File Integrity Monitoring for ESXi 4.x, 5.x and 6.x


Jit Tank
Nov 3, 2016, 5:51:33 AM
to ossec-list
I note that OSSEC agent only supports VMWare ESX 3.0,3.5.

Is it possible to perform file integrity checks on VMware vSphere ESXi 4.x, 5.x and 6.x?

If possible, how is this completed? By agentless monitoring or by compiling new agent binaries that can reside on the ESXi 4.x, 5.x and 6.x platforms?


dan (ddp)
Nov 3, 2016, 8:45:45 AM
to ossec...@googlegroups.com
It looks like the ssh_integrity_check_linux agentless script should
work (but I haven't tried it).

>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Jit Tank
Nov 3, 2016, 11:58:15 AM
to ossec-list
Can anyone confirm the ssh_integrity_check_linux agentless script works on the ESXi 4.x, 5.x and 6.x platforms?

dan (ddp)
Nov 3, 2016, 12:07:44 PM
to ossec...@googlegroups.com
On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank <jit...@gmail.com> wrote:
> Can anyone confirm the ssh_integrity_check_linux agentless script works on
> the ESXi 4.x, 5.x and 6.x platforms?
>

If you have an ESXi box, you can.

Jit Tank
Nov 3, 2016, 12:22:49 PM
to ossec-list
This is the problem - all the ESXi servers are in a production environment and there is no chance of running/testing this script against these hosts (it's a case of "process" stopping "progress").

If there is some experience out there it would be appreciated ....

dan (ddp)
Nov 3, 2016, 12:24:28 PM
to ossec...@googlegroups.com
On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank <jit...@gmail.com> wrote:
>> Can anyone confirm the ssh_integrity_check_linux agentless script works on
>> the ESXi 4.x, 5.x and 6.x platforms?
>>
>
> If you have an ESXi box, you can.
>

After some quick testing, you have to modify ssh.exp adding:
"Password:" {
send "$pass\r"
source $sshloginsrc
}


I haven't figured out sshlogin.exp yet, but something there has to be
modified as well.

dan (ddp)
Nov 3, 2016, 12:31:36 PM
to ossec...@googlegroups.com
On Thu, Nov 3, 2016 at 12:24 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Nov 3, 2016 at 12:07 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Thu, Nov 3, 2016 at 11:58 AM, Jit Tank <jit...@gmail.com> wrote:
>>> Can anyone confirm the ssh_integrity_check_linux agentless script works on
>>> the ESXi 4.x, 5.x and 6.x platforms?
>>>
>>
>> If you have an ESXi box, you can.
>>
>
> After some quick testing, you have to modify ssh.exp adding:
> "Password:" {
> send "$pass\r"
> source $sshloginsrc
> }
>
>
> I haven't figured out sshlogin.exp yet, but something there has to be
> modified as well.
>

It gets farther when I add this, but I haven't verified if it's actually working:
"*" {
send_user "\nINFO: Started.\n"
}

I expect my lack of expect knowledge is to blame for my inability to
match the command prompt.

dan (ddp)
Nov 3, 2016, 12:44:56 PM
to ossec...@googlegroups.com
And trying it from the correct host this time...
The actual business line in ssh_integrity_check_linux.exp has to be modified.
send "echo \"INFO: Starting.\"; for i in `find $args 2>/dev/null`;do
tail \$i >/dev/null 2>&1 && md5=`md5sum \$i | cut -d \" \" -f 1` &&
sha1=`sha1sum \$i | cut -d \" \" -f 1` && echo FWD: `stat -c
\"%s:%a:%u:%g\" \$i`:\$md5:\$sha1 \$i; done; exit\r"

I haven't figured out what it needs to be yet, but I'm quickly eating
up my free time :-)
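Whatever form the send line finally takes on ESXi, the records it produces have a fixed shape, `FWD: <size>:<perms>:<uid>:<gid>:<md5>:<sha1> <path>`, with `INFO:` marker lines mixed in. As an added example (not code from this thread or from OSSEC), here is a parser for those lines plus a baseline-versus-current diff of the kind the server side has to do; the sample records are constructed, not captured from any host.

```python
"""Parse and diff FWD: records from the ssh_integrity_check_linux.exp send line.
Added example, not code from the thread or from OSSEC.  Record shape:
FWD: <size>:<perms>:<uid>:<gid>:<md5>:<sha1> <path>"""
from collections import namedtuple

FIELDS = ("size", "perms", "uid", "gid", "md5", "sha1")
Record = namedtuple("Record", FIELDS)  # perms is the octal string stat %a prints

def parse_fwd(lines):
    """Return {path: Record}; INFO: markers and login-banner noise are skipped."""
    records = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.startswith("FWD: "):
            continue
        # The path follows the first space after the metadata and may itself
        # contain spaces, so split exactly once.
        meta, _, path = line[5:].partition(" ")
        parts = meta.split(":")
        if len(parts) != 6 or not path:
            raise ValueError(f"malformed FWD record: {line!r}")
        records[path] = Record(int(parts[0]), parts[1], int(parts[2]),
                               int(parts[3]), parts[4], parts[5])
    return records

def diff_snapshots(baseline, current):
    """Return (added, removed, changed); changed maps path -> differing fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        a, b = baseline[path], current[path]
        diffs = [f for f in FIELDS if getattr(a, f) != getattr(b, f)]
        if diffs:
            changed[path] = diffs
    return added, removed, changed

# Constructed sample output (hashes and paths invented, not captured from a host).
BASELINE = """INFO: Starting.
FWD: 1337:644:0:0:5d41402abc4b2a76b9719d911017c592:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d /etc/passwd
FWD: 512:600:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 /etc/shadow
FWD: 99:644:0:0:b1946ac92492d2347c6235b4d2611184:f572d396fae9206628714fb2ce00f72e94f2258f /etc/hosts
FWD: 7:644:0:0:c4ca4238a0b923820dcc509a6f75849b:356a192b7913b04c54574d18c28d46e6395428ab /tmp/with space.txt
"""
CURRENT = """INFO: Starting.
FWD: 1400:644:0:0:098f6bcd4621d373cade4e832627b4f6:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 /etc/passwd
FWD: 512:644:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 /etc/shadow
FWD: 7:644:0:0:c4ca4238a0b923820dcc509a6f75849b:356a192b7913b04c54574d18c28d46e6395428ab /tmp/with space.txt
FWD: 20:755:0:0:e10adc3949ba59abbe56e057f20f883e:7c4a8d09ca3762af61e59520943dc26494f8941b /etc/rc.local.d/local.sh
"""
```

`diff_snapshots(parse_fwd(BASELINE.splitlines()), parse_fwd(CURRENT.splitlines()))` reports the added startup script, the removed hosts file, and which fields moved on the two modified entries.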

Jit Tank
Nov 3, 2016, 12:50:18 PM
to ossec...@googlegroups.com
Dan - thanks for your time ... which version of ESXi are you testing against?


dan (ddp)
Nov 3, 2016, 12:51:55 PM
to ossec...@googlegroups.com
I think the "--printf" in stat might be the only necessary change:

dan (ddp)
Nov 3, 2016, 12:52:30 PM
to ossec...@googlegroups.com
On Thu, Nov 3, 2016 at 12:50 PM, Jit Tank <jit...@gmail.com> wrote:
> Dan - thanks for your time ... which version of ESXi are you testing
> against?
>

5.5