Hi Leo,

I believe OSSEC uses its own md5/sha1 binaries present on the agent. You could set up a script to periodically replace that binary with a known good version, or do some fanciness to install the OSSEC binaries on RO media.

On Fri, Apr 22, 2011 at 1:36 PM, Lalbee99 <[email protected]> wrote:
> I looked at the documentation and can't seem to find the answer to
> this question anywhere. When syscheck runs on the client and performs
> the file integrity (md5 & sha1) checks, does it utilize the md5 & sha1
> binaries on the client? If it does, doesn't that go against the main
> security principle that a server being monitored should always be
> considered compromised? In other words, you should only be using
> binaries from a trusted source (read-only media or the actual master
> server) when performing client scans.
>
> -Leo
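
The periodic "replace with a known good version" script suggested in the reply could look like the following. This is an added example, not part of the original thread and not OSSEC's own tooling; the function name and both directory arguments are hypothetical and supplied by the caller.

```shell
#!/bin/sh
# Added example: restore binaries that differ from a known-good copy.
# Assumptions: TRUSTED_DIR is a read-only mount holding reference copies,
# INSTALL_DIR holds the live binaries. Neither path comes from OSSEC docs.
# Caveat: cmp, cp and mv run on the monitored host, so on a host you do
# not trust they should be invoked from the read-only media as well.

restore_from_trusted() {
    trusted_dir=$1
    install_dir=$2
    replaced=0

    [ -d "$trusted_dir" ] && [ -d "$install_dir" ] || return 2

    for ref in "$trusted_dir"/*; do
        [ -f "$ref" ] || continue
        name=$(basename "$ref")
        live="$install_dir/$name"

        # Byte-for-byte comparison; a missing live file also counts as drift.
        if [ -f "$live" ] && cmp -s "$ref" "$live"; then
            continue
        fi

        echo "restoring $live from $ref" >&2
        # Copy next to the target, then rename, so the binary is never
        # left half-written if the job is interrupted.
        tmp="$live.restore.$$"
        cp -p "$ref" "$tmp" && mv -f "$tmp" "$live" || { rm -f "$tmp"; return 1; }
        replaced=$((replaced + 1))
    done

    # Print how many files were replaced. A non-zero count means a live
    # binary changed, which deserves an alert and not only a silent fix.
    echo "$replaced"
}
```

Run from cron, a non-zero count on stdout is the signal to investigate why the live copy drifted from the reference.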
