Re: [ossec-list] Re: how to get an alert. the user, whom modified a file

2018-04-12 Thread Bruce Westbrook
You're welcome.  Glad to hear it works for someone else and not just me!
:-)


On Thu, Apr 12, 2018 at 9:46 AM,  wrote:

> Thanks a lot Bruce,
>
> It's working great...
>
> -Deepak.
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: how to get an alert. the user, whom modified a file

2018-04-12 Thread deepak
Thanks a lot Bruce,

It's working great...

-Deepak.



RE: [ossec-list] Re: how to get an alert. the user, whom modified a file

2018-04-12 Thread Charles Mckee
Hello All



I was wondering, by chance, does anyone have something like this for Linux?
If so, could you please share the config?



Thank you in advance



Respectfully Yours

Charles McKee



DecisivEdge, LLC

O: 302.299.1570 x432  |  C: 302.320.6968  |  F: 302.299.1578

131 Continental Dr  |  Suite 409  |  Newark, DE 19713

charles.mc...@decisivedge.com  |  www.DecisivEdge.com






[ossec-list] Re: how to get an alert. the user, whom modified a file

2018-04-12 Thread deepak
Thanks Bruce,

Let me try and update you.

-Deepak.



[ossec-list] Re: how to get an alert. the user, whom modified a file

2018-04-11 Thread Bruce Westbrook
Sure thing. There are three steps involved:

1. Enable Windows Audit Policy for File System Objects
2. Configure the server's audit policy appropriately for the files and/or 
directories that need to be watched
3. Configure custom rules in OSSEC to trigger on file add/change/delete 
events

I attached a Word doc that contains the details that I copied/pasted from 
my own OSSEC procedures.  Once completed and assuming you have email 
notifications enabled, you'll see real-time email alerts like this, which 
will give you the user account name:

OSSEC HIDS Notification.
2018 Apr 11 09:57:22


Received From: ([SERVER]) any->WinEvtLog
Rule: 100221 fired (level 7) -> "FIM: Audited file has been DELETED."
User: [USER_ACCOUNT]
Portion of the log(s):


2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): Microsoft-Windows-Security-Auditing: (no user): no domain: [SERVER]: A handle to an object was requested with intent to delete.
  Subject:  Security ID: [SID]  Account Name: [USER_ACCOUNT]  Account Domain: [DOMAIN]  Logon ID: 0xa4dbac32
  Object:  Object Server: Security  Object Type: File  Object Name: [FULL_PATH_AND_FILE_NAME]  Handle ID: 0x0
  Process Information:  Process ID: 0x4
  Access Request Information:  Transaction ID: {----}  Accesses: %%1537  %%4423  Access Mask: 0x10080  Privileges Used for Access Check: -


Hope that works for what you need!

- Bruce




File Integrity Monitoring -- SANITIZED.docx
Description: MS-Word 2007 document
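Added example, not from the thread and not the contents of Bruce's attached Word document (the archive does not include it): the three steps above as one script for an elevated PowerShell on the Windows agent host, ending with the local_rules.xml fragment that belongs on the OSSEC manager. Assumed because the page does not say so: C:\Watched is a placeholder path; the agent's ossec.conf still has its default <localfile> entry for the Security event log; rule ID 100220 is unused on the manager (100221 and its description are taken from Bruce's alert); and the custom rules chain from 18100, the stock "Group of windows rules" base rule.

```powershell
# Added example, not the thread's own code: Bruce's three steps as one script.
# Run in an elevated PowerShell on the Windows agent host.
# Assumptions (not on the page): C:\Watched is a placeholder path; the agent's
# ossec.conf still has its default <localfile> for the Security event log;
# rule ID 100220 is free on the manager (100221 is the ID from Bruce's alert).

$WatchPath = 'C:\Watched'   # placeholder: the directory or file to watch

# Step 1: Object Access > File System auditing. Until this is on, SACLs are
# never evaluated and no 4656/4659/4660/4663 events are written at all.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: SACL on the path. The SACL, not the DACL, decides which accesses
# are logged; audit writes, deletes and permission changes only, because
# auditing reads on a busy directory floods the Security log.
$Acl    = Get-Acl -Path $WatchPath -Audit
$Rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Rule   = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    $Rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$Acl.AddAuditRule($Rule)
Set-Acl -Path $WatchPath -AclObject $Acl

# Verify both halves before blaming OSSEC: the subcategory must report
# "Success and Failure" and the audit entry must be listed on the path.
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $WatchPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Step 3: custom rules for the manager. Written to a temp file here only so the
# fragment can be copied into /var/ossec/rules/local_rules.xml on the manager
# (restart ossec afterwards). 18100 is the stock "Group of windows rules" rule;
# <id> is the event ID the windows decoder pulls from "AUDIT_SUCCESS(4659)".
# Access strings in 4663: %%4417 WriteData/AddFile, %%4418 AppendData,
# %%4424 WriteAttributes, %%1537 DELETE. A file created inside the audited
# directory shows up as %%4417 (AddFile) on the directory object. 4660
# ("An object was deleted") carries no Object Name, which is why the delete
# rule keys on 4659, the event that still names the file.
@'
<group name="windows,fim,">
  <rule id="100220" level="7">
    <if_sid>18100</if_sid>
    <id>^4663$</id>
    <match>Object Type: File</match>
    <regex>%%4417|%%4418|%%4424</regex>
    <description>FIM: Audited file has been ADDED or MODIFIED.</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="100221" level="7">
    <if_sid>18100</if_sid>
    <id>^4659$</id>
    <match>Object Type: File</match>
    <description>FIM: Audited file has been DELETED.</description>
    <options>alert_by_email</options>
  </rule>
</group>
'@ | Set-Content -Path (Join-Path $env:TEMP 'ossec_fim_local_rules.xml') -Encoding ASCII
```

To test, create, edit and delete a file under the audited directory and watch /var/ossec/logs/alerts/alerts.log on the manager for rules 100220 and 100221; the alert's User line is filled from the event's "Account Name:" field, exactly as in Bruce's sample, even though the decoded header shows "(no user)". OSSEC's default email_alert_level is 7, so a level 7 rule mails with or without alert_by_email. 4663 fires for every write handle, so on a frequently written file expect volume; narrow the SACL or raise the rule level rather than trying to filter on the path inside the rule.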


RE: [EXTERNAL] [ossec-list] Re: how to get an alert. the user, whom modified a file

2018-04-11 Thread Vicente Munoz
Was about to say what Bruce said regarding Windows auditing and customization, 
although I had never tried it before. Would be very interested in knowing how 
to do it!

Regards,

Vicente Muñoz




smime.p7s
Description: S/MIME cryptographic signature


[ossec-list] Re: how to get an alert. the user, whom modified a file

2018-04-11 Thread deepak

Yes Bruce,
This is for a Windows agent. Can you let me know about that?

- Deepak.



[ossec-list] Re: how to get an alert. the user, whom modified a file

2018-04-11 Thread Bruce Westbrook
Is this for a Windows agent or Linux agent?  

If Windows, I can let you know what I've done to accomplish this, which 
doesn't use OSSEC syscheck but rather a combination of Windows File Auditing 
and customized OSSEC rules.

- Bruce


On Wednesday, April 11, 2018 at 10:18:10 AM UTC-4, 
dee...@information-secure.com wrote:
>
> I'm using OSSEC HIDS.
>
> From this I'm getting alerts based on all events, but I need to know the 
> *user who modified the specific file*.
> Is this possible? 
>
