There was an idea previously about allowing SHAs and MD5s to be searched as the key in a cdb list. Then when you're getting ready to upgrade you pre-seed your list with the new checksums, and have a rule to check the list when a new checksum is detected.
On Mon, Sep 12, 2011 at 6:56 AM, Nick Green <[email protected]> wrote:
>
> Is this something people would be interested in if we put some dev time into
> it? We would create some kind of change daemons for both Linux puppet style
> change control systems and Windows SCCM change control system. (exact details
> to be fleshed out if the interest is there)
>
> Regards
> /nick
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Wednesday, September 07, 2011 6:46 PM
> To: [email protected]
> Subject: Re: [ossec-list] OSSEC syscheckd and Change Control Systems
>
> There's currently no way to do this.
>
> On Wed, Sep 7, 2011 at 12:26 PM, Nick Green <[email protected]>
> wrote:
>> Hi List,
>>
>> Just joined and have a scenario I need to crack ...
>>
>> 1. Ossec monitors file system file integrity.
>> 2. Change control system updates files e.g. /etc/passwd
>> 3. Change control system notifies ossec of new files to update md5/sha1
>> checksums BUT not alert because is authorized change.
>>
>> (that's the gist ... it's a lot more complicated on the auth side but
>> for this illustration it's enough)
>>
>> Does anyone run a similar installation as the above? Does ossec have a
>> command line call you update a file but not alert?
>>
>> Many thanks
>>
>> /Nick
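The pre-seeded checksum lookup described at the top of this message, sketched as an added stand-alone example (not OSSEC code and not from the thread). It assumes the approved list is plain `checksum:ticket` lines and that the change event carries the path and new checksums in the text layout shown; the function names, ticket id and file content are constructed.

```python
import hashlib
import re

def load_approved(text):
    """Parse 'checksum:ticket' lines (assumed list layout) into a dict."""
    approved = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        approved[key.strip().lower()] = value.strip()
    return approved

PATH_RE = re.compile(r"Integrity checksum changed for: '([^']+)'")
NEW_SUM_RE = re.compile(r"New (md5sum|sha1sum) is : '([0-9a-fA-F]+)'")

def triage(event, approved):
    """Return (path, verdict, ticket). Suppress only when every new checksum
    in the event is on the list under one and the same ticket."""
    m = PATH_RE.search(event)
    if not m:
        return (None, "alert", None)  # unparseable event: fail closed
    sums = [s.lower() for _, s in NEW_SUM_RE.findall(event)]
    tickets = {approved.get(s) for s in sums}
    if sums and None not in tickets and len(tickets) == 1:
        return (m.group(1), "suppress", tickets.pop())
    return (m.group(1), "alert", None)

def make_event(path, md5, sha1):
    """Build a constructed change event in the assumed text layout."""
    return (f"Integrity checksum changed for: '{path}'\n"
            f"New md5sum is : '{md5}'\nNew sha1sum is : '{sha1}'\n")

# Constructed file content the change control system is about to deploy.
NEW_PASSWD = b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n"
MD5 = hashlib.md5(NEW_PASSWD).hexdigest()
SHA1 = hashlib.sha1(NEW_PASSWD).hexdigest()
# Pre-seed the list before the change window (CHG-0001 is a made-up ticket).
APPROVED = load_approved(f"# approved changes\n{MD5}:CHG-0001\n{SHA1}:CHG-0001\n")

if __name__ == "__main__":
    print(triage(make_event("/etc/passwd", MD5, SHA1), APPROVED))
```

Requiring every reported checksum to match means an event where only the MD5 is on the list still alerts, so a collision on the weaker hash alone does not silence the change.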
