If an attacker has gotten privileged access to the system there should be a log somewhere detailing this. Hopefully there's a rule for that log message...

What do you mean by "use a directory or file not monitored to carry out the attack"? You mean monitored by syscheckd? As soon as they change something of consequence there should be a syscheckd alert triggered. And there should be alerts when the OSSEC processes are stopped, so that's another reason to investigate.

Whenever possible, export logs to a hardened/remote host. Installing a local OSSEC instance should be a last resort.

On Thu, Mar 22, 2012 at 5:52 PM, Michel Henrique Aquino Santos <[email protected]> wrote:
> If an attacker managed to enter the machine and gain privileged access, they
> can read the configuration files if OSSEC is installed as local. Thus, they
> can use a directory or file that is not monitored to carry out the attack, or even
> modify the rules file.
>
> On 22-03-2012 18:16, Nelson, James wrote:
>
> The vast majority of log data is not encrypted to begin with, so how do you
> figure it's a vulnerability? At most, transmission between agent and master
> could be considered vulnerable, but you can set it up to use secure
> transmission, which would be encrypted.
>
> James
>
> ________________________________
>
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Michel Henrique Aquino Santos
> Sent: Thursday, March 22, 2012 3:54 PM
> To: [email protected]
> Subject: Re: [ossec-list] Database and File rules encrypted?
>
> Thanks for the reply. This is not good because it creates a vulnerability in
> the system.
>
> Regards.
>
> On 22-03-2012 17:33, dan (ddp) wrote:
>
> > Neither are encrypted in OSSEC.
> >
> > On Thu, Mar 22, 2012 at 4:22 PM, Michel Henrique Aquino Santos
> > <[email protected]> wrote:
> > Hello,
> >
> > I'm doing a paper for a university study (Federal University of Lavras - UFLA
> > - www.ufla.br), comparing four tools for checking the integrity of files
> > (Tripwire, OSSEC, AIDE and Samhain).
> > I need some information about the tool OSSEC.
> > Is the generated database (snapshot) encrypted?
> > Is the rules file encrypted?
> >
> > Sorry for my English, I cannot write it correctly.
> > I await your response.
> > Thank you!
> >
> > --
> > Regards,
> >
> > Michel Henrique Aquino Santos
> > Bachelor's in Computer Science
> > Universidade Federal de Lavras - UFLA
> > Skype: michel_has
> > Gtalk: michel.has
> > [email protected]
> >
> > Linux User # 496756
> >
> > http://resolvidoslinux.blogspot.com/
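The setup the reply above recommends, as an added example that is not from this thread or from the OSSEC project: an agent-side ossec.conf fragment that forwards to a manager on a separate host (the address 192.0.2.10 is an assumed placeholder) and has syscheck watch the agent's own configuration directory, so that editing the list of monitored paths is itself reported. The /var/ossec paths assume the default install location.

```xml
<!-- Agent-side ossec.conf fragment (constructed example, not project code).
     An agent holds no rules or alert database locally; events go to the
     remote manager over the agent channel, so a root compromise of this
     host exposes only the local monitoring configuration. -->
<ossec_config>
  <client>
    <!-- Manager on a separate, hardened host (placeholder address) -->
    <server-ip>192.0.2.10</server-ip>
  </client>

  <syscheck>
    <!-- Full scan every 2 hours; realtime reports changes as they happen -->
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>

    <!-- Watch the agent's own configuration: an attacker who edits the
         monitored-path list or disables checks here triggers an alert on
         the manager, where the rules and alert history live -->
    <directories check_all="yes" realtime="yes">/var/ossec/etc</directories>

    <!-- Files that change constantly and would only add noise -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>
```

Stopping or restarting the agent to apply a tampered configuration also surfaces on the manager, which is the other signal the reply mentions.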
