As a small aside:
What OS are the test systems you use for developing OSSEC? On a previous
thread you said it was hard to get Solaris testers. I'm currently setting
up a VM as a dedicated OSSEC server, and could easily swap to CentOS
or Ubuntu for this, if this will be quicker/more robust.
Some agents would be required on Solaris boxes, but do you need to add DB
support on agents or just the server?
If so, for these I could possibly go agentless; I've modified
ssh_integrity_check_linux to perform agentless checks on Solaris, using:
> # as SSH_integrity_check_linux
> send "echo \"INFO: Starting.\"; for i in `find $args 2>/dev/null`;do tail \$i>/dev/null 2>&1 && md5=`digest -a md5 \$i` && sha1=`digest -a sha1 \$i` && fileInf=`ls -ldAn \$i | awk '{ printf \"%d:%s:%d:%d\", \$5, \$1, \$3,\$4 }'` && echo FWD: \$fileInf:\$md5:\$sha1 \$i ; done; exit\r"
>
(can't figure out a way to get octal permissions to fully replace stat...
but OSSEC seems to pick up diffs on string permissions and notify of
changes.)
I also made a separate script to pass logs to the server based on
yesterday's date (so only really runnable every 24 hours), which seems to
work.
> # as SSH_integrity_check_linux
> # calculate date as expect variable and pass to bash
> set ymonth [clock format [clock scan "2 days ago"] -format "%b"]
> set yday [clock format [clock scan "2 days ago"] -format "%e"]
> set yesterday [format "%s %d" $ymonth $yday]
>
> # altered this file to make it use LOG:
> send "echo \"INFO: Starting.\"; for i in `find $args 2>/dev/null`;do tail \$i>/dev/null 2>&1 && while read line; do ValidLine=`echo \$line|grep \"$yesterday\"` && echo LOG: \$ValidLine; done <\$i;done; exit\r"
> send "exit\r"
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
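Added example, not code from the post above nor from OSSEC's own agentless scripts: a POSIX sh stand-in for the `stat --printf=%s:%a:%u:%g` call that ssh_integrity_check_linux uses on Linux, so the Solaris FWD: line can carry an octal mode instead of the `ls` permission string. It converts the symbolic mode from `ls -ldAn` (setuid/setgid/sticky included) into the same octal form `stat %a` prints; the function names and the sample `ls` line are my own constructed assumptions.

```shell
#!/bin/sh
# Added example; not part of the original post or of OSSEC's agentless
# scripts. Solaris has no GNU stat, so the size:mode:uid:gid fields are
# rebuilt from the `ls -ldAn` output that the remote host already provides.

# perm_to_octal SYMBOLIC_MODE  ->  octal mode in the form stat %a prints
#   "-rwxr-xr-x" -> 755   "-rwsr-xr-x" -> 4755   "drwxrwxrwt" -> 1777
perm_to_octal() {
    s=$1
    # drop the leading file-type character (-, d, l, ...) when present
    if [ "${#s}" -ge 10 ]; then s=${s#?}; fi
    special=0 mode='' i=0
    while [ "$i" -lt 3 ]; do
        triplet=$(printf '%.3s' "$s")   # user, then group, then other bits
        s=${s#???}
        v=0
        case $triplet in r??) v=$((v + 4)) ;; esac
        case $triplet in ?w?) v=$((v + 2)) ;; esac
        case $triplet in
            ??x) v=$((v + 1)) ;;
            ??s) v=$((v + 1)); special=$((special + (4 >> i))) ;;  # setuid/setgid + exec
            ??S) special=$((special + (4 >> i))) ;;                # setuid/setgid, no exec
            ??t) v=$((v + 1)); special=$((special + 1)) ;;         # sticky + exec
            ??T) special=$((special + 1)) ;;                       # sticky, no exec
        esac
        mode="$mode$v"
        i=$((i + 1))
    done
    if [ "$special" -eq 0 ]; then special=''; fi   # stat %a omits a zero prefix
    printf '%s%s\n' "$special" "$mode"
}

# fwd_fields "<one line of ls -ldAn output>"  ->  size:octalmode:uid:gid
# Fields: 1 mode, 3 uid, 4 gid, 5 size (-n gives numeric ids). Paths with
# spaces are not handled, matching the awk one-liner in the post.
fwd_fields() {
    set -- $1
    printf '%s:%s:%s:%s\n' "$5" "$(perm_to_octal "$1")" "$3" "$4"
}

# Constructed sample line in the shape `ls -ldAn` prints on Solaris;
# not real output captured from any system.
sample='-r-sr-sr-x 1 0 3 38016 Jan  5 12:00 /usr/bin/passwd'
echo "FWD: $(fwd_fields "$sample")"   # FWD: 38016:6555:0:3
```

The two functions can be defined inline in the remote command string of the expect `send`, replacing the `ls | awk` pipeline, so the server sees the same field layout for Solaris and Linux hosts.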