Thank you Michael. Adding or removing a member of the administrator's group worked perfectly. And I am sure with files constantly changing in the Windows\System32 directory, it would be nearly impossible to put in all the exclusions to make it work reliably. Is there another simple test that a novice like me could run to show a different Ossec capability? Maybe a Windows Registry change or some other system change?
On Monday, August 12, 2013 7:02:38 PM UTC-7, Michael Starks wrote:
> On 08/12/2013 05:23 PM, Doug Kelly wrote:
> > I am sorry Michael but I need another push to get me going. You suggested to "show an alert that happens when someone modifies the administrator's group". My agent is on a Windows 7 machine and I have tried changing a couple of administrator policies using gpedit.exe. I have also changed or deleted the administrator's password. It seems that if an alert is generated with either of these actions it is a "Windows Logon Success". This doesn't help me much. Do I need to create or change a rule to generate an alert that is more descriptive?
>
> Did you actually add or remove a member of the administrator's group? It's as simple as that. Rule 18217 should fire.
>
> > It seems to me that Ossec should be able to alert on an added, modified, or deleted file in the Windows\System32 directory and also alert on a change in administrator policies without a configuration change.
>
> The syscheck configuration is intentionally lean to avoid floods of alerts. If you can come up with a good policy for System32 that isn't too chatty, then by all means please share. Any time I have tried it I have had to add too many exclusions to make it worthwhile.
>
> > If there is a configuration modification that has to be made, it must be simpler than I am making it out to be. Do I need to add <directories check_all="yes">%WINDIR%</directories> to the agent's ossec.conf to make Ossec check the system32 directory? I thought it was supposed to do that anyway.
>
> Remember, OSSEC is an open source project and we depend on intel and contributions from the user community. We're definitely open to improving the syscheck rules. Try something out and let us know how it goes.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
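An added illustration of the configuration the exchange above talks about (not from the thread and not the OSSEC project's shipped ossec.conf): a Windows-agent syscheck fragment that contrasts the whole-%WINDIR% entry from the quoted question with a narrower System32 entry plus ignore lists, and adds a registry entry for the follow-up "Windows Registry change" question. The ignore paths, the regex pattern and the registry keys are assumed, chosen as typical high-churn or high-value locations, not a tested exclusion list.

```xml
<!-- Added illustration, not the thread's or the OSSEC project's own config.
     Drop-in replacement for the <syscheck> block in a Windows agent's ossec.conf.
     All paths and keys below are assumed/illustrative, not a validated list. -->
<syscheck>
  <!-- Scan interval in seconds; scanning all of %WINDIR% this often is what floods alerts -->
  <frequency>7200</frequency>

  <!-- Too broad: every file under %WINDIR%, including constantly churning logs and caches -->
  <!-- <directories check_all="yes">%WINDIR%</directories> -->

  <!-- Narrower: System32 only, with the subtrees that change on every boot ignored -->
  <directories check_all="yes">%WINDIR%/System32</directories>
  <ignore>%WINDIR%/System32/LogFiles</ignore>
  <ignore>%WINDIR%/System32/config</ignore>
  <ignore>%WINDIR%/System32/winevt/Logs</ignore>
  <ignore>%WINDIR%/System32/wbem/Logs</ignore>
  <ignore>%WINDIR%/System32/wbem/Repository</ignore>
  <ignore>%WINDIR%/System32/spool</ignore>
  <ignore>%WINDIR%/System32/CatRoot</ignore>
  <ignore>%WINDIR%/System32/CatRoot2</ignore>

  <!-- type="sret" makes the entry a simple regex: skip log, temp and trace files anywhere in the tree -->
  <ignore type="sret">\.log$|\.tmp$|\.etl$</ignore>

  <!-- Registry monitoring: the autorun keys are small and rarely change,
       so a modification here is a change worth alerting on (assumed key names) -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
</syscheck>
```

After the agent is restarted, adding or removing a value under one of the monitored Run keys should appear as a syscheck registry change on the next scan, which gives a second simple test beside the group-membership one the thread already uses.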
