Hello all,

We're rolling out OSSEC, and have it rolled out to all our non-prod environments by using custom-rolled RPMs and manual agent/server key setup. However, we don't have root access to our prod systems (we're using a managed server provider), and were thinking about trying to automate the whole thing to simplify it.

That got us thinking: what is the reason behind the server/agent key system? We presume it is for authentication/authorisation of the agents, and encryption of the connection to keep log data private. We couldn't think of a reason why you couldn't just use IP-based security (blocking all traffic to the OSSEC server that isn't from your subnets), and SSL for encryption. This would arguably be slightly less secure in terms of authorised agents, but what is the risk should an unauthorised agent be able to connect? What is to be lost by just using an SSL system (for confidentiality of logs), as it would make the automated deployments much easier? We'd be interested to hear the rationale behind the current system, as well as any tested methods of large-scale automated deployment.

Calum
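What the manual key setup mentioned in the post above actually consists of, as an added example that is not part of Calum's post or of OSSEC's own code: each agent's entry in the manager's client.keys file is one line of the form `<id> <name> <ip> <key>`, where the key is that agent's pre-shared secret (the manager uses it both to decide a message really came from that agent and to encrypt the agent/server traffic), and the blob that `manage_agents -e <id>` prints for pasting into `manage_agents -i` on the agent is simply that line base64-encoded. The example below parses a client.keys file, allocates an id, generates an entry, exports it in that form and validates it on the receiving side. The 64-hex-character random key, the zero-padded three-digit ids, the "max id + 1" allocation and the duplicate-name/IP checks are choices of this example, not a statement of how manage_agents is implemented, and the sample client.keys content is constructed with fake keys.

```python
# Added example (not from the original post or the OSSEC project): the
# client.keys line format and the base64 wrapping used by
# `manage_agents -e` / `manage_agents -i`, reproduced so an automated
# rollout can generate and ship agent keys without the interactive menu.
import base64
import secrets

FIELDS = ("id", "name", "ip", "key")


def parse_client_keys(text):
    """Parse client.keys text into a list of dicts.

    Every non-blank line must be exactly "<id> <name> <ip> <key>".
    """
    agents = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed client.keys line: {raw!r}")
        agents.append(dict(zip(FIELDS, parts)))
    return agents


def next_agent_id(agents):
    """Highest numeric id in use plus one, zero-padded to three digits.

    Assumption of this example: never reuse an id, even if there is a gap,
    so a retired agent's id cannot be picked up by a new machine.
    """
    highest = max((int(a["id"]) for a in agents), default=0)
    return f"{highest + 1:03d}"


def new_agent_line(agents, name, ip, key=None):
    """Build the client.keys line for a new agent.

    Rejects a name or (non-"any") IP that is already registered, and
    fields containing whitespace, since the line is whitespace-delimited.
    key=None generates a fresh secret (64 hex chars is an assumption here).
    """
    if any(a["name"] == name for a in agents):
        raise ValueError(f"agent name already registered: {name}")
    if ip != "any" and any(a["ip"] == ip for a in agents):
        raise ValueError(f"agent IP already registered: {ip}")
    if key is None:
        key = secrets.token_hex(32)
    for field in (name, ip, key):
        if not field or any(c.isspace() for c in field):
            raise ValueError(f"field must be non-empty with no whitespace: {field!r}")
    return f"{next_agent_id(agents)} {name} {ip} {key}"


def export_key(line):
    """What `manage_agents -e <id>` prints: base64 of the client.keys line."""
    return base64.b64encode(line.encode("ascii")).decode("ascii")


def import_key(blob):
    """Agent-side check of an exported blob: decode it and require a
    well-formed four-field line before it is written to the agent's
    client.keys."""
    try:
        line = base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("not a valid exported key") from exc
    parts = line.split(" ")
    if len(parts) != 4 or not parts[0].isdigit():
        raise ValueError("decoded key is not an '<id> <name> <ip> <key>' line")
    return dict(zip(FIELDS, parts))


def enrol(client_keys_text, name, ip, key=None):
    """Manager-side step: returns (updated client.keys text, blob for the agent)."""
    agents = parse_client_keys(client_keys_text)
    line = new_agent_line(agents, name, ip, key)
    return client_keys_text + line + "\n", export_key(line)


# Constructed sample client.keys with fake keys; the gap at 002 stands in
# for an agent that was removed earlier.
SAMPLE_CLIENT_KEYS = """\
001 web-dev-01 10.1.0.11 0f2a1b3c4d5e6f708192a3b4c5d6e7f80f2a1b3c4d5e6f708192a3b4c5d6e7f8
003 db-dev-01 10.1.0.13 1122334455667788990011223344556677889900112233445566778899001122
"""

if __name__ == "__main__":
    updated, blob = enrol(SAMPLE_CLIENT_KEYS, "web-prod-01", "10.2.0.21")
    print(updated)
    print("ship to agent:", blob)
    print("agent sees:", import_key(blob))
```

Because the exported blob decodes straight back to the shared secret, an automated rollout has to treat it like a credential: move it over an authenticated channel (the same ssh session that installs the RPM, for instance) rather than over anything an IP allow-list alone protects, and keep client.keys readable only by the OSSEC user on both ends.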