I've been meaning to do a writeup on OSSEC. Although I love to wax
technical I don't expect my readers to know a lot about the problem,
so here's my contribution:

http://kacper.blog.linpro.no/archives/192

I've read great posts so far; the one about Abusing OSSEC in particular
was a clincher.

As to the other issue about distributing client keys, there might be a
better way:

On Tue, Oct 19, 2010 at 5:57 PM, Jefferson, Shawn
<[email protected]> wrote:
[snip what with an evil party getting the private key]
> 1. Decode log traffic.
> 2. Potentially inject log traffic.
On Wed, Oct 20, 2010 at 1:20 AM, Jefferson, Shawn
<[email protected]> wrote:
[snip]
> Sure.  I wasn't thinking of anything fancy, something like this:
>
> - read a list of computer names from a text file
> - copy the installer
> - launch a silent install via psexec
> - extract the client key from the client.keys file that you get off the ossec 
> server
> - copy it to the ossec client
> - copy a customized ossec.conf to the client
> - use "sc" to start the ossec agent remotely.

Transferring the key in the clear really breaks the security of the system.

Suppose instead that you distribute some command-line ssh client through
Bigfix (such as rsync for windows) along with a pre-generated ssh key.

Then you could extract the client.key from the server directly, and then
delete the ssh key in the Bigfix script immediately after the copy so that
it's not stored on every client.
After mass deployment one could even revoke the ssh key on the server.

Disclaimer: I haven't tried this (yet) but I'd be interested in
hearing about how it makes out.

-- 
http://kacper.doesntexist.org
http://windows.dontexist.com
Employ no technique to gain supreme enlightenment.
- Mar pa Chos kyi blos gros
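The ssh-based distribution sketched in the message above, as an added example that is not part of the original thread: each client pulls only its own `client.keys` line over ssh with a short-lived deploy key, installs it with tight permissions, and destroys the deploy key; a server-side helper removes the deploy key from `authorized_keys` afterwards. The `ossec-deploy` account, the `FETCH_CMD` override hook and the key comment are assumptions for the example; `/var/ossec/etc/client.keys` is OSSEC's default location.

```shell
#!/bin/sh
# Added example, not code from the original thread or the OSSEC project.
# client.keys lines have the OSSEC format: <id> <name> <ip> <key>
# FETCH_CMD (assumed hook) prints the server's client.keys on stdout; the
# default uses ssh with the deploy key, a test can point it at a local file.
set -eu

# Print only the line for the named agent; fail unless exactly one matches,
# so a client never ends up holding every other agent's key.
extract_agent_key() {   # usage: extract_agent_key <agent_name> < client.keys
    awk -v n="$1" '$2 == n { print; c++ } END { exit (c == 1 ? 0 : 1) }'
}

# Fetch and install this host's entry, then destroy the one-shot deploy key.
install_agent_key() {   # usage: install_agent_key <agent> <dest> <deploy_key> <server>
    name="$1"; dest="$2"; deploy_key="$3"; server="$4"
    fetch=${FETCH_CMD:-"ssh -i $deploy_key -o BatchMode=yes ossec-deploy@$server cat /var/ossec/etc/client.keys"}
    umask 077                       # file is never world-readable, even briefly
    # shellcheck disable=SC2086
    if ! $fetch | extract_agent_key "$name" > "$dest"; then
        rm -f "$dest"               # leave no empty/partial key file behind
        return 1
    fi
    chmod 0640 "$dest"              # root + ossec group only
    # The deploy key was needed once on this client; remove it right away.
    shred -u "$deploy_key" 2>/dev/null || rm -f "$deploy_key"
}

# Server side, after mass deployment: revoke the deploy key by dropping the
# authorized_keys line whose trailing comment matches. While it is live, the
# key should be restricted with options such as
#   command="cat /var/ossec/etc/client.keys",no-pty,no-port-forwarding ...
# so it cannot be used for anything but handing out client.keys.
revoke_deploy_key() {   # usage: revoke_deploy_key <authorized_keys> <key_comment>
    tmp="$1.tmp.$$"
    awk -v c="$2" '$NF != c' "$1" > "$tmp"
    chmod 0600 "$tmp" && mv "$tmp" "$1"
}
```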
