Hi all,
I guess this is more confirmation than anything but...
1) OSSEC agentless basically just includes syscheck - is this correct?
So rootcheck is not something that's done, nor log analysis.
The scripts supplied with OSSEC only do syscheck, you can do just about
anything you would like by writing your own script.
I have some blog posts on agentless and the agentless docs have been updated
recently.
http://www.ossec.net/doc/manual/agent/index.html
http://praetorianprefect.com/?s=ossec
2) There is no Windows implementation for OSSEC agentless
monitoring...?
Agentlessd runs on a centralized OSSEC server, which must be a UNIX. This is
also where agentless scripts are run. There is nothing to limit an
agentless script from connecting and performing active on a Windows box or
any other system for that matter.
3) Is there any major difference in how standard syscheck in local/
agent mode runs compared to in agentless mode?
The full OSSEC agent does far more than any script does (that I know of), but
the scripts could do more if needed.
Another reason the full agent is useful is that it's written in C and far
faster.
I'm in the process of evaluating whether OSSEC in agentless mode will
satisfy FIM-specific requirements of PCI. Obviously, rootcheck would
be a really nice [and more secure] thing to have but that's not
necessarily a requirement as far as PCI is concerned.