Very nice info. Unfortunately, if I understand this correctly, syscheck
would not have access to this data.
On Sep 25, 2012 1:43 PM, "Scott Klauminzer" <sklaumin...@gmail.com> wrote:

> This may help in building rules to monitor. Also the Event IDs change
> based on OS Version (Vista+)
>
> http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx
>
> Events 560, 562, 563, 564, 567, and each of those adding 4096 for Vista+
> are all relevant, and not currently within ossec rule sets.
>
> This depends on having Windows Auditing set to audit object access, which
> is difficult to make sure works according to plan, see this:
>
>
> http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
>
> I know this info is Windows 7 and 2008 based, but the concepts are the
> same, Windows has evolved, and with Domain, Local and auditpol.exe access
> to Policy settings, that all have different refresh times and overrides,
> this can get clustered quickly.
>
> Net result is auditpol.exe /get /category:* is the best resource for
> actual up to the minute Audit Policy settings, but this will change if you
> have competing policies!
>
>
> On Sep 25, 2012, at 7:01 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
> On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez
> <ajm.marti...@gmail.com> wrote:
>
> Thanks Dan.
>
> I'll try.
>
> My idea is to register the user logged on a computer that deletes or
> modifies a file (like windows security log).
>
> maybe some mix between them...
>
>
> There's too much of a chance for false positives. Many systems are
> multi-user these days. I was hoping for a file attribute that possibly
> tracked the last user to modify the file.
>
> 2012/9/25 dan (ddp) <ddp...@gmail.com>
>
> On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
> <ajm.marti...@gmail.com> wrote:
>
> OK,
> thanks.
>
>
> If you know a good way to get that info, let us know. We can try to
> get it in after 2.7.
>
> 2012/9/25 dan (ddp) <ddp...@gmail.com>
>
> If we could magically associate a username with a file modification it
> would be the default.
>
> On Sep 25, 2012 6:08 AM, "Alejandro" <ajm.marti...@gmail.com> wrote:
>
>
> Hi.
>
> I'm using ossec to monitor some windows agents on 2003 server.
>
> The server is running centos and saving the information in a mysql
> database.
>
> When I receive a syscheck event from windows (file modified, deleted
> or
> added) the username is empty.
>
> Is it possible to modify some rule to have that username logged on the
> event ?
>
> Thanks a lot.
>

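Added example (not code from OSSEC or from anyone in this thread): Scott's point is that the "who touched the file" data syscheck lacks does exist in the Windows Security log once object-access auditing is on, in the Vista+ object-access events (legacy 560/562/563/564/567 plus 4096 = 4656/4658/4659/4660/4663). The script below shows what a rule or decoder would have to do with those events: pull the Subject account and Object Name out of 4656/4659/4663, and correlate 4660 (object deleted), which carries no Object Name at all, back to the open that created the same Handle ID. Assumptions: the input lines are constructed, modelled on the "WinEvtLog: Security: AUDIT_SUCCESS(<id>): ..." prefix OSSEC puts on forwarded events, with the multi-line event body flattened onto one line and fields separated by two or more spaces; hostnames, SIDs, paths and handle IDs are made up. The field names themselves (Account Name, Account Domain, Object Name, Handle ID, Accesses) are those of the real events.

```python
"""Attribute Windows file changes to a user from object-access audit events.
Example code, not OSSEC's own.  Input shape assumed: OSSEC-style
'WinEvtLog: Security: AUDIT_SUCCESS(<id>): ...' lines, body fields separated
by two or more spaces.  Requires object-access auditing plus a SACL on the
files; without both, none of these events are generated at all."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LEGACY_OBJECT_ACCESS_IDS = {560, 562, 563, 564, 567}   # 2000/XP/2003 IDs
VISTA_OFFSET = 4096                                    # legacy + 4096 = Vista+ ID
OBJECT_ACCESS_EVENTS = {4656: "handle requested", 4658: "handle closed",
                        4659: "handle requested (intent to delete)",
                        4660: "object deleted", 4663: "object accessed"}
HEADER_RE = re.compile(r"^WinEvtLog: Security: AUDIT_(SUCCESS|FAILURE)\((\d+)\): ")


def normalize_event_id(event_id: int) -> int:
    """Map a legacy object-access ID to its Vista+ ID; other IDs pass through."""
    return event_id + VISTA_OFFSET if event_id in LEGACY_OBJECT_ACCESS_IDS else event_id


def parse_fields(body: str) -> Dict[str, str]:
    """'Label:  value  Label2:  value2' -> dict.  Section headers such as
    'Subject:' are followed by another label and therefore get no value."""
    tokens = [t for t in re.split(r"\s{2,}", body.strip()) if t]
    fields: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].endswith(":") and i + 1 < len(tokens) and not tokens[i + 1].endswith(":"):
            fields.setdefault(tokens[i][:-1], tokens[i + 1])   # first occurrence wins
            i += 2
        else:
            i += 1
    return fields


@dataclass
class FileEvent:
    event_id: int
    outcome: str
    user: str            # DOMAIN\name from the Subject block
    handle_id: str
    path: Optional[str]  # None for 4660, which carries no Object Name
    accesses: Optional[str]


def parse_event(line: str) -> Optional[FileEvent]:
    """Return a FileEvent for object-access events on File objects, else None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    outcome, event_id = m.group(1), normalize_event_id(int(m.group(2)))
    if event_id not in OBJECT_ACCESS_EVENTS:
        return None
    f = parse_fields(line[m.end():])
    if f.get("Object Type", "File") != "File":        # registry keys etc. are out of scope
        return None
    user = f"{f.get('Account Domain', '?')}\\{f.get('Account Name', '?')}"
    return FileEvent(event_id, outcome, user, f.get("Handle ID", ""),
                     f.get("Object Name"), f.get("Accesses"))


def attribute_file_changes(lines: List[str]) -> List[str]:
    """One line per delete (4660) or access (4663), with the path resolved
    through the Handle ID of the 4656/4659 that opened the object."""
    open_handles: Dict[str, str] = {}
    report: List[str] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.event_id in (4656, 4659) and ev.path:
            open_handles[ev.handle_id] = ev.path
        path = ev.path or open_handles.get(ev.handle_id, f"<unknown handle {ev.handle_id}>")
        if ev.event_id == 4660:
            report.append(f"{ev.user} deleted {path}")
        elif ev.event_id == 4663:
            report.append(f"{ev.user} {ev.accesses or 'accessed'} on {path}")
        elif ev.event_id == 4658:
            open_handles.pop(ev.handle_id, None)
    return report


# Constructed sample events (hostname, SIDs, paths and handle IDs are made up).
SAMPLE_EVENTS = [
    "WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESRV01: "
    "A handle to an object was requested.  Subject:  Security ID:  S-1-5-21-1004336348-1177238915-682003330-1104  "
    "Account Name:  alice  Account Domain:  CORP  Logon ID:  0x2f8a1  Object:  Object Server:  Security  "
    "Object Type:  File  Object Name:  C:\\Shared\\Finance\\budget 2012.xlsx  Handle ID:  0x1a4  "
    "Process Information:  Process ID:  0x4d0  Process Name:  C:\\Windows\\explorer.exe  "
    "Access Request Information:  Accesses:  DELETE  Access Mask:  0x10000",
    "WinEvtLog: Security: AUDIT_SUCCESS(4660): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESRV01: "
    "An object was deleted.  Subject:  Security ID:  S-1-5-21-1004336348-1177238915-682003330-1104  "
    "Account Name:  alice  Account Domain:  CORP  Logon ID:  0x2f8a1  Object:  Object Server:  Security  "
    "Handle ID:  0x1a4  Process Information:  Process ID:  0x4d0  Process Name:  C:\\Windows\\explorer.exe",
    "WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESRV01: "
    "An attempt was made to access an object.  Subject:  Security ID:  S-1-5-21-1004336348-1177238915-682003330-1105  "
    "Account Name:  bob  Account Domain:  CORP  Logon ID:  0x31c77  Object:  Object Server:  Security  "
    "Object Type:  File  Object Name:  C:\\Shared\\notes.txt  Handle ID:  0x2b0  "
    "Process Information:  Process ID:  0x9f4  Process Name:  C:\\Windows\\System32\\notepad.exe  "
    "Access Request Information:  Accesses:  WriteData (or AddFile)  Access Mask:  0x2",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESRV01: "
    "An account was successfully logged on.  Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -",
]

if __name__ == "__main__":
    for entry in attribute_file_changes(SAMPLE_EVENTS):
        print(entry)
```

Two caveats a practitioner would want alongside this: the deletion is only attributable because the 4656 with DELETE access and the 4660 share a Handle ID, so a rule that looks at 4660 in isolation will never name the file; and, as Scott notes, none of these events appear unless the effective audit policy (auditpol.exe /get /category:*) has object access enabled and the monitored files actually carry a SACL.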