Agent Keys -- Need to be Unique?


Bernard Golden

Dec 16, 2009, 8:48:48 AM
to ossec-list
I have a question regarding the keys the manager uses to encrypt
communication to/from the agent machines. Do the keys themselves need
to be unique, or would it be possible to have the manager use a common
key to communicate with each of the agents?

Thus, the format of the client.keys file would be:

Agent ID Name IPAddress CommonKey

Would appreciate clarification on this.

The goal is to have the agents dynamically register their info
(perhaps by remotely editing the client.keys file and restarting the
server manager to re-read the file and begin monitoring the new agent
in addition to any already-existing agents).

Many thanks.

dan (ddp)

Dec 16, 2009, 9:44:32 AM
to ossec...@googlegroups.com
The keys should be unique. If they are not, the data for multiple
systems will be mixed together making reporting and remediation
difficult. If all of the alerts come from a common key it would be
difficult to determine which host actually sent the event.
dan

Bernard Golden

Dec 16, 2009, 5:16:45 PM
to ossec-list
Our issue is that the clients are not persistent, so they need to be able
to register automatically and get talking to the server. Given that
the keys need to be unique, I have a couple of other thoughts:

Can the agent creation program (manage_agents) on the server be
automated so that we could remotely kick it off with a set of command
line variables (agent number and ip address) and have it update the
client.keys file, which we could then copy to the agent host?

Is it critical that the key creation functionality be part of the
manage_agents program, or could we use another program to create the
key and add an agent number, ip address, and our self-generated key
into the client.keys file, which we could then copy to the agent host?

Many thanks.

On Dec 16, 6:44 am, "dan (ddp)" <ddp...@gmail.com> wrote:
> The keys should be unique. If they are not, the data for multiple
> systems will be mixed together making reporting and remediation
> difficult. If all of the alerts come from a common key it would be
> difficult to determine which host actually sent the event.
> dan

Dave S

Dec 18, 2009, 9:24:39 AM
to ossec-list
Can you clarify what you mean by "not persistent"?

If you mean they are dynamically addressed, I've already had a brief
discussion on this topic here:
http://groups.google.com/group/ossec-list/browse_thread/thread/0f761c77e89600a9/fe51117368a8f816

If you mean they are a bunch of "guest" PCs that come and go randomly,
the problem would be getting the agent installed on them.
But once that was done, then you have to decide if you want the data
collected from them to be differentiated or not.
If you install the same key on all the machines using a netmasked
address, they will all look like one client to the server. (Correct
me if I'm wrong here, dcid.)
Maybe this matters to you, maybe not.
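
An added example, not part of the thread or of OSSEC itself: a small Python audit that reads a file in the `ID Name IPAddress Key` layout described above and reports agents that share a key, reuse an ID, or are bound to a netmasked address. The sample entries are constructed and the function names are hypothetical; the report lists agent names only and never prints key material.

```python
from collections import defaultdict

# Constructed sample in the "ID Name IPAddress Key" layout from the thread.
# All names, addresses and keys below are made up for illustration.
SAMPLE_KEYS = """\
001 web01 10.0.0.11 a1b2c3d4e5f60718293a4b5c6d7e8f90
002 web02 10.0.0.12 0f1e2d3c4b5a69788796a5b4c3d2e1f0
003 batch-a 10.0.1.0/24 77aa77aa77aa77aa77aa77aa77aa77aa
004 batch-b 10.0.1.0/24 77aa77aa77aa77aa77aa77aa77aa77aa
002 web02-old 10.0.0.99 deadbeefdeadbeefdeadbeefdeadbeef
005 orphan-entry
"""

def parse_client_keys(text):
    """Return (entries, malformed_line_numbers) for a client.keys-style text."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) != 4:
            malformed.append(lineno)  # wrong field count: do not guess
            continue
        entry = dict(zip(("id", "name", "ip", "key"), fields))
        entry["line"] = lineno
        entries.append(entry)
    return entries, malformed

def audit(entries):
    """Group agents by key and by ID and report anything that is shared."""
    by_key, by_id = defaultdict(list), defaultdict(list)
    for e in entries:
        by_key[e["key"]].append(e["name"])
        by_id[e["id"]].append(e["name"])
    return {
        # Agents sharing one key cannot be told apart in alerts.
        "shared_keys": sorted(n for n in by_key.values() if len(n) > 1),
        "duplicate_ids": {i: n for i, n in by_id.items() if len(n) > 1},
        # A netmasked address lets several hosts present as one agent.
        "netmasked": [e["name"] for e in entries if "/" in e["ip"]],
    }

if __name__ == "__main__":
    entries, malformed = parse_client_keys(SAMPLE_KEYS)
    report = audit(entries)
    for names in report["shared_keys"]:
        print("shared key:", ", ".join(names))
    for agent_id, names in report["duplicate_ids"].items():
        print(f"duplicate ID {agent_id}:", ", ".join(names))
    print("netmasked entries:", ", ".join(report["netmasked"]) or "none")
    print("malformed lines:", malformed or "none")
```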
