ossec group, user accounts change, redundancy


macker

Jun 28, 2009, 1:09:53 AM
to ossec...@googlegroups.com
Hey folks,

I'm new to the list, I'm macker. Forgive me if these questions have been asked already, as I didn't see them after going through previous messages. I have also read an ossec book which was great, and still couldn't find the answer.

I am rolling out ossec to a segment of my network (about 55 servers).  These are split between east/west coast and are redundant locations.

1) user accounts: ossec requires 3 separate user accounts and 1 group account. Due to my internal linux patch management system, it would be preferable not to need 3 separate user accounts. Is there a way to have it run as 1 user account, or is that lowering the security/segregation of duty, etc?

2) Is it possible to have redundant ossec central servers set up? Not sure how that would work since you would be sending logs to two separate locations. Also, if I were to move my one management station/central ossecd to the other coast, could I just copy the text file w/ the agent keys on it over, or are those keys based off some type of salt/encryption built specifically for the ossecd box?

3) Anyone have success/horror stories I should be aware about with this amount of servers? Perhaps helpful advice, lessons learned.

Thanks,
- macker

cryogen

Jul 2, 2009, 11:38:06 AM
to ossec...@googlegroups.com
Greetings:

Well, I don't know about your first question, but I asked something
similar to your second question a while back. You can specify
multiple ossec servers in your client config. If you do so, the
agents communicate with them in the order you specify. If the first
server goes down, the agent will communicate with the second server.
If the second server goes down, the agents will switch to the third
server and so on. That is:
<client>
  <server-ip>10.11.12.1</server-ip>
  <server-ip>10.11.12.2</server-ip>
  <server-ip>10.11.12.3</server-ip>
</client>

For the server end, since 1.6 ossec has supported multiple servers.
See:
http://www.ossec.net/main/manual/manual-muti-server-architecture

--cryogen
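An added example, not code from cryogen or the OSSEC project, that reads an agent's ossec.conf and reports the manager failover order from the `<client>` block above, flagging the misconfigurations that quietly defeat redundancy (a single manager, a duplicated entry, an unparsable address). Wrapping the file in a throwaway root element is an assumption made here so that configs with several top-level `<ossec_config>` blocks still parse.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample agent config using the three addresses from the thread;
# not taken from any real deployment.
SAMPLE_AGENT_CONF = """<ossec_config>
  <client>
    <server-ip>10.11.12.1</server-ip>
    <server-ip>10.11.12.2</server-ip>
    <server-ip>10.11.12.3</server-ip>
  </client>
</ossec_config>
"""


def failover_order(conf_xml):
    """Return the <server-ip> entries in file order: the order the agent tries them."""
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # a single well-formed XML document, so wrap everything in one root first.
    root = ET.fromstring("<root>%s</root>" % conf_xml)
    return [(node.text or "").strip() for node in root.findall(".//client/server-ip")]


def validate(conf_xml):
    """Return a list of problems with the agent's manager list (empty list = OK)."""
    problems = []
    order = failover_order(conf_xml)
    if not order:
        problems.append("no <server-ip> entries: agent has no manager to report to")
    seen = set()
    for entry in order:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append("invalid server-ip: %r" % entry)
            continue
        if entry in seen:
            # A repeated address wastes a failover slot without adding a backup.
            problems.append("duplicate server-ip: %s" % entry)
        seen.add(entry)
    if len(seen) == 1:
        problems.append("single manager configured: no failover")
    return problems


if __name__ == "__main__":
    for rank, ip in enumerate(failover_order(SAMPLE_AGENT_CONF), 1):
        print("%d. %s" % (rank, ip))
    print("problems:", validate(SAMPLE_AGENT_CONF) or "none")
```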

Michael Starks

Jul 2, 2009, 12:42:26 PM
to ossec...@googlegroups.com
macker wrote:
> Hey folks,
>
> I'm new to the list, I'm macker.

Hello, Macker. Welcome to the list. You'll find this to be a friendly place.

> 1) user accounts: ossec requires 3 separate user accounts and 1 group
> account. Due to my internal linux patch management system, it would be
> preferable not to need 3 separate user accounts. Is there a way to have
> it run as 1 user account, or is that lowering the security/segregation
> of duty, etc?

It may be possible, but it's not recommended. OSSEC does this as a
matter of proper privilege separation between the daemons. This reduces
the chance of a remote exploit leading to a full compromise. It is
designed to be secure by default and any changes would have to be
weighed very carefully.

> 3) Anyone have success/horror stories I should be aware about with this
> amount of servers? Perhaps helpful advice, lessons learned.

This amount of servers is no problem for OSSEC. It can handle a load
like this with very minimal hardware. My advice would be to implement
with a slow, methodical approach. Tune as you go. You don't want to be
bombarded with alerts and start to mentally tune them out.
