Hello list, I have several syscheck rules activated with report_changes="yes" . Sometimes changes could disclose passwords or other sensitive information for example for /etc/passwd or other configuration files.
It is really useful to me seeing the changes made instead of just knowing that the text file has changed. Do you have any idea how to sanitize / avoid password information in those cases? ** *Alert* *1422454723.8087643:* *mail* *-* *ossec*,*syscheck*,*2015* *Jan* *28* *15:18:43* (*agent)* *IP_xxx -*>*syscheck**Rule:* *552* (*level* *7*) *-*> '*Integrity* *checksum* *changed* *again* (*3rd* *time*)*.*'*Integrity* *checksum* *changed* *for:* '*/opt/application/tomcat/conf/Catalina/localhost/otl.xml*'*[...]* > *jdbcUrl=*"*jdbc:oracle:thin:@soraclerac.rac.int/scproca*" > *driverClass=*"*oracle.jdbc.driver.OracleDriver*" > *user=*"*DB_CD_PRO*" > *password=*"*[PASSWORD]*" [...] Regards -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
