We're implementing PCI DSS and will have to monitor events like this for particular directories or files, so even though I'm not having this issue (yet) I'm very interested in a solution to this issue as well.
Chris Kolb
Manager of Information Security
GDSX, Ltd.
Phone: 972-612-7121
Fax: 972-612-7021

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rafael Gomes
Sent: Thursday, July 23, 2009 5:38 AM
To: [email protected]
Cc: Kelly Egode
Subject: [ossec-list] Re: Windows Audit

In my case, I just wanna get this log in ossec server:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/20/2009
Time: 4:54:04 PM
User: UFBA\user1
Computer: server1
Description:
Object Open:
    Object Server: Security
    Object Type: File
    Object Name: F:\foo\path\index.html
    Handle ID: 51652
    Operation ID: {0,2956632565}
    Process ID: 4
    Image File Name:
    Primary User Name: server1$
    Primary Domain: DOMAIN1
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: user1
    Client Domain: DOMAIN1
    Client Logon ID: (0x0,0xB0216AFA)
    Accesses: DELETE ReadAttributes
    Privileges: -
    Restricted Sid Count: 0
    Access Mask: 0x10080

I already get other logs from this server, but I think that there isn't any decoder or rule to handle this type of log in my ossec server.

Thank you.

--
Rafael Brito Gomes
Projeto UFBA
LPIC-1
CPM Braxis
Tel : +55 71 3283 6102
http://www.cpmbraxis.com
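Added example, not part of the original messages and not OSSEC's own decoder or rule syntax: a stand-alone Python check that parses an event 560 record like the one quoted above, decodes its access mask, and alerts when a modifying right is requested on a file under a watched directory. The function names and the watched-directory list are assumptions made for illustration; the sample is the quoted event flattened to one line.

```python
import ntpath
import re

# File access-right bits from winnt.h, named as in the event's "Accesses" field.
RIGHTS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA",
          0x10: "WriteEA", 0x20: "Execute", 0x40: "DeleteChild",
          0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE",
          0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
          0x100000: "SYNCHRONIZE"}
# Rights that change or remove the object or its permissions.
MODIFYING = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

FIELDS = {"event_id": r"Event ID:\s*(\d+)",
          "object": r"Object Name:\s*(.+?)\s+Handle ID:",
          "user": r"Client User Name:\s*(\S+)",
          "mask": r"Access Mask:\s*(0x[0-9A-Fa-f]+)"}

def parse_event(text):
    """Extract the fields of interest from a one-line or multi-line record."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.DOTALL)
        if not m:
            return None  # incomplete record: do not guess
        out[name] = m.group(1)
    return out

def decode_mask(mask):
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def check(text, watched_dirs):
    """Alert dict for a modifying open under a watched directory, else None."""
    ev = parse_event(text)
    if ev is None or ev["event_id"] != "560":
        return None
    path = ntpath.normcase(ev["object"])  # Windows paths compare case-insensitively
    mask = int(ev["mask"], 16)
    watched = any(path.startswith(ntpath.normcase(d).rstrip("\\") + "\\")
                  for d in watched_dirs)
    if not watched or not mask & MODIFYING:
        return None
    return {"user": ev["user"], "object": ev["object"],
            "rights": decode_mask(mask & MODIFYING)}

# Sample input: the event quoted in the message, flattened to one line.
SAMPLE = (r"Event ID: 560 Object Type: File Object Name: F:\foo\path\index.html "
          r"Handle ID: 51652 Primary User Name: server1$ Client User Name: user1 "
          r"Client Domain: DOMAIN1 Accesses: DELETE ReadAttributes Access Mask: 0x10080")
```

Event 560 records the access requested when the handle was opened, so an alert from this check means DELETE was asked for on the file, not that the file was removed.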
