Sorry, that's probably better:
<command>
<name>immutable</name>
<executable>immutable.sh</executable> <!-- this script calls chattr -->
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>immutable</command>
<location>local</location>
<rules_id>510010</rules_id>
<timeout>600</timeout>
</active-response>
<rule id="200000" level="0">
<if_sid>550</if_sid>
<match>/var/ossec/logs/*</match>
<description>Logs immutable rights setup</description>
</rule>
On Wednesday, December 12, 2012 9:27:41 UTC+1 Vaclav Adamec wrote:
>
> I was thinking about something like this, it's quite stupid but better
> than nothing. What do you think?
>
> <active-response>
> <command>chattr -R +a /var/ossec/logs/</command>
> <location>local</location>
> <rules_id>200000</rules_id>
> </active-response>
>
> <rule id="200000" level="0">
> <if_sid>550</if_sid>
> <match>/var/ossec/logs/*</match>
> <description>Logs immutable rights setup</description>
> </rule>
>
> On Wednesday, December 12, 2012 9:05:54 UTC+1 dan (ddpbsd) wrote:
>>
>>
>> On Dec 12, 2012 2:58 AM, "Vaclav Adamec" <[email protected]> wrote:
>> >
>> > Hello,
>> > is there any chance to configure OSSEC to make every log only
>> > appendable? E.g. set up automatically chattr -a for active logs and chattr
>> > -i for archive? Because then, if I remove CAP_LINUX_IMMUTABLE rights for
>> > root (until reboot), maybe I could cover more items in PCI scope. Thanks for
>> > any advice/suggestions
>> >
>> > Vasek
>>
>> There's no option in ossec to do that. But you don't need ossec to do
>> that, most unixy systems provide those capabilities.
>>
>
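The thread ends without showing what immutable.sh does. Below is an added example of such an active-response script; it is not Vaclav's script and not part of OSSEC. It assumes the standard active-response argument order (`immutable.sh <add|delete> <user> <srcip> <alert-id> <rule-id> ...`), the default log tree /var/ossec/logs, and a naming policy in which compressed logs and their .sum checksums count as "archive" (made immutable with +i) while everything else counts as "active" (made append-only with +a). It also checks the point raised in the first message: whether CAP_LINUX_IMMUTABLE (capability bit 9) is still in the caller's bounding set, because as long as it is, anyone who becomes root can simply run chattr -a/-i again.

```shell
#!/bin/bash
# immutable.sh - example OSSEC active-response script (added here, not from the
# thread). Makes the OSSEC log tree tamper-evident with chattr.
# Assumptions not in the original post: OSSEC calls it as
#   immutable.sh <add|delete> <user> <srcip> <alert-id> <rule-id> ...
# the log tree is /var/ossec/logs, and "archive" means a compressed or
# checksum file. Set DRY_RUN=1 to print the chattr commands instead of running them.

LOG_ROOT="${LOG_ROOT:-/var/ossec/logs}"

# CAP_LINUX_IMMUTABLE is capability bit 9 (linux/capability.h).
CAP_LINUX_IMMUTABLE=9

# cap_in_mask <hex-mask> <bit>: succeed if <bit> is set in a capability mask in
# the format /proc/<pid>/status prints for CapBnd/CapEff, e.g. 000001ffffffffff.
cap_in_mask() {
    local mask="$1" bit="$2"
    [ $(( 0x$mask >> bit & 1 )) -eq 1 ]
}

# root_can_clear_attrs: succeed if this process's bounding set still carries
# CAP_LINUX_IMMUTABLE. While it does, +a/+i only stop accidents, not root.
root_can_clear_attrs() {
    local mask
    mask=$(awk '/^CapBnd:/ { print $2 }' /proc/self/status)
    cap_in_mask "$mask" "$CAP_LINUX_IMMUTABLE"
}

# attr_for <path>: the chattr flag for one log file. Finished archives
# (compressed logs and their .sum checksums) become immutable; anything else is
# assumed to still be written to and becomes append-only. Policy assumption.
attr_for() {
    case "$1" in
        *.gz|*.bz2|*.xz|*.sum) echo "+i" ;;
        *)                     echo "+a" ;;
    esac
}

# apply_attrs <dir>: apply attr_for to every regular file under <dir>.
# Directories are deliberately skipped: +a on a directory also forbids
# unlink/rename inside it, which log rotation needs.
apply_attrs() {
    local root="$1" f flag
    find "$root" -type f | while IFS= read -r f; do
        flag=$(attr_for "$f")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "chattr $flag $f"
        else
            chattr "$flag" "$f"
        fi
    done
}

# main <add|delete> ...: entry point OSSEC calls. The "delete" call that OSSEC
# makes when <timeout> expires is a no-op on purpose; reverting the attributes
# would defeat the response.
main() {
    case "$1" in
        add)
            if root_can_clear_attrs; then
                echo "$0: warning: CAP_LINUX_IMMUTABLE still in bounding set;" \
                     "root can undo these attributes" >&2
            fi
            apply_attrs "$LOG_ROOT"
            ;;
        delete) : ;;
        *) echo "usage: $0 add|delete [ossec active-response args]" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two caveats before relying on this. First, an append-only file cannot be unlinked or renamed either, so the midnight rotation that moves alerts.log under alerts/YYYY/Mon/ will fail unless the attribute is cleared first, which is exactly what dropping CAP_LINUX_IMMUTABLE from the bounding set prevents; test rotation before and after dropping the capability. Second, the `<timeout>600</timeout>` in the configuration above makes OSSEC call the script again with `delete` after ten minutes; the script treats that as a no-op, since undoing the attributes on a timer would be pointless for this response. The script needs nothing from the alert itself, so no `<expect>` field is required for it to run.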