On 10/26/2011 08:33 PM, dan (ddp) wrote:
Please excuse my ignorance. I'll take notes. :)
On Wed, Oct 26, 2011 at 8:15 AM, carlopmart<[email protected]> wrote:
On 10/26/2011 01:00 PM, Michael Starks wrote:
List the most annoying bugs. What makes OSSEC difficult to use? What is
the biggest area for improvement? What are we missing? Any rules fp too
much? Now is the time to get it all out.
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
IMHO, some improvements need to be implemented in OSSEC:
a) Ability to be installed on cluster systems, like RHCS (RedHat Cluster
Suite) or Pacemaker/Corosync.
What is inadequate with the current system in a clustered environment?
I probably just don't know enough about how these clusters operate,
but what needs to change in OSSEC?
I will try to explain. Installing OSSEC in a "real cluster suite" has
these advantages:
a) All alerts, events, etc. reside on shared storage. ALL information
is always available. With the current model you will have one part on
serverA and another part on serverB. It is not an ideal situation, for
example if you use some type of event correlator like Splunk or Sguil.
b) Only one server IP needs to be configured on the clients. If serverA
fails, serverB takes control transparently for the client.
Of course, this type of configuration permits clustering across
geographically separated sites ...
What needs to change in the OSSEC code? It needs to permit binding to a
specific IP address and assigning a hostname different from that of the
real host it is installed on. After this, OSSEC can work on cluster
suites .... at least the ones I know.
--
CL Martinez
carlopmart {at} gmail {d0t} com
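For readers who want to see what the active/passive layout described in this thread looks like in practice, the following Pacemaker resource definition (crm shell syntax) is an added illustration; it is not from the thread and not part of the OSSEC project. It assumes: a floating service address 192.0.2.10/24 on eth0 (the address the agents are pointed at), a shared block device /dev/mapper/ossec_shared with an ext4 filesystem that holds the whole /var/ossec tree, and an LSB init script /etc/init.d/ossec present on both nodes. All three names are assumptions for the example.

```crmsh
# Added example (not from the thread or the OSSEC project).
# Assumed: VIP 192.0.2.10/24 on eth0, shared device /dev/mapper/ossec_shared
# mounted at /var/ossec, LSB init script "ossec" on both nodes.

# 1. The floating address the agents are configured against.
primitive ossec_ip ocf:heartbeat:IPaddr2 \
    params ip="192.0.2.10" cidr_netmask="24" nic="eth0" \
    op monitor interval="10s"

# 2. The shared filesystem holding queues, alerts, logs and agent keys.
#    Only the node that owns the group may have it mounted.
primitive ossec_fs ocf:heartbeat:Filesystem \
    params device="/dev/mapper/ossec_shared" directory="/var/ossec" fstype="ext4" \
    op monitor interval="20s"

# 3. The OSSEC server itself, started through its init script.
primitive ossec_srv lsb:ossec \
    op monitor interval="30s"

# A group is ordered and colocated: address first, then filesystem,
# then the daemons, all on the same node; failover moves all three.
group ossec_grp ossec_ip ossec_fs ossec_srv

# Fencing must be configured (not shown) before a shared filesystem is
# put under cluster control; mounting it on two nodes at once corrupts it.
property stonith-enabled="true"
```

On the agent side the `<server-ip>` entry in ossec.conf then points at 192.0.2.10 rather than at either node. This covers the two advantages listed above (shared data, single address) because ossec-remoted listens on all interfaces by default, so whichever node holds the address receives the agent traffic; it does not address the hostname point raised in the post, since each node still reports under its own hostname.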