On Wed, 05 Aug 2009 17:23:39 -0700, Ross Lawrie <[email protected]> wrote:
> I'm wondering what the proper procedure is from an admin point of view
> upon a notification of a changed file on a monitored system.

That's really a policy question. Do you want a history of file changes? Do you want to be notified about all changes or only some? Are certain files critical enough that a change should go to your pager? There's really no one correct answer here.

> If the file change is known and okay, is the procedure to Update (clear)
> the database for the agent? It's nice having the output of
> syscheck_control show a quick history of changes for a given agent; that
> list would zero upon an update (clear).

You could, but I wouldn't recommend it. If the system is compromised or there is some question as to the integrity of a change, you're going to want to have a history to fall back on.

> If I update the database for an agent, is there a quick (command-line)
> method to view a history of changes for that agent, or would it require
> parsing the logs through ossec-reportd?

Well, if you update the syscheck database, that history is gone. You could always look at the alerts history to see what happened. But there are other reasons to keep file history in the syscheck database. For example, if you're alerting on all files but have used syscheck_control to flag one or more files to not alert, you'll need that database.

> Lastly, and this may be a useless question, but is it possible to update
> the database signature for a single file while not updating other
> changed files on an agent? I could see the argument being that
> signatures shouldn't be updated unless all changes are known to be good.

I'm not exactly sure what you are trying to do here. Do you want to mark certain files as acknowledged as good? That would be a good feature, but I don't think it's possible yet.

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
Information Security, Privacy and Personal Liberty
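The reply above says that once the syscheck database for an agent is cleared, the alert log is the only place the change history survives. The following is an added example (not code from this thread or from the OSSEC project) that rebuilds a per-agent file-change history from alerts.log. It assumes the record layout OSSEC 2.x writes for syscheck alerts (rule 550 for a checksum change, 553 for a deleted file, 554 for a new file); the sample log embedded below is constructed for this example, and its hosts, addresses and checksums are made up.

```python
"""Recover a per-agent syscheck change history from OSSEC alerts.log.

Added example, not code from the mailing-list thread or from OSSEC.
Assumes the OSSEC 2.x alert record layout: a "** Alert" header carrying
the rule groups, a timestamp/agent line, a "Rule:" line, then the
syscheck detail lines.  The sample log is constructed (made-up data).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /var/ossec/logs/alerts/alerts.log (made-up data).
SAMPLE_ALERTS = """\
** Alert 1249518000.1234: - ossec,syscheck,
2009 Aug 05 17:20:00 (webserver01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Size changed from '1024' to '1041'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8'

** Alert 1249518060.1301: - ossec,syscheck,
2009 Aug 05 17:21:00 (webserver01) 192.0.2.10->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/hosts.allow' was deleted. Unable to retrieve checksum.

** Alert 1249518090.1350: - syslog,sshd,authentication_failed,
2009 Aug 05 17:21:30 (webserver01) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
Aug  5 17:21:29 webserver01 sshd[2231]: Failed password for invalid user test from 203.0.113.5 port 51022 ssh2

** Alert 1249518120.1390: - ossec,syscheck,
2009 Aug 05 17:22:00 (dbserver02) 192.0.2.20->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'
Old md5sum was: '5d41402abc4b2a76b9719d911017c592'
New md5sum is : '7d793037a0760186574b0282f2f435e7'

** Alert 1249518180.1450: - ossec,syscheck,
2009 Aug 05 17:23:00 ossec-server->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/cron.d/backup' added to the file system.
"""

# Second line of a record: "(agent) ip->syscheck" for agents, or
# "hostname->syscheck" for files monitored on the server itself.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) \S+|(?P<local>\S+))->syscheck$"
)
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
PATH_RES = [
    ("modified", re.compile(r"^Integrity checksum changed for: '(?P<path>.*)'$")),
    ("deleted", re.compile(r"^File '(?P<path>.*)' was deleted\.")),
    ("added", re.compile(r"^New file '(?P<path>.*)' added to the file system\.$")),
]
OLD_MD5_RE = re.compile(r"^Old md5sum was: '(?P<sum>[0-9a-f]{32})'$")
NEW_MD5_RE = re.compile(r"^New md5sum is : '(?P<sum>[0-9a-f]{32})'$")


@dataclass
class FileChange:
    timestamp: str
    agent: str
    rule_id: int
    event: str  # "modified", "deleted" or "added"
    path: str
    old_md5: Optional[str] = None
    new_md5: Optional[str] = None


def parse_syscheck_alerts(text: str) -> List[FileChange]:
    """Parse alert records, keep only syscheck ones, in log order."""
    changes: List[FileChange] = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        if len(lines) < 3 or not lines[0].startswith("** Alert"):
            continue
        groups = lines[0].split("- ", 1)[1] if "- " in lines[0] else ""
        if "syscheck" not in groups.split(","):
            continue  # e.g. the sshd alert above is skipped here
        head, rule = HEADER_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not head or not rule:
            continue
        agent = head.group("agent") or head.group("local")
        event = path = old_md5 = new_md5 = None
        for line in lines[3:]:
            for kind, rx in PATH_RES:
                m = rx.match(line)
                if m:
                    event, path = kind, m.group("path")
            m = OLD_MD5_RE.match(line)
            if m:
                old_md5 = m.group("sum")
            m = NEW_MD5_RE.match(line)
            if m:
                new_md5 = m.group("sum")
        if path is None:
            continue
        changes.append(FileChange(head.group("ts"), agent, int(rule.group("id")),
                                  event, path, old_md5, new_md5))
    return changes


def history_for_agent(changes: List[FileChange], agent: str) -> List[FileChange]:
    """Per-agent history, the view syscheck_control -i no longer gives after -u."""
    return [c for c in changes if c.agent == agent]


def format_history(changes: List[FileChange]) -> List[str]:
    """One line per change, with the md5 transition where one was recorded."""
    out = []
    for c in changes:
        detail = ""
        if c.old_md5 and c.new_md5:
            detail = f" md5 {c.old_md5[:8]}.. -> {c.new_md5[:8]}.."
        out.append(f"{c.timestamp} {c.agent} {c.event:8} {c.path}{detail}")
    return out


if __name__ == "__main__":
    all_changes = parse_syscheck_alerts(SAMPLE_ALERTS)
    for name in sorted({c.agent for c in all_changes}):
        print(f"== {name} ==")
        print("\n".join(format_history(history_for_agent(all_changes, name))))
```

To run it against a real server, replace SAMPLE_ALERTS with the contents of /var/ossec/logs/alerts/alerts.log (or the dated archives under that directory). Check the detail-line wording against your own alerts before relying on the regexes; the strings above are the OSSEC 2.x ones and other versions may differ.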
