Re: [ossec-list] Silent mode for an agent during system updates?

2014-12-08 Thread Damian Gerow
On Mon, Dec 8, 2014 at 12:13 PM, Michael Starks <ossec-l...@michaelstarks.com> wrote: > With real-time checks enabled, it's a time-based security problem. Can the > agent send the hashes to the manager before the attacker can alter or stop > them? Yes: stop OSSEC, start your own agent. This is

Re: [ossec-list] Silent mode for an agent during system updates?

2014-12-08 Thread Michael Starks
On 2014-12-08 9:56, Damian Gerow wrote: On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) wrote: Possibly compromised systems shouldn't have control over a database they do not have control over. That's kind of the idea behind sending the hashes to the manager. It helps prevent shady behavior.

Re: [ossec-list] Silent mode for an agent during system updates?

2014-12-08 Thread Damian Gerow
On Mon, Dec 8, 2014 at 11:05 AM, dan (ddp) wrote: > >> >> Possibly compromised systems shouldn't have control over a database > >> >> they do not have control over. That's kind of the idea behind sending > >> >> the hashes to the manager. It helps prevent shady behavior. > >> > > >> > > >> > So,

Re: [ossec-list] Silent mode for an agent during system updates?

2014-12-08 Thread dan (ddp)
On Mon, Dec 8, 2014 at 10:56 AM, Damian Gerow wrote: > On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) wrote: >> >> >> Possibly compromised systems shouldn't have control over a database >> >> they do not have control over. That's kind of the idea behind sending >> >> the hashes to the manager. It hel

Re: [ossec-list] Silent mode for an agent during system updates?

2014-12-08 Thread Damian Gerow
On Mon, Dec 8, 2014 at 10:39 AM, dan (ddp) wrote: > >> Possibly compromised systems shouldn't have control over a database > >> they do not have control over. That's kind of the idea behind sending > >> the hashes to the manager. It helps prevent shady behavior. > > > > > > So, possibly compromis

Re: [ossec-list] Silent mode for an agent during system updates?

2014-12-08 Thread dan (ddp)
On Mon, Dec 8, 2014 at 10:34 AM, Damian Gerow wrote: > On Mon, Dec 8, 2014 at 8:01 AM, dan (ddp) wrote: >> >> Yes and no. It's kludgy, but you could have a package update trigger >> an active response on the manager to clear the database. It could be a >> security issue, handing over some control

Re: [ossec-list] Silent mode for an agent during system updates?

2014-12-08 Thread Damian Gerow
On Mon, Dec 8, 2014 at 8:01 AM, dan (ddp) wrote: > Yes and no. It's kludgy, but you could have a package update trigger > an active response on the manager to clear the database. It could be a > security issue, handing over some control of the database to the > agent, but it should be possible. >

Re: [ossec-list] Silent mode for an agent during system updates?

2014-12-08 Thread dan (ddp)
On Fri, Dec 5, 2014 at 5:35 PM, Christina Plummer wrote: > >> > Is there a way to silence an agent for a specific time, so it will not >> > generate events? During a system update, there shouldn't be any alarms >> > of >> >> You can clear the database, update the system, and then run a new scan. >
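
The "clear the database, update the system, then run a new scan" sequence from the reply above, as an added example that is not part of the thread or of the OSSEC project. It is meant to run on the OSSEC manager, which keeps the sequencing on the trusted side rather than letting the agent clear the manager's database (the concern raised later in the thread). It assumes a standard install under /var/ossec (OSSEC_DIR overrides it), a numeric agent id as listed by `agent_control -l`, and that the package update on the agent is reachable over ssh; the ssh target, the update command and the DRY_RUN switch are this example's own conventions.

```shell
#!/bin/sh
# Added example: resync an agent's syscheck baseline around a package update.
# Assumptions: run on the OSSEC manager; OSSEC installed under /var/ossec
# (override with OSSEC_DIR); the agent is reachable over ssh for the update.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 so the sequence can be
# reviewed (or tested) without touching the manager.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# update_with_resync AGENT_ID SSH_TARGET UPDATE_CMD
#   1. clear the agent's syscheck database on the manager
#      (syscheck_control -u <id>)
#   2. run the package update on the agent (hypothetical ssh target/command)
#   3. trigger a fresh integrity scan so the manager rebuilds its baseline
#      (agent_control -r -u <id>)
# Returns non-zero, without going further, if any step fails.
update_with_resync() {
    agent_id="$1"; ssh_target="$2"; update_cmd="$3"
    case "$agent_id" in
        ''|*[!0-9]*)
            echo "usage: update_with_resync <numeric agent id> <ssh target> <update cmd>" >&2
            return 2 ;;
    esac
    run "$OSSEC_DIR/bin/syscheck_control" -u "$agent_id" || return 1
    run ssh "$ssh_target" "$update_cmd" || return 1
    run "$OSSEC_DIR/bin/agent_control" -r -u "$agent_id"
}

# Example invocation (DRY_RUN=1 prints the three commands in order):
#   DRY_RUN=1 sh -c '. ./resync.sh; update_with_resync 002 agent2.example.com "apt-get -y upgrade"'
```

Because the manager drives all three steps, nothing on the agent gains the ability to wipe its own baseline, which is what the later replies in this thread warn against; a compromised agent during the update window is still a separate problem that this sequence does not address.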

Re: [ossec-list] Silent mode for an agent during system updates?

2014-12-05 Thread Christina Plummer
> Is there a way to silence an agent for a specific time, so it will not > > generate events? During a system update, there shouldn't be any alarms of > > You can clear the database, update the system, and then run a new scan. > I believe this has been asked

Re: [ossec-list] Silent mode for an agent during system updates?

2014-10-28 Thread dan (ddp)
On Tue, Oct 28, 2014 at 6:40 AM, SkarothNET wrote: > Hello. > > In my current OSSEC setup (one central OSSEC manager with 5 connected agents > running Linux) I configured Syscheck to check the directories /etc, /bin, > /sbin, /usr/bin, /usr/sbin for modification. > Furthermore the log file /var/log

[ossec-list] Silent mode for an agent during system updates?

2014-10-28 Thread SkarothNET
Hello. In my current OSSEC setup (one central OSSEC manager with 5 connected agents running Linux) I configured Syscheck to check the directories /etc, /bin, /sbin, /usr/bin, /usr/sbin for modification. Furthermore the log file /var/log/messages is checked by OSSEC. This setup works fine so far.