On Wed, Jan 18, 2012 at 7:49 AM, maz <[email protected]> wrote:
> I'm glad that there is now a way for ossec clients to automatically
> register with the server. This is great within any cloud
> architecture. While auto scaling is not ready to be implemented
> within the application I'm currently helping design (I do all the back
> end Linux/cloud stuff, not the coding of the application) one of our
> contracts requires that we have some form of IDS. This is what
> brought me to ossec in the first place. I can auto add agents as they
> spin up through my configuration management by utilizing agent-auth
> and it works wonderfully. The downside is I see no way to actually
> have an agent tell the server daemon to remove itself.
>
> > ./agent-auth -h
>
> OSSEC HIDS ossec-authd: Connects to the manager to extract the agent key.
> Available options:
>     -h                  This help message.
>     -m <manager ip>     Manager IP Address.
>     -p <port>           Manager port (default 1515).
>     -A <agent name>     Agent name (default is the hostname).
>     -D <OSSEC Dir>      Location where OSSEC is installed.
>
> For now I have been having to manually remove each agent within a test
> environment which I find endlessly annoying. Starting to seem like I
> need to write a script that occasionally goes through
> /var/ossec/etc/client.keys and then utilize an AWS query to gather
> information regarding which instances of a machine class are running
> then remove the lines that are no longer relevant whatsoever?
>
> Has someone come up with a solution for having completely stateless
> machines that can come up and disappear at the notice of a moment?

I think authenticating the removal is the hard part. Adding a new agent isn't generally a big deal, removing one is huge.
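
The reconciliation script proposed in the quoted message, sketched as an added example that is not part of the original thread and not OSSEC code. It decides removals on the manager from an authoritative inventory instead of trusting an agent's request, and refuses plans that look like a failed inventory query. Assumptions: `client.keys` lines have the form `ID NAME IP KEY`, agent names match instance names, and the function names, sample data and 50% threshold are hypothetical.

```python
from typing import NamedTuple

class Agent(NamedTuple):
    agent_id: str
    name: str
    ip: str  # the key field is deliberately not kept in memory

def parse_client_keys(text):
    """Parse client.keys content, assumed to be 'ID NAME IP KEY' per line."""
    agents = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip blank or malformed lines rather than guess
        agents.append(Agent(parts[0], parts[1], parts[2]))
    return agents

def plan_removals(agents, running_names, max_fraction=0.5):
    """Return IDs of agents missing from the inventory; refuse suspicious plans."""
    running = set(running_names)
    if not running:
        # An empty list usually means the inventory query failed, not that
        # every instance is gone.
        raise ValueError("empty inventory: refusing to plan any removal")
    stale = [a for a in agents if a.name not in running]
    if agents and len(stale) / len(agents) > max_fraction:
        raise ValueError("plan would remove %d of %d agents" % (len(stale), len(agents)))
    return [a.agent_id for a in stale]

# Constructed sample data, not real agent keys.
SAMPLE_KEYS = """\
001 web-01 any 1111aaaa
002 web-02 any 2222bbbb
003 worker-01 10.0.0.7 3333cccc
004 web-03 any 4444dddd
"""
SAMPLE_RUNNING = ["web-01", "web-03", "worker-01"]  # e.g. from an AWS query

if __name__ == "__main__":
    for agent_id in plan_removals(parse_client_keys(SAMPLE_KEYS), SAMPLE_RUNNING):
        print("would remove agent", agent_id)  # dry run only, nothing is edited
```

The output is a dry-run list of agent IDs; the actual removal step is left to the manager's own tooling under whatever review the environment requires.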
