FYI, I believe OSSEC 2.7 now has a configuration toggle that would allow commands in agent.conf to be executed on each Agent--this allows for centralized management of (full_)commands.

On Nov 29, 2012, at 10:23 AM, [email protected] wrote:

> Michael Starks responded with the Windows command to determine account availability.
>
> net user account_name | find "Account active Yes"
>
> This could be placed in the full_command syntax on the agent machine's ossec.conf. This would need to be distributed to all agent machines by some means.
>
> Scott
>
> On Nov 29, 2012, at 2:56 AM, Michiel van Es <[email protected]> wrote:
>
>> Hmm, the code is from 2010 and there are 2 beta versions... it doesn't look like there is a lot of progress on the development of this product.
>> I might try OpenVAS, but it would be great if there was a check, since we do check files for Linux with OSSEC. I would imagine you could do something similar with OSSEC; Windows accounts are stored (at least on older versions) in the SAM database.
>>
>> On Tuesday, 27 November 2012 18:20:47 UTC+1, sklauminzer wrote:
>> Something like this might be a better tool for your needs:
>> SSA - Security System Analyzer 2.0
>> http://code.google.com/p/ssa/
>>
>> You could tie it into OSSEC with the full_command option.
>>
>> If all you need is to determine the Admin account status, then use a PowerShell command in full_command.
>>
>> Scott
>>
>> On Nov 27, 2012, at 4:02 AM, Michiel van Es <[email protected]> wrote:
>>
>> > Hi,
>> >
>> > We want to check for hardening and one of our Windows hardening rules is to rename the Administrator account and create a decoy Administrator account, not part of any group and disabled.
>> > One of the things we want to check is to see if the Administrator account is enabled on Windows machines.
>> >
>> > Is there a check or simple script how I can establish this on the Windows machines?
>> >
>> > Regards,
>> >
>> > Michiel
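
The centrally managed check discussed in this thread, as an added example that is not part of the original messages or of OSSEC's shipped configuration. Assumptions: the toggle mentioned in the top reply is taken to be `logcollector.remote_commands`, the decoy account is named `Administrator`, and the rule IDs, alert level and hourly frequency are arbitrary picks; the match on "Account active" is done in the rule on the manager instead of piping through `find` on the agent.

```xml
<!-- On each Windows agent, local_internal_options.conf (assumed toggle):
       logcollector.remote_commands=1
     Without it, commands pushed through agent.conf are not executed. -->

<!-- On the manager: shared agent.conf, distributed to agents automatically -->
<agent_config os="Windows">
  <localfile>
    <log_format>full_command</log_format>
    <!-- Decoy account from the hardening rule; adjust the name as needed -->
    <command>net user Administrator</command>
    <!-- Run once per hour (arbitrary interval) -->
    <frequency>3600</frequency>
  </localfile>
</agent_config>

<!-- On the manager: local_rules.xml -->
<group name="local,hardening,">
  <!-- Group the output of this one command; 530 is the stock parent rule
       for "ossec: output:" events -->
  <rule id="100200" level="0">
    <if_sid>530</if_sid>
    <match>ossec: output: 'net user Administrator'</match>
    <description>Output of net user Administrator.</description>
  </rule>

  <!-- net user pads the field with spaces, so match any run of whitespace -->
  <rule id="100201" level="10">
    <if_sid>100200</if_sid>
    <regex>Account active\s+Yes</regex>
    <description>Decoy Administrator account is enabled.</description>
  </rule>
</group>
```

The toggle is off by default because it lets the manager push arbitrary commands to every agent, so enabling it extends the trust placed in the manager and in whoever can edit agent.conf.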
