On Sep 12, 8:10 am, "dan (ddp)" <[email protected]> wrote:
> There was an idea previously about allowing SHAs and MD5s to be
> searched as the key in a cdb list. Then when you're getting ready to
> upgrade you pre-seed your list with the new checksums, and have a rule
> to check the list when a new checksum is detected.
>
> On Mon, Sep 12, 2011 at 6:56 AM, Nick Green
> <[email protected]> wrote:
> > Is this something people would be interested in if we put some dev time
> > into it? We would create some kind of change daemons for both Linux puppet
> > style change control systems and Windows SCCM change control system. (exact
> > details to be fleshed out if the interest is there)
> >
> > Regards
> > /nick
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On
> > Behalf Of dan (ddp)
> > Sent: Wednesday, September 07, 2011 6:46 PM
> > To: [email protected]
> > Subject: Re: [ossec-list] OSSEC syscheckd and Change Control Systems
> >
> > There's currently no way to do this.
> >
> > On Wed, Sep 7, 2011 at 12:26 PM, Nick Green <[email protected]>
> > wrote:
> >> Hi List,
> >>
> >> Just joined and have a scenario I need to crack ...
> >>
> >> 1. Ossec monitors file system file integrity.
> >> 2. Change control system updates files e.g. /etc/passwd
> >> 3. Change control system notifies ossec of new files to update md5/sha1
> >> checksums BUT not alert because is authorized change.
> >>
> >> (that's the gist ... it's a lot more complicated on the auth side but
> >> for this illustration it's enough)
> >>
> >> Does anyone run a similar installation as the above? Does ossec have a
> >> command line call you update a file but not alert?
> >>
> >> Many thanks
> >>
> >> /Nick

Would it be possible for OSSEC to check the Puppet Filebucket, as the files are stored on a path based on their MD5 sum? So a file with MD5 sum 54fb6627dbaa37721048e4549db3224d has the path /var/lib/puppet/clientbucket/5/4/f/b/6/6/2/7/54fb6627dbaa37721048e4549db3224d.

I run into this a lot, so I'd be interested in helping solve this problem.

- Trey
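
The two lookups discussed in this thread (a pre-seeded checksum list and the filebucket path derived from an MD5 sum) can be sketched as follows. This is an added example, not code from the thread, OSSEC or Puppet; the function names are hypothetical, a Python set stands in for the cdb list, and only the path layout quoted in the post above is assumed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MD5_RE = re.compile(r"[0-9a-f]{32}")
DEFAULT_ROOT = "/var/lib/puppet/clientbucket"  # root path as quoted in the thread


def bucket_path(md5sum, root=DEFAULT_ROOT):
    """Map an MD5 sum to its filebucket path: the first 8 hex digits
    become one directory level each, followed by the full sum."""
    md5sum = md5sum.strip().lower()
    # Accept exactly 32 hex digits, so a checksum field taken from an
    # alert can never carry '/' or '..' into the filesystem lookup.
    if not MD5_RE.fullmatch(md5sum):
        raise ValueError("not an MD5 sum: %r" % md5sum)
    return Path(root, *md5sum[:8], md5sum)


def classify_change(md5sum, preseeded, root=DEFAULT_ROOT):
    """Classify a checksum reported for a changed file.

    'preseeded'  - listed in the pre-seeded set (stand-in for a cdb list)
    'filebucket' - an entry for this sum exists under the bucket root
    'unknown'    - neither source knows it, so the alert should stand
    """
    path = bucket_path(md5sum, root)  # validates the input first
    if md5sum.strip().lower() in preseeded:
        return "preseeded"
    # Only existence is checked; whether the entry is a file or a
    # directory is not stated in the thread.
    if path.exists():
        return "filebucket"
    return "unknown"


def demo():
    """Run the classifier on constructed data; a temp dir is the bucket."""
    with tempfile.TemporaryDirectory() as root:
        seeded = hashlib.md5(b"constructed upgrade payload\n").hexdigest()
        bucketed = hashlib.md5(b"constructed file contents\n").hexdigest()
        other = hashlib.md5(b"constructed unexpected edit\n").hexdigest()
        bucket_path(bucketed, root).mkdir(parents=True)
        return [classify_change(m, {seeded}, root)
                for m in (seeded, bucketed, other)]


if __name__ == "__main__":
    print(bucket_path("54fb6627dbaa37721048e4549db3224d"))
    print(demo())
```

A checksum that comes back `unknown` is the case that should still raise the syscheck alert; the other two results are candidates for a lower-severity rule rather than silent suppression.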
