Hi everyone, I have made a small enhancement to OSSEC to support different configuration profiles for agents. If you are interested in this feature and would like to help, I would appreciate it if you could help me test it out.
The code is available from my bitbucket repository at http://bitbucket.org/cmoraes/ossec. (based off the current 2.6 beta source code)

Background - I needed OSSEC to support different syscheck/rootkit/localfile rules for different categories of servers. For e.g. I needed one config for our Linux Oracle servers, another one for our Linux JEE App servers, another for our Windows Domain controllers, etc.

From what I found, ossec currently supports agent configurations based on agent name or OS name. For my use case, creating a config for each agent name was too granular (I have 25 linux database (oracle) servers and wanted to create one configuration for all of them) and creating one for each OS was too coarse grained.

So I have implemented a feature to support configuration "profiles". Agents can be assigned a profile name (which can be any string) and that profile name is matched with the config profile in the shared agent.conf.

A new "profile" attribute is now supported in the agent.conf file.

    <agent_config profile="LinuxOracleDBServer">
      .....
    </agent_config>

And in the agent's etc/ossec.conf file, a new config element "config-profile" is added

    <ossec_config>
      <client>
        <server-ip>10.200.36.157</server-ip>
        <config-profile>LinuxOracleDBServer</config-profile>
      </client>
    </ossec_config>

This should make the enhancement backward compatible, so you don't have to change already deployed agents if you don't want to assign them a profile.

The code is in an alpha state. I have tested it for a few use cases. If you can try it out, I'd love to hear your feedback.

Regards,
Chris
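An added example, not part of the original post or of the OSSEC code: a pre-deployment check that resolves which agent_config blocks would apply to each agent and flags any agent whose config-profile matches no block in the shared agent.conf, since a mistyped profile name would leave that server without its profile-specific syscheck rules. The sample agent.conf, the agent inventory, the function names and the exact-string matching of name, os and profile are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a shared agent.conf (not from the original post).
AGENT_CONF = """
<agent_config>
  <syscheck><directories>/etc</directories></syscheck>
</agent_config>
<agent_config profile="LinuxOracleDBServer">
  <syscheck><directories>/u01/app/oracle</directories></syscheck>
</agent_config>
<agent_config profile="WindowsDC">
  <localfile><location>Security</location><log_format>eventlog</log_format></localfile>
</agent_config>
<agent_config os="Linux">
  <rootcheck><frequency>36000</frequency></rootcheck>
</agent_config>
"""

# Constructed inventory; "profile" stands for the agent's <config-profile> value.
AGENTS = [
    {"name": "ora-db-01", "os": "Linux", "profile": "LinuxOracleDBServer"},
    {"name": "ora-db-02", "os": "Linux", "profile": "LinuxOracleDbServer"},  # typo
    {"name": "web-01", "os": "Linux"},  # no profile assigned
]

def load_blocks(text):
    # agent.conf holds several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>").findall("agent_config")

def applies(block, agent):
    # Assumption: every attribute on the block must equal the agent's value
    # exactly; a block with no attributes applies to every agent.
    return all(agent.get(key) == value for key, value in block.attrib.items())

def directories_for(blocks, agent):
    # syscheck directories the agent would end up monitoring.
    return [d.text for b in blocks if applies(b, agent)
            for d in b.iter("directories")]

def unmatched_profiles(blocks, agents):
    # Agents whose profile is defined nowhere in agent.conf.
    defined = {b.get("profile") for b in blocks if b.get("profile")}
    return {a["name"]: a["profile"] for a in agents
            if a.get("profile") and a["profile"] not in defined}

if __name__ == "__main__":
    blocks = load_blocks(AGENT_CONF)
    for agent in AGENTS:
        print(agent["name"], directories_for(blocks, agent))
    print("unmatched:", unmatched_profiles(blocks, AGENTS))
```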