Actually, I take that back... it's not going to tell me much about the actual agents listed in the file. But it will at least tell me if the file was touched - that way I'll be alerted. It's a good start I suppose.
On Thu, Jun 23, 2011 at 6:59 PM, Jeremy Lee <[email protected]> wrote:
> Thanks Michael,
>
> I have FIM on so I'll have to get that set for alerting. However, I realized we have Snoopy installed on this box, so I'm basically just pointing OSSEC to watch the Snoopy log locally. I already created a decoder for Snoopy and just had to create some rules to filter based on certain matches.
>
> I think this may do the trick.
>
> On Thu, Jun 23, 2011 at 6:53 PM, Michael Starks <[email protected]> wrote:
>> On 06/23/2011 06:23 PM, jplee3 wrote:
>>> Is there a 'built-in' feature that can be set to notify if a certain client(s) was removed from this file?
>>>
>>> Otherwise, I'm thinking I should set up file integrity monitoring as well as a <localfile>full_command</localfile> with a command that will easily let me see what may have changed.
>>
>> There's nothing built-in. Using a file integrity check is a good idea. Be careful of check_diff since that would email the keys in the clear. Using the command output as you suggested is a good idea since you could awk/grep them out.
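The approach Michael describes (a full_command that strips the key column so the agent list can be alerted on without mailing secrets), written out as an added example that is not from the thread or from OSSEC itself. It assumes the standard client.keys line layout "ID NAME IP KEY"; the file names, the hypothetical `demo` helper and the sample entries with fake keys are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OSSEC code or a poster's script.
# Assumes client.keys lines look like "ID NAME IP KEY" (standard OSSEC layout).

# list_agents FILE: print "ID NAME IP" for every entry, dropping the key column
# so the output is safe to emit through an OSSEC full_command (and to email).
# Blank lines and '#' comment lines are skipped.
list_agents() {
    awk 'NF >= 4 && $1 !~ /^#/ { print $1, $2, $3 }' "$1"
}

# removed_agents OLD_LIST FILE: entries recorded in OLD_LIST (an earlier
# list_agents output) that no longer appear in FILE. One "ID NAME IP" per line.
removed_agents() {
    old_sorted=$(mktemp) || return 1
    new_sorted=$(mktemp) || { rm -f "$old_sorted"; return 1; }
    sort "$1" > "$old_sorted"
    list_agents "$2" | sort > "$new_sorted"
    comm -23 "$old_sorted" "$new_sorted"
    rm -f "$old_sorted" "$new_sorted"
}

# demo: constructed keys file before and after agent 002 is removed; the key
# values are fake placeholders. Prints the entry that disappeared.
demo() {
    keys_before=$(mktemp); keys_after=$(mktemp); snapshot=$(mktemp)
    printf '%s\n' \
        '001 webserver 192.168.1.10 0123456789abcdef0123456789abcdef' \
        '002 dbserver 192.168.1.11 fedcba9876543210fedcba9876543210' \
        '003 mailhost any 00112233445566778899aabbccddeeff' > "$keys_before"
    grep -v '^002 ' "$keys_before" > "$keys_after"
    list_agents "$keys_before" > "$snapshot"
    removed_agents "$snapshot" "$keys_after"
    rm -f "$keys_before" "$keys_after" "$snapshot"
}
```

The `list_agents` awk program is the part that would go into ossec.conf, e.g. a `<localfile>` with `<log_format>full_command</log_format>` and `<command>awk '{print $1,$2,$3}' /var/ossec/etc/client.keys</command>`, so that OSSEC's own output-change detection fires on the agent list while the keys themselves never reach the alert. The `removed_agents` comparison is an out-of-band check for the specific question asked upstream (which agent was removed), since the full_command alert only says that the output changed.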
