Thanks for the response.

When you say "add any other critical files to the list of files to
monitor under the agent.conf", I do have an existing syslog server that
stores files on its local drive.  In order to monitor and alert based on
severity, can I simply add this to the agent.conf I push out to other agent
machines:

<agent_config name="syslog_server">
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files\Syslog\Logs</location>
  </localfile>
</agent_config>


I guess I might also be able to use the ossec.conf on the syslog server and
add:

  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files\Syslog\Logs</location>
  </localfile>


... or do I need to send the logs to the OSSEC server?



-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Nick Stephens
Sent: Wednesday, May 28, 2014 11:25 AM
To: [email protected]
Subject: RE: [ossec-list] Monitoring for PCI

By default, the agent.conf file already meets a lot of the requirements for
FIM (Requirement 11) for PCI DSS V3.0.

For example: 
- Req 11.5.a: Syscheck needs to run at least once a week minimal and the
OSSEC default is I believe every 20 hours?

- Req 11.5b (Alerts of unauthorized modifications): To satisfy this
requirement, make sure you have emailed alerts set to email you or your IT
admins.

- Req 10.5.5 (Use file-integrity monitoring or change-detection software on
logs to ensure that existing log data cannot be changed without generating
alerts):
        If OSSEC is your centralized logging solution, we need to verify the
following configuration items in the ossec.conf:
                 - <directories realtime="yes" check_all="yes">/var/ossec/logs</directories>
                 - <directories realtime="yes" check_all="yes">/var/ossec/etc/ossec.conf</directories>
                 Under <!-- Files/directories to ignore -->:
                 - <ignore type="sregex">.log$|.tmp</ignore>

One thing you will need to do is add any other critical files to the list of
files to monitor under the agent.conf that you think are critical to the
system or business.

If you are looking to use OSSEC to satisfy your Centralized logging
requirements (Requirement 10) then there is another list of things to be
done as well.

Nick
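The items Nick lists (syscheck frequency, the two <directories> entries with realtime and check_all, and the sregex ignore entry) and the agent.conf <localfile> profile from the reply above are easy to check mechanically before a config is pushed out. The script below is an added example for this thread, not part of OSSEC or of either poster's configuration. Both config fragments are constructed samples; the one-week ceiling for frequency follows Nick's reading of 11.5.a; the sample file name under /var/ossec/logs and the use of Python's re module to approximate OSSEC sregex are assumptions.

```python
"""Check OSSEC syscheck and agent.conf fragments against the PCI-related items
named in the thread. Example code added here; not OSSEC's own tooling."""
import re
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment mirroring the items Nick lists
SAMPLE_OSSEC_CONF = r"""
<ossec_config>
  <syscheck>
    <frequency>72000</frequency>
    <directories realtime="yes" check_all="yes">/var/ossec/logs</directories>
    <directories realtime="yes" check_all="yes">/var/ossec/etc/ossec.conf</directories>
    <directories check_all="yes">/etc,/usr/bin</directories>
    <!-- Files/directories to ignore -->
    <ignore type="sregex">.log$|.tmp</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed sample agent.conf profile (attribute value quoted, as XML requires)
SAMPLE_AGENT_CONF = r"""
<agent_config name="syslog_server">
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files\Syslog\Logs\syslog.txt</location>
  </localfile>
</agent_config>
"""

MAX_FREQUENCY = 7 * 24 * 3600  # 11.5.a: at least weekly, per the thread


def parse_ossec_xml(text):
    """OSSEC config files may contain several top-level elements, so wrap them."""
    return ET.fromstring("<root>" + text + "</root>")


def monitored_paths(root):
    """Map each path in a <directories> entry to that entry's attributes."""
    paths = {}
    for node in root.iter("directories"):
        for path in (node.text or "").split(","):
            if path.strip():
                paths[path.strip()] = dict(node.attrib)
    return paths


def check_syscheck(conf_text, log_dir="/var/ossec/logs",
                   conf_path="/var/ossec/etc/ossec.conf"):
    """Return a list of findings; an empty list means every item was satisfied."""
    root = parse_ossec_xml(conf_text)
    findings = []

    freq = root.find(".//syscheck/frequency")
    if freq is None or int(freq.text) > MAX_FREQUENCY:
        findings.append("syscheck frequency missing or longer than one week")

    paths = monitored_paths(root)
    for required in (log_dir, conf_path):
        attrs = paths.get(required)
        if attrs is None:
            findings.append(f"{required} is not in any <directories> entry")
            continue
        for attr in ("realtime", "check_all"):
            if attrs.get(attr) != "yes":
                findings.append(f"{required}: {attr} is not set to yes")

    # An ignore pattern that matches files under the log directory silences
    # exactly the alerts 10.5.5 asks for. sregex is approximated with Python
    # re here (assumption: close enough for simple patterns like the sample).
    probe = log_dir.rstrip("/") + "/alerts/alerts.log"  # constructed file name
    for node in root.iter("ignore"):
        if node.get("type") == "sregex" and re.search(node.text, probe):
            findings.append(f"ignore pattern {node.text!r} would exclude {probe}")
    return findings


def localfile_entries(agent_conf_text):
    """Return (profile, log_format, location) for each <localfile> in agent.conf."""
    root = parse_ossec_xml(agent_conf_text)
    entries = []
    for profile in root.iter("agent_config"):
        for lf in profile.iter("localfile"):
            entries.append((profile.get("name"),
                            lf.findtext("log_format"),
                            lf.findtext("location")))
    return entries


if __name__ == "__main__":
    for finding in check_syscheck(SAMPLE_OSSEC_CONF):
        print("FINDING:", finding)
    for entry in localfile_entries(SAMPLE_AGENT_CONF):
        print("localfile:", entry)
```

Run against the sample, the directory and frequency items pass and the script reports one finding: the sample ignore pattern also matches .log files under /var/ossec/logs, so changes to those files would not raise alerts. Whether that exclusion is intended is a policy decision, which is why the script reports it rather than rewriting the config.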



-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Chris Hughes
Sent: Wednesday, May 28, 2014 8:31 AM
To: [email protected]
Subject: [ossec-list] Monitoring for PCI

Is there a specific set of rules for the agent.conf file that address PCI
requirements?  I am looking to use OSSEC for the FIMS requirement as a
start, and after I am comfortable with it, use it to augment my existing
security toolbox.

Can anyone point me in the right direction to answer the PCI FIMS
requirement with OSSEC?

Thank you

-- 

--- 
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
