Marty E. Hillman wrote:

> That brings up a good idea for future enhancement: the ability to gpg
> encrypt email so that information is not clear text. An attacker with
> access to the internal network could theoretically poison the arp cache
> and intercept packets corresponding to any such reporting email at
> present. The log would remain intact, but the alert could be prevented.
Wouldn't this require the OSSEC daemon to have access to a passwordless gpg private key to encrypt the message? I guess you could argue that if someone breaks into your OSSEC management host you have bigger things to worry about than a compromised passwordless gpg key.

--
-dave
