I am struggling to find a good read on pros and cons of running OSSEC on 
Docker containers. 

I am looking to implement intrusion detection on underlying hosts and not 
on the containers. All applications run on containers but are orchestrated 
by an orchestrator, therefore the threat level is considered low. 

Because the solution needs to be highly available, I think installing 
ossec-local is more appropriate to the use case. In the server/client 
model, it appears that agents need to be registered to the server, and the 
server then does the heavy lifting. I want to send logs from ossec-local to 
Splunk (or other monitoring/alerting tools).

And finally, I have been instructed to run OSSEC on Docker containers. The 
logic behind that is, everything runs on containers. In my head that is an 
anti-pattern - containers are for isolation, an isolated process should not 
be watching hosts. Or maybe it should? Depending on the rules to be 
implemented, it sounds like I would need to map multiple volumes. 

Does anyone have experience with a similar use case? Any pointers/links and 
thoughts will be highly appreciated. 

When I am done, I will share my learnings in a blog. 

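An added example, not code from the original post or from the OSSEC project, showing one way the "ossec-local in a container, watching the host" setup described above can be wired: every host path OSSEC should audit is bind-mounted read-only under a single prefix inside the container, the generated ossec.conf points syscheck and the localfile readers at those mounted paths, and alerts leave the box through OSSEC's client-syslog output so Splunk (or any syslog collector) can ingest them without a server/agent registration. The image name `ossec-local:latest`, the Splunk address 10.0.0.5:514, the `/host` mount prefix and the list of watched paths are all assumptions chosen for illustration, not anything stated in the thread.

```shell
#!/bin/sh
# Added example (not from the original post or the OSSEC project).
# Generates an ossec.conf for "local" mode that audits the *host* through
# read-only bind mounts, plus the matching docker run invocation.
# Assumed placeholders: image name, Splunk host/port, mount prefix, path lists.
set -eu

SPLUNK_HOST="${SPLUNK_HOST:-10.0.0.5}"     # assumed Splunk syslog receiver
SPLUNK_PORT="${SPLUNK_PORT:-514}"
IMAGE="${IMAGE:-ossec-local:latest}"       # hypothetical image name
HOSTROOT=/host                             # where host paths appear in the container

# Host directories to watch for file-integrity changes (assumed list).
watch_dirs() {
    printf '%s\n' /etc /usr/bin /usr/sbin /bin /sbin /boot
}

# Host log files OSSEC should tail, all in syslog format (assumed list).
watch_logs() {
    printf '%s\n' /var/log/auth.log /var/log/syslog
}

# Bind-mount every watched path read-only under $HOSTROOT, so the monitoring
# container can read what it audits but cannot modify it, and keep OSSEC's
# own logs/alerts on a named volume so a Splunk forwarder can also read them.
docker_mount_args() {
    for d in $(watch_dirs); do
        printf -- '-v %s:%s%s:ro ' "$d" "$HOSTROOT" "$d"
    done
    for f in $(watch_logs); do
        printf -- '-v %s:%s%s:ro ' "$f" "$HOSTROOT" "$f"
    done
    printf -- '-v ossec-data:/var/ossec/logs '
}

# ossec.conf for local mode: syscheck over the mounted host directories,
# one <localfile> per mounted log, JSON alert output, and <syslog_output>
# (client-syslog) pointed at the Splunk collector. Rootcheck is deliberately
# omitted: its process and /dev checks would inspect the container's own
# namespaces, not the host's.
ossec_conf() {
    dirs=$(watch_dirs | sed "s|^|$HOSTROOT|" | paste -s -d , -)
    cat <<EOF
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes" report_changes="yes">$dirs</directories>
    <ignore>$HOSTROOT/etc/mtab</ignore>
  </syscheck>
EOF
    for f in $(watch_logs); do
        cat <<EOF
  <localfile>
    <log_format>syslog</log_format>
    <location>$HOSTROOT$f</location>
  </localfile>
EOF
    done
    cat <<EOF
  <syslog_output>
    <server>$SPLUNK_HOST</server>
    <port>$SPLUNK_PORT</port>
    <format>splunk</format>
  </syslog_output>
</ossec_config>
EOF
}

# The docker invocation: host PID namespace so syscheck's realtime/inotify
# and any process-level checks see host processes, read-only mounts for
# everything audited, and the generated config mounted read-only as well.
docker_cmd() {
    printf 'docker run -d --name ossec-local --pid=host %s -v %s/ossec.conf:/var/ossec/etc/ossec.conf:ro %s\n' \
        "$(docker_mount_args)" "$PWD" "$IMAGE"
}

# Print the config and the command; write the former to ossec.conf and run
# the latter once the paths and image match your environment.
ossec_conf
echo "# docker invocation:"
docker_cmd
```

Two practical notes. The `<syslog_output>` block only takes effect after `client-syslog` is enabled on the OSSEC side (`ossec-control enable client-syslog`), and the `splunk`/`json` values for `<format>` depend on the OSSEC release, so check the version baked into the image. If a Splunk universal forwarder is preferred over syslog, the `ossec-data` volume carries `/var/ossec/logs/alerts/alerts.json` (produced by `jsonout_output`), which the forwarder can read directly from the host's volume mount point.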