Hello. Our company is very interested in using OSSEC as part of our PCI compliance solution. There are obvious advantages in using open source software: economic and philosophic. OSSEC would give us most of what we need in keeping change control and providing, among other things, a host based intrusion detection system.
OSSEC overall is quite impressive, especially for a free and open source product. But it lacks a feature that we have seen in the proprietary competitors. As it stands right now, OSSEC gives you a way to tell if a file has changed using a hash system, but it does not give any way to tell what inside a file has changed. The proprietary models, Tripwire and Solidcore S3, both seem to have this functionality and we are curious if this sort of system could ever be implemented in OSSEC.

[Screenshot excluded because of Google Groups. You can find a good example at Solidcore's website for their S3 product.] Solidcore shows the kind of functionality that we are looking for. The user of this program has selected two files from a stored database of backups and done a diff using their web interface. This functionality would not only be across two files, but also between any two separate servers (checking config files to see if and how they differ between machines).

Is there a possibility that OSSEC could have this sort of functionality in the future? If you think that it is too much for OSSEC to handle, would have implementation issues, or if you think that there is a better way to get this feature from an open source program, then please say so. The question is fairly ambiguous on both the mailing list and the forums as to whether this sort of thing would ever be implemented in OSSEC, so any information would be appreciated.

Thank you,
Mykola Labach
Technical Services Group
Datalex (USA), Inc.
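As an added illustration (not part of this post, and not OSSEC's own code), the following Python sketch shows the gap the poster describes: a hash comparison can only report that a file changed, while keeping a stored copy lets the checker report which lines changed, and the same routine compares one config file across several hosts. The file contents and host names are constructed sample data.

```python
import difflib
import hashlib
from typing import Dict, Tuple

# Constructed sample snapshots (not real hosts): the stored copy of a config file
# taken at baseline time, and the same file as read now / as read on another host.
BASELINE_SSHD = "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
CURRENT_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n"


def sha256_hex(content: str) -> str:
    """Fingerprint a file body the way a hash-based integrity checker does."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def content_diff(label_a: str, body_a: str, label_b: str, body_b: str) -> str:
    """Unified diff between two copies of a file, labelled by origin (host or snapshot)."""
    lines = difflib.unified_diff(
        body_a.splitlines(), body_b.splitlines(),
        fromfile=label_a, tofile=label_b, lineterm="",
    )
    return "\n".join(lines)


def check_file(path: str, stored: str, current: str) -> Tuple[bool, str]:
    """Hash comparison first (what a hash-only checker reports); on a mismatch the
    stored copy lets us say which lines changed instead of only that the file changed."""
    if sha256_hex(stored) == sha256_hex(current):
        return False, ""
    return True, content_diff(f"baseline:{path}", stored, f"current:{path}", current)


def compare_hosts(path: str, hosts: Dict[str, str]) -> Dict[Tuple[str, str], str]:
    """Pairwise diff of the same config file as captured on several hosts;
    only pairs whose contents differ appear in the result."""
    names = sorted(hosts)
    out: Dict[Tuple[str, str], str] = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if hosts[a] != hosts[b]:
                out[(a, b)] = content_diff(f"{a}:{path}", hosts[a], f"{b}:{path}", hosts[b])
    return out


if __name__ == "__main__":
    changed, diff = check_file("/etc/ssh/sshd_config", BASELINE_SSHD, CURRENT_SSHD)
    print("changed:", changed)
    print(diff)
    for pair, d in compare_hosts("/etc/ssh/sshd_config",
                                 {"hostA": BASELINE_SSHD, "hostB": CURRENT_SSHD}).items():
        print(pair, d, sep="\n")
```

The stored copies hold full file contents, so in a real deployment the snapshot store needs the same access control as the monitored files themselves.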
