Re: [Nagios-users] OS Change Management Auditing using Nagios?
I am not using Nagios for that purpose, but rather Open-Audit. I believe there is a way to have changes in OA propagate to Nagios. Another tool you may want to look into is Tripwire; it generates exactly the logs based on changes that you were looking for. Then use the check_log plugin to monitor the Tripwire log file.

The biggest concern I would have with this type of tool is that monitoring OS changes is very labor-intensive. For me, to the point of impracticality. The problem is that the sheer volume of patches that come out on a regular basis makes it all but impossible to keep up with. You'd have to look at every single patch and find out which files it changes before you have a way of knowing whether a particular Tripwire alert is legitimate or not.

Ken Netzorg wrote:

Is anyone leveraging Nagios for notification of changes done to operating systems? I am looking to deploy a solution that monitors OS changes and generates alerts when a configuration or file change is made. Is anyone doing this type of thing through a Nagios plug-in? My goal would be to know when an OS is being changed and be able to correlate that to a scheduled change or a potential compromise of the OS that needs to be further investigated. (Something more holistic than basic log monitoring, unless there is a service that generates logs based on changes that will then be captured by a log review.) The monitoring would be done on both Windows and Linux platforms.

Thanks,
Ken

--
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About
Office: 866-642-7116
http://www.4nettech.com

This e-mail and attachments, if any, may contain confidential and/or proprietary information. Please be advised that the unauthorized use or disclosure of the information is strictly prohibited. The information herein is intended only for use by the intended recipient(s) named above. If you have received this transmission in error, please notify the sender immediately and permanently delete the e-mail and any copies, printouts or attachments thereof.

--
This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com
___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] OS Change Management Auditing using Nagios?
Thanks, Kevin. You do raise a valid point about knowing what is changing in the general updates vs. what is unauthorized, and knowing the difference. My, possibly naive, thought is that I could batch updates/patches and make the assumption that the changes are due to that process, but there is the chance that something changes in that period as well. If nothing else, changes at 2am or off hours would hopefully raise an alarm to be investigated.

I'll take a look at Tripwire in more depth (I glanced at it briefly and wasn't sure if it was too involved for what I was looking for or not) as well as Open-Audit.

Thanks.
Ken

On Wed, Apr 15, 2009 at 8:45 AM, Kevin Keane subscript...@kkeane.com wrote:
Re: [Nagios-users] OS Change Management Auditing using Nagios?
All that really depends on exactly how you are working. If you are manually applying the patches, and if you can take the machine offline for that period of time, your method will work. You'd simply have to tell Tripwire to update its database. That's not a huge deal.

I am using automatic updates wherever possible, so all the updates are expected to happen around 3AM. Since that is the default setting (at least in Windows), a hacker might well use the same window to sneak in his own changes.

You are right, Tripwire is involved. When you are trying to track some tens of thousands of files (the size of most operating systems today), that is hardly surprising.

Ken Netzorg wrote:
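An added example, not code from this thread and not from Tripwire, Open-Audit or the Nagios plugins: a small Python file-integrity check written in Nagios plugin style (exit 0/1/2 plus one status line, so it can be called through NRPE like any other check). It hashes a directory tree, diffs it against a stored baseline, and treats a change as "expected" only when the path is in a declared patch manifest and the check runs inside the patch window. Time alone never excuses a change, which is the point Kevin raises about an intruder using the 3AM update window. The sample tree, the manifest and the window are constructed inline and are hypothetical; the Nagios service definition that would run it is assumed and not shown.

```python
# Added example (not from the thread, nor from Tripwire, Open-Audit or the
# Nagios plugins): a file-integrity check that reports like a Nagios plugin.
import hashlib
import os
import tempfile
from datetime import datetime

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, permission bits, size) for regular files."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            result[rel] = (sha256_file(full), st.st_mode & 0o7777, st.st_size)
    return result


def diff(baseline, current):
    """Return {path: 'added' | 'removed' | 'modified'}."""
    changes = {}
    for p, entry in current.items():
        if p not in baseline:
            changes[p] = "added"
        elif baseline[p] != entry:
            changes[p] = "modified"
    for p in baseline:
        if p not in current:
            changes[p] = "removed"
    return changes


def in_patch_window(now, start, end):
    return start <= now <= end


def classify(changes, manifest, in_window):
    """Split changes into (expected, unexpected).
    Expected = path is in the declared patch manifest AND we are inside the
    patch window. Anything else is unexpected, even at 3AM."""
    expected, unexpected = {}, {}
    for path, kind in changes.items():
        if in_window and path in manifest:
            expected[path] = kind
        else:
            unexpected[path] = kind
    return expected, unexpected


def nagios_result(expected, unexpected):
    """Return (exit code, status line) in Nagios plugin format."""
    if unexpected:
        detail = ", ".join(f"{p} {k}" for p, k in sorted(unexpected.items()))
        return CRITICAL, f"CRITICAL: {len(unexpected)} unexpected change(s): {detail}"
    if expected:
        return WARNING, f"WARNING: {len(expected)} expected patch change(s); update the baseline"
    return OK, "OK: no changes since baseline"


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample tree: one declared patch plus two changes nobody scheduled."""
    with tempfile.TemporaryDirectory() as root:
        write(root, os.path.join("bin", "ls"), b"original ls binary")
        write(root, os.path.join("etc", "sshd_config"), b"PermitRootLogin no\n")
        baseline = snapshot(root)

        write(root, os.path.join("bin", "ls"), b"patched ls binary")  # declared by the patch
        write(root, os.path.join("etc", "sshd_config"), b"PermitRootLogin yes\n")  # not declared
        write(root, os.path.join("bin", "helper"), b"dropped during the window")  # not declared

        manifest = {os.path.join("bin", "ls")}  # hypothetical manifest for tonight's patch
        window = (datetime(2009, 4, 15, 3, 0), datetime(2009, 4, 15, 4, 0))
        now = datetime(2009, 4, 15, 3, 15)  # inside the window, like the intruder
        changes = diff(baseline, snapshot(root))
        expected, unexpected = classify(changes, manifest, in_patch_window(now, *window))
        return nagios_result(expected, unexpected)


if __name__ == "__main__":
    code, line = demo()
    print(line)
    raise SystemExit(code)
```

Run as-is it prints a CRITICAL line naming etc/sshd_config and bin/helper while bin/ls is accepted as the declared patch; a run with only manifest paths changed exits 1 so you are reminded to re-baseline, and a clean run exits 0. The manifest is the labor-intensive part Kevin describes: somebody still has to say which files each patch is allowed to touch.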