OS Change Management Auditing using Nagios?

[Kevin Keane]

All that really depends on exactly how you are working. If you are 
manually applying the patches, and if you can take the machine offline 
for that period of time, your method will work. You'd simply have to 
tell tripwire to update its database. That's not a huge deal.

I am using automatic updates wherever possible, so all the updates are 
expected to happen around 3AM. Since that is the default setting (at 
least in Windows), a hacker might well use the same window to sneak in 
his own changes.

You are right - Tripwire is involved. When you are trying to track some 
tens of thousands of files (the size of most operating systems today) 
that is hardly surprising.

Ken Netzorg wrote:
> Thanks, Kevin.
>
> You do raise a valid point about knowing what is changing in the 
> general updates vs what is un-authorized and knowing the difference. 
> My, possibly naive, thought is that I could batch updates/patches and 
> make the assumption the changes are due to that process, but there is 
> that chance something changes in that period as well..... If nothing 
> else, changes at 2am or off hours would hopefully raise an alarm to be 
> investigated.
>
> I'll take a look at Tripwire in more depth (I glanced at it briefly 
> and wasn't sure if it was too involved for what I was looking for or 
> not) as well as open-audit.
>
> Thanks.
> Ken
>
> On Wed, Apr 15, 2009 at 8:45 AM, Kevin Keane <subscription at kkeane.com 
> <mailto:subscription at kkeane.com>> wrote:
>
>     I am not using Nagios for that purpose, but rather Open-Audit. I
>     believe
>     there is a way to have changes in OA propagate to Nagios.
>
>     Another tool you may want to look into is tripwire; it generates
>     exactly
>     the logs based on changes that you were looking for. Then use the
>     check_log plugin to monitor the tripwire log file.
>
>     The biggest concern with this type of tool that I would have is that
>     monitoring OS changes is very labor-intensive. For me, to the point of
>     impracticality. The problem is the sheer volume of patches that
>     come out
>     on a regular basis makes it all but impossible to keep up with. You'd
>     have to look at every single patch and find out which files it changes
>     before you have a way of knowing whether a particular tripwire
>     alert is
>     legitimate or not.
>
>     Ken Netzorg wrote:
>     > Is anyone leveraging Nagios for notification of changes done to
>     > operating systems?
>     >
>     > I am looking to deploy a solution that monitors OS changes and
>     > generates alerts when a configuration or file change is made. Is
>     > anyone doing this type of thing through a Nagios plug-in? My goal
>     > would be to know when an OS is being changed and be able to
>     correlate
>     > that to a scheduled change or potential compromise of the OS that
>     > needs to be further investigated. (Something more holistic than
>     basic
>     > log monitoring unless there is a service that generates logs
>     based on
>     > changes that will then be captured by a log review.)
>     >
>     > The monitoring would be done on both Windows and Linux platforms.
>     >
>     > Thanks,
>     > Ken
>
>     --
>     Kevin Keane
>     Owner
>     The NetTech
>     Find the Uncommon: Expert Solutions for a Network You Never Have
>     to Think About
>
>     Office: 866-642-7116
>     http://www.4nettech.com
>
>     This e-mail and attachments, if any, may contain confidential
>     and/or proprietary information. Please be advised that the
>     unauthorized use or disclosure of the information is strictly
>     prohibited. The information herein is intended only for use by the
>     intended recipient(s) named above. If you have received this
>     transmission in error, please notify the sender immediately and
>     permanently delete the e-mail and any copies, printouts or
>     attachments thereof.
>
>
>     ------------------------------------------------------------------------------
>     This SF.net email is sponsored by:
>     High Quality Requirements in a Collaborative Environment.
>     Download a free trial of Rational Requirements Composer Now!
>     http://p.sf.net/sfu/www-ibm-com
>     _______________________________________________
>     Nagios-users mailing list
>     Nagios-users at lists.sourceforge.net
>     <mailto:Nagios-users at lists.sourceforge.net>
>     https://lists.sourceforge.net/lists/listinfo/nagios-users
>     ::: Please include Nagios version, plugin version (-v) and OS when
>     reporting any issue.
>     ::: Messages without supporting info will risk being sent to /dev/null
>
>


-- 
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About

Office: 866-642-7116
http://www.4nettech.com

This e-mail and attachments, if any, may contain confidential and/or proprietary information. Please be advised that the unauthorized use or disclosure of the information is strictly prohibited. The information herein is intended only for use by the intended recipient(s) named above. If you have received this transmission in error, please notify the sender immediately and permanently delete the e-mail and any copies, printouts or attachments thereof.


------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null