This sounds like a neat idea! If you don't hear anything back, remind
the list about it after 2.6 is released.

On Thu, Jun 9, 2011 at 4:09 PM, Christopher Moraes
<[email protected]> wrote:
> Hi everyone,
>
> I have made a small enhancement to OSSEC to support different configuration
> profiles for agents.  If you are interested in this feature and would like
> to help, I would appreciate it if you could help me test it out.
>
> The code is available from my Bitbucket repository
> at http://bitbucket.org/cmoraes/ossec.
> (based off the current 2.6 beta source code)
>
> Background -
>
> I needed OSSEC to support different syscheck/rootkit/localfile rules for
> different categories of servers. For example, I needed one config for our Linux
> Oracle servers, another one for our Linux JEE App servers, another for our
> Windows Domain controllers, etc.
>
> From what I found, OSSEC currently supports agent configurations based on
> agent name or OS name.  For my use case, creating a config for each agent
> name was too granular (I have 25 Linux database (Oracle) servers and wanted
> to create one configuration for all of them) and creating one for each OS
> was too coarse-grained.
>
> So I have implemented a feature to support configuration "profiles".
> Agents can be assigned a profile name (which can be any string) and that
> profile name is matched with the config profile in the shared agent.conf.
>
> A new "profile" attribute is now supported in the agent.conf file.
>
> <agent_config profile="LinuxOracleDBServer">
> .....
> </agent_config>
>
> And in the agent's etc/ossec.conf file, a new config element
> "config-profile" is added:
>
> <ossec_config>
>   <client>
>     <server-ip>10.200.36.157</server-ip>
>     <config-profile>LinuxOracleDBServer</config-profile>
>   </client>
> </ossec_config>
>
> This should make the enhancement backward compatible, so you don't have to
> change already deployed agents if you don't want to assign them a profile.
>
> The code is in an alpha state.  I have tested it for a few use cases. If you
> can try it out, I'd love to hear your feedback.
>
> Regards,
> Chris
>
>
>
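
An added example, not part of the thread or of the OSSEC code: a small audit of a shared agent.conf against the profile each agent declares, reporting agents whose profile matches no block and profiles no agent uses. It assumes profile names are compared as exact, case-sensitive strings; the sample config, directory paths and agent inventory are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a shared agent.conf using the "profile" attribute
# described in the message above. Directory paths are made up.
AGENT_CONF = """
<agent_config profile="LinuxOracleDBServer">
  <syscheck><directories>/u01/app/oracle</directories></syscheck>
</agent_config>
<agent_config profile="LinuxJEEAppServer">
  <syscheck><directories>/opt/appserver</directories></syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck><directories>/etc</directories></syscheck>
</agent_config>
"""

# Constructed inventory: agent name -> <config-profile> value in its ossec.conf
AGENTS = {
    "db01": "LinuxOracleDBServer",
    "db02": "LinuxOracleDbServer",    # case typo: "Db" instead of "DB"
    "dc01": "WindowsDomainController",
    "web01": None,                    # no profile assigned
}

def profiles_in_conf(conf_text):
    """Return the set of profile names declared on <agent_config> blocks."""
    # agent.conf holds several top-level elements, so wrap it in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return {b.get("profile") for b in root.iter("agent_config") if b.get("profile")}

def audit(conf_text, agents):
    """Compare assigned profiles with declared ones (exact match is an assumption)."""
    declared = profiles_in_conf(conf_text)
    assigned = {p for p in agents.values() if p}
    return {
        "unmatched_agents": sorted(a for a, p in agents.items() if p and p not in declared),
        "unused_profiles": sorted(declared - assigned),
        "no_profile": sorted(a for a, p in agents.items() if not p),
    }

if __name__ == "__main__":
    for key, names in audit(AGENT_CONF, AGENTS).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

An agent listed under unmatched_agents is one whose profile-specific syscheck, rootcheck or localfile settings would not be selected by any block, which is worth catching before relying on that agent's monitoring coverage.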
