Hello everybody, I'm quite new to ossec so I hope I didn't miss the solution while searching for it.
My question is in the title: is it possible for OSSEC, when it alerts on a file modification, to tell which user made it? My first thought was: no. So I thought about using auditd, but the log format is just a mess. I get information about the modification on 3 different lines and get UIDs instead of real usernames:

type=SYSCALL msg=audit(1310482288.083:28): arch=40000003 syscall=5 success=yes exit=3 a0=8443608 a1=8241 a2=1ff a3=0 items=1 ppid=30262 pid=24904 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" key="test"
type=CWD msg=audit(1310482288.083:28): cwd="/home/ablanchard"
type=PATH msg=audit(1310482288.083:28): item=0 name="test_audit.txt" inode=4719748 dev=08:01 mode=0100777 ouid=1000 ogid=1000 rdev=00:00

As you can see, we can find the UID of the user modifying the file on the first line and the actual file on the third line... Does anybody have any lead or even a solution to my problem?

Thank you!
Alex.
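The three auditd records in the post share one event id (the `audit(1310482288.083:28)` timestamp:serial), which is the key for stitching them back together: the SYSCALL record carries the uid/auid/exe, the CWD record the working directory, and the PATH record the file name relative to it. The script below is an added example, written for this thread and not taken from OSSEC or auditd; it groups records by event id, resolves numeric uids through an assumed passwd map (the `ablanchard` name is inferred from the cwd in the post, not stated there), names the syscall from a small assumed lookup table for i386/x86_64, and emits one line per event that a log-based rule could match. It also handles two auditd quirks the post's sample does not show: `auid=4294967295` means "login uid not set" rather than a real user, and names containing special characters are hex-encoded without quotes.

```python
"""Correlate multi-line auditd records into one 'who changed what' line.

Added example for the thread above; not OSSEC or auditd code.
Assumptions (not in the original post): the PASSWD map, the small
SYSCALL_NAMES table, and that all records for one audit serial are
present in the input (the kernel emits them together for one event).
"""
import posixpath
import re

# Constructed from the three lines quoted in the post (one event, serial 28).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1310482288.083:28): arch=40000003 syscall=5 success=yes exit=3 a0=8443608 a1=8241 a2=1ff a3=0 items=1 ppid=30262 pid=24904 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" key="test"
type=CWD msg=audit(1310482288.083:28): cwd="/home/ablanchard"
type=PATH msg=audit(1310482288.083:28): item=0 name="test_audit.txt" inode=4719748 dev=08:01 mode=0100777 ouid=1000 ogid=1000 rdev=00:00
"""

# Assumed uid -> name map; on a real host use pwd.getpwuid (fallback below).
PASSWD = {0: "root", 1000: "ablanchard"}

UNSET_ID = 4294967295  # (uid_t)-1: auid/ses never set (no login session / no pam_loginuid)

# Assumed partial tables keyed by the audit arch value; extend for your platform.
SYSCALL_NAMES = {
    0x40000003: {5: "open", 8: "creat", 10: "unlink", 15: "chmod", 38: "rename"},   # i386
    0xC000003E: {2: "open", 82: "rename", 87: "unlink", 90: "chmod", 257: "openat"},  # x86_64
}
O_WRITE_FLAGS = 0x1 | 0x2 | 0x40 | 0x200  # O_WRONLY | O_RDWR | O_CREAT | O_TRUNC on x86 Linux

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")          # msg=audit(<epoch>:<serial>)
HEX_FIELDS = {"name", "cwd", "comm", "exe", "proctitle"}  # auditd hex-encodes these if "odd"


def _unquote(field, raw):
    """Strip quotes; decode the unquoted upper-case hex auditd uses for special chars."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """One audit line -> {'type', 'event_id': (epoch, serial), 'fields'} or None."""
    fields = {k: _unquote(k, v) for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(fields.get("msg", ""))
    if not m or "type" not in fields:
        return None
    return {"type": fields["type"], "event_id": (m.group(1), int(m.group(2))), "fields": fields}


def group_events(text):
    """Group records by event id, preserving first-seen order of events."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            events.setdefault(rec["event_id"], []).append(rec)
    return events


def resolve_uid(uid, passwd):
    if uid == UNSET_ID:
        return "unset"
    if uid in passwd:
        return passwd[uid]
    try:                     # fall back to the local passwd database
        import pwd
        return pwd.getpwuid(uid).pw_name
    except (ImportError, KeyError):
        return "uid=%d" % uid


def _is_write(name, sc):
    """Did this syscall modify the file? open/openat: check the flags argument."""
    if name == "open":
        return bool(int(sc.get("a1", "0"), 16) & O_WRITE_FLAGS)
    if name == "openat":
        return bool(int(sc.get("a2", "0"), 16) & O_WRITE_FLAGS)
    return name in {"creat", "unlink", "rename", "chmod"}


def summarize_event(records, passwd):
    """Merge SYSCALL + CWD + PATH records of one event into a flat summary."""
    by_type = {}
    for rec in records:
        by_type.setdefault(rec["type"], []).append(rec["fields"])
    sc = by_type.get("SYSCALL", [{}])[0]
    if not sc:
        return None                      # events without a SYSCALL record are not file ops
    cwd = by_type.get("CWD", [{}])[0].get("cwd")
    paths = []
    for p in by_type.get("PATH", []):
        name = p.get("name")
        if name and name != "(null)":
            paths.append(posixpath.normpath(posixpath.join(cwd, name)) if cwd else name)
    arch, nr = int(sc.get("arch", "0"), 16), int(sc.get("syscall", "-1"))
    name = SYSCALL_NAMES.get(arch, {}).get(nr, "syscall#%d" % nr)
    return {
        "serial": records[0]["event_id"][1], "time": float(records[0]["event_id"][0]),
        "user": resolve_uid(int(sc["uid"]), passwd),       # effective identity at the call
        "login_user": resolve_uid(int(sc["auid"]), passwd),  # who logged in (survives su/sudo)
        "syscall": name, "success": sc.get("success") == "yes", "write": _is_write(name, sc),
        "exe": sc.get("exe"), "comm": sc.get("comm"), "pid": int(sc["pid"]),
        "key": sc.get("key"), "paths": paths,
    }


def format_alert(s):
    """Single line a log-based OSSEC rule can match on."""
    return "audit-file: user=%s login=%s %s %s path=%s exe=%s pid=%d key=%s ok=%s" % (
        s["user"], s["login_user"], "WRITE" if s["write"] else "ACCESS", s["syscall"],
        ",".join(s["paths"]), s["exe"], s["pid"], s["key"], s["success"])


def audit_to_alerts(text, passwd=PASSWD):
    out = [summarize_event(recs, passwd) for recs in group_events(text).values()]
    return [s for s in out if s]


if __name__ == "__main__":
    for s in audit_to_alerts(SAMPLE_AUDIT_LOG):
        print(format_alert(s))
```

On a real host `ausearch -i -k test` already does the uid-to-name interpretation and groups the records of one serial, so the script is mainly useful as a filter in front of a log-based rule; note that `uid` is the identity at the time of the call while `auid` is the original login user, so the two are worth reporting side by side when sudo or su is in play.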
