Hi there, can someone assist me with PCI requirement 10.5.5 as it relates to configuring OSSEC?

The requirement says: 10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

OSSEC says in its PDF (http://www.ossec.net/ossec-docs/ossec-PCI-Solution.pdf): OSSEC's System Integrity Checking module can be configured to monitor file system changes (such as changes to files, new files getting created, new directories being created, files being removed, etc.) and ... OSSEC will not alert on new additions to log files but instead would only alert if the new entries indicate malicious behavior. The combination of system integrity and log inspection can help administrators monitor log files without a lot of false alerts.

So how is this configuration created? Can someone provide examples or some sort of starting point? Thanks for reading!

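As an added illustration of what requirement 10.5.5 is asking for (not OSSEC's own code or configuration): a small Python append-only integrity check that baselines a log file and reports a change only when bytes already recorded are altered or removed, while new lines appended at the end are accepted and folded into the baseline. The file path and log lines below are constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class LogState:
    size: int     # number of bytes covered by the baseline
    digest: str   # SHA-256 over exactly those bytes


def baseline(path: str) -> LogState:
    """Record the current contents of the log as the trusted prefix."""
    with open(path, "rb") as f:
        data = f.read()
    return LogState(len(data), hashlib.sha256(data).hexdigest())


def check(path: str, state: LogState) -> tuple[str, LogState]:
    """Compare the file against the baseline.

    Returns (verdict, new_state); verdict is 'unchanged', 'appended'
    (benign growth), 'truncated' or 'modified' (both should alert).
    """
    with open(path, "rb") as f:
        head = f.read(state.size)   # the bytes the baseline already covers
        tail = f.read()             # anything written since the baseline
    if len(head) < state.size:
        return "truncated", state   # existing data removed: alert
    if hashlib.sha256(head).hexdigest() != state.digest:
        return "modified", state    # existing data rewritten: alert
    if not tail:
        return "unchanged", state
    return "appended", baseline(path)  # normal logging: extend the baseline


def demo() -> list[str]:
    """Constructed scenario: append (benign), edit in place (alert), truncate (alert)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")  # constructed sample log
        with open(path, "wb") as f:
            f.write(b"Jan 1 00:00:01 host sshd[1]: Accepted publickey for alice\n")
        state = baseline(path)
        verdicts = []
        v, state = check(path, state); verdicts.append(v)          # nothing happened yet
        with open(path, "ab") as f:                                # a new entry is appended
            f.write(b"Jan 1 00:00:02 host sshd[2]: Failed password for root\n")
        v, state = check(path, state); verdicts.append(v)
        with open(path, "rb") as f:                                # an old entry is rewritten in place
            data = f.read().replace(b"Failed", b"Accept")
        with open(path, "wb") as f:
            f.write(data)
        v, state = check(path, state); verdicts.append(v)
        open(path, "wb").close()                                   # the log is wiped
        v, state = check(path, state); verdicts.append(v)
        return verdicts
```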