You just need to make sure the proper level of Windows audit logging is turned on (to record when user/group accounts are deleted/added/disabled/etc) and make sure the OSSEC agent is installed on that server and that the "security" event log is being monitored. I think all the OSSEC stuff is set up by default. You just have to worry about setting the proper level of logging in Windows.
On Thu, Sep 23, 2010 at 9:08 PM, Aamir Niazi <[email protected]> wrote:
> Jeremy,
>
> I am also working on a PCI project and was wondering if you can explain how you have implemented msauth rules and what you have done to get directory level alerts?
>
> Thanks
>
>
> On Thu, Sep 23, 2010 at 2:39 PM, Jeremy Lee <[email protected]> wrote:
>
>> NM, I answered my own question - msauth_rules.xml covers a lot of this. As long as the proper Windows logging is set in conjunction with AD.
>>
>> I'm wondering if this is enough to satisfy PCI req 10.2.2 in certain circumstances - log all admin/root actions.
>>
>>
>> On Thu, Sep 23, 2010 at 11:22 AM, jplee3 <[email protected]> wrote:
>>
>>> Or can OSSEC monitor for any changes to Active Directory?
>>>
>>> On Sep 22, 3:48 pm, jplee3 <[email protected]> wrote:
>>> > Hey guys,
>>> >
>>> > Sorry in advance - this might be slightly out of reach for OSSEC (or not!). I was wondering if there might be a way for OSSEC to record *every* event a domain or enterprise admin user takes. Of course, if there's not an inherent way in OSSEC, any ideas/recommendations on software that could be used in conjunction [or not] with OSSEC? I've come across tools like ObserveIT, Enterprise Adminguard, etc but nothing FREE :) I know this is partially doable via Windows audit logging but the extent of the trail ends at the application or program that was run by the user(s). I'd want to be able to see what the admin did inside a certain app. Of course, this probably would get into specific application logging, which opens another can of worms.
>>> >
>>> > Just wanted to see if there's a way to collectively do it all and if there's a free tool out there that could accomplish this (if OSSEC cannot). Essentially, it would be very much like a keylogger ;)
>>> >
>>> > Thanks all!
>>
>>
>
>
> --
> Best Regards,
>
> Aamir Niazi
> Senior Security Analyst
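One way to wire up what the reply above describes, as an added example and not a config from anyone in this thread: the OSSEC agent `localfile` entry that collects the Windows Security log, plus local rules that chain to the base Windows rule in msauth_rules.xml (assumed here to be rule id 18100) so that account-management events are raised and tagged with the PCI requirement discussed in the thread. The rule ids 100100-100103 are the local custom range and are assumptions; the Windows event ids are the standard Account Management ids (pre-Vista three-digit ids alongside their Vista+ four-digit equivalents).

```xml
<!-- ossec.conf on the Windows agent (or agent.conf pushed from the manager):
     collect the Security event log so msauth_rules.xml can decode it. -->
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

<!-- local_rules.xml on the manager: assumed custom rules in the 100000+ local
     range that chain to 18100, the base Windows group rule in msauth_rules.xml. -->
<group name="local,windows,">

  <!-- User account created or deleted (pre-Vista 624/630, Vista+ 4720/4726) -->
  <rule id="100100" level="10">
    <if_sid>18100</if_sid>
    <id>^624$|^630$|^4720$|^4726$</id>
    <description>Windows user account created or deleted.</description>
    <group>account_changed,pci_dss_10.2.2,</group>
  </rule>

  <!-- User account enabled or disabled (626/629, 4722/4725) -->
  <rule id="100101" level="8">
    <if_sid>18100</if_sid>
    <id>^626$|^629$|^4722$|^4725$</id>
    <description>Windows user account enabled or disabled.</description>
    <group>account_changed,pci_dss_10.2.2,</group>
  </rule>

  <!-- Member added to a security-enabled global/local/universal group
       (632/636/660, 4728/4732/4756) -->
  <rule id="100102" level="10">
    <if_sid>18100</if_sid>
    <id>^632$|^636$|^660$|^4728$|^4732$|^4756$</id>
    <description>Member added to a Windows security group.</description>
    <group>account_changed,pci_dss_10.2.2,</group>
  </rule>

  <!-- Escalate and e-mail when the group touched is Domain Admins -->
  <rule id="100103" level="12">
    <if_sid>100102</if_sid>
    <match>Domain Admins</match>
    <description>Member added to Domain Admins.</description>
    <options>alert_by_email</options>
  </rule>
</group>
```

None of these rules fire unless the Windows side is enabled first: the Account Management audit category (success and failure) must be turned on through Local/Group Policy or auditpol on the domain controller, which is the "proper level of logging" the reply refers to.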
