Hi Ruurd,

Let me see if I can answer some of your questions...

1- Ossec has a very centralized approach when analyzing the data, so there is not much to configure on the agent side. However, in addition to removing and adding the agents, the ossec server sends parts of its own configuration to them. If you look at /var/ossec/etc/shared you will see some of the files that are shared with the agents (by default it includes the rootkit files list, the active response files, and the rootkit trojans list).

2- Great idea. I am adding a simple module to do "health checks" of the agents and it will extract memory usage, cpu usage, free disk space and uptime information. If you have more ideas of health checks to perform, let us know and we can add them. I didn't fully understand what you meant by verifying if SSL is active or encryption is running (you mean apache with SSL?)...

3- You already contributed by giving us some ideas and feedback. Other ways to contribute include reporting false positives or errors in the rules, providing logs or new rules to the log analysis engine, contributing with new code, reporting any error that you may find or even donating financially to the project.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

This morning we have seen the webcast from SANS regarding OSSEC. We found it very interesting and it has clarified some of our issues. Other issues however still remain.

1) In the webcast, Mike Poor is talking about Setup, configure, or remove agents from remote machines. We can add and remove agents, and give them a key. But that's it. We would like to know if there is a way to configure the agents (edit the ossec.conf) from the ossec server?

2) The agent-info (in queue) contains the agent host OS. Is there a way to add more information like free disk space, encryption running, SSL active etc.

3) We are very enthusiastic about OSSEC. Is there any way we can contribute to the project?

Thanks,

Ruurd Bakker
SecQuard Systems
Mob +31(0)6 5262 5365
Email [EMAIL PROTECTED]
Web www.xsguard.nl
