Hey OSSEC list, I would like to ask you a few questions about how OSSEC is deployed at your company. Of course the answers to these contain sensitive data, so I would already be very happy about vague answers if necessary.
So here we go:

1) Do you deploy OSSEC only on servers or also on desktop machines?

2) Do you use a single OSSEC server or several independent OSSEC servers, or do you have a multi-server architecture as described here: http://www.ossec.net/dcid/?p=144

3) Do you make use of agentless monitoring?

4) If you deploy an OSSEC agent on a notebook that is often used outside the company network, do you let it access the OSSEC server when it is on the road or only when it is inside the network? Do you have a dedicated OSSEC server for connections from the internet? Do you only allow agents from external IPs to connect after setting up a VPN connection?

5) Do you use OSSEC not only for intrusion detection but also for general monitoring tasks (e.g. if some log messages trigger false positives with regard to intrusion detection, but show that there is a need for some maintenance, do you forward these alerts to the responsible admin)?

Kind regards,
Oscar
