Greetings from a prospective OSSEC user. I've been looking for pointers on how to properly integrate OSSEC and a configuration management system (besides http://www.ossec.net/wiki/Integration_&_Deployment_with_cfengine), before biting the bullet and getting OSSEC deployed alongside bcfg2. What particularly interests me is how to clearly delineate file ownership between OSSEC and bcfg2. We have a scenario where quite often we will release file updates via bcfg2. I can think of 2 ways to attack this:

(1) The lazy way: clearly mark a separation between what's managed by bcfg2 and what's managed by OSSEC. In other words, any file can only be handled by one or the other. That'll avoid spurious alerts but presents 2 risks: either files are managed by neither, or we can't keep that separation clean, and when we add a file to bcfg2 we forget about taking it out of OSSEC's watch list.

(2) The "right" way: teach bcfg2 how to update OSSEC's file fingerprint DB before it applies its updates, so that OSSEC can start with a fairly inclusive list of files to watch and see that list shrink as more files get managed by bcfg2. Of course the cost here is the work to write a bcfg2 plugin that can talk to OSSEC.

Has anyone done (2) already?

Thanks,
Alexis
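The bookkeeping that keeps option (1) from rotting is small enough to script. The example below is added here and is not OSSEC or bcfg2 project code: it assumes the set of bcfg2-managed paths has been exported to a one-path-per-line text file (a hypothetical export; the script does not talk to bcfg2), renders the matching OSSEC `<syscheck>` `<ignore>` entries so a file added to bcfg2 is never forgotten in OSSEC's watch list, and reports any path on a constructed list of critical files that ends up owned by neither tool. The `<ignore>` and `<directories>` elements are OSSEC's own ossec.conf syntax; the sample paths are constructed.

```python
"""Keep the OSSEC / bcfg2 file-ownership split honest.

Added example, not OSSEC or bcfg2 project code. Assumes bcfg2's managed
paths are available as a text export, one path per line (hypothetical).
"""
import os
from xml.sax.saxutils import escape

# Constructed sample: stand-in for a one-path-per-line bcfg2 export.
BCFG2_MANAGED_EXPORT = """
# files pushed by bcfg2
/etc/ssh/sshd_config
/etc/sudoers
/etc/ntp.conf
"""

# Constructed sample: syscheck <directories> entries from ossec.conf.
OSSEC_WATCHED_DIRS = ["/etc", "/usr/bin", "/usr/sbin"]

# Constructed sample: files that must be owned by one tool or the other.
CRITICAL_FILES = [
    "/etc/ssh/sshd_config",
    "/etc/passwd",
    "/opt/app/config.ini",
]


def parse_managed_list(text):
    """Return normalised paths from the export, skipping blanks and '#' comments."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        paths.append(os.path.normpath(line))
    return paths


def is_watched(path, watched_dirs):
    """True if path lies under one of the syscheck <directories> entries."""
    for d in watched_dirs:
        d = os.path.normpath(d)
        if path == d or path.startswith(d.rstrip("/") + "/"):
            return True
    return False


def ossec_ignore_block(managed_paths):
    """Render the <syscheck> fragment that stops OSSEC alerting on
    bcfg2-managed files. Literal paths only (OSSEC also accepts
    type="sregex" patterns, not used here)."""
    lines = ["<syscheck>"]
    for p in sorted(set(managed_paths)):
        lines.append("  <ignore>%s</ignore>" % escape(p))
    lines.append("</syscheck>")
    return "\n".join(lines)


def unowned_files(critical, managed_paths, watched_dirs):
    """Critical files neither managed by bcfg2 nor watched by OSSEC:
    the 'managed by neither' risk from option (1)."""
    managed = set(managed_paths)
    return sorted(p for p in critical
                  if p not in managed and not is_watched(p, watched_dirs))


if __name__ == "__main__":
    managed = parse_managed_list(BCFG2_MANAGED_EXPORT)
    print(ossec_ignore_block(managed))
    for gap in unowned_files(CRITICAL_FILES, managed, OSSEC_WATCHED_DIRS):
        print("NEITHER: %s" % gap)
```

Running the generated fragment through the same pipeline that deploys ossec.conf means the exclusion list is derived from bcfg2's own inventory on every run rather than maintained by hand, and the "NEITHER" report is the check that catches files falling through the gap between the two tools.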
