IMO this would be an excellent feature to be added to OSSEC! +2
/me have to try to vote twice for this.

On Fri, Jun 10, 2011 at 17:58, Francisco Jelves <[email protected]> wrote:
> Fyi
>
> 2011/6/9, Christopher Moraes <[email protected]>:
>> Hi everyone,
>>
>> I have made a small enhancement to OSSEC to support different configuration
>> profiles for agents. If you are interested in this feature and would like
>> to help, I would appreciate if you could help me test it out.
>>
>> The code is available from my bitbucket repository at
>> http://bitbucket.org/cmoraes/ossec.
>> (based off the current 2.6 beta source code)
>>
>> Background -
>>
>> I needed OSSEC to support different syscheck/rootkit/localfile rules for
>> different categories of servers. For e.g. I needed one config for our Linux
>> Oracle servers, another one for our Linux JEE App servers, another for our
>> Windows Domain controllers, etc.
>>
>> From what I found, ossec currently supports agent configurations based on
>> agent name or OS name. For my use case, creating a config for each agent
>> name was too granular (I have 25 linux database (oracle) servers and wanted
>> to create one configuration for all of them) and creating one for each OS
>> was too coarse grained.
>>
>> So I have implemented a feature to support configuration "profiles".
>> Agents can be assigned a profile name (which can be any string) and that
>> profile name is matched with the config profile in the shared agent.conf.
>>
>> A new "profile" attribute is now supported in the agent.conf file.
>>
>> <agent_config *profile*="LinuxOracleDBServer">
>>   .....
>> </agent_config>
>>
>> And in the agent's etc/ossec.conf file, a new config element
>> "config-profile" is added
>>
>> <ossec_config>
>>   <client>
>>     <server-ip>10.200.36.157</server-ip>
>>     *<config-profile>LinuxOracleDBServer</config-profile>*
>>   </client>
>> </ossec_config>
>>
>> This should make the enhancement backward compatible, so you don't have to
>> change already deployed agents if you don't want to assign them a profile.
>>
>> The code is in an alpha state. I have tested it for a few use cases. If you
>> can try it out, I'd love to hear your feedback.
>>
>> Regards,
>> Chris
>>
>
> --
> Sent from my mobile device
>

--
Registered Linux User # 379282
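
The profile matching described in the quoted announcement lends itself to a configuration audit; the following is an added example, not part of the thread or of OSSEC's code. It assumes a profile applies only on an exact, case-sensitive string match, and its hostnames, paths, server address and the `WindowsDC` profile are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample data; hostnames, paths and the WindowsDC profile are made up.
AGENT_CONF = """
<agent_config profile="LinuxOracleDBServer">
  <syscheck><directories>/u01/app/oracle</directories></syscheck>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
</agent_config>
<agent_config profile="WindowsDC">
  <syscheck><frequency>7200</frequency></syscheck>
</agent_config>
"""
CLIENT = "<ossec_config><client><server-ip>192.0.2.10</server-ip>{}</client></ossec_config>"
AGENTS = {
    "db01": CLIENT.format("<config-profile>LinuxOracleDBServer</config-profile>"),
    "db02": CLIENT.format("<config-profile>LinuxOracleDbServer</config-profile>"),  # typo
    "legacy01": CLIENT.format(""),  # pre-profile agent, no element at all
}

def _parse(text):
    # These files can hold several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def profile_blocks(agent_conf):
    """Map each profile name to the section tags its agent_config blocks carry."""
    blocks = {}
    for block in _parse(agent_conf).iter("agent_config"):
        profile = block.get("profile")
        if profile is not None:
            blocks.setdefault(profile, []).extend(child.tag for child in block)
    return blocks

def agent_profile(ossec_conf):
    """Return the agent's <config-profile> value, or None when it is not set."""
    node = _parse(ossec_conf).find("./ossec_config/client/config-profile")
    return node.text.strip() if node is not None and node.text else None

def audit(agent_conf, agents):
    """Assumption: a profile applies only on an exact, case-sensitive match."""
    blocks = profile_blocks(agent_conf)
    assigned = {name: agent_profile(conf) for name, conf in agents.items()}
    unmatched = sorted(n for n, p in assigned.items() if p and p not in blocks)
    unused = sorted(set(blocks) - set(assigned.values()))
    return {"assigned": assigned, "unmatched": unmatched, "unused": unused}

if __name__ == "__main__":
    print(audit(AGENT_CONF, AGENTS))
```

Agents listed under `unmatched` name a profile that no `agent_config` block defines, so the syscheck and localfile rules intended for that server class would not reach them.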
