OSSEC HIDS is looking very promising. I've been waiting for a proper
HIDS solution ever since tripwire development fizzled out. Especially
one that is multi-platform.
As the manual is a bit lacking, I have some (newbie) questions:
1. Can I get syscheck to notify on file additions (i.e. if someone adds a
file to a monitored directory)?
2. Can I somehow "acknowledge" a change, i.e. so that if I alter a
monitored file, I can somehow let the agent know this was a valid
change, thus preventing it from notifying the server? (Or perhaps
better, let the server know, so that it doesn't trigger an alert)
3. I would like to configure everything (including the client rules)
centrally. Has anyone thought about this? It seems like all configs are
stored locally and unencrypted, which means a hacker could simply
rewrite my configs to not monitor anything and restart ossec (doesn't
it?). But also in terms of administration, this would be quite nice.
4. If I hack a client, and just shut down ossec, can I get the server to
react to this? It seems to not do so. I think there should be some kind
of configurable timeout, after which an alert is triggered if the server
hasn't heard anything from the client.
Then a suggestion. I think all the config files should be encrypted, so
that making changes would require a password (like in tripwire). Even
better if all changes could only be done via the server.
Also, relating to 3 - it would be great if I could configure groups of
rules. In other words, "all hosts", "linux hosts", "windows hosts", that would
apply to all hosts in said group, as well as per-client specific rules.
This would make maintaining a common configuration on all hosts much
easier. Maybe this is already possible (I don't know, as the docs are
still unfinished), if so please ignore :)
Thanks and keep up the great work. OSSEC HIDS fills a much-needed gap in
the Linux world.
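The settings that questions 1, 3 and 4 and the "groups of rules" suggestion ask about, as an added example of how a current OSSEC 2.x install is configured for them; this is not the poster's configuration nor text from the OSSEC project, and the file paths, directory lists, the agent name web01 and the match string copied for rule 504 are assumptions to check against the installed ossec_rules.xml. There is no "acknowledge" verb for question 2: the usual practice is to exclude files that are expected to churn with <ignore> and to treat a planned change's alert as the audit record.

```xml
<!-- File 1 (assumed path): /var/ossec/etc/ossec.conf on the manager, excerpt -->
<ossec_config>
  <syscheck>
    <!-- Full scan every 6 hours (seconds). realtime="yes" also needs inotify on Linux. -->
    <frequency>21600</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Question 1: alert on files that appear in a monitored directory.
         Off by default; evaluated on the manager side (rule 554, "File added to the system"). -->
    <alert_new_files>yes</alert_new_files>

    <!-- Do not silence a file that changes several times in a row -->
    <auto_ignore>no</auto_ignore>

    <!-- Question 2: expected churn is excluded rather than acknowledged -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>

  <rules>
    <include>ossec_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>

<!-- File 2 (assumed path): /var/ossec/etc/shared/agent.conf on the manager.
     The manager pushes this file to every agent; blocks are selected by the
     os=, name= or profile= attribute, which is the "all hosts / linux hosts /
     windows hosts / per-client" grouping asked for. The agent's local ossec.conf
     still holds the manager address and key; agent.conf only layers on top of it. -->
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
  </syscheck>
</agent_config>

<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">%WINDIR%/win.ini,%WINDIR%/system.ini</directories>
  </syscheck>
</agent_config>

<agent_config name="web01">   <!-- per-client block; agent name is assumed -->
  <syscheck>
    <directories check_all="yes">/var/www/html</directories>
  </syscheck>
</agent_config>

<!-- File 3 (assumed path): /var/ossec/rules/local_rules.xml on the manager.
     Question 4: the manager already raises rule 504 ("Ossec agent disconnected",
     level 3, flagged alert_by_email) when an agent's keepalives stop; this
     override raises its level so it also trips a higher email/active-response
     threshold. overwrite="yes" replaces the stock rule, so the match conditions
     are repeated here (copied from ossec_rules.xml; verify against your version). -->
<group name="local,">
  <rule id="504" level="10" overwrite="yes">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Ossec agent disconnected.</description>
    <group>ossec,</group>
  </rule>
</group>
```

The disconnect detection depends on the agent's keepalive, set in the agent's own ossec.conf under `<client>` with `<notify_time>` (seconds between keepalives) and `<time-reconnect>` (seconds of silence before the agent tries to reconnect); an attacker who stops the agent stops those keepalives, which is what makes rule 504 fire on the manager.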