2. One of the things I like about it is that when I modify a monitored file, make changes, or even touch a file, it sends out a notification to my BlackBerry.
If nothing else it gives me the assurance that it is working.

Steve

> OSSEC HIDS is looking very promising. I've been waiting for a proper
> HIDS solution ever since Tripwire development fizzled out. Especially
> one that is multi-platform.
>
> As the manual is a bit lacking, I have some (newbie) questions:
>
> 1. Can I get syscheck to notify on file additions (i.e. if someone adds a
> file to a monitored directory)?
> 2. Can I somehow "acknowledge" a change, i.e. so that if I alter a
> monitored file, I can somehow let the agent know this was a valid
> change, thus preventing it from notifying the server? (Or perhaps
> better, let the server know, so that it doesn't trigger an alert.)
> 3. I would like to configure everything (including the client rules)
> centrally. Has anyone thought about this? It seems like all configs are
> stored locally and unencrypted, which means a hacker could simply
> rewrite my configs to not monitor anything and restart OSSEC (doesn't
> it?). But also in terms of administration, this would be quite nice.
> 4. If I hack a client and just shut down OSSEC, can I get the server to
> react to this? It seems not to do so. I think there should be some kind
> of configurable timeout, after which an alert is triggered if the server
> hasn't heard anything from the client.
>
> Then a suggestion. I think all the config files should be encrypted, so
> that making changes would require a password (like in Tripwire). Even
> better if all changes could only be done via the server.
>
> Also, relating to 3 - it would be great if I could configure groups of
> rules. IOW, "all hosts", "Linux hosts", "Windows hosts", that would
> apply to all hosts in said group, as well as per-client specific rules.
> This would make maintaining a common configuration on all hosts much
> easier. Maybe this is already possible (I don't know, as the docs are
> still unfinished); if so please ignore :)
>
> Thanks and keep up the great work.
> OSSEC HIDS fills a much-needed gap in the Linux world.
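To make concrete what the thread is asking of syscheck (alerting on a touched or edited file, noticing a file added to a monitored directory, and "acknowledging" a deliberate change so it stops alerting), here is a small baseline-and-compare integrity monitor. It is an added illustration written for this page, not OSSEC's own syscheck code, and it does not use OSSEC's configuration or data formats. The directory layout, file names and the fixed timestamp used to simulate a `touch` are all constructed for the demo.

```python
"""Minimal syscheck-style file integrity monitor (illustrative, not OSSEC code).

A baseline records, per monitored file, a SHA-256 digest plus size, permission
bits and mtime. A later scan is compared against the baseline and yields
"added", "removed" and "modified" events. Because mtime is part of the recorded
state, a bare `touch` shows up as a modification, matching the behaviour
described in the thread. acknowledge() re-baselines a single path so that a
deliberate, reviewed change no longer produces an event.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileState:
    sha256: str
    size: int
    mode: int        # permission bits only (owner/group/other rwx, setuid etc.)
    mtime_ns: int


def file_state(path: str) -> FileState:
    """Hash the file and capture the metadata we want to detect changes in."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return FileState(h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode), st.st_mtime_ns)


def scan(directory: str) -> Dict[str, FileState]:
    """Walk a monitored directory and return {relative_path: FileState}."""
    states: Dict[str, FileState] = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            states[os.path.relpath(path, directory)] = file_state(path)
    return states


def compare(baseline: Dict[str, FileState], current: Dict[str, FileState]) -> List[Tuple[str, str]]:
    """Diff two scans. New paths are reported as 'added', missing ones as 'removed'."""
    events: List[Tuple[str, str]] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append(("added", rel))
        elif rel not in current:
            events.append(("removed", rel))
        elif baseline[rel] != current[rel]:
            events.append(("modified", rel))
    return events


def acknowledge(baseline: Dict[str, FileState], directory: str, rel: str) -> Dict[str, FileState]:
    """Accept the current on-disk state of one file as the new known-good state."""
    updated = dict(baseline)
    updated[rel] = file_state(os.path.join(directory, rel))
    return updated


def run_demo() -> dict:
    """Constructed scenario: edit, add, remove and touch files, then acknowledge one edit."""
    with tempfile.TemporaryDirectory() as d:
        def write(rel: str, data: str) -> None:
            p = os.path.join(d, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as f:
                f.write(data)

        # Constructed monitored tree (contents are placeholders, not real system files)
        write("etc/passwd", "root:x:0:0\n")
        write("etc/hosts", "127.0.0.1 localhost\n")
        write("etc/motd", "welcome\n")
        baseline = scan(d)

        write("etc/hosts", "127.0.0.1 localhost\n10.0.0.5 backup\n")   # deliberate edit
        write("etc/cron.d/newjob", "* * * * * root /usr/local/bin/job\n")  # file added
        os.remove(os.path.join(d, "etc/motd"))                           # file removed
        # Simulate `touch`: content unchanged, only mtime moves (fixed constructed value)
        ts = 1_700_000_000 * 10**9
        os.utime(os.path.join(d, "etc/passwd"), ns=(ts, ts))

        first = compare(baseline, scan(d))
        baseline = acknowledge(baseline, d, "etc/hosts")   # operator approves the edit
        second = compare(baseline, scan(d))
        return {"first": first, "second": second}


if __name__ == "__main__":
    for label, events in run_demo().items():
        print(label, events)
```

The acknowledge step is the interesting design point for question 2: the approval lives in the baseline held by whoever runs the comparison, so if that baseline sits on the server rather than on the monitored host, a compromised client cannot silently approve its own changes.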
