Hi Dan,
This is what I have done so far.
<rule id="550" level="8">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <check_diff />
  <options>alert_by_email</options>
  <description>Integrity checksum changed.</description>
  <group>syscheck,</group>
</rule>
But still
Hi Dan,
So this is what I have in my rule configuration on OSSEC server side.
<rule id="550" level="8">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <check_diff />
  <options>alert_by_email</options>
  <description>Integrity checksum changed.</description>
Hello
I think the question is pretty self-explanatory, but let me elaborate:
regarding the PCI DSS requirement about File Integrity Monitoring,
I set syscheck to monitor my application logfiles. Problem is that these
files are rotated once in a while, causing ossec to trigger an Integrity
On Fri, Apr 17, 2015 at 8:50 AM, calvin...@gmail.com wrote:
Hello
I think the question is pretty self-explanatory, but let me elaborate:
regarding the PCI DSS requirement about File Integrity Monitoring,
I set syscheck to monitor my application logfiles. Problem is that these
files are
On Fri, Apr 17, 2015 at 10:23 AM, srikanth kalangi
srikanthkala...@gmail.com wrote:
Sure Dan, thank you for clarification.
Can you please confirm if the below settings are correct? As we have
already enabled this before.
<!-- Directories to check (perform all possible verifications) -->
Hi Dan,
Yes, tried all possibilities but still not working.
Can you please confirm if the rule is correct for check_diff?
Rule: 551 fired (level 8) - Integrity checksum changed again (2nd time).
Portion of the log(s):
Integrity checksum changed for: '/etc/sysctl.conf'
Size changed from '1178'
On Fri, Apr 17, 2015 at 9:17 AM, srikanth kalangi
srikanthkala...@gmail.com wrote:
Hi Dan,
Yes, tried all possibilities but still not working.
Can you please confirm if the rule is correct for check_diff?
Without testing, no. But it looks correct.
Rule: 551 fired (level 8) - Integrity
On Fri, Apr 17, 2015 at 2:57 AM, srikanth kalangi
srikanthkala...@gmail.com wrote:
Hi Dan,
This is what I have done so far.
<rule id="550" level="8">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <check_diff />
  <options>alert_by_email</options>
Hi Dan,
I have tried to enable check_diff for rules 550, 551, 552 and 553.
Tested but somehow still not working.
*Here is the rules info.*
<rule id="550" level="8">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <check_diff />
  <options>alert_by_email</options>
Sure Dan, thank you for clarification.
Can you please confirm if the below settings are correct? As we have
already enabled this before.
<!-- Directories to check (perform all possible verifications) -->
<directories report_changes="yes" realtime="yes"
On Fri, Apr 17, 2015 at 10:09 AM, srikanth kalangi
srikanthkala...@gmail.com wrote:
Hi Dan,
I have tried to enable check_diff for rules 550, 551, 552 and 553.
Tested but somehow still not working.
Ok, I think I got this one wrong. You need the report_changes option
in the directories
IANA QSA. The way I interpret 10.5.5 is you should monitor ARCHIVED log files
to ensure no one tampers with them. Monitoring live log files is arguably
pointless, as they are (usually) constantly changing. You should monitor your
archived logs and your security sensitive program files. It
Hi Dan,
We have /var/ossec/queue/diff on both agent and manager. We see directories
based on agent host names and files under those folders on the ossec manager
under /var/ossec/queue/diff/. We don't see any files/directories under
/var/ossec/queue/diff on agents.
Thanks,
Sriman
On Friday, April
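As an added example, not code from the thread or from the OSSEC project, here is an agent-side ossec.conf syscheck block that puts together Dan's correction (report_changes belongs on the directories element, not on the rule) and the QSA reply's point that 10.5.5 is about archived rather than live logs; the paths and the rotated-file naming are assumptions.

```xml
<!-- Added example. Assumed paths: /var/log/app holds the live, rotated
     application log; /var/log/app/archive holds the closed, rotated copies
     (assumed to be named app.log.1, app.log.2.gz and so on). -->
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>

    <!-- BEFORE (the setup discussed in the thread): the live log directory is
         monitored, so every logrotate run fires rule 550/551, and because
         report_changes is not set the agent keeps no copy to diff against, so
         adding check_diff to the rule on the manager cannot produce one. -->
    <!--
    <directories check_all="yes" realtime="yes">/var/log/app</directories>
    -->

    <!-- AFTER: monitor the archived logs (the files 10.5.5 asks you to keep
         tamper-free) with report_changes="yes", so the alert can carry what
         changed. Closed archive files should never change, so any alert here
         is worth looking at instead of being rotation noise. -->
    <directories check_all="yes" report_changes="yes" realtime="yes">/var/log/app/archive</directories>

    <!-- Security-sensitive program files: checksum them, but do not keep diff
         copies of binaries (report_changes is meant for text). -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Belt and braces: never diff a still-growing live log even if someone
         later adds /var/log/app above. With the assumed naming the rotated
         copies do not end in .log, so they stay monitored. -->
    <ignore type="sregex">.log$</ignore>
  </syscheck>
</ossec_config>
<!-- With report_changes set, the per-agent diff copies appear on the manager
     under /var/ossec/queue/diff/<agent name>/, as the last message in the
     thread describes; that is the place to check that the option took effect. -->
```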