Hi Daniel,

many thanks for the references. It's clear to me now that the ossec agent must run inside each virtual server to be able to detect rootkits. Do you think it's better to let the real host monitor the logs and file integrity of the virtual servers? Or is it better to have the agents do this work and send alerts to the server (the real host)? The first variant seems to me slightly more efficient, but I am not sure. Another advantage of the first variant is that if a virtual server is compromised, the intruder doesn't know that the system is being monitored.

Is it safe to comment out rule sets that are not relevant to a particular system? For example, if I am not running apache on my system, then is commenting out apache_rules.xml a good (and safe) thing to do?

Btw, how often are the log files checked? Every time syslogd is active?

Thanks,
Thanh

On Sun, Mar 18, 2007 at 12:11:52AM -0400, Daniel Cid wrote:
> Hi Thanh,
>
> Your assumptions are right. You just need to add the files to be monitored and the logs to be analyzed. Rootkit detection will only fully work for the root server (not the virtual ones), unless you install ossec on each virtual server.
>
> The following links can help (regarding rootcheck):
> http://www.ossec.net/wiki/index.php/Know_How:Rootkit_Detection
> http://www.ossec.net/dcid/?p=25
>
> Daniel
>
> On 3/17/07, Thanh Han The <[EMAIL PROTECTED]> wrote:
> >
> > Hi Daniel,
> >
> > many thanks for the great reply. I have been playing with ossec and like it very much.
> >
> > Another question is that if I run a virtual server (using vserver or openvz) whose root is, i.e., /var/myserver and would like ossec to protect that virtual server from the real host, then which steps are needed? Probably I have to tell ossec which extra log files to check (/var/myserver/var/log/...) and which files to monitor for integrity (like /var/myserver/{/bin,/etc,/sbin,...}), but what about the rootkit check? Is there some doc about how rootcheck works? I took a look at the rootkit_files.txt file, but didn't get a clue.
> >
> > Best regards,
> > Thanh
> >
> > On Fri, Mar 16, 2007 at 11:23:45PM -0400, Daniel Cid wrote:
> >> Hi Thanh,
> >>
> >> Currently there is no "official" way to do what you want. You could hack the ossec2db script (from Meir) so that, instead of inserting into a db, it generates the desired e-mail message. In the future, I plan to add support for SMS-specific messages and some additional alerting options, but that will be in a future version (1.2 and above).
> >>
> >> *Btw, the current ossec-maild works fine with gmail SMTP (I use it all the time), since you are not required to use TLS for it.
> >>
> >> Thanks,
> >>
> >> --
> >> Daniel B. Cid
> >> dcid ( at ) ossec.net
> >>
> >> On 3/15/07, Thanh Han The <[EMAIL PROTECTED]> wrote:
> >> >
> >> > Hi list,
> >> >
> >> > is it possible to use some other program to send mail alerts, instead of ossec-maild? For example, if I want to send mail alerts to a google account, then SMTP authentication via TLS is required and I cannot figure out how to do that. Any hint please?
> >> >
> >> > Thanks,
> >> > Thanh
> >> >
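Daniel's advice in this thread (add the guest's files to syscheck and its logs to log analysis, and accept that rootcheck only fully covers the root server) maps onto the host-side ossec.conf roughly as below. This is an added illustration, not configuration taken from the thread or shipped with OSSEC. The guest root /var/myserver is the path Thanh uses above; the log file names under it (var/log/messages, var/log/auth.log) and the choice of directories are assumptions for the example.

```xml
<!-- Added example: host-side ossec.conf fragment that watches a vserver/openvz
     guest rooted at /var/myserver from the real host. The guest log names
     (var/log/messages, var/log/auth.log) are assumed for illustration. -->
<ossec_config>

  <!-- Log analysis: the guest's syslog files, read through the host-side path.
       log_format "syslog" covers the usual "Mon DD HH:MM:SS host prog[pid]:" lines. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/myserver/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/myserver/var/log/auth.log</location>
  </localfile>

  <!-- File integrity: the guest's system directories, rescanned every 2 hours.
       check_all="yes" records size, permissions, owner, group, md5 and sha1. -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/var/myserver/bin,/var/myserver/sbin</directories>
    <directories check_all="yes">/var/myserver/etc,/var/myserver/usr/bin,/var/myserver/usr/sbin</directories>
    <!-- Files the guest rewrites legitimately; ignored to avoid noise. -->
    <ignore>/var/myserver/etc/mtab</ignore>
    <ignore>/var/myserver/etc/adjtime</ignore>
  </syscheck>

  <!-- rootcheck is left configured for the host itself. As Daniel notes above,
       it only fully covers the root server; an agent inside the guest is needed
       for rootkit detection there. -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

</ossec_config>
```

After editing, restart with /var/ossec/bin/ossec-control restart so ossec-logcollector and ossec-syscheckd pick up the new entries. Two practical consequences of monitoring from the host this way: syscheck alerts will report paths with the /var/myserver prefix, so any custom rules that match on exact guest paths must include it, and the first syscheck run over the guest tree only builds the baseline; changes are alerted from the second scan onwards.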
