Hi Michael and x509v3,

On Sun, Jan 2, 2011 at 10:05 PM, Michael Starks <[email protected]> wrote:
> On 01/02/2011 07:55 PM, x509v3 wrote:
>>
>> Like many folks, I'm using OSSEC to support PCI requirements. I'm
>> very, very pleased with OSSEC and it has automated many things more
>> efficiently than our previous more manual methods. There's one PCI
>> requirement that I haven't found a way to address with OSSEC:
>> monitoring log files for truncation.
>>
>>
>> PCI Requirement 10.5.5: Use file integrity monitoring and change
>> detection software on logs to ensure that existing log data cannot be
>> changed without generating alerts (although new data being added
>> should not cause an alert)
>
> OSSEC has this feature already. Check out this rule:
>
> <rule id="592" level="8">
>   <if_sid>500</if_sid>
>   <match>^ossec: File size reduced</match>
>   <description>Log file size reduced.</description>
>   <group>attacks,</group>
> </rule>
>
> It does work, but if someone replaces data in logs with the equivalent amount
> of bytes (e.g. user: bob with user: rob), the rule won't fire. I'm not a QSA
> but I doubt this would be a problem.
>
This is an interesting one. IIRC, based on previous mailing list discussions, if the inode does NOT change this rule may fire. If the inode changes, OSSEC assumes the logfile has been rotated and re-reads all messages stored in the file (possibly triggering "duplicate" alerts).

Relevant thread: http://marc.info/?l=ossec-list&m=127480256610370&w=2

(I think there was another thread that kind of dealt with this in more depth, but I wasn't able to find it quickly.)

> One other thing I do in a PCI environment is to make sure my rotated logs
> are syschecked, that way, any modifications to those would be noticed, as
> well.
>

That's a good idea, hadn't thought about that.
