I'm glad that there is now a way for ossec clients to automatically
register with the server. This is great within any cloud
architecture. While auto scaling is not ready to be implemented
within the application I'm currently helping design (I do all the
back-end Linux/cloud stuff, not the coding of the application), one of our
contracts requires that we have some form of IDS. This is what
brought me to ossec in the first place. I can auto add agents as they
spin up through my configuration management by utilizing agent-auth
and it works wonderfully. The downside is I see no way to actually
have an agent tell the server daemon to remove itself.
./agent-auth -h
OSSEC HIDS ossec-authd: Connects to the manager to extract the agent
key.
Available options:
-h This help message.
-m <manager ip> Manager IP Address.
-p <port> Manager port (default 1515).
-A <agent name> Agent name (default is the hostname).
-D <OSSEC Dir> Location where OSSEC is installed.
For now I have been having to manually remove each agent within a test
environment, which I find endlessly annoying. It's starting to seem like I
need to write a script that occasionally goes through
/var/ossec/etc/client.keys and then utilizes an AWS query to gather information
regarding which instances of a machine class are running, then removes
the lines that are no longer relevant whatsoever?
Has someone come up with a solution for having completely stateless
machines that can come up and disappear at a moment's notice?
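One way to do the pruning sketched above, as an added example that is not from the original post or the OSSEC project: it assumes client.keys holds one "ID NAME IP KEY" line per agent, and takes the set of live hostnames as a constructed in-memory set standing in for the AWS inventory query. Agents outside the auto-scaled name prefix are never touched, and an empty live set aborts the run instead of deleting every agent.

```python
"""Prune stale auto-registered agents from OSSEC's client.keys.
Added example (not from the original post or the OSSEC project). Assumes one
"ID NAME IP KEY" line per agent; the live-host set stands in for an AWS query."""
from collections import namedtuple

AgentKey = namedtuple("AgentKey", "agent_id name ip key")


def parse_client_keys(text):
    """Parse client.keys text; skip blank/'#' lines, fail loudly on malformed ones."""
    agents = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"client.keys line {lineno}: expected 4 fields, got {len(parts)}")
        agents.append(AgentKey(*parts))
    return agents


def prune_agents(agents, live_hosts, class_prefix):
    """Return (keep, remove). Only agents whose name carries class_prefix (the
    auto-scaled class) are candidates, so hand-registered agents are never touched.
    An empty live set means the inventory query failed, not 'remove everything'."""
    if not live_hosts:
        raise RuntimeError("refusing to prune: live host set is empty")
    keep, remove = [], []
    for agent in agents:
        stale = agent.name.startswith(class_prefix) and agent.name not in live_hosts
        (remove if stale else keep).append(agent)
    return keep, remove


def render_client_keys(agents):
    # Serialise back into client.keys format, one line per agent.
    return "".join(" ".join(a) + "\n" for a in agents)


# Constructed sample: three auto-scaled web agents plus one hand-registered DB host.
SAMPLE_CLIENT_KEYS = """\
001 web-i-0aaa 10.0.1.10 0123456789abcdef
002 web-i-0bbb 10.0.1.11 fedcba9876543210
003 db-master 10.0.2.5 1111222233334444
004 web-i-0ccc 10.0.1.12 5555666677778888
"""
LIVE_WEB_HOSTS = {"web-i-0aaa", "web-i-0ccc"}  # what the AWS query would return today

if __name__ == "__main__":
    keep, remove = prune_agents(parse_client_keys(SAMPLE_CLIENT_KEYS), LIVE_WEB_HOSTS, "web-")
    print("would remove:", [a.name for a in remove])  # ['web-i-0bbb']
    print(render_client_keys(keep), end="")
```

The manager reads client.keys at start-up, so after writing the pruned file back in place restart the OSSEC manager for the removal to take effect.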