You could configure *auditd* to monitor for reads/writes to /var/ossec/logs
and include a filter to exclude the OSSEC UID.

On Mon, Jan 12, 2015 at 11:27 AM, dan (ddp) <ddp...@gmail.com> wrote:

> On Mon, Jan 12, 2015 at 11:23 AM,  <ch...@rhris.com> wrote:
> > All other log files aggregate into OSSEC. The auditor wants these logs on
> > the OSSEC server to be logged as well. I just cannot find anyone else that
> > could do this.
> >
>
> So no other logs have this requirement? That's kinda silly.
> Have you tried contacting your mystery OS's vendor? Perhaps they know
> of a solution.
>
> > On Monday, January 12, 2015 at 10:22:05 AM UTC-6, dan (ddpbsd) wrote:
> >>
> >> On Mon, Jan 12, 2015 at 11:17 AM,  <ch...@rhris.com> wrote:
> >> > Sadly no they did not. They just want notices if the files change. But to
> >> > log access to said files causes an infinite loop of alerts.
> >> >
> >>
> >> How is this handled for other log files?
> >>
> >> > On Monday, January 12, 2015 at 9:55:48 AM UTC-6, dan (ddpbsd) wrote:
> >> >>
> >> >> On Mon, Jan 12, 2015 at 10:36 AM, Christopher Dangerfield
> >> >> <ch...@rhris.com> wrote:
> >> >> > After going through a security audit with my current employer something
> >> >> > came up that I cannot figure out how to solve. No one online seems to have
> >> >> > run into this. The auditor wants us to log and alert access to the
> >> >> > /var/ossec/logs folder. I can do this, but every alert creates a log change
> >> >> > thus creates another alert and log change, etc, etc, etc. Has anyone ever
> >> >> > had to do this and could help me?
> >> >> >
> >> >>
> >> >> Did the auditors have any suggestions?
> >> >>
> >> >> > --
> >> >> > Chris
> >> >> >
> >> >> > --
> >> >> >
> >> >> > ---
> >> >> > You received this message because you are subscribed to the Google
> >> >> > Groups
> >> >> > "ossec-list" group.
> >> >> > To unsubscribe from this group and stop receiving emails from it,
> >> >> > send
> >> >> > an
> >> >> > email to ossec-list+...@googlegroups.com.
> >> >> > For more options, visit https://groups.google.com/d/optout.
> >> >
> >
>
>

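The auditd approach suggested at the top of this thread, as an added example that is not part of the original message or of OSSEC itself: a small script that builds one audit rule watching /var/ossec/logs for read, write and attribute-change access while skipping events from the OSSEC service accounts, so OSSEC's own log writes do not feed the alert loop. The account names (ossec, ossecm, ossecr), the key name and the `--emit` switch are assumptions; adjust them to the local install.

```shell
#!/bin/sh
# Added example: build an auditd rule that watches a directory for
# read/write/attribute access but skips events from the listed UIDs.

# build_rule DIR KEY UID...
# Prints one audit.rules line. Fields inside a single rule are ANDed,
# so every "-F uid!=N" must hold before an event is recorded.
build_rule() {
    dir=$1; key=$2; shift 2
    case $dir in
        /*) ;;
        *) echo "build_rule: directory must be absolute: $dir" >&2; return 1 ;;
    esac
    rule="-a always,exit -F dir=$dir -F perm=rwa"
    for uid in "$@"; do
        case $uid in
            ''|*[!0-9]*) echo "build_rule: not a numeric UID: $uid" >&2; return 1 ;;
        esac
        rule="$rule -F uid!=$uid"
    done
    printf '%s\n' "$rule -k $key"
}

# resolve_uids NAME...
# Prints the numeric UID of each account that exists on this host.
resolve_uids() {
    for name in "$@"; do
        id -u "$name" 2>/dev/null || echo "skipping unknown account: $name" >&2
    done
}

# Account names below are assumptions about the local OSSEC install.
if [ "${1:-}" = "--emit" ]; then
    uids=$(resolve_uids ossec ossecm ossecr)
    [ -n "$uids" ] || { echo "no OSSEC accounts found; refusing to emit an unfiltered rule" >&2; exit 1; }
    # Word splitting of $uids is intended: one argument per UID.
    build_rule /var/ossec/logs ossec_logs_access $uids
fi
```

Run with `--emit` and redirect the output into the audit rules file for the host. A UID filter only skips processes running under those UIDs; anything touching the directory as another user, root included, is still logged.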