I was thinking about something like this, it's quite stupid but better than nothing. What do you think?

<active-response>
  <command>chattr -R +a /var/ossec/logs/</command>
  <location>local</location>
  <rules_id>200000</rules_id>
</active-response>

<rule id="200000" level="0">
  <if_sid>550</if_sid>
  <match>/var/ossec/logs/*</match>
  <description>Logs immutable rights setup</description>
</rule>

On Wednesday, 12 December 2012 09:05:54 UTC+1, dan (ddpbsd) wrote:
>
> On Dec 12, 2012 2:58 AM, "Vaclav Adamec" wrote:
> >
> > Hello,
> > is there any chance to configure OSSEC to make every log only appendable? E.g. set up automatically chattr -a for active logs and chattr -i for archives? Because then, if I remove CAP_LINUX_IMMUTABLE rights for root (until reboot), maybe I could cover more items in PCI scope. Thanks for any advice/suggestions.
> >
> > Vasek
>
> There's no option in ossec to do that. But you don't need ossec to do that, most unixy systems provide those capabilities.
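The idea the thread is circling (append-only for the logs OSSEC is still writing, immutable for rotated ones) can be done outside OSSEC with a short script, as dan suggests. The script below is an added example, not code from the thread or from the OSSEC project. It assumes the stock log layout under /var/ossec/logs, where OSSEC rotates into per-year/month directories such as alerts/2012/Dec/ossec-alerts-12.log (that layout is an assumption here); anything inside such a YYYY/ directory or ending in .gz is treated as archived. Both chattr flags require CAP_LINUX_IMMUTABLE and a filesystem with attribute support, so the script verifies each flag with lsattr rather than trusting chattr's exit status alone, and it runs as a dry run unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not from the thread or from OSSEC): choose a chattr flag for
# every file under the OSSEC log tree, then apply and verify it.
#   active logs  (alerts.log, archives.log, ossec.log, ...)  -> +a (append-only)
#   rotated logs (YYYY/Mon/ossec-*-DD.log, *.gz)              -> +i (immutable)
# Assumed layout: /var/ossec/logs/<kind>/<YYYY>/<Mon>/ossec-<kind>-<DD>.log
# Needs root with CAP_LINUX_IMMUTABLE and an ext2/3/4-style filesystem.

classify_log() {
  # classify_log PATH -> "immutable" for rotated logs, "append" for active ones
  case "$1" in
    */[0-9][0-9][0-9][0-9]/*) echo immutable ;;   # inside a YYYY/ rotation dir
    *.gz)                     echo immutable ;;   # compressed rotation
    *)                        echo append ;;      # still being written by OSSEC
  esac
}

attr_flag() {
  # attr_flag PATH -> the chattr argument for that file ("+a" or "+i")
  if [ "$(classify_log "$1")" = immutable ]; then
    echo +i
  else
    echo +a
  fi
}

apply_attrs() {
  # apply_attrs DIR: dry run (prints the chattr commands) unless APPLY=1,
  # in which case each flag is set and then read back with lsattr.
  dir="${1:-/var/ossec/logs}"
  find "$dir" -type f | while IFS= read -r f; do
    flag=$(attr_flag "$f")
    if [ "${APPLY:-0}" = 1 ]; then
      chattr "$flag" "$f" || { echo "FAIL: chattr $flag $f" >&2; continue; }
      # lsattr's first field is the attribute letters; the flag letter must be in it
      case "$(lsattr "$f" | cut -d' ' -f1)" in
        *"${flag#+}"*) ;;
        *) echo "WARN: $flag not visible on $f" >&2 ;;
      esac
    else
      echo "chattr $flag $f"
    fi
  done
}

# Only act when handed an absolute directory path; OSSEC's active-response
# arguments (add/delete, user, srcip, ...) would not match this pattern.
case "${1:-}" in
  /*) apply_attrs "$1" ;;
esac
```

Run it as `./logattrs.sh /var/ossec/logs` to see what would change and `APPLY=1 ./logattrs.sh /var/ossec/logs` to do it, typically from cron after OSSEC's daily rotation. Two caveats for wiring this into the config posted above: in OSSEC the `<command>` element of an `<active-response>` names a `<command>` block in ossec.conf whose `<executable>` lives in active-response/bin, so a shell line cannot go there directly, and a level 0 rule generates no alert, so nothing would fire an active response from it. The flags also only bind as long as root cannot clear them, which is the CAP_LINUX_IMMUTABLE point raised in the original question.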
