tested and is
going to fail unless you change it ;) I do think this is something that
is worth working on. If I get more time I might work on getting something
production ready. Unless someone else wants to take it on. <hint/><hint/>
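#!/bin/sh
# $1: LDAP host to query
echo "STORE: now"
# -x selects simple bind, which is what -D/-w supply credentials for.
# Only the DNs are requested and sorted, so the stored output changes
# when entries are added or removed, not when attributes change.
ldapsearch -x -h "$1" -b "ou=people,dc=example,dc=net" \
  -D "cn=user,ou=people,dc=example,dc=net" -w password1 \
  "(objectClass=inetOrgPerson)" dn | sort
echo "INFO: Completed ldapsearch for users"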
--On June 15, 2010 11:17:48 AM -0700 Igor Widlinski
<igor.widlin...@eigendev.com> wrote:
Hey Everyone,
Is there a way to monitor changes made to the LDAP database, i.e. new users or
new groups added?
I could use ossec to monitor LDAP database files located in
/var/lib/ldap, but as they are one big monolith, any change to the db file
would trigger an alert (i.e. a user changing their password).
Previously we had a program called "osiris" which was great at figuring
out when new users/groups were added to ldap (but was bad at everything
else).
I wonder if there is a way to do this with ossec? Also thinking to run a
command like "getent passwd > /etc/password.ldap" and "getent group >
/etc/group.ldap" and use ossec to check for changes in those files.
This might work..
Wonder if anybody else has done this.
Igor W
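
An added example, not part of either message above: one way to turn the "getent passwd" snapshot idea into an added/removed report that ignores attribute changes such as shell or GECOS edits. The function names, the ADDED:/REMOVED: prefixes and the sample accounts are constructed for illustration and are not OSSEC keywords.

```shell
#!/bin/sh
# Compare two passwd-format snapshots (as printed by `getent passwd`) and
# report only accounts that appeared or disappeared.

# normalize FILE: reduce each entry to "name:uid:gid", sorted and unique,
# so edits to the password, GECOS, home or shell fields do not show up.
normalize() {
    awk -F: 'NF >= 4 { print $1 ":" $3 ":" $4 }' "$1" | LC_ALL=C sort -u
}

# diff_accounts BASELINE CURRENT: print one line per added or removed account.
diff_accounts() {
    old=$(mktemp)
    new=$(mktemp)
    normalize "$1" > "$old"
    normalize "$2" > "$new"
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/ADDED: /'
    LC_ALL=C comm -23 "$old" "$new" | sed 's/^/REMOVED: /'
    rm -f "$old" "$new"
}

# demo: constructed sample data. alice only changes shell and GECOS,
# bob is deleted, carol is new.
demo() {
    d=$(mktemp -d)
    cat > "$d/baseline" <<'EOF'
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
EOF
    cat > "$d/current" <<'EOF'
alice:x:1001:1001:Alice A.:/home/alice:/bin/zsh
carol:x:1003:1003:Carol:/home/carol:/bin/bash
EOF
    diff_accounts "$d/baseline" "$d/current"
    rm -rf "$d"
}

demo
```

In real use the baseline would be the previous "getent passwd" output and the current file a fresh one; a uid or gid change on an existing name shows up as one REMOVED and one ADDED line.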