On Mar 7, 2011, at 2:31 PM, Nate Woodward wrote:

> I'll give this a try, but assuming the rule does work (it's one of the
> rules that ships with OSSEC, after all), how do I make sure log
> tampering will be detected no matter what? The OSSEC book says the time
> between syschecks has a minimum frequency of an hour, and I can't
> exactly ask crackers to only tamper with my logs X minutes after the top
> of the hour.
I don't believe these are syscheck rules, but are, instead, rules for the ossec.log file. They reference rule 500, which is a log message decoded as ossec. syscheck rules specifically reference syscheck in the rules themselves.

---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
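An added example, not code from the thread or from OSSEC itself, to illustrate the distinction Jason draws: the log-tampering rules hang off the internal "ossec" messages that logcollector writes about the files it tails, not off syscheck. My understanding (from memory of the OSSEC source, not stated on the page) is that logcollector remembers each monitored file's inode and size between polls, polls every few seconds rather than on the hourly syscheck schedule, and emits an internal message of the form "ossec: File size reduced (inode remained the same): '<path>'." when a file shrinks in place, or "ossec: File rotated (inode changed): '<path>'." when it is replaced; the stock rules then match on those strings under rule 500. The model below reproduces that check in Python against a temporary file; the message texts, the function names and the sample log lines are all constructed for the demo.

```python
"""Minimal model of OSSEC logcollector's truncation/rotation check.

Added example, not OSSEC code. Message formats are assumed from memory of
the OSSEC source; sample log lines and the auth.log name are constructed.
"""
import os
import tempfile

# Internal-log messages in the style logcollector emits (assumed format).
MSG_REDUCED = "ossec: File size reduced (inode remained the same): '{}'."
MSG_ROTATED = "ossec: File rotated (inode changed): '{}'."


def check_file(state, path):
    """One poll of a monitored log.

    `state` maps path -> (inode, size) remembered from the previous poll.
    Returns an internal-log message when the file was replaced or shrank,
    else None. A rule engine would decode these as 'ossec' (rule 500's
    group), which is why the tampering rules never touch syscheck.
    """
    st = os.stat(path)
    prev = state.get(path)
    state[path] = (st.st_ino, st.st_size)
    if prev is None:
        return None                      # first sight: nothing to compare yet
    prev_ino, prev_size = prev
    if st.st_ino != prev_ino:
        return MSG_ROTATED.format(path)  # file replaced (logrotate, or a swap)
    if st.st_size < prev_size:
        return MSG_REDUCED.format(path)  # truncated in place (attacker or copytruncate)
    return None


def simulate():
    """Drive check_file through append, truncate and replace on a temp file.

    Returns a list of (step, message) pairs as a rule engine would see them.
    """
    events = []
    state = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        # Constructed sample lines; content is irrelevant to the check.
        with open(log, "w") as f:
            f.write("sshd[1]: Accepted publickey for alice\n")
        events.append(("initial", check_file(state, log)))

        with open(log, "a") as f:
            f.write("sshd[2]: Failed password for root\n")
        events.append(("append", check_file(state, log)))   # growth is normal

        # Someone shortens the file in place: size drops, inode unchanged.
        with open(log, "r+") as f:
            f.truncate(10)
        events.append(("truncate", check_file(state, log)))

        # Whole file swapped for a fresh one: new inode.
        tmp = log + ".new"
        with open(tmp, "w") as f:
            f.write("sshd[3]: clean slate\n")
        os.replace(tmp, log)
        events.append(("replace", check_file(state, log)))
    return events


if __name__ == "__main__":
    for step, msg in simulate():
        print(f"{step:9s} -> {msg}")
```

Two caveats follow from the model. First, the check only catches what happens to a file between the agent's polls; a file truncated and regrown to its previous size before the next poll would not shrink from the agent's point of view, so forwarding logs off-host promptly still matters. Second, a legitimate copytruncate-style rotation produces exactly the same "size reduced" message as tampering, so expect that alert at every rotation unless the rotation is done by renaming (which shows up as the inode-changed case instead).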
