Here is some info on Windows Auditing: This may help in building rules to monitor. Also the Event IDs change based on OS Version (Vista+)

http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx

Events 560, 562, 563, 564, 567, and each of those adding 4096 for Vista+ are all relevant, and not currently within ossec rule sets. This depends on having Windows Auditing set to audit object access, which is difficult to make sure works according to plan, see this:

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

I know this info is Windows 7 and 2008 based, but the concepts are the same, Windows has evolved, and with Domain, Local and auditpol.exe access to Policy settings, that all have different refresh times and overrides, this can get clustered quickly. Net result is auditpol.exe /get /category:* is the best resource for actual up to the minute Audit Policy settings, but this will change if you have competing policies!

Scott Klauminzer
Director of Information Technology & Security

Sent from my iPad

On Nov 20, 2012, at 7:15 AM, "dan (ddp)" <ddp...@gmail.com> wrote:

> On Tue, Nov 20, 2012 at 9:59 AM, stones2125 <m...@mrshenk.com> wrote:
>> So how is OSSEC PCI compliant since the requirement is to identify the user
>> who made a change.
>>
>
> I didn't think products/projects were PCI compliant, I thought your
> processes and systems would have to be PCI compliant.
>
> You can identify who changed the files, if your OS supports auditing
> that information. You could probably write a rule to alert you when a
> change is made and by whom when that information is logged.
>
>> On Tuesday, November 20, 2012 9:51:50 AM UTC-5, stones2125 wrote:
>>>
>>> I am new to OSSEC and have been trying to figure out how to do the
>>> following...if possible.
>>>
>>> - When a file changes on a Windows server, how do I see the username of
>>> the person who changed it.
>>> - How do I see the actual changes (lines of text)
>>>
>>> I get the alert that shows the file checksum changed, but need more info.
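As an added example (not code from this thread or from OSSEC), the filter below maps the legacy object-access event IDs named above to their Vista+ counterparts (+4096) and pulls the user, object name and requested access out of OSSEC-style WinEvtLog lines, which is the "who changed the file" information the original question asks for. The line layout is an assumption approximating OSSEC's Windows event log format, and the sample lines are constructed for illustration.

```python
import re

# Legacy (pre-Vista) object-access event IDs from the thread; Vista+ logs the
# same events renumbered by +4096 (560 -> 4656, 567 -> 4663, and so on).
LEGACY_OBJECT_ACCESS = {560: "handle requested", 562: "handle closed",
                        563: "handle requested with intent to delete",
                        564: "object deleted", 567: "object access attempt"}
OBJECT_ACCESS_IDS = dict(LEGACY_OBJECT_ACCESS)
OBJECT_ACCESS_IDS.update({k + 4096: v for k, v in LEGACY_OBJECT_ACCESS.items()})

# Assumed line layout: OSSEC's "WinEvtLog: Security: RESULT(ID):" prefix, then the
# flattened event text. Legacy events label the user "Primary User Name"; Vista+
# events label it "Account Name" (under Subject). Both spellings are accepted.
HEADER_RE = re.compile(r"WinEvtLog: Security: (?P<result>AUDIT_\w+)\((?P<eid>\d+)\)")
FIELD_RES = {
    "user": re.compile(r"(?:Account Name|Primary User Name):\s+(\S+)"),
    "object": re.compile(r"Object Name:\s+(.+?)\s+Handle ID:"),
    "accesses": re.compile(r"Accesses:\s+(.+?)\s+Access Mask:"),
}

def parse_object_access(line):
    """Return who/what fields for an object-access audit event, else None."""
    m = HEADER_RE.search(line)
    if not m or int(m.group("eid")) not in OBJECT_ACCESS_IDS:
        return None
    eid = int(m.group("eid"))
    rec = {"event_id": eid, "event": OBJECT_ACCESS_IDS[eid], "result": m.group("result")}
    for name, rx in FIELD_RES.items():   # missing fields stay None rather than raising
        f = rx.search(line)
        rec[name] = f.group(1).strip() if f else None
    return rec

def object_access_events(lines):
    """Filter a batch of log lines down to parsed object-access records."""
    return [r for r in map(parse_object_access, lines) if r]

# Constructed sample lines (not real logs): a Vista+ 4663 write to a config file,
# a legacy-format 560 open, and a 4624 logon that the filter must ignore.
SAMPLE_LINES = [
    "2012 Nov 20 09:59:01 WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-"
    "Security-Auditing: (no user): no domain: FILESRV01: An attempt was made to access "
    "an object. Subject: Account Name: jdoe Account Domain: CORP Object: Object Type: "
    "File Object Name: C:\\inetpub\\wwwroot\\web.config Handle ID: 0x1a4 Access Request "
    "Information: Accesses: WriteData (or AddFile) Access Mask: 0x2",
    "2012 Nov 20 10:02:14 WinEvtLog: Security: AUDIT_SUCCESS(560): Security: (no user): "
    "no domain: OLDSRV: Object Open: Object Type: File Object Name: C:\\Windows\\System32"
    "\\drivers\\etc\\hosts Handle ID: 812 Primary User Name: SYSTEM Primary Domain: NT "
    "AUTHORITY Accesses: WriteData (or AddFile) Access Mask: 0x2",
    "2012 Nov 20 10:05:00 WinEvtLog: Security: AUDIT_SUCCESS(4624): ... Account Name: svc",
]
```

Records only appear when the File System object-access subcategory is actually enabled on the host, which is what the auditpol.exe /get /category:* check above confirms.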