On 01/02/2011 07:55 PM, x509v3 wrote:
> Like many folks, I'm using OSSEC to support PCI requirements. I'm
> very, very pleased with OSSEC and it has automated many things more
> efficiently than our previous more manual methods. There's one PCI
> requirement that I haven't found a way to address with OSSEC:
> monitoring log files for truncation.
>
> PCI Requirement 10.5.5: Use file integrity monitoring and change
> detection software on logs to ensure that existing log data cannot be
> changed without generating alerts (although new data being added
> should not cause an alert)

OSSEC has this feature already. Check out this rule:

  <rule id="592" level="8">
    <if_sid>500</if_sid>
    <match>^ossec: File size reduced</match>
    <description>Log file size reduced.</description>
    <group>attacks,</group>
  </rule>

It does work, but if someone replaces data in logs with the equivalent amount of bytes (e.g. user: bob with user: rob), the rule won't fire. I'm not a QSA but I doubt this would be a problem.

One other thing I do in a PCI environment is to make sure my rotated logs are syschecked, that way, any modifications to those would be noticed, as well.
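The gap described above (a same-size in-place edit that rule 592 cannot see) can be closed by baselining the hash of the bytes that already exist and re-hashing only that prefix on each check, so appends pass and edits or truncation alert. This is an added illustration, not OSSEC code or anything from the thread; the file name, log lines and alert strings are constructed for the demo, and log rotation (a new inode) is not handled.

```python
import hashlib
import os
import tempfile
from typing import List, Optional, Tuple

# Baseline = (file size at last check, SHA-256 of the first `size` bytes).
Baseline = Tuple[int, str]


def _hash_prefix(path: str, length: int) -> str:
    """Hash only the first `length` bytes, i.e. the data that already existed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        remaining = length
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def take_baseline(path: str) -> Baseline:
    size = os.path.getsize(path)
    return size, _hash_prefix(path, size)


def check_log(path: str, baseline: Baseline) -> Tuple[Optional[str], Baseline]:
    """Return (alert text or None, refreshed baseline)."""
    old_size, old_hash = baseline
    if os.path.getsize(path) < old_size:
        return "File size reduced", take_baseline(path)        # what rule 592 catches
    if _hash_prefix(path, old_size) != old_hash:
        return "Existing log data modified", take_baseline(path)  # same-size edit, rule 592 misses it
    return None, take_baseline(path)                           # append only: no alert (PCI 10.5.5)


def demo() -> List[Optional[str]]:
    """Constructed scenario: append (no alert), bob->rob edit (alert), truncation (alert)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "wb") as f:
            f.write(b"login user: bob\n")
        base, results = take_baseline(path), []
        with open(path, "ab") as f:                 # legitimate append
            f.write(b"login user: alice\n")
        alert, base = check_log(path, base); results.append(alert)
        with open(path, "rb") as f:                 # in-place edit, same byte count
            data = f.read().replace(b"user: bob", b"user: rob")
        with open(path, "wb") as f:
            f.write(data)
        alert, base = check_log(path, base); results.append(alert)
        with open(path, "wb") as f:                 # truncation
            f.write(b"login\n")
        alert, base = check_log(path, base); results.append(alert)
        return results
```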
