I've been working with getting OSSEC deployed in a distributed, mixed environment, in which hosts are frequently destroyed and recreated.

I've managed to get the install and rules fairly well set up thus far, but am hitting a small issue presently, which is that a couple of files are being alerted on very soon after start, the files being /etc/resolv.conf and /etc/shadow-. Presently I'm starting OSSEC as the very last step of our host install, but I'm figuring DHCP has yet to finalise resolv.conf, and the local users being set up during a preceding install step means that shadow- is yet to be written at the time OSSEC is starting. At least those are my random ideas so far.

What I'm wondering is if I can ignore these files for the first, say, minute after OSSEC starts? Otherwise I may have to ignore these files completely, which may be low impact anyhow given that DHCP may legitimately overwrite resolv.conf and shadow- is essentially a backup.

Any ideas greatly appreciated!

Dan

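The two knobs the post is weighing (silencing the files entirely versus keeping them monitored but quieter), shown as an added configuration example that is not part of the original message and not OSSEC's shipped defaults. It assumes the standard OSSEC layout (/var/ossec/etc/ossec.conf for the agent/server config and /var/ossec/rules/local_rules.xml for local overrides), the stock syscheck rule 550 ("Integrity checksum changed"), and local rule IDs in the 100000+ range; the chosen level and path list are assumptions to adapt.

```xml
<!-- Added example: two ways to handle /etc/resolv.conf and /etc/shadow- in OSSEC syscheck.
     Option A lives in /var/ossec/etc/ossec.conf; Option B in /var/ossec/rules/local_rules.xml.
     Pick one; using both just makes Option B unreachable because syscheck never reports the file. -->

<!-- Option A: stop syscheck from reporting these paths at all (the "ignore completely" route).
     Caveat: a real tampering of either file will also go unreported, so keep this list short. -->
<ossec_config>
  <syscheck>
    <!-- exact-path ignores; syscheck matches on the path prefix -->
    <ignore>/etc/resolv.conf</ignore>
    <ignore>/etc/shadow-</ignore>
  </syscheck>
</ossec_config>

<!-- Option B: keep the files in the integrity database but drop the alert level for these two
     paths, so changes are still recorded in the syscheck DB (and visible in the logs) without
     paging anyone. Rule 550 is the stock "checksum changed" rule; 100100 is an assumed local ID. -->
<group name="local,syscheck,">
  <rule id="100100" level="0">
    <if_sid>550</if_sid>
    <match>/etc/resolv.conf|/etc/shadow-</match>
    <description>Expected post-provisioning change to resolv.conf or shadow- (DHCP / user setup).</description>
  </rule>
</group>
```

Option B is the more defensible of the two for /etc/shadow-, because the change is still written to the syscheck database and can be reviewed after the fact, whereas an `<ignore>` removes the file from monitoring entirely. OSSEC has no documented "grace period after start" setting, so the ordering fix in the post (starting OSSEC after DHCP and user creation have finished) remains the cleanest way to avoid the initial alerts; these rules only cover the case where the ordering cannot be guaranteed.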