By default, the agent.conf file already meets a lot of the requirements for FIM 
(Requirement 11) for PCI DSS V3.0.

For example: 
- Req 11.5.a: Syscheck needs to run at least once a week, and the OSSEC 
default is, I believe, every 20 hours?

- Req 11.5b (Alerts of unauthorized modifications): To satisfy this 
requirement, make sure you have email alerts set up to go to you or your IT 
admins.

- Req 10.5.5 (Use file-integrity monitoring or change-detection software on 
logs to ensure that existing log data cannot be changed without generating 
alerts): 
        If OSSEC is your centralized logging solution, we need to verify the 
following configuration items in the ossec.conf:
                 - <directories realtime="yes" check_all="yes">/var/ossec/logs</directories>
                 - <directories realtime="yes" check_all="yes">/var/ossec/etc/ossec.conf</directories>
                 Under <!-- Files/directories to ignore -->
                 - <ignore type="sregex">.log$|.tmp</ignore>

One thing you will need to do is add any other files that you think are 
critical to the system or business to the list of files to monitor in the 
agent.conf.

If you are looking to use OSSEC to satisfy your Centralized logging 
requirements (Requirement 10) then there is another list of things to be done 
as well.

Nick
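
Since the question is which agent.conf settings cover the PCI items, here is an 
added example (not part of either post, and not OSSEC project code) that parses 
a <syscheck> block and checks it against the points listed above: scan 
frequency within a week (11.5), the OSSEC log directory under a monitored 
<directories> entry (10.5.5), and whether any <ignore> entry would match files 
under that directory, since ignore entries apply to every monitored path. It 
also checks alert_new_files as one reading of the "additions" wording in 11.5. 
The two sample configs, the example log file paths, the default-frequency 
constant and the simplified sregex matcher are my assumptions, not taken from 
the thread.

```python
"""Added example (not code from the original posts or from OSSEC): check the
<syscheck> block of an agent.conf or ossec.conf against the PCI DSS v3.0
points discussed in the thread (Req 11.5: FIM at least weekly, alert on
changes and additions; Req 10.5.5: FIM on the log data). The sample configs
and log paths below are constructed for the example."""
import xml.etree.ElementTree as ET

WEEK_SECONDS = 7 * 24 * 3600
DEFAULT_FREQUENCY = 79200  # assumed OSSEC default when <frequency> is absent (22 h)
OSSEC_LOG_DIR = "/var/ossec/logs"
# Constructed examples of files OSSEC keeps under its log directory; used to
# test whether an <ignore> entry would silently drop them from monitoring.
SAMPLE_LOG_FILES = [
    "/var/ossec/logs/ossec.log",
    "/var/ossec/logs/alerts/alerts.log",
    "/var/ossec/logs/alerts/2014/May/ossec-alerts-28.log",
]

# Constructed agent.conf with the settings from the thread, including the
# <ignore> line quoted there.
SAMPLE_CONF = """<agent_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <directories realtime="yes" check_all="yes">/var/ossec/logs</directories>
    <directories realtime="yes" check_all="yes">/var/ossec/etc/ossec.conf</directories>
    <ignore type="sregex">.log$|.tmp</ignore>
  </syscheck>
</agent_config>"""

# Same, with new-file alerting on and an <ignore> list that cannot match
# anything under /var/ossec/logs.
HARDENED_CONF = """<agent_config>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <directories realtime="yes" check_all="yes">/var/ossec/logs</directories>
    <directories realtime="yes" check_all="yes">/var/ossec/etc/ossec.conf</directories>
    <ignore type="sregex">.swp$|.tmp$</ignore>
    <ignore>/var/ossec/queue</ignore>
  </syscheck>
</agent_config>"""


def sregex_match(pattern, text):
    """Approximation of OSSEC's type="sregex" (os_match) rules: '|' separates
    alternatives, '^' anchors the start, '$' anchors the end, everything else
    is literal, and an unanchored alternative matches anywhere in the string.
    The '!' negation prefix is not modelled."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        body = alt[(1 if start else 0):(len(alt) - 1 if end else len(alt))]
        if start and end:
            hit = text == body
        elif start:
            hit = text.startswith(body)
        elif end:
            hit = text.endswith(body)
        else:
            hit = body in text
        if hit:
            return True
    return False


def ignore_matches(pattern, kind, path):
    """A plain <ignore> is treated as a case-insensitive path prefix (my reading
    of OSSEC's syscheck); type="sregex" goes through sregex_match()."""
    if kind == "sregex":
        return sregex_match(pattern, path)
    return path.lower().startswith(pattern.lower())


def parse_syscheck(xml_text):
    """Pull frequency, monitored directories (with their attributes), ignore
    entries and alert_new_files out of the first <syscheck> block."""
    sc = ET.fromstring(xml_text).find(".//syscheck")
    if sc is None:
        raise ValueError("no <syscheck> block found")
    freq = sc.findtext("frequency")
    dirs = []
    for d in sc.findall("directories"):  # OSSEC allows comma-separated paths
        dirs += [(p.strip(), dict(d.attrib)) for p in (d.text or "").split(",") if p.strip()]
    return {
        "frequency": int(freq) if freq else DEFAULT_FREQUENCY,
        "directories": dirs,
        "ignores": [((i.text or "").strip(), i.get("type", "")) for i in sc.findall("ignore")],
        "alert_new_files": (sc.findtext("alert_new_files") or "").strip().lower() == "yes",
    }


def check_pci(conf):
    """Return a list of (requirement, message) findings; empty means every check passed."""
    findings = []
    if conf["frequency"] > WEEK_SECONDS:
        findings.append(("11.5", "scan frequency %ds is longer than one week" % conf["frequency"]))
    if not conf["alert_new_files"]:
        findings.append(("11.5", "alert_new_files is not 'yes', so file additions are not alerted"))
    covering = [a for p, a in conf["directories"]
                if OSSEC_LOG_DIR == p or OSSEC_LOG_DIR.startswith(p.rstrip("/") + "/")]
    if not covering:
        findings.append(("10.5.5", OSSEC_LOG_DIR + " is not under any <directories> entry"))
    elif not any(a.get("realtime") == "yes" for a in covering):
        findings.append(("10.5.5", OSSEC_LOG_DIR + " is only checked on the periodic scan, not realtime"))
    # <ignore> entries apply to every monitored path, so a broad pattern can
    # quietly exclude the very logs 10.5.5 is about.
    for pattern, kind in conf["ignores"]:
        for f in SAMPLE_LOG_FILES:
            if ignore_matches(pattern, kind, f):
                findings.append(("10.5.5", "<ignore> '%s' excludes %s" % (pattern, f)))
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", check_pci(parse_syscheck(text)) or "no findings")
```

Run it as-is and the sample config comes back with findings: alert_new_files 
is unset, and the `.log$` alternative in the sregex ignore matches every one of 
the example files under /var/ossec/logs, so that directory would be listed but 
not actually watched. The hardened config returns no findings. To check a real 
deployment, feed the script your own agent.conf and replace SAMPLE_LOG_FILES 
with the paths your manager actually writes.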



-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Chris Hughes
Sent: Wednesday, May 28, 2014 8:31 AM
To: [email protected]
Subject: [ossec-list] Monitoring for PCI

Is there a specific set of rules for the agent.conf file that address PCI 
requirements?  I am looking to use OSSEC for the FIMS requirement as a start, 
and after I am comfortable with it, use it to augment my existing security 
toolbox.

Can anyone point me in the right direction to answer the PCI FIMS requirement 
with OSSEC?

Thank you

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
