On Aug 9, 11:41 pm, Jeff Schroeder wrote:
> > Does ossec-hids allow for any signing of its integrity database, or is
> > this planned in the near future?
> http://www.ossec.net/dcid/?p=74 Yes

As far as I can tell that only signs/checksums the *logs*, not the database containing system file properties. So if you've already set up email alerting for messages from syscheck this doesn't gain you much more (unless the email fails to reach you)...

In fact, looking in /var/ossec I can't see anywhere where syscheck does store the data it collects about system files. Am I missing something, or is this data only kept in memory?

If so, I suppose this prevents an intruder from altering it to hide a modification to system files, but on the downside, if the intruder shuts down ossec to prevent the modification being noticed, then all the admin is left with is an email alert warning that ossec was shut down and no means to test the integrity of the system files --- forcing a complete reinstall of all system files, rather than a selective reinstall of only the modified files.

Can anyone confirm/refute this?

Thanks,
J Bromley

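As an added illustration of the point raised above (example code written for this page, not OSSEC's own syscheck code and not from anyone in the thread): a minimal file-property baseline that is written to disk and MAC-protected, so that an admin who holds the key somewhere other than the monitored host can later tell which files changed rather than reinstalling everything. HMAC-SHA256 stands in for a signature here, and the key, paths and sample files are constructed for the example; the only property of a real deployment this relies on is that the key and a copy of the signed baseline live off the host being checked.

```python
"""Tamper-evident file-integrity baseline: build, MAC-protect, verify, diff.

Added example. The key is assumed to be kept OFF the monitored host (or the
baseline signed with an asymmetric key whose private half never touches it);
otherwise an intruder with root can simply re-sign an altered database.
"""
import hashlib
import hmac
import json
import os
import stat


def file_record(path):
    """Properties an integrity checker typically tracks for one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(paths):
    """Map each path to its recorded properties (sorted for determinism)."""
    return {p: file_record(p) for p in sorted(paths)}


def canonical(db):
    """Deterministic encoding so the MAC is reproducible across runs."""
    return json.dumps(db, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(db, key):
    """Serialise the baseline together with an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, canonical(db), hashlib.sha256).hexdigest()
    return json.dumps({"db": db, "mac": tag}).encode()


def verify_baseline(blob, key):
    """Return the baseline dict if its MAC checks out, otherwise None."""
    wrapper = json.loads(blob)
    expected = hmac.new(key, canonical(wrapper["db"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["mac"]):
        return None          # database itself was altered or wrong key
    return wrapper["db"]


def diff_against(db, paths):
    """Compare the files on disk with a verified baseline.

    Returns {path: "added" | "deleted" | "modified:<fields>"}; an empty
    dict means nothing tracked has changed, so nothing needs reinstalling.
    """
    changes = {}
    for p in sorted(set(db) | set(paths)):
        if p not in db:
            changes[p] = "added"
        elif not os.path.exists(p):
            changes[p] = "deleted"
        else:
            current = file_record(p)
            changed = [k for k in db[p] if db[p][k] != current[k]]
            if changed:
                changes[p] = "modified:" + ",".join(changed)
    return changes


if __name__ == "__main__":
    # Constructed demo: two throwaway files, a placeholder key.
    import tempfile

    workdir = tempfile.mkdtemp()
    a, b = os.path.join(workdir, "a"), os.path.join(workdir, "b")
    with open(a, "w") as fh:
        fh.write("alpha")
    with open(b, "w") as fh:
        fh.write("beta")
    key = b"k" * 32                      # assumption: stored off-host in reality
    blob = sign_baseline(build_baseline([a, b]), key)
    with open(a, "w") as fh:
        fh.write("ALPHA")                # same size, different content
    print(diff_against(verify_baseline(blob, key), [a, b]))
```

The baseline blob is what you would copy off the box (or to append-only media) right after building it; at incident time you verify it with the off-host key first, and only if that succeeds do you trust the per-file diff to decide what to reinstall.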