On Tue, Jun 22, 2010 at 2:46 PM, Richard Geddes <[email protected]> wrote:
> Hello,
>
> The "OSSEC PCI Solution" pdf says that ossec can help with, among other
> sections, section 10.5.
>
> From PCI:
> "10.5.5 Use file-integrity monitoring or change-detection software on logs
> to ensure that existing log data cannot be changed without generating alerts
> (although new data being added should not cause an alert). "
>
> the syscheck section of my test host:
> <syscheck>
>   <!-- Frequency that syscheck is executed - default to every 22 hours
>        (79200 seconds)-->
>   <!-- frequency>3600</frequency -->
>
>   <!-- Directories to check (perform all possible verifications) -->
>   <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>   <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
>   <directories realtime="yes" check_all="yes">/var/log</directories>
>   ...
> </syscheck>
>
> After restarting ossec, I'm getting ossec alerts about files changing in
> /var/log/.
>
> Question: Does ossec take into account the changing nature of logs? It
> looks like a flat hash check. If so, how would ossec help with monitoring
> log file integrity (PCI 10.5.5)?
>
> Also, about an hour ago I modified /bin/login with hexedit, verified that
> the hash had changed, and ossec did not generate an alert.... any ideas?
>
> Thanks
>
> --
> Richard Geddes
> BlueGolf - www.BlueGolf.com
> [email protected] | 610-293-0998 | 610-293-0987 (fax)
It looks to me (and I don't deal with PCI) that 10.5.5 is not exactly covered by OSSEC. OSSEC does not hash the entries in the log files or anything, so if you add /var/log to syscheck, you will get alerts every time an event is written to the log file. If the inode of the log file changes, OSSEC may re-open the log file from the beginning (thinking the old one was rotated away). Not all editors will write the file to a new inode though (there was a thread about this a while back). Do you have syscheck set up to ignore files after 3 changes? If so, login may be in that ignored state. syscheck_control might be able to give you more information.
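To illustrate the difference between the flat whole-file hash described above and the append-aware check PCI 10.5.5 asks for, here is an added example (not OSSEC code, and not from either poster): it baselines the inode, length and SHA-256 of the bytes present in a log, then treats growth as normal and anything else (edited bytes, truncation, a new inode) as a finding. The log file and its lines are constructed for the demo.

```python
# Added example: append-only integrity check for a log file. Hashing only the
# bytes that existed at baseline time lets new log lines through while still
# flagging edits, truncation, or replacement (new inode) of the existing data.
import hashlib
import os
import tempfile

def snapshot(path):
    """Baseline: inode, length, and SHA-256 of the content present right now."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read(st.st_size)).hexdigest()
    return {"inode": st.st_ino, "length": st.st_size, "sha256": digest}

def check(path, baseline):
    """Classify the file against its baseline; only 'appended'/'unchanged' are benign."""
    st = os.stat(path)
    if st.st_ino != baseline["inode"]:
        return "rotated"       # new inode: rotation, or an editor that saves to a new file
    with open(path, "rb") as f:
        prefix = f.read(baseline["length"])   # only the bytes known at baseline time
    if len(prefix) < baseline["length"]:
        return "truncated"
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return "modified"
    return "appended" if st.st_size > baseline["length"] else "unchanged"

def demo():
    """Run the check over a constructed log through normal and tampered states."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")   # constructed sample, not a real system log
        with open(log, "wb") as f:
            f.write(b"Jun 22 14:46:01 host sshd[1]: Accepted publickey for alice\n")
        base = snapshot(log)
        results["same"] = check(log, base)
        with open(log, "ab") as f:          # normal logging: a new line is appended
            f.write(b"Jun 22 14:47:12 host sshd[2]: Failed password for root\n")
        results["append"] = check(log, base)
        with open(log, "r+b") as f:         # tampering: overwrite an existing byte in place
            f.write(b"X")
        results["edit"] = check(log, base)
        with open(log, "wb"):               # tampering: wipe the file (same inode)
            pass
        results["wipe"] = check(log, base)
    return results

if __name__ == "__main__":
    print(demo())   # {'same': 'unchanged', 'append': 'appended', 'edit': 'modified', 'wipe': 'truncated'}
```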
