On Mon, 12 Jan 2015, Christopher Dangerfield wrote:
After going through a security audit with my current employer something
came up that I cannot figure out how to solve. No one online seems to have
run into this. The auditor wants us to log and alert access to the
/var/ossec/logs folder. I can
-w /var/ossec/logs/ -F euid!=XXX -p wa -k auditlog
So something like that ^^^?
On Monday, January 12, 2015 at 1:13:04 PM UTC-6, Chris Decker wrote:
>
> You'd want to add a filter to the end of the rule. For example:
> -F euid!=505 (or whatever the appropriate UID is for your OSSEC account)
>
>
Also there are three ossec users 'ossec', 'ossecm', and 'ossecr'. Which one
is the writing done under?
On Monday, January 12, 2015 at 1:13:04 PM UTC-6, Chris Decker wrote:
>
> You'd want to add a filter to the end of the rule. For example:
> -F euid!=505 (or whatever the appropriate UID is for
You'd want to add a filter to the end of the rule. For example:
-F euid!=505 (or whatever the appropriate UID is for your OSSEC account)
On Mon, Jan 12, 2015 at 1:48 PM, wrote:
> I am looking into auditd and that seems to be the route I want to go. What
> would the rule be for the folder /var
I am looking into auditd and that seems to be the route I want to go. What
would the rule be for the folder /var/ossec/logs/ that excludes the OSSEC
user?
On Monday, January 12, 2015 at 12:43:55 PM UTC-6, Chris Decker wrote:
>
> Yes - I currently monitor a few log files for 'writes' using auditd
Yes - I currently monitor a few log files for 'writes' using auditd and I
have OSSEC configured to generate alerts. Be aware, though, that the
auditd logs are multiline logs with a variable number of lines, thus OSSEC
cannot stitch 'events' together using the common ID (though from the
placeholder
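The rule being discussed above watches /var/ossec/logs with a -F euid!= exclusion, the three OSSEC accounts raise the question of which UIDs to exclude, and Chris Decker's note points out that auditd writes one event as several lines sharing an id, which OSSEC's line-based matching cannot stitch together. The Python script below is an added example, not code from this thread, from OSSEC or from the audit project. It builds a single rule that excludes all OSSEC accounts (in the syscall form, because auditctl documents only -p and -k as options for a -w watch, and the -F fields of one rule are ANDed), then regroups constructed audit.log lines by their audit(ts:serial) id into one summary line per event, dropping events whose euid belongs to an OSSEC account. The account names, the UIDs 505/506/507, the key name "auditlog" and the sample log lines are all assumptions made for the example.

```python
"""Assemble multi-line auditd events into one line each for OSSEC to match.

Added example, not code from the ossec-list thread, OSSEC or the audit
project. Constructed for illustration: the OSSEC account names and UIDs,
the rule key "auditlog" and the sample audit.log lines below.
"""
import re

# Constructed UID table; on a real host take the values from getent passwd.
OSSEC_UIDS = {"ossec": 505, "ossecm": 506, "ossecr": 507}
WATCHED_DIR = "/var/ossec/logs"
RULE_KEY = "auditlog"

# Every record of one event starts "type=X msg=audit(<ts>:<serial>): ..."
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def audit_rules(uids=OSSEC_UIDS, watched_dir=WATCHED_DIR, key=RULE_KEY):
    """One auditctl rule for writes/attribute changes under watched_dir by
    anyone except the OSSEC accounts. Syscall form rather than -w, since
    auditctl only documents -p and -k for watches; the -F fields of a single
    rule are ANDed, so one euid!= per account excludes all of them."""
    excludes = " ".join(f"-F euid!={uid}" for uid in sorted(uids.values()))
    return f"-a always,exit -F dir={watched_dir} -F perm=wa {excludes} -k {key}"


def parse_record(line):
    """Split an audit.log line into (event id, record type, {field: value})."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return f"{ts}:{serial}", rtype, fields


def assemble(lines):
    """Group records by their audit(ts:serial) id and emit each event once its
    EOE record arrives. Records of different events may interleave in the
    file, which is exactly what grouping by id copes with."""
    pending, events = {}, []
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        ev_id, rtype, f = parsed
        ev = pending.setdefault(ev_id, {"serial": ev_id.split(":")[1], "paths": []})
        if rtype == "SYSCALL":
            ev.update(euid=int(f["euid"]), auid=int(f["auid"]), comm=f.get("comm", "?"),
                      exe=f.get("exe", "?"), success=f.get("success", "?"), key=f.get("key"))
        elif rtype == "PATH":  # the highest item number is the object acted on
            ev["paths"].append((int(f.get("item", 0)), f.get("name", "?")))
        elif rtype == "EOE":
            events.append(pending.pop(ev_id))
    return events


def alertable(events, uids=OSSEC_UIDS, key=RULE_KEY):
    """Events carrying our key whose effective UID is not an OSSEC account."""
    excluded = set(uids.values())
    return [ev for ev in events if ev.get("key") == key and ev.get("euid") not in excluded]


def summarize(ev):
    """Render an event as one line that a line-based collector can match."""
    target = max(ev["paths"], default=(0, "?"))[1]
    return (f"auditd key={ev.get('key')} serial={ev['serial']} euid={ev.get('euid')} "
            f"auid={ev.get('auid')} comm={ev.get('comm')} exe={ev.get('exe')} "
            f"success={ev.get('success')} path={target}")


# Constructed sample: an admin editing ossec.log, the OSSEC daemon appending to
# alerts.log, and root running chmod on alerts.log, the last two interleaved.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1421091234.567:8912): arch=c000003e syscall=2 success=yes exit=3 a0=7fff items=2 ppid=2200 pid=2211 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim" key="auditlog"
type=CWD msg=audit(1421091234.567:8912):  cwd="/root"
type=PATH msg=audit(1421091234.567:8912): item=0 name="/var/ossec/logs/" inode=131 dev=08:01 mode=040750 ouid=0 ogid=505 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1421091234.567:8912): item=1 name="/var/ossec/logs/ossec.log" inode=132 dev=08:01 mode=0100640 ouid=505 ogid=505 rdev=00:00 nametype=NORMAL
type=EOE msg=audit(1421091234.567:8912):
type=SYSCALL msg=audit(1421091240.001:8913): arch=c000003e syscall=2 success=yes exit=9 a0=1 items=2 ppid=1 pid=1850 auid=4294967295 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=4294967295 comm="ossec-analysisd" exe="/var/ossec/bin/ossec-analysisd" key="auditlog"
type=SYSCALL msg=audit(1421091240.002:8915): arch=c000003e syscall=90 success=yes exit=0 a0=0 items=1 ppid=2200 pid=2300 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="chmod" exe="/bin/chmod" key="auditlog"
type=CWD msg=audit(1421091240.001:8913):  cwd="/var/ossec"
type=PATH msg=audit(1421091240.001:8913): item=0 name="/var/ossec/logs/alerts/" inode=140 dev=08:01 mode=040750 ouid=505 ogid=505 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1421091240.001:8913): item=1 name="/var/ossec/logs/alerts/alerts.log" inode=141 dev=08:01 mode=0100640 ouid=505 ogid=505 rdev=00:00 nametype=NORMAL
type=EOE msg=audit(1421091240.001:8913):
type=CWD msg=audit(1421091240.002:8915):  cwd="/root"
type=PATH msg=audit(1421091240.002:8915): item=0 name="/var/ossec/logs/alerts/alerts.log" inode=141 dev=08:01 mode=0100640 ouid=505 ogid=505 rdev=00:00 nametype=NORMAL
type=EOE msg=audit(1421091240.002:8915):
"""

if __name__ == "__main__":
    print(audit_rules())
    for event in alertable(assemble(SAMPLE_LOG.splitlines())):
        print(summarize(event))
```

Run directly, it prints the rule and two summary lines: the vim edit and the chmod, while the daemon's own append to alerts.log is dropped. Feeding the summary lines (rather than raw audit.log) to the collector gives it one line per event with the path, euid and key already joined, so a single decoder and rule can act on them. The euid check in alertable() duplicates what the kernel rule already excludes; that is deliberate, since it keeps the intent visible in the pipeline and still holds if the rule set is ever reloaded without the exclusions.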
The OS that OSSEC is running on is Gentoo Linux
On Monday, January 12, 2015 at 10:27:52 AM UTC-6, dan (ddpbsd) wrote:
>
> On Mon, Jan 12, 2015 at 11:23 AM, > wrote:
> > All other log files aggregate into OSSEC. The auditor wants these logs
> on
> > the OSSEC server to be logged as well. I just
Would auditd also send its logs to the OSSEC alert system?
On Monday, January 12, 2015 at 10:52:25 AM UTC-6, Chris Decker wrote:
>
> You could configure *auditd* to monitor for reads/writes to
> /var/ossec/logs and include a filter to exclude the OSSEC UID.
>
> On Mon, Jan 12, 2015 at 11:27 AM,
I had audits of the same kind (PCI-DSS).
It is necessary to make sure that the logs / alerts of OSSEC are not
corrupted.
I set up the following configuration in ossec:
/var/ossec/etc
/var/ossec/logs/ossec.log
/var/ossec/logs/alerts/alerts.log
It assures that nobody modifies the configu
You could configure *auditd* to monitor for reads/writes to /var/ossec/logs
and include a filter to exclude the OSSEC UID.
On Mon, Jan 12, 2015 at 11:27 AM, dan (ddp) wrote:
> On Mon, Jan 12, 2015 at 11:23 AM, wrote:
> > All other log files aggregate into OSSEC. The auditor wants these logs o
Nothing, really. We are getting ready to move away from 2008 to 2012 and it
isn't listed on http://www.ossec.net/?page_id=36
I know the agent currently works on 2012, it's just not on the officially
supported list.
On Monday, January 12, 2015 at 9:55:30 AM UTC-6, Chris Bertsch wrote:
>
> Is the
On Mon, Jan 12, 2015 at 11:23 AM, wrote:
> All other log files aggregate into OSSEC. The auditor wants these logs on
> the OSSEC server to be logged as well. I just cannot find anyone else that
> could do this.
>
So no other logs have this requirement? That's kinda silly.
Have you tried contacti
All other log files aggregate into OSSEC. The auditor wants these logs on
the OSSEC server to be logged as well. I just cannot find anyone else that
could do this.
On Monday, January 12, 2015 at 10:22:05 AM UTC-6, dan (ddpbsd) wrote:
>
> On Mon, Jan 12, 2015 at 11:17 AM, > wrote:
> > Sadly no
On Mon, Jan 12, 2015 at 11:17 AM, wrote:
> Sadly no they did not. They just want notices if the files change. But to
> log access to said files causes an infinite loop of alerts.
>
How is this handled for other log files?
> On Monday, January 12, 2015 at 9:55:48 AM UTC-6, dan (ddpbsd) wrote:
>>
On Mon, Jan 12, 2015 at 10:55 AM, Chris Bertsch wrote:
> Is there any timeframe for official support of Server 2012?
>
What's missing?
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receivin
Sadly no they did not. They just want notices if the files change. But to
log access to said files causes an infinite loop of alerts.
On Monday, January 12, 2015 at 9:55:48 AM UTC-6, dan (ddpbsd) wrote:
>
> On Mon, Jan 12, 2015 at 10:36 AM, Christopher Dangerfield
> > wrote:
> > After going thro
Is there any timeframe for official support of Server 2012?
On Mon, Jan 12, 2015 at 10:36 AM, Christopher Dangerfield
wrote:
> After going through a security audit with my current employer something came
> up that I cannot figure out how to solve. No one online seems to have run
> into this. The auditor wants us to log and alert access to the
> /var/ossec/
After going through a security audit with my current employer something
came up that I cannot figure out how to solve. No one online seems to have
run into this. The auditor wants us to log and alert access to the
/var/ossec/logs folder. I can do this, but every alert creates a log change
thus crea