NM, I answered my own question - msauth_rules.xml covers a lot of this. As long as the proper Windows logging is set in conjunction with AD.
I'm wondering if this is enough to satisfy PCI req 10.2.2 in certain circumstances - log all admin/root actions.

On Thu, Sep 23, 2010 at 11:22 AM, jplee3 <[email protected]> wrote:
> Or can OSSEC monitor for any changes to Active Directory?
>
> On Sep 22, 3:48 pm, jplee3 <[email protected]> wrote:
> > Hey guys,
> >
> > Sorry in advance - this might be slightly out of reach for OSSEC (or
> > not!). I was wondering if there might be a way for OSSEC to record
> > *every* event a domain or enterprise admin user takes. Of course, if
> > there's not an inherent way in OSSEC, any ideas/recommendations on
> > software that could be used in conjunction [or not] with OSSEC? I've
> > come across tools like ObserveIT, Enterprise Adminguard, etc but
> > nothing FREE :) I know this is partially doable via Windows audit
> > logging but the extent of the trail ends at the application or program
> > that was run by the user(s). I'd want to be able to see what the admin
> > did inside a certain app. Of course, this probably would get into
> > specific application logging, which opens another can of worms.
> >
> > Just wanted to see if there's a way to collectively do it all and if
> > there's a free tool out there that could accomplish this (if OSSEC
> > cannot). Essentially, it would be very much like a keylogger ;)
> >
> > Thanks all!
