Jeremy,

I am also working on a PCI project and was wondering if you can explain how
you have implemented msauth rules and what you have done to get directory
level alerts?

Thanks


On Thu, Sep 23, 2010 at 2:39 PM, Jeremy Lee <[email protected]> wrote:

> NM, I answered my own question - msauth_rules.xml covers a lot of this. As
> long as the proper Windows logging is set in conjunction with AD.
>
> I'm wondering if this is enough to satisfy PCI req 10.2.2 in certain
> circumstances - log all admin/root actions.
>
>
> On Thu, Sep 23, 2010 at 11:22 AM, jplee3 <[email protected]> wrote:
>
>> Or can OSSEC monitor for any changes to Active Directory?
>>
>> On Sep 22, 3:48 pm, jplee3 <[email protected]> wrote:
>> > Hey guys,
>> >
>> > Sorry in advance - this might be slightly out of reach for OSSEC (or
>> > not!). I was wondering if there might be a way for OSSEC to record
>> > *every* event a domain or enterprise admin user takes. Of course, if
>> > there's not an inherent way in OSSEC, any ideas/recommendations on
>> > software that could be used in conjunction [or not] with OSSEC? I've
>> > come across tools like ObserveIT, Enterprise Adminguard, etc but
>> > nothing FREE :) I know this is partially doable via Windows audit
>> > logging but the extent of the trail ends at the application or program
>> > that was run by the user(s). I'd want to be able to see what the admin
>> > did inside a certain app. Of course, this probably would get into
>> > specific application logging, which opens another can of worms.
>> >
>> > Just wanted to see if there's a way to collectively do it all and if
>> > there's a free tool out there that could accomplish this (if OSSEC
>> > cannot). Essentially, it would be very much like a keylogger ;)
>> >
>> > Thanks all!
>>
>
>


-- 
Best Regards,

Aamir Niazi
Senior Security Analyst
