This sounds like a neat idea! If you don't hear anything back remind the list about it after 2.6 is released.
On Thu, Jun 9, 2011 at 4:09 PM, Christopher Moraes <[email protected]> wrote:
> Hi everyone,
>
> I have made a small enhancement to OSSEC to support different configuration
> profiles for agents. If you are interested in this feature and would like
> to help, I would appreciate if you could help me test it out.
>
> The code is available from my bitbucket repository
> at http://bitbucket.org/cmoraes/ossec.
> (based off the current 2.6 beta source code)
>
> Background -
> I needed OSSEC to support different syscheck/rootkit/localfile rules for
> different categories of servers. For e.g. I needed one config for our Linux
> Oracle servers, another one for our Linux JEE App servers, another for our
> Windows Domain controllers, etc.
>
> From what I found, ossec currently supports agent configurations based on
> agent name or OS name. For my use case, creating a config for each agent
> name was too granular (I have 25 linux database (oracle) servers and wanted
> to create one configuration for all of them) and creating one for each OS
> was too coarse grained.
>
> So I have implemented a feature to support configuration "profiles".
> Agents can be assigned a profile name (which can be any string) and that
> profile name is matched with the config profile in the shared agent.conf.
>
> A new "profile" attribute is now supported in the agent.conf file.
>
> <agent_config profile="LinuxOracleDBServer">
>   .....
> </agent_config>
>
> And in the agent's etc/ossec.conf file, a new config element
> "config-profile" is added
>
> <ossec_config>
>   <client>
>     <server-ip>10.200.36.157</server-ip>
>     <config-profile>LinuxOracleDBServer</config-profile>
>   </client>
> </ossec_config>
>
> This should make the enhancement backward compatible, so you don't have to
> change already deployed agents if you don't want to assign them a profile.
>
> The code is in an alpha state. I have tested it for a few use cases. If you
> can try it out, I'd love to hear your feedback.
>
> Regards,
> Chris
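
Added example, not part of the original thread and not code from the patch: a Python check that resolves which shared agent.conf blocks an agent would receive under the profile scheme described above, and flags a profile name that matches no block (a typo would otherwise leave the agent without its syscheck rules). It assumes an exact string match and that a block with no selector applies to every agent; the sample paths and the resolve/agent_profile helpers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs; the monitored paths are invented for illustration.
SHARED_AGENT_CONF = """
<agent_config>
  <localfile><location>/var/log/messages</location></localfile>
</agent_config>
<agent_config profile="LinuxOracleDBServer">
  <syscheck><directories>/u01/app/oracle</directories></syscheck>
</agent_config>
<agent_config profile="LinuxJEEAppServer">
  <rootcheck><disabled>no</disabled></rootcheck>
</agent_config>
"""
AGENT_OSSEC_CONF = """
<ossec_config>
  <client>
    <server-ip>10.200.36.157</server-ip>
    <config-profile>%s</config-profile>
  </client>
</ossec_config>
"""

def agent_profile(ossec_conf):
    """Return the <config-profile> value from an agent's ossec.conf, or None."""
    node = ET.fromstring(ossec_conf).find("./client/config-profile")
    return node.text.strip() if node is not None and node.text else None

def resolve(ossec_conf, agent_conf):
    """Return (sections applied to this agent, warning or None)."""
    profile = agent_profile(ossec_conf)
    # agent.conf holds sibling <agent_config> blocks, so wrap them in one root.
    blocks = ET.fromstring("<root>%s</root>" % agent_conf).findall("agent_config")
    known = {b.get("profile") for b in blocks if b.get("profile")}
    applied = []
    for block in blocks:
        if block.get("name") or block.get("os"):
            continue  # name/os selectors are not modelled in this sketch
        # Assumption: exact string match; a block with no selector applies to all.
        if block.get("profile") in (None, profile):
            applied += [child.tag for child in block]
    warning = None
    if profile and profile not in known:
        warning = "profile %r matches no <agent_config> block" % profile
    return applied, warning

if __name__ == "__main__":
    for name in ("LinuxOracleDBServer", "LinuxOracleDbServer"):
        print(name, resolve(AGENT_OSSEC_CONF % name, SHARED_AGENT_CONF))
```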
