Ever helpful OSSEC list, I have three items I'm trying to figure out:
1. How can I get the OSSEC server process to bind to a network interface of my choosing? I'm guessing I can do something when compiling, but is there a parameter that can be changed to make this happen? I found an existing thread titled "How do you force the OSSEC agent to use a particular network interface" but there was no conclusion. I use a software firewall but would like to use defense in depth and not listen unnecessarily on an interface.

2. I have syscheck watching /etc/hosts.allow in realtime with the new report_changes option. I modified this file (added a new line with a comment) and received an alert as expected. When I removed the comment I got another alert saying "File '/etc/hosts.allow' was deleted. Unable to retrieve checksum". I expected to just get another alert saying the checksum had changed. Can someone explain this to me?

3. We use Nagios to periodically log in to our servers (using SSH) to retrieve status information on processes. Every time this happens I get the successful SSH connection alert and 2 additional alerts related to PAM/login. Is there an easy way to suppress these alerts if they happen all within a second of one another?

As always, help is appreciated.

Thanks,
Chris
