OSSEC Configuration


We are consulting for a firm that is a top-level merchant provider. This year their PCI compliance is more strict than in the past. They have reached out to us to help with a couple dozen items, including OSSEC.

The exact requirement paraphrased and as posted here:

"Provide OSSEC Configuration for <Server Name>, DC, DC2, and <App Server>. OSSEC must perform at least weekly comparison. Provide 3 Samples of alerts sent to <IT Administrator Name> from OSSEC"

I believe this should be a straightforward issue. Can anybody advise on recommended course of action?
Jason Kidman, IT Consultant & CEO, asked:
R. Toby Richards, Network Administrator, commented:
OSSEC has a crapton of configuration options. Installing it is pretty straightforward. I suggest that you install it on a test computer, and monkey around. Be warned that the administrator is going to get dozens of alerts whenever OS updates are run.

You'll probably want to join the OSSEC mailing list: http://www.ossec.net/?page_id=21#ossec-list
Jason Kidman, IT Consultant & CEO (author), commented:
Thanks Toby for the response.

I understand OSSEC has a lot of configuration options. I don't think that's what we need. We need to provide:
1) the OSSEC configuration (I'm not even sure how to find this?)
2) sample/real-time alerts for documentation (where do we find out where to set this up so alerts are sent?)
3) I don't understand the "weekly comparison" and whether it is something we need to configure?

R. Toby Richards, Network Administrator, commented:
I'm not sure where Windows keeps the configuration. On Linux it's at /var/ossec/conf. Alerts are configured from there.

I think that "weekly comparison" means comparing that the system files have not changed. OSSEC does that in real time (or at least every few minutes), so it isn't an issue.
btan, Exec Consultant, commented:
Suggest you check out this OSSEC whitepaper, as it states how OSSEC complies with PCI clauses such as 11.5, which requires the file integrity checker (in this case OSSEC) to check critical files for changes at least weekly. Such files are not supposed to change often in the first place. http://www.ossec.net/files/ossec-PCI-Solution-2.0.pdf
How does it help with compliance? (PCI DSS, etc)
It helps with sections 11.5 (install FIM software) and 10.5 (integrity checking of log files) of PCI.

The configuration for such monitoring (FIM) is in the OSSEC syscheck feature; by default it runs the checks every 6 hours, and the frequency or time/day at which it runs is configurable. But do note this:
Real time only works with directories, not individual files. So you can monitor the /etc or C:\program files directory, but not an individual file like /etc/file.txt.
Also, specifically for monitoring feedback and getting alerts in a timely manner, you need the OSSEC syscheck support tools:
- agent_control tool allows you to query and get information from any agent you have configured on your server and it also allows you to restart (run now) the syscheck/rootcheck scan on any agent.
- syscheck_control provides an interface for managing and viewing the integrity checking database.
Why aren’t new files creating an alert?
By default OSSEC does not alert on new files. To enable this functionality, <alert_new_files> must be set to yes inside the <syscheck> section of the manager's ossec.conf. Also, the rule to alert on new files (rule 554) is set to level 0 by default. The alert level will need to be raised in order to see the alert. Alerting on new files does not work in real time; a full scan will be necessary to detect them.
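As an added example (not from this thread or the OSSEC project's own files), the following manager-side fragments put the points above into practice: a full syscheck run at least weekly, real-time monitoring of directories (not single files), new-file alerting turned on, rule 554 raised from level 0 so new files are actually reported, and e-mail delivery of alerts to the administrator. It assumes a default Linux manager install under /var/ossec; the hostnames, SMTP server, recipient address and directory list are placeholders to adapt.

```xml
<!-- /var/ossec/etc/ossec.conf on the OSSEC manager.
     Added example, not the page's or the project's own config.
     Addresses, SMTP host and directory list are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>it-admin@example.com</email_to>   <!-- the IT administrator -->
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>      <!-- level 1+ written to alerts.log -->
    <email_alert_level>7</email_alert_level>  <!-- level 7+ also e-mailed -->
  </alerts>

  <syscheck>
    <!-- Full scan interval in seconds: 604800 = 7 days, i.e. the
         "at least weekly" comparison the PCI requirement asks for. -->
    <frequency>604800</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Weak default is "no": added files are never reported. -->
    <alert_new_files>yes</alert_new_files>

    <!-- realtime="yes" applies to directories only, not to single files.
         Changes to existing files in these trees are reported immediately;
         new files still need the full scan above. -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/bin,/sbin</directories>

    <!-- Files that legitimately change all the time; suppress noise. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml on the manager.
     Overrides rule 554 (level 0 by default) so "file added" events
     produce an alert; level 7 also meets the email_alert_level above. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

The <syscheck> block is what each monitored host runs; on an agent it lives in that agent's own ossec.conf, while alert_new_files and the rule override take effect on the manager. Restart the manager after editing (/var/ossec/bin/ossec-control restart), then trigger a scan with agent_control to obtain the sample alerts needed for the documentation rather than waiting for the next scheduled run.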
Jason Kidman, IT Consultant & CEO (author), commented:
Needed more step by step info, but the information provided was valuable