Hi; I have a client who's looking to install ossec, primarily for the integrity checking. I'm setting up the directories now and pondering the directories that get monitored. By default, it's the bin directories. I'm thinking of changing those as listed below and was hoping for some feedback.
* /usr (all of it) instead of just /usr/bin, /usr/sbin. Unless getting patched, /usr should be a completely static filesystem and I think the client needs to know if someone's in there mucking with their libraries.
* /var/ossec, ignoring /var/ossec/logs, /var/ossec/stats, /var/ossec/var, and /var/ossec/queue. Same logic as above: if something in there changes outside of the change control system, it should be alerted.
* /lib64 and /lib: same logic
* /boot
* /root, ignoring *_history, .Xauthority, and /root/.ssh/known_hosts
* application directories as I find them.

This first iteration is a pilot program; however, eventually, this will get rolled out to an environment that's PCI/SOX related. While it's important to ensure these directories are monitored, I don't want to have so many alerts generated that people get in the habit of ignoring them.

Has anyone modified the defaults in any significant way and, if so, do you have any feedback on the quantity/quality of the resulting alerts?

Thanks.

Doug O'Leary
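The directory set proposed above, written out as an ossec.conf `<syscheck>` block. This is an added illustration, not configuration from the original post or from the OSSEC project; the `/opt/myapp` path stands in for whatever application directories turn up, and the scan frequency and alert_new_files settings are choices made here rather than anything the post specifies.

```xml
<!-- Added example (not from the original post): an ossec.conf <syscheck>
     block for the directory list proposed above. /opt/myapp is a placeholder
     for application directories found later. -->
<syscheck>
  <!-- Scan interval in seconds; 79200 (22 hours) is OSSEC's default. -->
  <frequency>79200</frequency>

  <!-- Do not let syscheck silently stop reporting files that change often;
       on a PCI/SOX host an unexpectedly busy file is worth a look. -->
  <auto_ignore>no</auto_ignore>

  <!-- Report files that appear in a monitored tree, not only modified ones
       (requires enabling rule 554, which ships disabled). -->
  <alert_new_files>yes</alert_new_files>

  <!-- Static system trees: all of /usr, both library trees, kernel/bootloader. -->
  <directories check_all="yes">/usr,/lib,/lib64,/boot</directories>

  <!-- OSSEC's own installation, minus its volatile runtime directories.
       Plain <ignore> entries match by path prefix. -->
  <directories check_all="yes">/var/ossec</directories>
  <ignore>/var/ossec/logs</ignore>
  <ignore>/var/ossec/stats</ignore>
  <ignore>/var/ossec/var</ignore>
  <ignore>/var/ossec/queue</ignore>

  <!-- root's home, minus files that churn with every login or shell exit.
       The sregex pattern is global, so it also covers *_history elsewhere. -->
  <directories check_all="yes">/root</directories>
  <ignore type="sregex">_history$</ignore>
  <ignore>/root/.Xauthority</ignore>
  <ignore>/root/.ssh/known_hosts</ignore>

  <!-- Application directories (placeholder path). -->
  <directories check_all="yes">/opt/myapp</directories>
</syscheck>
```

After editing the file, restart OSSEC and let the first full scan build the baseline; alerts only start on the next scan, when stored checksums differ. Plain `<ignore>` entries are prefix matches, so `/var/ossec/queue` also covers everything beneath it, while the `type="sregex"` entry applies to any monitored path, which is the reason to keep such patterns specific.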
