General
-
improve the web interface is a goal for ossec success
OSSEC's web interface could make OSSEC's power easy to understand for people out there looking for systems like this.
309 votes -
Decoder & Rules for auditd Logs
Auditd provides a *ton* of valuable audit logs for user and process accounting purposes. Adding an auditd decoder (and a corresponding set of rules) to OSSEC would be invaluable to the OSSEC project.
With this addition, OSSEC would be able to support much more granular rules. For example, alerts could be issued whenever X user(s) issue X command(s) at X time.
149 votes -
store *what* changed.
It would be extremely useful if, when OSSEC detected a change via a hash change in files, OSSEC would also record the actual, textual change that was made to the file (excluding binary files, I would imagine).
With this functionality in place, it would then be possible for the community to develop custom scripts/queries to diff previous versions to see what changes have been performed on systems over the past X time period.
92 votes -
Make use of the inotify equivalent in Free/Net/OpenBSD
Which is kqueue, for realtime monitoring.
67 votes -
Add support for knowing who made a change
Right now it is possible to know what changed, but without correlation it is difficult to say with a high degree of certainty who made the change. It would be nice if OSSEC could tie users to changes.
63 votes -
debian package
Work with the debian developers to get ossec packaged for debian (and derivatives).
Ref bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361954
52 votes -
Allow full configuration of SMTP service in ossec.conf for SMTP auth including SMTP port
48 votes -
Implement the Agent table in Mysql
Currently it's there, it's just not being used.
31 votes -
Extend realtime checking to monitor new file creation
At the moment new files are reported only periodically. Extend realtime checking to monitor new file creation.
29 votes -
Errors at: os_lib_syscheck.php
Resolve the error messages that appear when trying to "Dump database" on "Integrity Checking":
Warning: arsort() expects parameter 1 to be array, null given in /var/www/monitorizacion.locolandia.net/ossec/lib/os_lib_syscheck.php on line 97
Warning: Invalid argument supplied for foreach() in /var/www/monitorizacion.locolandia.net/ossec/lib/os_lib_syscheck.php on line 98
23 votes -
Maintain a stable and new branch
Enterprises often need long release cycles between rollouts. On the other hand, they also need bug fixes. I suggest that a stable branch with only bug fixes be maintained for an extended period and a new branch be maintained with all of the new stuff. Perhaps this could be modeled after Ubuntu or something else that works well.
23 votes -
Customize syslog output format
Extend the syslog_output configuration to allow the output configuration.
- Field severity configurable depending on alert level
- format of message defined by user with ossec variables (rule ID, Location, ...)
20 votes -
Distribute decoders and rules separately from program code
Separating the decoders and rules from the main OSSEC distribution would enable more frequent updates and better community participation. See the Snort project and related programs like Oinkmaster / Pulled-Pork for how this might work.
19 votes -
allow using both "*" and "%Y" in the log <localfile> <location>
It could be interesting to use both glob and strftime in the localfile location in ossec.conf.
For example, it's currently impossible to use this kind of configuration:
/var/log/%Y/%m/%d/*/auth.log
Where * will represent servers delivering logs via syslog-ng!
18 votes -
Support for oracle audit trail
OSSEC lacks rules to generate alerts from Oracle audit trails. Oracle is a critical system in most datacentres and its security must be taken into account.
17 votes -
Make use of snmptrap for network device configuration change
I have been working on the Cisco configuration change audit. I find the idea of getting the configuration change by an snmptrap notification much more convenient and useful since it will only send the change (no need for diff) and it is also real-time.
16 votes -
Store the block list in a database
So it can be read by external applications, like a web interface or command line utilities.
16 votes -
fix helo smtp hostname (make it configurable)
Alert messages are rejected by my Postfix server:
450 4.7.1 <notify.ossec.net>: Helo command rejected: Host not found;
Because of security settings, it checks and refuses invalid hostnames.
It should be configurable to what the user wants, not notify.ossec.net.
15 votes