[EMAIL PROTECTED] wrote:
> Your suggestion is very valid. But if any security product exists,
> the steps to stop/disrupt it are also openly available on the
> internet.
> If the user is aware of the name, he can also be aware of the
> configuration file, its parameter manipulation, etc.
> So I just wanna enquire if the same can be installed in stealth mode
> or even in disguise mode so that the end user is abstracted from the
> HIDS name/service.
This link seems to offer some suggestions: http://www.governmentsecurity.org/archive/t7554.html. I can't vouch for any of them.

I'll just reiterate that I don't think it's a good idea. If the user is an Administrator it's likely that the service can't truly stay hidden and the user will know about it. If the user isn't an Administrator then they won't have rights to stop the service (unless maybe they are a Power User). But if they have local access they can become an Administrator.

IMHO, OSSEC is mainly designed to detect attacks from unauthorized users, not authorized users. While it certainly can and does detect unauthorized activity from authorized users, if the person has Admin access to the system there's not much you can do to truly stop them from hiding their tracks.