[ossec-list] Re: how to get an alert. the user, whom modified a file

Wed, 11 Apr 2018 08:14:29 -0700 

Sure thing. There are three steps involved:

1. Enable Windows Audit Policy for File System Objects
2. Configure the server's audit policy appropriately for the files and/or 
directories that need to be watched
3. Configure custom rules in OSSEC to trigger on file add/change/delete 
events

I attached a Word doc that contains the details that I copied/pasted from 
my own OSSEC procedures.  Once completed and assuming you have email 
notifications enabled, you'll see real-time email alerts like this, which 
will give you the user account name:

OSSEC HIDS Notification.
2018 Apr 11 09:57:22


Received From: ([SERVER]) any->WinEvtLog
Rule: 100221 fired (level 7) -> "FIM: Audited file has been DELETED."
User: [USER_ACCOUNT]
Portion of the log(s):


2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): Microsoft-
Windows-Security-Auditing: (no user): no domain: [SERVEDR]: A handle to an 
object was requested with intent to delete. Subject:  Security ID:  [SID]  
Account Name:  [USER_ACCOUNT]  Account Domain:  [DOMAIN]  Logon ID:  
0xa4dbac32  Object:  Object Server: Security  Object Type: File  Object Name
: [FULL_PATH_AND_FILE_NAME]  Handle ID: 0x0  Process Information:  Process 
ID: 0x4  Access Request Information:  Transaction ID: {00000000-0000-0000-
0000-000000000000}  Accesses: %%1537      %%4423        Access Mask: 0x10080 
 Privileges Used for Access Check: -


Hope that works for what you need!

- Bruce


On Wednesday, April 11, 2018 at 10:27:17 AM UTC-4, 
dee...@information-secure.com wrote:
>
>
> Yes Bruce,
> this is for windows agent. can u let me know about that.
>
> - Deepak.
>
> On Wednesday, April 11, 2018 at 7:52:35 PM UTC+5:30, Bruce Westbrook wrote:
>>
>> Is this for a Windows agent or Linux agent?  
>>
>> If Windows I can let you know what I've done to accomplish this, which 
>> doesn't use OSSEC sycheck but rather a combination of Windows File Auditing 
>> and customized OSSEC rules.
>>
>> - Bruce
>>
>>
>> On Wednesday, April 11, 2018 at 10:18:10 AM UTC-4, 
>> dee...@information-secure.com wrote:
>>>
>>> I'm using OSSEC HIDS
>>>
>>> from this i'm getting the alerts based on all events. but, i need to 
>>> know a *user whom modified the specific file*.
>>> is this possible? 
>>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Attachment: File Integrity Monitoring -- SANITIZED.docx
Description: MS-Word 2007 document

Reply via email to