Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread srikanth kalangi
Hi Dan, So this is what I have in my rule configuration on the OSSEC server side. ossec syscheck_integrity_changed alert_by_email Integrity checksum changed. syscheck, But unfortunately, the alert didn't report the output of differences between the old and new file.

Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread srikanth kalangi
Hi Dan, This is what I have done so far. ossec syscheck_integrity_changed alert_by_email Integrity checksum changed. syscheck, But still in the email alert, the output diff is not showing up. Please let me know if you are looking for more info on this. Thanks Srika

Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread dan (ddp)
On Fri, Apr 17, 2015 at 2:57 AM, srikanth kalangi wrote: > Hi Dan, > This is what I have done so far. > > > ossec > syscheck_integrity_changed > > alert_by_email > Integrity checksum changed. > syscheck, > > > But still in the email alert, output diff is not showing

[ossec-list] Should I syscheck logfiles ?

2015-04-17 Thread calvinh34
Hello I think the question is pretty self-explanatory, but let me elaborate: regarding the PCI DSS requirement about File Monitoring Integrity, I set syscheck to monitor my application logfiles. Problem is that these files are rotated once in a while, causing ossec to trigger an "Integrity Chec

Re: [ossec-list] Should I syscheck logfiles ?

2015-04-17 Thread dan (ddp)
On Fri, Apr 17, 2015 at 8:50 AM, wrote: > Hello > > I think the question is pretty self-explanatory, but let me elaborate: > regarding the PCI DSS requirement about File Monitoring Integrity, > I set syscheck to monitor my application logfiles. Problem is that these > files are rotated once in a

Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread srikanth kalangi
Hi Dan, yes, tried all possibilities but still not working. Can you please confirm if the rule is correct for check_diff? Rule: 551 fired (level 8) -> "Integrity checksum changed again (2nd time)." Portion of the log(s): Integrity checksum changed for: '/etc/sysctl.conf' Size changed from '1178'

Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread dan (ddp)
On Fri, Apr 17, 2015 at 9:17 AM, srikanth kalangi wrote: > Hi Dan, > yes, tried all possibilities but still not working. > > Can you please confirm if the rule is correct for check_diff? > Without testing, no. But it looks correct. > Rule: 551 fired (level 8) -> "Integrity checksum changed again

Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread srikanth kalangi
Hi Dan, I have tried to enable check_diff for rules 550, 551, 552 and 553. Tested, but somehow still not working. Here is the rules info. ossec syscheck_integrity_changed alert_by_email Integrity checksum changed. syscheck, ossec alert_by_email

Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread dan (ddp)
On Fri, Apr 17, 2015 at 10:09 AM, srikanth kalangi wrote: > Hi Dan, > > I have tried to enable check_diff for rules 550, 551, 552 and 553. > Tested but somehow still not working. > Ok, I think I got this one wrong. You need the report_changes option in the setting. http://ossec-docs.readthedocs

Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread srikanth kalangi
Sure Dan, thank you for the clarification. Can you please confirm if the below settings are correct, as we have already enabled this before? /usr/bin,/usr/sbin /bin,/sbin,/etc Thanks Srikanth On Friday, April 17, 2015 at 7:15:09 AM UTC-7, dan (ddpbsd) wrote: > > On Fri, Apr 17, 2

Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread dan (ddp)
On Fri, Apr 17, 2015 at 10:23 AM, srikanth kalangi wrote: > Sure Dan, thank you for the clarification. > > Can you please confirm if the below settings are correct, as we have > already enabled this before? > > > check_all="yes">/usr/bin,/usr/sbin > check_all="yes">/bin,/sbin,/etc > T

RE: [ossec-list] Should I syscheck logfiles ?

2015-04-17 Thread LostInTheTubez
IANA QSA. The way I interpret 10.5.5 is you should monitor ARCHIVED log files to ensure no one tampers with them. Monitoring live log files is arguably pointless, as they are (usually) constantly changing. You should monitor your archived logs and your security sensitive program files. It wouldn

Re: [ossec-list] OSSEC File Integrity

2015-04-17 Thread sriman dharba
Hi Dan, We have /var/ossec/queue/diff on both agent and manager. We see directories based on agent host names and files under those folders on the ossec manager under /var/ossec/queue/diff/. We don't see any files/directories under /var/ossec/queue/diff on agents. Thanks, Sriman On Friday, April 1