> On Dec 12, 2012 2:58 AM, "Vaclav Adamec" <[email protected]> wrote:
> >
> > Hello,
> > is there any chance to configure OSSEC to make every log only appendable?
> > E.g. set up automatically chattr -a for active logs and chattr -i for
> > archive? Because then if I remove CAP_LINUX_IMMUTABLE rights for root
> > (until reboot) maybe I could cover more items in PCI scope. Thanks for any
> > advice/suggestions
> >
> > Vasek
>
> There's no option in ossec to do that. But you don't need ossec to do
> that, most unixy systems provide those capabilities.
>
I can do it on the system level, but that means another process which will check and make the change. If the ossec process does that alone, then it looks better for auditors.
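
A system-level check of the kind discussed above, as an added example that is not part of the thread and not OSSEC code: it reads `lsattr` output and the `CapBnd` line of `/proc/<pid>/status`, then reports logs lacking the append-only (`a`) or immutable (`i`) attribute and whether CAP_LINUX_IMMUTABLE is still in the bounding set. The sample paths and data are constructed, and treating `.gz` files as archives is an assumption.

```python
import re

CAP_LINUX_IMMUTABLE = 9  # bit number from linux/capability.h

# Constructed sample data, not taken from the thread.
SAMPLE_LSATTR = """\
-----a--------e---- /var/ossec/logs/alerts/alerts.log
-------------e---- /var/ossec/logs/ossec.log
----i---------e---- /var/ossec/logs/alerts/2012/Dec/ossec-alerts-11.log.gz
-------------e---- /var/ossec/logs/alerts/2012/Dec/ossec-alerts-10.log.gz
"""
SAMPLE_STATUS = "Name:\tbash\nCapBnd:\t0000001fffffffff\n"

def parse_lsattr(text):
    """Map each path in `lsattr` output to the set of attribute letters set on it."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            flags, path = parts
            attrs[path] = set(flags) - {"-"}
    return attrs

def is_archive(path):
    # Assumption: rotated, compressed logs are the "archive" set.
    return path.endswith(".gz")

def audit_logs(lsattr_text):
    """Return (path, problem) for every log missing its expected attribute."""
    findings = []
    for path, flags in sorted(parse_lsattr(lsattr_text).items()):
        want = "i" if is_archive(path) else "a"
        if want not in flags:
            findings.append((path, f"missing +{want}"))
    return findings

def immutable_cap_in_bounding_set(status_text):
    """True if CAP_LINUX_IMMUTABLE can still be used by this process tree."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line found")
    return bool((int(m.group(1), 16) >> CAP_LINUX_IMMUTABLE) & 1)

if __name__ == "__main__":
    for path, problem in audit_logs(SAMPLE_LSATTR):
        print(f"{path}: {problem}")
    if immutable_cap_in_bounding_set(SAMPLE_STATUS):
        print("CAP_LINUX_IMMUTABLE still available: attributes can be cleared")
```

On a live host the inputs would come from `lsattr` run over the log directory and from `/proc/1/status`.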
