
List:       ossec-list
Subject:    [ossec-list] File integrity checking: integration between OSSEC and
From:       Alexis Le-Quoc <alq666 () gmail ! com>
Date:       2009-12-20 19:47:59
Message-ID: 57422469-0bb7-46af-acb8-809ed8061525 () a21g2000yqc ! googlegroups ! com

Greetings from a prospective OSSEC user,

I've been looking for pointers on how to properly integrate OSSEC and
a configuration management system (beside
http://www.ossec.net/wiki/Integration_&_Deployment_with_cfengine),
before biting the bullet and getting OSSEC deployed alongside bcfg2.
What particularly interests me is how to clearly delineate file
ownership between ossec and bcfg2. We have this scenario where quite
often we will release file updates via bcfg2. I can think of 2 ways to
attack this:

(1) the lazy way: clearly mark a separation between what's managed by
bcfg2 and what's managed by OSSEC. In other words, for any file, it
can only be handled by one or the other. That'll avoid spurious alerts
but presents 2 risks, either files are managed by neither, or we can't
keep that separation clean and when we add a file to bcfg2, we forget
about taking it out of OSSEC's watch list.

(2) the "right" way: teach bcfg2 how to update OSSEC's file
fingerprint DB before it applies its updates, so that OSSEC can start
with a fairly inclusive list of files to watch and see that list
shrink as more files get managed by bcfg2. Of course the cost here is
the work to write a bcfg2 plugin that can talk OSSEC.

Has anyone done (2) already?

Thanks,

Alexis
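As an added illustration of the two risks the post attaches to option (1), and not code from the original message or from the OSSEC or bcfg2 projects: a small reconciliation script that checks a bcfg2-managed file list against the `<directories>` and `<ignore>` entries of an OSSEC `syscheck` configuration and buckets each host file by who watches it (both, OSSEC only, bcfg2 only, or neither). The ossec.conf fragment, the bcfg2 file list and the host inventory are constructed for the example, and plain `<ignore>` entries are assumed to behave as path prefixes (sregex-style ignores are not handled).

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (hypothetical, not from the original post).
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>"""

# Constructed list of files bcfg2 pushes to this host (hypothetical).
BCFG2_MANAGED = ["/etc/ntp.conf", "/etc/hosts.deny", "/opt/app/app.ini"]
# Constructed inventory of host files that somebody should be watching.
HOST_FILES = BCFG2_MANAGED + ["/etc/ssh/sshd_config", "/opt/app/secret.key"]

def parse_syscheck(conf_xml):
    """Return (watched, ignored) path lists from the <syscheck> section."""
    root = ET.fromstring(conf_xml)
    watched, ignored = [], []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            watched.extend(p.strip() for p in d.text.split(",") if p.strip())
        ignored.extend(i.text.strip() for i in sc.findall("ignore"))
    return watched, ignored

def is_under(path, base):
    """True if path equals base or lies below it (plain prefix match)."""
    return path == base or path.startswith(base.rstrip("/") + "/")

def watched_by_ossec(path, watched, ignored):
    # Plain <ignore> entries are treated as path prefixes here (assumption;
    # sregex-style ignores are not handled).
    if any(is_under(path, i) for i in ignored):
        return False
    return any(is_under(path, w) for w in watched)

def classify(host_files, bcfg2_files, conf_xml):
    """Bucket each host file by who owns it: both, ossec_only, bcfg2_only, neither."""
    watched, ignored = parse_syscheck(conf_xml)
    buckets = {"both": [], "ossec_only": [], "bcfg2_only": [], "neither": []}
    for f in sorted(set(host_files)):
        in_bcfg2, in_ossec = f in bcfg2_files, watched_by_ossec(f, watched, ignored)
        key = ("both" if in_bcfg2 and in_ossec else "bcfg2_only" if in_bcfg2
               else "ossec_only" if in_ossec else "neither")
        buckets[key].append(f)  # "neither" and "both" are the two risks to review
    return buckets
```

The "both" bucket lists files that will raise a syscheck alert on every bcfg2 release, and the "neither" bucket lists files that have fallen between the two tools.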