Andreas, I am not a QSA, but have worked with enough to know that there has to be reasonable control. Log integrity can be ensured in several ways.

1. Send logs in real time to a third party for archiving.
2. Write logs in real time to a MySQL archive table.
3. Add rules to generate email alerts on agent restart and monitor OSSEC configuration files for change.

The reasonable precaution is also ensuring that only Information Security has access to the logs that are outside the monitored system. The key is to think of every previous event as untrusted on the monitored system.

Regards
Ash Kumar
On Wednesday, September 19, 2012 6:59:37 AM UTC-4, Andreas Lang wrote:
> Hello,
>
> We have some questions regarding analysing log files with OSSEC referring to the log file requirements in PCI-DSS 10.5.5.
>
> PCI DSS 10.5.5.:
> *Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).*
>
> To cover this issue we wanted to enable real-time monitoring on our log file directories. Unfortunately we are getting this error:
> Ignoring flag for real time monitoring on directory: '/data/'
>
> Our servers are based on Ubuntu 10.04, 11.04 and 11.10, all x64 systems. We are using OSSEC 2.5 for clients and server. I know that for real-time monitoring the tool inotify-tools must be installed, but unfortunately this didn't resolve the issue.
> Do you have any suggestions how we can make the real-time monitoring of growing log files work correctly?
>
> Thank you very much in advance
>
> Regards.
>
> Andreas Lang
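Added example, not code from either poster or from OSSEC: a minimal append-only integrity check in Python that implements the PCI DSS 10.5.5 distinction quoted above, raising a verdict when bytes already seen are altered or truncated while treating pure growth as benign. The log lines are constructed samples and the file path in `check_file` is whatever the caller supplies.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LogState:
    """Baseline for one growing log: bytes seen so far and their SHA-256."""
    length: int
    digest: str


def baseline(content: bytes) -> LogState:
    """Record the current file content as the trusted prefix."""
    return LogState(len(content), hashlib.sha256(content).hexdigest())


def check(state: LogState, content: bytes) -> Tuple[str, LogState]:
    """Compare current content against the baseline.

    Returns (verdict, new_state). 'appended' and 'unchanged' are benign;
    'modified' and 'truncated' are the cases 10.5.5 expects an alert on.
    """
    if len(content) < state.length:
        return "truncated", state            # log shrank: existing data lost
    prefix = hashlib.sha256(content[:state.length]).hexdigest()
    if prefix != state.digest:
        return "modified", state             # previously written bytes changed
    if len(content) == state.length:
        return "unchanged", state
    return "appended", baseline(content)     # growth only: advance baseline


def check_file(state: LogState, path: str) -> Tuple[str, LogState]:
    """Convenience wrapper for a real log file on disk."""
    with open(path, "rb") as fh:
        return check(state, fh.read())


# Constructed sample log content (not real host data).
ORIGINAL = b"Sep 19 06:59:37 host sshd[1]: Accepted publickey for ops\n"
NEW_LINE = b"Sep 19 07:00:01 host sudo: session opened for ops\n"


def demo() -> List[str]:
    """Walk one baseline through append, in-place edit, and truncation."""
    s0 = baseline(ORIGINAL)
    v_append, s1 = check(s0, ORIGINAL + NEW_LINE)
    v_modify, _ = check(s1, ORIGINAL.replace(b"Accepted", b"Rejected") + NEW_LINE)
    v_trunc, _ = check(s1, ORIGINAL)             # second line removed
    return [v_append, v_modify, v_trunc]
```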
