On Mon, Apr 11, 2016 at 4:57 AM, John Jenkins <[email protected]> wrote:
> Apologies if this has been answered before but I couldn't find any
> information about this. I'm also new to OSSEC.
>
> How does an agent-based install of OSSEC detect or prevent the
> modification of the agent itself?
>
> For example, what's to stop someone replacing the agent with their own
> custom binary to do god-knows what?
>
An alert should be triggered when the OSSEC agent disconnects, so unless they were changing the binary in memory there should be some trail. Beyond that, I don't think there's anything it specifically does, and I'm not sure what else it could do.

> Are there any best practices to prevent this?
>
> I'm aware that an agentless install can help mitigate this, however the
> sshd binary would possibly be a weak point there. Also you lose some
> of the nicer features of the agent-based install.
>
> Also, am I right in thinking the file integrity database is also stored
> locally and open to modification in a local-only install?
>

If the installation type is "local," the DB is local. If the installation type is "agent," it is stored on the manager. The agent only sends the file info to the manager, and the manager compares to previous records.

> John.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
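The manager-side comparison the reply describes, as an added example that is not OSSEC's own code: a toy manager that keeps each agent's integrity baseline itself, raises alerts for files an agent reports as added, modified or deleted, and lists agents that have stopped reporting. The record fields, agent id, timeouts and file paths are constructed for the illustration and are not OSSEC's wire format or install paths.

```python
import hashlib

def file_record(content: bytes, mode: str = "0755", owner: str = "root") -> dict:
    """Attributes an agent would report for one file (constructed fields)."""
    return {"size": len(content), "mode": mode, "owner": owner,
            "sha1": hashlib.sha1(content).hexdigest()}

class Manager:
    """Holds every agent's integrity baseline; agents only send reports."""

    def __init__(self, keepalive_timeout: int = 60):
        self.baseline = {}            # agent_id -> {path: record}
        self.last_seen = {}           # agent_id -> time of last report
        self.keepalive_timeout = keepalive_timeout

    def receive(self, agent_id: str, report: dict, now: int) -> list:
        """Compare a report with the stored baseline and return alerts."""
        self.last_seen[agent_id] = now
        if agent_id not in self.baseline:      # first scan only seeds the baseline
            self.baseline[agent_id] = dict(report)
            return []
        known = self.baseline[agent_id]
        alerts = []
        for path, rec in report.items():
            if path not in known:
                alerts.append(("added", agent_id, path))
            elif rec != known[path]:
                alerts.append(("modified", agent_id, path))
        for path in set(known) - set(report):
            alerts.append(("deleted", agent_id, path))
        self.baseline[agent_id] = dict(report)  # only the manager rewrites it
        return alerts

    def disconnected(self, now: int) -> list:
        """Agents whose last report is older than the keepalive timeout."""
        return [a for a, t in self.last_seen.items()
                if now - t > self.keepalive_timeout]

def demo():
    """Constructed scenario: agent 001 reports, then its binary is swapped."""
    m = Manager(keepalive_timeout=60)
    agent_path = "/opt/agent/bin/agentd"        # placeholder path, not OSSEC's
    base = {agent_path: file_record(b"original agent"),
            "/etc/passwd": file_record(b"root:x:0:0", mode="0644")}
    first = m.receive("001", base, now=0)       # baseline seeded, no alerts
    tampered = {**base, agent_path: file_record(b"replaced agent")}
    second = m.receive("001", tampered, now=30)  # swapped binary is flagged
    return first, second, m.disconnected(now=120)
```

Because the baseline is compared and rewritten only on the manager, a replaced agent can at best stop reporting, which the keepalive check surfaces as a disconnect.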
