Hello All

I was wondering, by chance, does anyone have something like this for Linux? If they do, please can you share the config? Thank you in advance.

Respectfully Yours
Charles McKee
DecisivEdge, LLC

From: [email protected] [mailto:[email protected]] On Behalf Of Bruce Westbrook
Sent: Wednesday, April 11, 2018 11:14 AM
To: ossec-list <[email protected]>
Subject: [ossec-list] Re: how to get an alert. the user, whom modified a file

Sure thing. There are three steps involved:

1. Enable Windows Audit Policy for File System Objects
2. Configure the server's audit policy appropriately for the files and/or directories that need to be watched
3. Configure custom rules in OSSEC to trigger on file add/change/delete events

I attached a Word doc that contains the details that I copied/pasted from my own OSSEC procedures. Once completed, and assuming you have email notifications enabled, you'll see real-time email alerts like this, which will give you the user account name:

OSSEC HIDS Notification.
2018 Apr 11 09:57:22

Received From: ([SERVER]) any->WinEvtLog
Rule: 100221 fired (level 7) -> "FIM: Audited file has been DELETED."
User: [USER_ACCOUNT]
Portion of the log(s):

2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): Microsoft-Windows-Security-Auditing: (no user): no domain: [SERVER]: A handle to an object was requested with intent to delete.
Subject:
  Security ID: [SID]
  Account Name: [USER_ACCOUNT]
  Account Domain: [DOMAIN]
  Logon ID: 0xa4dbac32
Object:
  Object Server: Security
  Object Type: File
  Object Name: [FULL_PATH_AND_FILE_NAME]
  Handle ID: 0x0
Process Information:
  Process ID: 0x4
Access Request Information:
  Transaction ID: {00000000-0000-0000-0000-000000000000}
  Accesses: %%1537 %%4423
  Access Mask: 0x10080
  Privileges Used for Access Check: -

Hope that works for what you need!

- Bruce

On Wednesday, April 11, 2018 at 10:27:17 AM UTC-4, [email protected] wrote:

Yes Bruce, this is for the Windows agent. Can you let me know about that?

- Deepak.

On Wednesday, April 11, 2018 at 7:52:35 PM UTC+5:30, Bruce Westbrook wrote:

Is this for a Windows agent or a Linux agent? If Windows, I can let you know what I've done to accomplish this, which doesn't use OSSEC syscheck but rather a combination of Windows File Auditing and customized OSSEC rules.

- Bruce

On Wednesday, April 11, 2018 at 10:18:10 AM UTC-4, [email protected] wrote:

I'm using OSSEC HIDS, and from this I'm getting alerts for all events. But I need to know the *user who modified the specific file*. Is this possible?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
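The Word doc Bruce refers to is not on this page, so the following is an added example of what step 3 of his procedure looks like in an OSSEC local_rules.xml, written here as an illustration and not taken from Bruce's attachment or from the OSSEC project. It keeps rule 100221 and its "FIM: Audited file has been DELETED." description exactly as they appear in his sample alert; the other rule IDs (100220, 100223, 100224), the group name, and the choice of which 4663 access rights count as a "modify" are assumptions. It relies on two things that are true of a stock OSSEC install: the Windows event-log decoder populates the `id` field with the event ID, and rule 18100 is the parent of all Windows event-log records, so custom rules hang off it with `<if_sid>`. The access-right codes are the ones Windows itself writes into 4659/4663 events: %%1537 is DELETE (as in the sample), %%4417 WriteData, %%4418 AppendData and %%4424 WriteAttributes.

```xml
<!-- Added example: local_rules.xml fragment alerting on audited
     file-system object events forwarded by the OSSEC Windows agent.
     Rule IDs other than 100221, and the group name, are assumptions. -->
<group name="windows,file_audit,">

  <!-- Parent: a Windows Security event (18100) whose event ID is one of
       the object-access IDs and whose audited object is a file.
       \s+ absorbs the tabs/spaces the agent leaves between label and value
       when it flattens the multi-line event into one log record. -->
  <rule id="100220" level="0">
    <if_sid>18100</if_sid>
    <id>^4659$|^4663$|^4670$</id>
    <regex>Object Type:\s+File</regex>
    <description>Windows file-system object audit event (grouped)</description>
  </rule>

  <!-- 4659: a handle was requested with intent to delete.
       This is the rule and message from the sample alert above. -->
  <rule id="100221" level="7">
    <if_sid>100220</if_sid>
    <id>^4659$</id>
    <description>FIM: Audited file has been DELETED.</description>
  </rule>

  <!-- 4663 carrying a write right in its Accesses list.
       <match> is a substring test; | is OSSEC's OR. -->
  <rule id="100223" level="7">
    <if_sid>100220</if_sid>
    <id>^4663$</id>
    <match>%%4417|%%4418|%%4424</match>
    <description>FIM: Audited file has been MODIFIED.</description>
  </rule>

  <!-- 4670: DACL or owner changed on an audited file. -->
  <rule id="100224" level="8">
    <if_sid>100220</if_sid>
    <id>^4670$</id>
    <description>FIM: Permissions changed on audited file.</description>
  </rule>

</group>
```

Steps 1 and 2 of Bruce's procedure have to be in place before these rules see anything: the "File System" subcategory of Object Access auditing must be enabled on the server (for example with `auditpol /set /subcategory:"File System" /success:enable /failure:enable`), and the watched files or directories need an auditing (SACL) entry for the principals and access types of interest, otherwise Windows never writes 4659/4663 events for them. Two caveats worth knowing: 4659 records intent to delete at the time the handle is opened, not the completed deletion, and 4663 is emitted per handle, so a SACL that audits reads as well as writes on a busy directory will generate a great deal of volume that the level-0 parent rule above deliberately does not alert on.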
