Questions about OSSEC deployment

kaplan71 · 12-12-2014, 11:12 AM

Hello --

I am planning on deploying OSSEC in our environment. Due to the limited availability of hardware, my plan is to deploy the software on the system that is to be monitored rather than having a separate system for the server, and installing the agent on the target system. I had several questions concerning this:

1. Can this type of deployment be implemented?
2. If the server software is already present on the target system, does the agent also need to be installed?

Thanks.

unSpawn · 12-14-2014, 02:10 AM

Quote:

Originally Posted by kaplan71

Can this type of deployment be implemented?

Yes. However you should note that there are valid reasons for keeping agents separate from the central management server. It is the place where integrity databases and audit trails reside. They are stored, collected and processed there so having the machine perform any unrelated functions means opening potentially it up for unauthorized access, potentially affecting integrity and potentially adding performance drains. Or in short, think: eggs, basket.

Quote:

Originally Posted by kaplan71

If the server software is already present on the target system, does the agent also need to be installed?

I assert you haven't read the OSSEC documentation completely. Please do so.

sudowtf · 12-15-2014, 11:28 AM

Quote:

Originally Posted by kaplan71

[...]Due to the limited availability of hardware[...]

Sounds like a good opportunity to play with Virtual Machines.