Thanks Dan. I think this will work out for what I'm trying to do. BTW: I don't think this is possible, without auditd/snoopy or similar, but does OSSEC offer any sort of 'native' ability to track who is making changes to a file, etc? Or are there any workarounds that would offer this functionality? Just double-checking to cover the bases :)
On Jun 15, 3:19 pm, "dan (ddp)" <[email protected]> wrote:
> Sorry I wasn't more precise, I meant the full_command support.
>
> Example:
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>netstat -an |grep LISTEN | grep -v '127.0.0.1'</command>
>   <frequency>600</frequency>
>   <alias>netstat</alias>
> </localfile>
>
> On Wed, Jun 15, 2011 at 6:12 PM, Jeremy Lee <[email protected]> wrote:
> > Are you referring to agent_control to kick off syscheck/rootcheck?
> >
> > I'm also trying to play around with the actual rootcheck binary (./ossec-rootcheck) to accomplish the same thing. I seem to be having issues getting it to recognize the test file I'm working with. I'll have to play with it more.
> >
> > On Wed, Jun 15, 2011 at 12:37 PM, dan (ddp) <[email protected]> wrote:
> > > You could use a command for this, and run it as often as you like.
> > >
> > > On Wed, Jun 15, 2011 at 12:46 PM, jplee3 <[email protected]> wrote:
> > > > Hey guys,
> > > >
> > > > So I am researching something for our sysengs working on HP-UX. We need to be able to audit a particular configuration file (or more) where a debugging flag can be added (which in turn would begin outputting files containing sensitive data to another directory on the system).
> > > >
> > > > Essentially, we want to be alerted if this debugging flag is ever turned on.
> > > >
> > > > The first thought was if there is an audit tool equivalent for HP-UX (auditd or snoopy), but the syseng mentioned not as far as he knows, so that's not an immediate option.
> > > >
> > > > Is it possible to use OSSEC for this purpose? The only thing I can think of is using syscheck, with the 'report changes' option on, and then sending out an alert whenever the "debug" keyword is seen. But I'm not sure that would even be possible.
> > > >
> > > > Can anyone shed some light or offer suggestions?
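Putting Dan's full_command suggestion together with the original question, here is an added example that is not part of the thread and not OSSEC project code. It assumes a hypothetical HP-UX application config at /opt/app/conf/app.conf whose flag line looks like "debug = on"; the alias app-debug-flag, the script path /usr/local/bin/check_debug_flag.sh and the local rule ids 100200 to 100202 are likewise made up for illustration. The check script prints a fixed status token each run, so the full_command output is never empty and a local rule can alert only on the DEBUG_ON state rather than on every poll. Stock rule 530 is OSSEC's level-0 parent for "ossec: output:" lines, which is what full_command produces.

```shell
#!/bin/sh
# Added example, not code from the original thread. Hypothetical names:
#   /opt/app/conf/app.conf  the HP-UX application's config file
#   "debug = on"            the format of the flag line being watched
#   app-debug-flag          the <alias> used in ossec.conf
#   100200-100202           local rule ids (OSSEC reserves 100000+ for local rules)

# The command OSSEC runs every <frequency> seconds. It always prints one
# status token so a rule can key on it, and echoes the matching line(s)
# when the flag is on. Commented-out lines ("# debug = on") and off/false
# values are deliberately not matched.
check_debug_flag() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "DEBUG_UNKNOWN cannot read $conf"
        return 0
    fi
    # "|| :" keeps a no-match (grep exit 1) from aborting under "set -e".
    hits=$(grep -iE '^[[:space:]]*debug[[:space:]]*=[[:space:]]*(1|on|true|yes)([[:space:]]|$)' "$conf" || :)
    if [ -n "$hits" ]; then
        echo "DEBUG_ON $hits"
    else
        echo "DEBUG_OFF"
    fi
    return 0
}

# ossec.conf fragment for the agent: same shape as Dan's netstat example,
# pointing at a copy of this script installed on the host.
ossec_localfile_fragment() {
    cat <<'EOF'
<localfile>
  <log_format>full_command</log_format>
  <command>/usr/local/bin/check_debug_flag.sh /opt/app/conf/app.conf</command>
  <frequency>300</frequency>
  <alias>app-debug-flag</alias>
</localfile>
EOF
}

# local_rules.xml fragment. full_command output is logged as
# "ossec: output: '<alias>':" followed by the command output, and stock
# rule 530 is the level-0 parent for those lines. Only DEBUG_ON (and an
# unreadable file) raises an alert; DEBUG_OFF stays silent.
local_rules_fragment() {
    cat <<'EOF'
<group name="local,">
  <rule id="100200" level="0">
    <if_sid>530</if_sid>
    <match>ossec: output: 'app-debug-flag'</match>
    <description>app.conf debug flag check ran</description>
  </rule>
  <rule id="100201" level="10">
    <if_sid>100200</if_sid>
    <match>DEBUG_ON</match>
    <description>Debug flag enabled in app.conf: sensitive data may be written to disk</description>
  </rule>
  <rule id="100202" level="7">
    <if_sid>100200</if_sid>
    <match>DEBUG_UNKNOWN</match>
    <description>app.conf debug flag check could not read the config file</description>
  </rule>
</group>
EOF
}

# Demo against a constructed config file (sample input, not a real system).
demo_dir=$(mktemp -d)
printf '# debug = on\nlisten = 8080\nDebug = On\n' > "$demo_dir/app.conf"
check_debug_flag "$demo_dir/app.conf"    # prints: DEBUG_ON Debug = On
rm -rf "$demo_dir"
```

Install the script on the HP-UX host, paste the <localfile> block into the agent's ossec.conf and the rules into local_rules.xml on the server, then restart both and confirm that a copy of the config with the flag set produces a level-10 alert within one <frequency> interval. Check that 100200 to 100202 do not collide with rule ids already in your local_rules.xml. Note what this does and does not give you: it reports the flag's state at each poll, and a level-7 alert if the file goes unreadable, but it cannot say who set the flag; that attribution needs OS-level audit data that OSSEC would only forward, not generate.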
