On Sep 12, 8:10 am, "dan (ddp)" <[email protected]> wrote:
> There was an idea previously about allowing SHAs and MD5s to be
> searched as the key in a cdb list. Then when you're getting ready to
> upgrade you pre-seed your list with the new checksums, and have a rule
> to check the list when a new checksum is detected.
>
> On Mon, Sep 12, 2011 at 6:56 AM, Nick Green <[email protected]> wrote:
>
> > Is this something people would be interested in if we put some dev time 
> > into it? We would create some kind of change daemons for both Linux puppet 
> > style change control systems and Windows SCCM change control system. (exact 
> > details to be fleshed out if the interest is there)
>
> > Regards
> > /nick
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On 
> > Behalf Of dan (ddp)
> > Sent: Wednesday, September 07, 2011 6:46 PM
> > To: [email protected]
> > Subject: Re: [ossec-list] OSSEC syscheckd and Change Control Systems
>
> > There's currently no way to do this.
>
> > On Wed, Sep 7, 2011 at 12:26 PM, Nick Green <[email protected]> 
> > wrote:
> >> Hi List,
>
> >> Just joined and have a scenario I need to crack ...
>
> >> 1. Ossec monitors file system file integrity.
> >> 2. Change control system updates files e.g. /etc/passwd
> >> 3. Change control system notifies ossec of new files to update md5/sha1
> >> checksums BUT not alert because is authorized change.
>
> >> (that's the gist ... it's a lot more complicated on the auth side but
> >> for this illustration it's enough)
>
> >> Does anyone run a similar installation as the above? Does ossec have a
> >> command line call to update a file but not alert?
>
> >> Many thanks
>
> >> /Nick

Would it be possible for OSSEC to check the Puppet Filebucket as the
files are stored on a path based on their MD5 sum?  So like with MD5
sum 54fb6627dbaa37721048e4549db3224d has the path
/var/lib/puppet/clientbucket/5/4/f/b/6/6/2/7/54fb6627dbaa37721048e4549db3224d.

I run into this a lot, so I'd be interested in helping solve this
problem.

- Trey
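
The lookup described in the message above, as an added example that is not part of the original thread and is not OSSEC or Puppet code: it maps an MD5 sum onto the bucket path layout quoted above and reports whether an entry exists. The function names and the temporary sample bucket are constructed for illustration, and treating a bucket entry as evidence that the content passed through Puppet is an assumption.

```python
import hashlib
import os
import re
import tempfile

# Default root taken from the path quoted in the message above.
BUCKET_ROOT = "/var/lib/puppet/clientbucket"
_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def bucket_path(md5_hex, root=BUCKET_ROOT):
    """Map an MD5 sum to its bucket path: the first eight hex digits
    become one directory level each, followed by the full sum."""
    md5_hex = md5_hex.strip().lower()
    # The sum may arrive from an alert or log line; accept only exactly
    # 32 hex digits so it can never inject extra path components.
    if not _MD5_RE.match(md5_hex):
        raise ValueError("not an MD5 hex digest: %r" % md5_hex)
    return os.path.join(root, *md5_hex[:8], md5_hex)


def file_md5(path):
    """MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def known_to_bucket(md5_hex, root=BUCKET_ROOT):
    """True if the bucket has an entry for this checksum."""
    return os.path.exists(bucket_path(md5_hex, root))


def demo():
    """Constructed sample: a temporary bucket holding one file's checksum."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "passwd.sample")
        with open(sample, "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
        digest = file_md5(sample)
        os.makedirs(bucket_path(digest, root))  # simulate a bucket entry
        return known_to_bucket(digest, root), known_to_bucket("0" * 32, root)


if __name__ == "__main__":
    print(demo())
```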
