On 08/12/2013 05:23 PM, Doug Kelly wrote:
> I am sorry Michael but I need another push to get me going. You
> suggested to “show an alert that happens when someone modifies the
> administrator’s group”. My agent is on a Windows 7 machine and I have
> tried changing a couple of administrator policies using gpedit.exe. I
> have also changed or deleted the administrator’s password. It seems that
> if an alert is generated with either of these actions it is a “Windows
> Logon Success”. This doesn’t help me much. Do I need to create or change
> a rule to generate an alert that is more descriptive?

Did you actually add or remove a member of the administrator's group? It's as simple as that. Rule 18217 should fire.

> It seems to me that Ossec should be able to alert on an added, modified,
> or deleted file in the Windows\System32 directory and also alert on a
> change in administrator policies without a configuration change.

The syscheck configuration is intentionally lean to avoid floods of alerts. If you can come up with a good policy for System32 that isn't too chatty, then by all means please share. Any time I have tried it I have had to add too many exclusions to make it worthwhile.

> If there is a configuration modification that has to be made, it must be
> simpler than I am making it out to be. Do I need to add <directories
> check_all="yes">%WINDIR%</directories> to the agent’s ossec.conf to make
> Ossec check the system32 directory? I thought it was supposed to do that
> anyway.

Remember, OSSEC is an open source project and we depend on intel and contributions from the user community. We're definitely open to improving the syscheck rules. Try something out and let us know how it goes.
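As an added illustration of the System32 syscheck policy discussed above (this is example configuration written for this page, not the project's shipped ossec.conf), the fragment below is a starting point for the Windows agent's ossec.conf. It watches %WINDIR%\System32 with check_all and excludes the subdirectories that churn constantly on a Windows 7 box; the ignore list is an assumption based on what typically generates noise, not a complete or project-endorsed set, and the literal C:\Windows paths assume %WINDIR% expands to C:\Windows on the agent.

```xml
<ossec_config>
  <syscheck>
    <!-- Added example: full scan every 6 hours; realtime catches changes between scans. -->
    <frequency>21600</frequency>

    <!-- Assumption: %WINDIR% expands to C:\Windows on this agent.
         Caveat: the agent is a 32-bit process, so on 64-bit Windows the
         filesystem redirector may send System32 to SysWOW64. The project's
         own config uses %WINDIR%/SysNative/... for the real 64-bit files. -->
    <directories check_all="yes" realtime="yes">%WINDIR%\System32</directories>

    <!-- Exclusions (assumed noisy paths): logs, event logs, registry hives,
         catalog caches, scheduled task state, print spooler, WMI repository.
         Without these the System32 check floods alerts on a normal day. -->
    <ignore>C:\Windows\System32\LogFiles</ignore>
    <ignore>C:\Windows\System32\winevt\Logs</ignore>
    <ignore>C:\Windows\System32\config</ignore>
    <ignore>C:\Windows\System32\catroot2</ignore>
    <ignore>C:\Windows\System32\Tasks</ignore>
    <ignore>C:\Windows\System32\spool</ignore>
    <ignore>C:\Windows\System32\wbem\Logs</ignore>
    <ignore>C:\Windows\System32\wbem\Repository</ignore>

    <!-- Extension-based noise filter using OSSEC's sregex syntax. -->
    <ignore type="sregex">\.log$|\.tmp$|\.etl$|\.evtx$</ignore>
  </syscheck>
</ossec_config>
```

Run the agent with this for a few days and look at which paths still dominate the syscheck alerts; every path you end up adding to the ignore list is one less place an attacker could drop a DLL unnoticed, so prefer narrowing by extension or specific subdirectory over excluding whole trees.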
