On 10/26/2011 10:46 AM, sami zimbra wrote:
Hi,
I have noticed a problem when I was looking at whether OSSEC can meet the PCI-DSS
requirements on detecting malicious modifications of log files (10.5.5).
The problem is that ossec-logcollector does it automatically and randomly
without any user control over this behavior.
It would be appreciated to add some more control over the way log files
are checked against malicious modifications like size reduction or
deletion. For example: adding an option in the <localfile> section:
<localfile>
<log_format>syslog</log_format>
<check_type>[SIZE_REDUCTION | DELETION]</check_type>
<check_interval>60</check_interval>
<location>/var/log/auth.log</location>
</localfile>
OSSEC will already alert on running logs that are reduced in size. You
can also set up checksums on rotated log directories. I believe these
two will meet the requirements.
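To make the two checks discussed in this thread concrete, here is a small added example (my own illustration, not OSSEC's or ossec-logcollector's code) that snapshots the inode and size of watched log files and reports a SIZE_REDUCTION when a file shrinks in place and a DELETION when it disappears or is replaced by a different inode; the log lines and the temporary auth.log it uses are constructed for the demo.

```python
import os
import tempfile

DELETION = "DELETION"
SIZE_REDUCTION = "SIZE_REDUCTION"


def snapshot(path):
    """(inode, size) of a log file, or None if it no longer exists."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_ino, st.st_size)


def check(state):
    """Compare each watched file with its last snapshot; update the state
    in place and return the (path, event) pairs found since the last call."""
    events = []
    for path, previous in state.items():
        current = snapshot(path)
        if previous is not None and current is None:
            events.append((path, DELETION))
        elif previous is not None and current[0] != previous[0]:
            # Same name, different inode: removed and recreated (this also
            # fires on ordinary rotation, which a real deployment must allow).
            events.append((path, DELETION))
        elif previous is not None and current[1] < previous[1]:
            events.append((path, SIZE_REDUCTION))
        state[path] = current
    return events


def demo():
    """Constructed scenario: append (normal), truncate, then delete."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "auth.log")
        with open(log, "w") as f:
            f.write("Oct 26 10:46:00 host sshd[1]: Accepted publickey\n")
        state = {log: snapshot(log)}
        with open(log, "a") as f:
            f.write("Oct 26 10:47:00 host sshd[2]: session opened\n")
        grew = check(state)            # growth is normal -> []
        open(log, "w").close()         # truncation keeps the inode
        truncated = check(state)
        os.remove(log)
        deleted = check(state)
        return grew, truncated, deleted
```

Run `check()` from a loop at the desired interval (the `<check_interval>` of the proposal); rotation by logrotate shows up as a DELETION here, so a real monitor needs to recognise that case separately, which is where the checksum on the rotated directory from the reply comes in.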