Re: [ossec-list] Re: Want to see name of user who changed a file

2012-11-21 Thread ash kumar
While that was probably a tongue-in-cheek response, it is worth exploring. Would you then turn on auditd file watching for all files under /etc and then some depending on where applications are installed? How would you do that? Enumerate each file individually aka auditctl -w /etc/passwd -p
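As an added illustration (this is not code from the thread or from the OSSEC project), the following shows what the auditd route actually yields. A single directory watch such as `auditctl -w /etc -p wa -k etc_changes` covers every file under /etc without enumerating them, and each resulting event carries both `auid` (the login uid, which survives `su`/`sudo`) and `uid` (the effective uid at the time of the write). In practice `ausearch -k etc_changes -i` does this correlation for you; the script below reproduces it over a constructed sample so the fields involved are visible. The audit records, the /etc/passwd excerpt, the users and the key name are all made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample of Linux audit records in the format auditd writes to
# /var/log/audit/audit.log once a watch such as
#     auditctl -w /etc -p wa -k etc_changes
# is loaded. PIDs, inodes, times and users are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1353427920.101:2001): arch=c000003e syscall=2 success=yes exit=3 a0=7fffa1b2c3d4 a1=241 a2=1b6 a3=0 items=2 ppid=4101 pid=4102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="vi" exe="/usr/bin/vi" key="etc_changes"
type=CWD msg=audit(1353427920.101:2001):  cwd="/root"
type=PATH msg=audit(1353427920.101:2001): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1353427920.101:2001): item=1 name="/etc/passwd" inode=131222 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1353428040.555:2002): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb3c4d5e6 a1=241 a2=1b6 a3=0 items=1 ppid=4200 pid=4201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=8 comm="sed" exe="/bin/sed" key="etc_changes"
type=CWD msg=audit(1353428040.555:2002):  cwd="/home/bob"
type=PATH msg=audit(1353428040.555:2002): item=0 name="/etc/hosts" inode=131300 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1353428400.000:2003): arch=c000003e syscall=2 success=yes exit=4 a0=7fffc4d5e6f7 a1=241 a2=1b6 a3=0 items=2 ppid=1 pid=5000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/sh" key="etc_changes"
type=CWD msg=audit(1353428400.000:2003):  cwd="/"
type=PATH msg=audit(1353428400.000:2003): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1353428400.000:2003): item=1 name="/etc/motd" inode=131400 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# Constructed /etc/passwd excerpt used to turn numeric ids into names.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

AUID_UNSET = "4294967295"  # kernel value for "no login session" (cron, daemons)

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def load_passwd(text):
    """Map uid (as a string) to user name from /etc/passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid = line.split(":")[:3]
            users[uid] = name
    return users


def parse_record(line):
    """Split one audit record into its key=value fields plus time and serial."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    m = MSG_RE.search(line)
    fields["_time"], fields["_serial"] = float(m.group(1)), m.group(2)
    return fields


def who_changed(log_text, passwd, key="etc_changes"):
    """Correlate SYSCALL and PATH records that share a serial; report per event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    report = []
    for serial in sorted(events, key=int):
        recs = events[serial]
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        # PATH items whose mode is not a directory (04xxxx) are the files touched.
        files = [r["name"] for r in recs
                 if r["type"] == "PATH" and not r.get("mode", "").startswith("04")]
        auid, uid = sc["auid"], sc["uid"]
        report.append({
            "serial": serial,
            "time": sc["_time"],
            "files": files,
            # auid is the login uid and survives su/sudo; uid is who the process ran as.
            "login_user": "(no login session)" if auid == AUID_UNSET else passwd.get(auid, auid),
            "acting_user": passwd.get(uid, uid),
            "exe": sc.get("exe"),
            "succeeded": sc.get("success") == "yes",
        })
    return report


def format_report(report):
    """One human-readable line per event."""
    lines = []
    for e in report:
        verb = "changed" if e["succeeded"] else "FAILED to change"
        lines.append(f"{e['login_user']} (acting as {e['acting_user']}) {verb} "
                     f"{', '.join(e['files'])} via {e['exe']} [event {e['serial']}]")
    return lines


if __name__ == "__main__":
    for line in format_report(who_changed(SAMPLE_AUDIT_LOG, load_passwd(SAMPLE_PASSWD))):
        print(line)
```

Two caveats the sample is built to show: the first event was written by root, but `auid` still names the person who logged in, which is the answer to the thread's question; the third event has `auid` unset, which is what you get for cron jobs, daemons and anything not started from a login session, so a rule that only keys on `auid` will not name anyone there. Failed attempts (`success=no`) are logged too and are worth reporting separately rather than dropping.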

[ossec-list] Re: Want to see name of user who changed a file

2012-11-20 Thread stones2125
So how is OSSEC PCI compliant since the requirement is to identify the user who made a change. On Tuesday, November 20, 2012 9:51:50 AM UTC-5, stones2125 wrote: I am new to OSSEC and have been trying to figure out how to do the following...if possible. - When a file changes on a Windows

Re: [ossec-list] Re: Want to see name of user who changed a file

2012-11-20 Thread dan (ddp)
On Tue, Nov 20, 2012 at 9:59 AM, stones2125 m...@mrshenk.com wrote: So how is OSSEC PCI compliant since the requirement is to identify the user who made a change. I didn't think products/projects were PCI compliant, I thought your processes and systems would have to be PCI compliant. You can

Re: [ossec-list] Re: Want to see name of user who changed a file

2012-11-20 Thread sklaumin...@gmail.com
Here is some info on Windows Auditing: This may help in building rules to monitor. Also the Event IDs change based on OS Version (Vista+) http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx Events 560, 562, 563, 564, 567, and each of those adding 4096 for Vista+ are all relevant,

[ossec-list] Re: Want to see name of user who changed a file

2012-11-20 Thread Gene Allen
You can try to use Windows Auditing like Scott suggests, but it's a mess and usually results in gobs of noise in the security log. My company sells a file auditing product for Windows (and PCI) and if this is a short-term problem, you might be able to get away with just using the trial. You

Re: [ossec-list] Re: Want to see name of user who changed a file

2012-11-20 Thread Morgan Cox
Perhaps you should migrate to Linux?