<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-CA link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>We use AIDE for some systems here; it’s
included with recent Red Hat distributions (and possibly others) and can be
compiled for pretty much any other *nix platform. My ISO is quite keen on it.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Cheers<o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 color=navy face="Times New Roman"><span
style='font-size:12.0pt;color:navy'> </span></font><o:p></o:p></p>
</div>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span lang=EN-US
style='font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
size=2 face=Tahoma><span lang=EN-US style='font-size:10.0pt;font-family:Tahoma'>
Ken Netzorg [mailto:knetzorg@gmail.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> April 15, 2009 09:17<br>
<b><span style='font-weight:bold'>To:</span></b> nagios-users@lists.sourceforge.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Nagios-users] OS
Change Management Auditing using Nagios?</span></font><span lang=EN-US><o:p></o:p></span></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Thanks, Kevin.<o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>You do raise a valid point about knowing what is changing in the
general updates vs what is unauthorized and knowing the difference. My,
possibly naive, thought is that I could batch updates/patches and make the
assumption the changes are due to that process, but there is that chance
something changes in that period as well... If nothing else, changes at 2am
or off hours would hopefully raise an alarm to be investigated.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I'll take a look at Tripwire in more depth (I glanced at it briefly and
wasn't sure if it was too involved for what I was looking for or not) as well
as Open-Audit.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
Thanks.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Ken<o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Wed, Apr 15, 2009 at 8:45 AM, Kevin Keane &lt;<a
href="mailto:subscription@kkeane.com">subscription@kkeane.com</a>&gt; wrote:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I am not using Nagios for that purpose, but rather Open-Audit. I
believe<br>
there is a way to have changes in OA propagate to Nagios.<br>
<br>
Another tool you may want to look into is Tripwire; it generates exactly<br>
the logs based on changes that you were looking for. Then use the<br>
check_log plugin to monitor the Tripwire log file.<br>
<br>
The biggest concern with this type of tool that I would have is that<br>
monitoring OS changes is very labor-intensive. For me, to the point of<br>
impracticality. The problem is the sheer volume of patches that come out<br>
on a regular basis makes it all but impossible to keep up with. You'd<br>
have to look at every single patch and find out which files it changes<br>
before you have a way of knowing whether a particular Tripwire alert is<br>
legitimate or not.<o:p></o:p></span></font></p>
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'><br>
Ken Netzorg wrote:<br>
> Is anyone leveraging Nagios for notification of changes done to<br>
> operating systems?<br>
><br>
> I am looking to deploy a solution that monitors OS changes and<br>
> generates alerts when a configuration or file change is made. Is<br>
> anyone doing this type of thing through a Nagios plug-in? My goal<br>
> would be to know when an OS is being changed and be able to correlate<br>
> that to a scheduled change or potential compromise of the OS that<br>
> needs to be further investigated. (Something more holistic than basic<br>
> log monitoring unless there is a service that generates logs based on<br>
> changes that will then be captured by a log review.)<br>
><br>
> The monitoring would be done on both Windows and Linux platforms.<br>
><br>
> Thanks,<br>
> Ken<o:p></o:p></span></font></p>
</div>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>--<br>
Kevin Keane<br>
Owner<br>
The NetTech<br>
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About<br>
<br>
Office: 866-642-7116<br>
<a href="http://www.4nettech.com" target="_blank">http://www.4nettech.com</a><br>
<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</div>
</body>
</html>
<pre>