Hi,

I did some testing and it seems that anytime a log file changes, the analysis engine is triggered. So monitoring log files seems a rather expensive operation (and very useful of course). In the scenario of several virtual servers running on a real host, I would set up an ossec server installation on the real host. On the virtual servers there will be only an ossec agent for rootkit checking and nothing more. This way, I hope I don't miss anything that ossec offers while the performance cost is reasonable. Any comments/suggestions please?

Thanks,
Thanh

On Sun, Mar 18, 2007 at 10:49:15AM +0100, The Thanh Han wrote:
> Hi Daniel,
>
> many thanks for the references. It's clear to me now that the ossec agent must run inside each virtual server to be able to detect rootkits. Do you think it's better to let the real host monitor logs and file integrity of the virtual servers? Or is it better to have the agents do this work and send alerts to the server (the real host)? The first variant seems to me slightly more efficient, but I am not sure since. Another advantage of the first variant is that if a virtual server is compromised, the intruder doesn't know that the system is being monitored.
>
> Is it safe to comment out rule sets that are not relevant to a particular system? For example, if I am not running apache on my system, then is commenting out apache_rules.xml a good (and safe) thing to do?
>
> btw, how often are the log files checked? Every time syslogd is active?
>
> Thanks,
> Thanh
>
> On Sun, Mar 18, 2007 at 12:11:52AM -0400, Daniel Cid wrote:
> > Hi Thanh,
> >
> > Your assumptions are right. You just need to add the files to be monitored
> > and the logs to be analyzed. Rootkit detection will only fully work
> > for the root server (not the virtual ones), unless you install ossec
> > on each virtual server.
> >
> > The following links can help (regarding rootcheck):
> >
> > http://www.ossec.net/wiki/index.php/Know_How:Rootkit_Detection
> > http://www.ossec.net/dcid/?p=25
> >
> > Daniel
> >
> > On 3/17/07, Thanh Han The <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi Daniel,
> > >
> > > many thanks for the great reply. I have been playing with
> > > ossec and like it very much.
> > >
> > > Another question is that if I run a virtual server (using
> > > vserver or openvz) whose root is i.e. /var/myserver and would
> > > like ossec to protect that virtual server from the real
> > > host, then which steps are needed? Probably I have to tell
> > > ossec which extra log files to check
> > > (/var/myserver/var/log/...) and which files to monitor
> > > integrity (like /var/myserver/{/bin,/etc,/sbin,...}), but
> > > what about rootkit check? Is there some doc about how
> > > rootcheck works? I took a look at the rootkit_files.txt
> > > file, but didn't get a clue.
> > >
> > > Best regards,
> > > Thanh
> > >
> > > On Fri, Mar 16, 2007 at 11:23:45PM -0400, Daniel Cid wrote:
> > > > Hi Thanh,
> > > >
> > > > Currently there is no "official" way to do what you want. You could hack the
> > > > ossec2db script (from Meir) so that instead of inserting into a db, it generates
> > > > the desired e-mail message. In the future, I plan to add support for SMS
> > > > specific messages and some additional alerting options, but that will be
> > > > in a future version (1.2 and above).
> > > >
> > > > *Btw, the current ossec-maild works fine with gmail SMTP (I use it all
> > > > the time), since you are not required to use TLS for it.
> > > >
> > > > Thanks,
> > > >
> > > > --
> > > > Daniel B. Cid
> > > > dcid ( at ) ossec.net
> > > >
> > > > On 3/15/07, Thanh Han The <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > Hi list,
> > > > >
> > > > > is it possible to use some other program to send mail alerts,
> > > > > instead of ossec-maild? For example, if I want to send
> > > > > mail alerts to a google account, then SMTP authentication via
> > > > > TLS is required and I cannot figure out how to do that. Any
> > > > > hint please?
> > > > >
> > > > > Thanks,
> > > > > Thanh
> > > > >
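As an added illustration of the setup discussed in this thread (the real host's ossec installation watching a virtual server's files and logs, and a rule file for an unused service being commented out), here is an ossec.conf fragment. It is example configuration written for this page, not something posted in the thread or shipped by the OSSEC project. The /var/myserver guest root comes from the thread; the specific directories, log files, scan frequency and the choice of which rule files to list are assumptions for illustration. The element names (syscheck/directories/ignore, rootcheck, localfile, rules/include) are OSSEC's own configuration keys.

```xml
<ossec_config>
  <!-- File integrity monitoring of the guest's tree, done from the real host.
       /var/myserver is the virtual server root named in the thread (assumed path). -->
  <syscheck>
    <!-- Scan interval in seconds; 6 hours here, value assumed for the example. -->
    <frequency>21600</frequency>
    <directories check_all="yes">/var/myserver/bin,/var/myserver/sbin,/var/myserver/etc</directories>
    <directories check_all="yes">/var/myserver/usr/bin,/var/myserver/usr/sbin</directories>
    <!-- Files that legitimately change often would only produce noise. -->
    <ignore>/var/myserver/etc/mtab</ignore>
  </syscheck>

  <!-- Rootcheck inspects the host's own view of the system (its processes,
       ports and filesystem). It does not see inside a guest's view, so, as
       Daniel notes above, rootkit detection for each virtual server still
       needs an agent running inside it. -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Guest log files read through the host's filesystem. Each one is
       tailed continuously, so a write to any of them triggers analysis. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/myserver/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/myserver/var/log/auth.log</location>
  </localfile>

  <!-- Rule sets: a rule file that is not included here is never loaded.
       apache_rules.xml is commented out because no apache runs on the
       monitored systems (the question raised above); the list of other
       includes is abbreviated for the example. -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <!-- <include>apache_rules.xml</include> -->
    <include>attack_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
```

Two things to check after editing: OSSEC rules can depend on each other (a rule in one file can reference a rule id from another), so after removing an include, restart ossec and look at /var/ossec/logs/ossec.log for rule-loading errors before trusting the change; and keep the includes in their shipped order, since rules_config.xml must be loaded before the files that build on it. Remember also that XML comments do not nest, so an include that already sits inside a comment block must not be wrapped in a second one.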
