Hello,

The "OSSEC PCI Solution" pdf says that ossec can help with, among other
sections, section 10.5.

From PCI:
"10.5.5 Use file-integrity monitoring or change-detection software on logs
to ensure that existing log data cannot be changed without generating alerts
(although new data being added should not cause an alert). "


the syscheck section of my test host:
 <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours (79200 seconds) -->
    <!-- frequency>3600</frequency -->

    <!-- Directories to check (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories realtime="yes" check_all="yes">/var/log</directories>
...

  </syscheck>


After restarting ossec, I'm getting ossec alerts about files changing in
/var/log/.

Question: Does ossec take into account the changing nature of logs?  It
looks like a flat hash check.  If so, how would ossec help with monitoring
log file integrity (PCI 10.5.5)?

Also, about an hour ago I modified /bin/login with hexedit, verified that
the hash had changed, and ossec did not generate an alert... any ideas?

Thanks

-- 
Richard Geddes
BlueGolf - www.BlueGolf.com
[email protected] | 610-293-0998 | 610-293-0987 (fax)

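An added example, not OSSEC code and not from this list post, of the append-tolerant check the question is getting at: rather than a flat hash of the whole file, keep the byte count seen so far plus the hash of exactly those bytes, so appends pass while edits to existing data or truncation alert. The helper and function names are my own.

```python
import hashlib
import os
import tempfile

# Added example: an append-aware change detector in the spirit of PCI DSS 10.5.5.
# A "flat" per-file hash alerts on every new log line; this baseline instead
# records the byte count seen so far and the digest of exactly those bytes, so
# appends pass silently while edits to existing data or truncation alert.

def _hash_prefix(path, length):
    # SHA-256 of the first `length` bytes only (hypothetical helper; reads the
    # prefix in one go, so chunk it for very large logs in real use).
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()

def baseline(path):
    # Record (size, digest of the first `size` bytes) for a log file.
    size = os.path.getsize(path)
    return {"size": size, "digest": _hash_prefix(path, size)}

def check(path, prior):
    # Returns (verdict, new_baseline). "appended" is the 10.5.5 no-alert case;
    # "modified" covers edited existing bytes and truncation (log rotation also
    # lands here and needs its own handling).
    size = os.path.getsize(path)
    if size < prior["size"] or _hash_prefix(path, prior["size"]) != prior["digest"]:
        return "modified", baseline(path)
    if size == prior["size"]:
        return "unchanged", prior
    return "appended", baseline(path)

def demo():
    # Exercise append, in-place edit and truncation on a constructed temp log.
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "wb") as f:
            f.write(b"Jan 1 00:00:01 host sshd[1]: Accepted publickey for ops\n")
        b = baseline(log)
        with open(log, "ab") as f:  # normal logging appends a line
            f.write(b"Jan 1 00:00:02 host sshd[2]: session opened for ops\n")
        v1, b = check(log, b)
        with open(log, "r+b") as f:  # tampering overwrites existing bytes
            f.seek(7)
            f.write(b"9")
        v2, b = check(log, b)
        with open(log, "wb"):  # truncation shrinks the file below the baseline
            pass
        v3, _ = check(log, b)
    return v1, v2, v3
```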