Here's a thought: you could write an active response script to have ossec write changed files to a subversion repository or similar. You could then use the realtime monitoring functionality and configure active response to have ossec trigger your script when something changes.
Note that I haven't tried doing this: it's just something for your consideration.

--cryogen

On Jul 6, 2009, at 7:27 AM, Mykola wrote:

> Hello.
>
> Our company is very interested in using OSSEC as part of our PCI compliance solution. There are obvious advantages in using open source software: economic and philosophic. OSSEC would give us most of what we need in keeping change control and providing, among other things, a host-based intrusion detection system.
>
> OSSEC overall is quite impressive, especially for a free and open source product. But it lacks a feature that we have seen in the proprietary competitors. As it stands right now, OSSEC gives you a way to tell if a file has changed using a hash system, but it does not give any way to tell what inside a file has changed. The proprietary models, Tripwire and Solidcore S3, both seem to have this functionality and we are curious if this sort of system could ever be implemented in OSSEC.
>
> [Screenshot excluded b/c of Google Groups. You can find a good example at Solidcore's website for their S3 product]
>
> Solidcore shows the kind of functionality that we are looking for. The user of this program has selected two files from a stored database of backups and done a diff using their web interface. This functionality would not only be across two files, but also between any two separate servers (checking config files to see if and how they differ between machines).
>
> Is there a possibility that OSSEC could have this sort of functionality in the future? If you think that it is too much for OSSEC to handle, would have implementation issues, or if you think that there is a better way to get this feature from an open source program, then please say so. The question is fairly ambiguous on both the mailing list and the forums as to whether this sort of thing would ever be implemented in OSSEC, so any information would be appreciated.
>
> Thank you,
>
> Mykola Labach
> Technical Services Group
> Datalex (USA), Inc.
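A sketch of the active-response approach cryogen suggests, added here as an example (it is not OSSEC's own code and not something from the thread). Instead of a Subversion checkout it keeps a numbered snapshot of every file syscheck reports as changed and writes a unified diff against the previous snapshot, which is the "what changed inside the file" view Mykola asks about. Assumptions, all labelled in the script: OSSEC invokes active-response scripts as `<action> <user> <srcip> <alert_id> <rule_id> <agent> <filename>`, and the `SNAPSHOT_ROOT` directory (default `/var/ossec/snapshots`, a made-up path) is writable by the user the response runs as.

```shell
#!/bin/sh
# Added example (not OSSEC's own code): an active-response handler that archives
# each changed file into a snapshot store and records a unified diff against the
# previous snapshot. Assumed argument layout from OSSEC:
#   <action> <user> <srcip> <alert_id> <rule_id> <agent> <filename>
# Assumed store location; override with the SNAPSHOT_ROOT environment variable.
SNAPSHOT_ROOT="${SNAPSHOT_ROOT:-/var/ossec/snapshots}"

# snapshot_dir <file>: directory inside the store that mirrors the file's path
snapshot_dir() {
    printf '%s/%s\n' "$SNAPSHOT_ROOT" "$(dirname "$1" | sed 's|^/||')"
}

# count_snapshots <store> <basename>: how many numbered snapshots already exist
count_snapshots() {
    # the glob only matches <name>.<digits>, never <name>.diff.N or <name>.latest
    ls "$1"/"$2".[0-9]* 2>/dev/null | wc -l
}

# archive_change <file>: copy <file> into the store as snapshot N and, when an
# earlier snapshot exists, write <name>.diff.N beside it. Prints N.
# Returns 1 if the file is gone (syscheck also reports deletions).
archive_change() {
    file="$1"
    [ -f "$file" ] || return 1
    store=$(snapshot_dir "$file")
    mkdir -p "$store"
    base=$(basename "$file")
    latest="$store/$base.latest"
    n=$(( $(count_snapshots "$store" "$base") + 1 ))
    snap="$store/$base.$n"
    if [ -f "$latest" ]; then
        # diff exits 1 when the files differ, which is the expected case here
        diff -u "$latest" "$file" > "$store/$base.diff.$n" || true
    fi
    cp -p "$file" "$snap"
    cp -p "$file" "$latest"
    echo "$n"
}

# last_diff <file>: path of the newest diff for <file>; prints nothing if the
# file has only been snapshotted once.
last_diff() {
    store=$(snapshot_dir "$1")
    base=$(basename "$1")
    n=$(count_snapshots "$store" "$base")
    if [ -f "$store/$base.diff.$n" ]; then
        echo "$store/$base.diff.$n"
    fi
    return 0
}

# Entry point when OSSEC calls the script (argument layout assumed as above).
# Guarded on the argument count so the functions can also be sourced on their own.
if [ "$#" -ge 7 ]; then
    case "$1" in
        add)    archive_change "$7" >/dev/null || echo "$(date) $7 not found" >&2 ;;
        delete) exit 0 ;;   # archival has nothing to undo
    esac
fi
```

Pair the script with a syscheck rule in active response configuration and with realtime monitoring enabled; with a store laid out like this, comparing the same config file across two agents is a plain `diff` of their `.latest` copies on the manager.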
