Correct, but if auditing is set up to specify the same directories, you would have additional audit events to correlate.
On Sep 25, 2012, at 10:48 AM, dan (ddp) <[email protected]> wrote:

> Very nice info. Unfortunately, if I understand this correctly, syscheck would
> not have access to this data.
>
> On Sep 25, 2012 1:43 PM, "Scott Klauminzer" <[email protected]> wrote:
> This may help in building rules to monitor. Also the Event IDs change based
> on OS Version (Vista+)
>
> http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx
>
> Events 560, 562, 563, 564, 567, and each of those adding 4096 for Vista+ are
> all relevant, and not currently within ossec rule sets.
>
> This depends on having Windows Auditing set to audit object access, which is
> difficult to make sure works according to plan, see this:
>
> http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
>
> I know this info is Windows 7 and 2008 based, but the concepts are the same,
> Windows has evolved, and with Domain, Local and auditpol.exe access to Policy
> settings, that all have different refresh times and overrides, this can get
> clustered quickly.
>
> Net result is auditpol.exe /get /category:* is the best resource for actual
> up to the minute Audit Policy settings, but this will change if you have
> competing policies!
>
>
> On Sep 25, 2012, at 7:01 AM, dan (ddp) <[email protected]> wrote:
>
>> On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez
>> <[email protected]> wrote:
>>> Thanks Dan.
>>>
>>> I'll try.
>>>
>>> My idea is to register the user logged on a computer that deletes or
>>> modifies a file (like windows security log).
>>>
>>> maybe some mix between them...
>>>
>>
>> There's too much of a chance for false positives. Many systems are
>> multi-user these days. I was hoping for a file attribute that possibly
>> tracked the last user to modify the file.
>>
>>> 2012/9/25 dan (ddp) <[email protected]>
>>>
>>>> On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
>>>> <[email protected]> wrote:
>>>>> OK,
>>>>> thanks.
>>>>>
>>>>
>>>> If you know a good way to get that info, let us know. We can try to
>>>> get it in after 2.7.
>>>>
>>>>> 2012/9/25 dan (ddp) <[email protected]>
>>>>>
>>>>>> If we could magically associate a username with a file modification it
>>>>>> would be the default.
>>>>>>
>>>>>> On Sep 25, 2012 6:08 AM, "Alejandro" <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi.
>>>>>>>
>>>>>>> I'm using ossec to monitor some windows agents on 2003 server.
>>>>>>>
>>>>>>> The server is running centos and saving the information in a mysql
>>>>>>> database.
>>>>>>>
>>>>>>> When I receive a syscheck event from windows (file modified, deleted
>>>>>>> or added) the username is empty.
>>>>>>>
>>>>>>> Is it possible to modify some rule to have that username logged on the
>>>>>>> event ?
>>>>>>>
>>>>>>> Thanks a lot.
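The correlation the thread is circling, as an added example that is not from the thread or from OSSEC's own code: use the Windows object-access events listed above (legacy 560/562/563/564/567, or the same IDs plus 4096 on Vista+) to put an account name next to a syscheck change on the same path. It assumes the flattened `WinEvtLog: Security: AUDIT_SUCCESS(<id>): ...` line form the OSSEC Windows agent emits and the constructed sample lines below; 4660 (object deleted) carries only a Handle ID, so it is resolved through the earlier open event for that handle.

```python
import re
from datetime import datetime, timedelta

# Legacy (Windows 2003) object-access event IDs and their Vista+ equivalents (+4096), as in the thread.
LEGACY_TO_VISTA = {560: 4656, 562: 4658, 563: 4659, 564: 4660, 567: 4663}
TS_FMT = "%Y %b %d %H:%M:%S"
# Constructed sample lines (an assumption, not a captured log) in the flattened
# "WinEvtLog: Security: AUDIT_SUCCESS(<id>): ..." form the OSSEC Windows agent emits.
SAMPLE_LOG = [
    "2012 Sep 25 10:40:01 WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: FS01: An attempt was made to access an object. Subject: Account Name: alice Account Domain: CORP Object: Object Type: File Object Name: C:\\Data\\report.docx Handle ID: 0x1a4 Accesses: WriteData",
    "2012 Sep 25 10:40:02 WinEvtLog: Security: AUDIT_SUCCESS(4659): Microsoft-Windows-Security-Auditing: (no user): no domain: FS01: A handle to an object was requested with intent to delete. Subject: Account Name: bob Account Domain: CORP Object: Object Type: File Object Name: C:\\Data\\old.log Handle ID: 0x2b8",
    "2012 Sep 25 10:40:03 WinEvtLog: Security: AUDIT_SUCCESS(4660): Microsoft-Windows-Security-Auditing: (no user): no domain: FS01: An object was deleted. Subject: Account Name: bob Account Domain: CORP Object: Handle ID: 0x2b8",
    "2012 Sep 25 10:40:04 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: FS01: An account was successfully logged on. Subject: Account Name: carol",
]
LINE_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: Security: \w+\((?P<id>\d+)\)")
FIELD_RE = {
    "user": re.compile(r"Subject:.*?Account Name: (\S+)"),
    "object": re.compile(r"Object Name: (.+?) Handle ID:"),
    "handle": re.compile(r"Handle ID: (0x[0-9a-fA-F]+)"),
}

def parse_object_events(lines):
    """Return the object-access events among `lines`, legacy IDs normalised to Vista+."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        event_id = LEGACY_TO_VISTA.get(int(m.group("id")), int(m.group("id")))
        if event_id not in LEGACY_TO_VISTA.values():
            continue  # not object access (e.g. 4624 logon): nothing to attribute a file change to
        ev = {"time": datetime.strptime(m.group("ts"), TS_FMT), "id": event_id}
        for key, rx in FIELD_RE.items():
            fm = rx.search(line)
            ev[key] = fm.group(1) if fm else None
        events.append(ev)
    return events

def attribute_change(path, syscheck_ts, lines, window_seconds=30):
    """Account whose audit event touched `path` within the window around a syscheck event, else None.
    4660 (deleted) carries only a Handle ID, so it is resolved via the earlier 4656/4659 open."""
    when, window = datetime.strptime(syscheck_ts, TS_FMT), timedelta(seconds=window_seconds)
    handle_to_path = {}
    for ev in parse_object_events(lines):
        if ev["object"] and ev["handle"]:
            handle_to_path[ev["handle"]] = ev["object"]
        target = ev["object"] or handle_to_path.get(ev["handle"])
        if target and target.lower() == path.lower() and abs(ev["time"] - when) <= window:
            return ev["user"]
    return None
```

The window matters on multi-user hosts, as the thread notes: a wide window will attribute a change to whoever touched the path most recently, so keep it tight and treat the result as a hint to investigate rather than proof.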
