You made some great points. I will answer each one of them separately and inline.
On 8/9/06, urgrue <[EMAIL PROTECTED]> wrote:
> OSSEC HIDS is looking very promising. I've been waiting for a proper HIDS solution ever since tripwire development fizzled out. Especially one that is multi-platform.
Thanks :)
> As the manual is a bit lacking, I have some (newbie) questions:
>
> 1. Can I get syscheck to notify on file additions (i.e. if someone adds a file to a monitored directory)?
Unfortunately, not on the current version. The new file will be added to the server's integrity database, but will not be alerted. If this file changes later, you will receive an alert. *noted to fix for next version
> 2. Can I somehow "acknowledge" a change, i.e. so that if I alter a monitored file, I can somehow let the agent know this was a valid change, thus preventing it from notifying the server? (Or perhaps better, let the server know, so that it doesn't trigger an alert)
You could manually edit the integrity database, but it is not recommended. You can also use the syscheck_update tool to clear it from a specific agent if you change it. When we have a UI it would be simpler to do something like that...
> 3. I would like to configure everything (including the client rules) centrally. Has anyone thought about this? It seems like all configs are stored locally and unencrypted, which means a hacker could simply rewrite my configs to not monitor anything and restart ossec (doesn't it?). But also in terms of administration, this would be quite nice.
There are no rules in the agent. Everything is in the server side. In addition to that, the rootkit rules and the information regarding the active responses are sent from the server to the client automatically when the agent starts. The only thing local is the ossec.conf file (with the server ip, etc).
> 4. If I hack a client, and just shut down ossec, can I get the server to react to this? It seems to not do so. I think there should be some kind of configurable timeout, after which an alert is triggered if the server hasn't heard anything from the client.
Currently the server does not alert. Next version will have that :)
> Then a suggestion. I think all the config files should be encrypted, so that making changes would require a password (like in tripwire). Even better if all changes could only be done via the server.
What config files do you mean? We could encrypt the files, but how would the agent start automatically? You would need to type the password every time your system reboots? We could also use certificates, but if someone has root on the box already, he can remove the certs or just reinstall ossec... However, it is something to think about...
> Also, relating to 3 - it would be great if I could configure groups of rules. IOW, "all hosts", "linux hosts", "windows hosts", that would apply to all hosts in said group, as well as per-client specific rules. This would make maintaining a common configuration on all hosts much easier. Maybe this is already possible (I don't know, as the docs are still unfinished), if so please ignore :)
Not possible either :) Btw, when you say rules, you mean log analysis rules, rootkit information or files to monitor with the integrity checking daemon?
> Thanks and keep up the great work. OSSEC HIDS fills a much-needed gap in the Linux world.
Thanks for your suggestions. Hopefully, we will be able to add some of the features suggested for the next version.

--
Daniel B. Cid
dcid ( at ) ossec.net
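Questions 1 and 2 above concern what an integrity checker does with a newly added file and how an operator accepts a legitimate change without clearing the whole database. The following is an added Python example, not OSSEC code and not how syscheck or syscheck_update are implemented: it builds a hash baseline of a directory, reports added, modified and removed files, and acknowledges one change so only the unreviewed addition keeps showing up. The files and contents it creates in a temporary directory are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report additions, modifications and removals relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def acknowledge(baseline: dict, current: dict, relpath: str) -> None:
    """Accept the current state of one file as the new expected state."""
    if relpath in current:
        baseline[relpath] = current[relpath]
    else:
        baseline.pop(relpath, None)  # an acknowledged deletion


def run_demo() -> tuple:
    """Constructed scenario: baseline, then one edit and one new file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)
        (root / "sshd_config").write_text("PermitRootLogin yes\n")  # edited
        (root / "unknown.so").write_bytes(b"\x7fELF")               # new file
        first = compare(baseline, snapshot(root))          # both reported
        acknowledge(baseline, snapshot(root), "sshd_config")  # accept the edit
        second = compare(baseline, snapshot(root))         # only the addition remains
        return first, second
```

The second report is the point of question 1: an addition that nobody acknowledged stays visible on every run instead of silently becoming part of the baseline.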
