1

Being fairly new to both AIDE and OSSEC, I've been trying to find out if there are any potential conflicts in having them both installed on one host (CentOS 7.5). It seems like they could work as a multi-layered approach, but I haven't been able to find much about running them in tandem. And of course, would there be a difference in running OSSEC locally vs. as an agent on the machine with AIDE? Thanks.

jfran3

1 Answer

0

I have used AIDE in the past and it does only file integrity monitoring. It creates a database when you first install it, probably mapping hashes to the respective file names. This comes in handy when you want to see which files any malware/program changes.

That said, OSSEC is more of a superset. Read "AIDE only does file integrity checks. It does not check for rootkits or parse logfiles for suspicious activity, like some other HIDS (such as OSSEC) do." from this site

I don't see any issue with both of them running on the same system, but I don't see value in having both unless you find anything which proves OSSEC is prone to hash collisions.

To answer the second part of your question, the decision to deploy OSSEC in Manager/Agent mode or standalone mode depends on the requirement. If there are hundreds of hosts, you want centralized management where all the database is stored on the server side.

Krishna Pandey
  • Thanks for the input on the first part of the question. I should clarify on the second part, I was curious more about running both in host mode. I know you can use just the agent and have the server instance running elsewhere managing a large implementation. But would running host mode (just the local instance) work differently? The first part of your answer would seem to suggest not though. Thanks and I appreciate the thoughts. – jfran3 Aug 22 '18 at 10:49
  • @jfran3 Yes, there is no difference in terms of functionality, it's just different deployment design. – Krishna Pandey Aug 22 '18 at 11:05
  • Just to follow up... I understand the deployment design differences at the system level, but I think what I'm trying to get at (and I apologize if I wasn't clear) is whether at the host level the full local install of OSSEC would be more problematic with AIDE than a simple agent, while running in tandem. Thanks again for all your help. – jfran3 Aug 23 '18 at 01:47
  • Not to mention AIDE is light in memory because it is a file monitoring system. – MaXi32 Jul 03 '20 at 04:39