OSSEC Configuration


We are consulting for a firm that is a top-level merchant provider. This year their PCI compliance is more strict than in the past. They have reached out to us to help with a couple dozen items, including OSSEC.

The exact requirement paraphrased and as posted here:

"Provide OSSEC Configuration for <Server Name>, DC, DC2, and <App Server>. OSSEC must perform at least weekly comparison. Provide 3 Samples of alerts sent to <IT Administrator Name> from OSSEC"

I believe this should be a straightforward issue. Can anybody advise on recommended course of action?
Jason Kidman, IT Consultant & CEO, asked:
R. Toby Richards, Network Administrator, commented:
OSSEC has a crapton of configuration options. Installing it is pretty straightforward. I suggest that you install it on a test computer, and monkey around. Be warned that the administrator is going to get dozens of alerts whenever OS updates are run.

You'll probably want to join the OSSEC mailing list: http://www.ossec.net/?page_id=21#ossec-list

Jason Kidman, IT Consultant & CEO (author), commented:
Thanks Toby for the response.

I understand OSSEC has a lot of configuration options. I don't think that's what we need. We need to provide:
1) the OSSEC configuration (I'm not even sure how to find this?)
2) sample/realtime alerts for documentation (where do we find out where to set this up so alerts are sent?)
3) I don't understand the "weekly comparison" and whether it is something we need to configure?

R. Toby Richards, Network Administrator, commented:
I'm not sure where Windows keeps the configuration. On Linux it's at /var/ossec/conf. Alerts are configured from there.

I think that "weekly comparison" means comparing that the system files have not changed. OSSEC does that in real time (or at least every few minutes), so it isn't an issue.

btan, Exec Consultant, commented:
Suggest you check out this OSSEC wp, as it states how it complies with PCI clauses such as 11.5, which requires the file integrity checker (in this case OSSEC) to check critical file changes at least weekly. The latter files are not supposed to change that often originally. http://www.ossec.net/files/ossec-PCI-Solution-2.0.pdf
How does it help with compliance? (PCI DSS, etc)
It helps with sections 11.5 (install FIM software) and 10.5 (integrity checking of log files) of PCI.

The configuration for such monitoring under FIM is in the OSSEC Syscheck features; by default it runs the checks every 6 hours, and the frequency or time/day is configurable. But do note this:
Real time only works with directories, not individual files. So you can monitor the /etc or C:\program files directory, but not an individual file like /etc/file.txt.
Also, specifically for monitoring feedback and getting alerts in a timely manner, you need the OSSEC Syscheck support tools:
- agent_control tool allows you to query and get information from any agent you have configured on your server and it also allows you to restart (run now) the syscheck/rootcheck scan on any agent.
- syscheck_control provides an interface for managing and viewing the integrity checking database.
Why aren’t new files creating an alert?
By default OSSEC does not alert on new files. To enable this functionality, <alert_new_files> must be set to yes inside the <syscheck> section of the manager's ossec.conf. Also, the rule to alert on new files (rule 554) is set to level 0 by default. The alert level will need to be raised in order to see the alert. Alerting on new files does not work in realtime; a full scan will be necessary to detect them.
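As an added example that is not from this thread or from the OSSEC project's own documentation, here is a manager-side configuration that ties the points above together: a full syscheck scan at least weekly, new-file alerting with rule 554 raised from level 0, and email delivery of the resulting alerts to the administrator. The addresses, SMTP host and directory list are assumed placeholders to be replaced with the firm's own values.

```xml
<!-- /var/ossec/etc/ossec.conf on the OSSEC manager (fragment) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- placeholder addresses/host: substitute the IT administrator's and the firm's relay -->
    <email_to>it-admin@example.com</email_to>
    <email_from>ossec@example.com</email_from>
    <smtp_server>smtp.example.com</smtp_server>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- alerts at level 7 and above are emailed; these are the "samples" to collect for the auditor -->
    <email_alert_level>7</email_alert_level>
  </alerts>

  <syscheck>
    <!-- full integrity scan every 604800 s = 7 days; the default is 21600 s (6 h).
         Either value satisfies "at least weekly" (PCI DSS 11.5). -->
    <frequency>604800</frequency>
    <!-- new files are silent by default; enabling this only takes effect on a full scan -->
    <alert_new_files>yes</alert_new_files>
    <!-- realtime applies to directories only, as the FAQ quoted above notes;
         the directory list is an assumed example, not a recommendation -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml (included last by the stock ossec.conf, so it can
     override stock rules): raise rule 554 from level 0 so new-file events reach email -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

On the Windows agents (the DCs and the app server), the same <syscheck> settings go in each agent's own ossec.conf, with Windows paths such as %WINDIR%/System32 in place of the Linux directories. After restarting the manager and agents, the emailed syscheck alerts can be saved as the three samples the requirement asks for.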
Jason Kidman, IT Consultant & CEO (author), commented:
Needed more step by step info, but the information provided was valuable