How to get an alert naming the user who modified a file


dee...@information-secure.com

Apr 11, 2018, 10:18:10 AM
to ossec-list
I'm using OSSEC HIDS.

From this I'm getting alerts based on all events, but I need to know which user modified a specific file.
Is this possible?

dan (ddp)

Apr 11, 2018, 10:21:36 AM
to ossec...@googlegroups.com
It's still not possible out of the box. You might be able to set up some specific auditing for specific files, but I haven't seen anyone do this.


--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Bruce Westbrook

Apr 11, 2018, 10:22:35 AM
to ossec-list
Is this for a Windows agent or a Linux agent?

If Windows, I can let you know what I've done to accomplish this, which doesn't use OSSEC syscheck but rather a combination of Windows File Auditing and customized OSSEC rules.

- Bruce

dee...@information-secure.com

Apr 11, 2018, 10:27:17 AM
to ossec-list

Yes Bruce,
this is for a Windows agent. Can you let me know about that?

- Deepak.

Vicente Munoz

Apr 11, 2018, 10:28:41 AM
to ossec...@googlegroups.com

I was about to say what Bruce said regarding Windows auditing and customization, although I had never tried it before. I would be very interested in knowing how to do it!

Regards,

Vicente Muñoz


Bruce Westbrook

Apr 11, 2018, 11:13:55 AM
to ossec-list
Sure thing. There are three steps involved:

1. Enable Windows Audit Policy for File System Objects
2. Configure the server's audit policy appropriately for the files and/or directories that need to be watched
3. Configure custom rules in OSSEC to trigger on file add/change/delete events

I attached a Word doc that contains the details, copied/pasted from my own OSSEC procedures. Once completed, and assuming you have email notifications enabled, you'll see real-time email alerts like this, which will give you the user account name:

OSSEC HIDS Notification.
2018 Apr 11 09:57:22

Received From: ([SERVER]) any->WinEvtLog
Rule: 100221 fired (level 7) -> "FIM: Audited file has been DELETED."
User: [USER_ACCOUNT]
Portion of the log(s):

2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): Microsoft-Windows-Security-Auditing: (no user): no domain: [SERVER]: A handle to an object was requested with intent to delete. Subject:  Security ID:  [SID]  Account Name:  [USER_ACCOUNT]  Account Domain:  [DOMAIN]  Logon ID:  0xa4dbac32  Object:  Object Server: Security  Object Type: File  Object Name: [FULL_PATH_AND_FILE_NAME]  Handle ID: 0x0  Process Information:  Process ID: 0x4  Access Request Information:  Transaction ID: {00000000-0000-0000-0000-000000000000}  Accesses: %%1537      %%4423        Access Mask: 0x10080  Privileges Used for Access Check: -


Hope that works for what you need!

- Bruce
File Integrity Monitoring -- SANITIZED.docx
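The attached Word doc is not part of the thread, so here is an added example (not Bruce's procedure and not OSSEC's own code) showing the field extraction a custom rule of the kind above relies on: it parses the one-line WinEvtLog format that OSSEC forwards, as shown in the alert, and reports which account touched which audited file. It goes a little beyond the thread by handling 4656 and 4663 alongside 4659 and by decoding the Access Mask (0x10080 in the alert is DELETE plus FILE_READ_ATTRIBUTES). The host name, SID, account, domain and paths in the sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows Security event IDs produced by the "File System" audit subcategory.
# The IDs are Microsoft's; the short action labels are this example's own.
# 4660 ("An object was deleted") is left out on purpose: it carries only a
# Handle ID, so naming the file needs correlation with an earlier 4656/4659.
EVENT_ACTIONS = {
    "4656": "handle requested",
    "4659": "handle requested with intent to delete",
    "4663": "object access attempted",
}

# Access-mask bits from winnt.h (the subset that matters for change tracking).
ACCESS_BITS = {
    0x1: "FILE_READ_DATA",
    0x2: "FILE_WRITE_DATA",
    0x4: "FILE_APPEND_DATA",
    0x80: "FILE_READ_ATTRIBUTES",
    0x100: "FILE_WRITE_ATTRIBUTES",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# OSSEC flattens the multi-line event into one line with runs of whitespace
# between fields, so each field is located by its label, not its position.
EVENT_ID_RE = re.compile(r"AUDIT_(SUCCESS|FAILURE)\((\d+)\)")
ACCOUNT_RE = re.compile(r"Account Name:\s+(\S+)")
DOMAIN_RE = re.compile(r"Account Domain:\s+(\S+)")
OBJECT_RE = re.compile(r"Object Name:\s+(.+?)\s{2,}Handle ID:")
MASK_RE = re.compile(r"Access Mask:\s+(0x[0-9A-Fa-f]+)")


@dataclass
class FileAuditEvent:
    event_id: str
    outcome: str        # SUCCESS or FAILURE
    account: str        # DOMAIN\user
    object_name: str    # full path of the audited file
    access_mask: int
    action: str


def decode_access_mask(mask_hex: str) -> List[str]:
    """Name the rights requested in an Access Mask, lowest bit first."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def parse_winevt_line(line: str) -> Optional[FileAuditEvent]:
    """Extract who/what/how from one OSSEC-forwarded Security event.
    Returns None for anything that is not a file-access audit event."""
    if "WinEvtLog: Security:" not in line:
        return None
    m = EVENT_ID_RE.search(line)
    if not m or m.group(2) not in EVENT_ACTIONS:
        return None
    acct, obj = ACCOUNT_RE.search(line), OBJECT_RE.search(line)
    if not acct or not obj:
        return None
    dom, mask = DOMAIN_RE.search(line), MASK_RE.search(line)
    return FileAuditEvent(
        event_id=m.group(2),
        outcome=m.group(1),
        account=f"{dom.group(1) if dom else '?'}\\{acct.group(1)}",
        object_name=obj.group(1).strip(),
        access_mask=int(mask.group(1), 16) if mask else 0,
        action=EVENT_ACTIONS[m.group(2)],
    )


def file_change_report(lines, watched_prefix: str) -> List[Tuple[str, str, str]]:
    """(account, action, path) for each event under watched_prefix.
    Filtering on the path keeps a broad SACL from flooding the alert stream."""
    report = []
    for line in lines:
        ev = parse_winevt_line(line)
        if ev and ev.object_name.lower().startswith(watched_prefix.lower()):
            report.append((ev.account, ev.action, ev.object_name))
    return report


# Constructed sample lines modelled on the alert in the thread. Host name, SID,
# account, domain and paths are invented for this example.
SAMPLE_LINES = [
    r"2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-FILESRV01: A handle to an object was requested with intent to delete. Subject:  Security ID:  S-1-5-21-1111-2222-3333-1105  Account Name:  jdoe  Account Domain:  CORP  Logon ID:  0xa4dbac32  Object:  Object Server: Security  Object Type: File  Object Name:  C:\Shares\Finance\budget.xlsx  Handle ID: 0x0  Process Information:  Process ID: 0x4  Access Request Information:  Transaction ID: {00000000-0000-0000-0000-000000000000}  Accesses: %%1537      %%4423        Access Mask: 0x10080  Privileges Used for Access Check: -",
    r"2018 Apr 11 10:02:03 WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-FILESRV01: An attempt was made to access an object. Subject:  Security ID:  S-1-5-21-1111-2222-3333-1105  Account Name:  jdoe  Account Domain:  CORP  Logon ID:  0xa4dbac32  Object:  Object Server: Security  Object Type: File  Object Name:  C:\Shares\Finance\budget.xlsx  Handle ID: 0x1a4  Resource Attributes: -  Process Information:  Process ID: 0x1234  Process Name: C:\Windows\explorer.exe  Access Request Information:  Accesses: %%4417  Access Mask: 0x2",
    r"2018 Apr 11 10:02:05 WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-FILESRV01: An attempt was made to access an object. Subject:  Security ID:  S-1-5-18  Account Name:  WIN-FILESRV01$  Account Domain:  CORP  Logon ID:  0x3e7  Object:  Object Server: Security  Object Type: File  Object Name:  C:\Windows\Temp\scratch.tmp  Handle ID: 0x2b0  Resource Attributes: -  Process Information:  Process ID: 0x5c8  Process Name: C:\Windows\System32\svchost.exe  Access Request Information:  Accesses: %%4417  Access Mask: 0x2",
    r"2018 Apr 11 09:55:01 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-FILESRV01: An account was successfully logged on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -",
]

if __name__ == "__main__":
    for who, what, path in file_change_report(SAMPLE_LINES, r"C:\Shares\Finance"):
        print(f"{who} {what}: {path}")
    print(decode_access_mask("0x10080"))  # the rights behind the mask in the alert above
```

Run against the samples, the report lists jdoe's delete-intent and write on budget.xlsx and drops the svchost write under C:\Windows\Temp and the logon event. Two things worth checking when you build the OSSEC rule from this: the user name comes from the Subject block, which is why the alert header shows "(no user)" but the body carries the account; and a 4659 is intent, not completion, so a file that was opened for delete but never removed still fires it.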

dee...@information-secure.com

Apr 12, 2018, 6:19:05 AM
to ossec-list
Thanks Bruce,

Let me try and update you.

-Deepak.

Charles Mckee

Apr 12, 2018, 8:17:39 AM
to ossec...@googlegroups.com

Hello all,

I was wondering, by chance, does anyone have something like this for Linux? If so, could you please share the config?

Thank you in advance.

Respectfully yours,

Charles McKee


DecisivEdge, LLC

O:  302.299.1570 x432  |  C:  302.320.6968  |  F:  302.299.1578

131 Continental Dr |  Suite 409  |  Newark, DE 19713

charle...@decisivedge.com  |  www.DecisivEdge.com


dee...@information-secure.com

Apr 12, 2018, 9:46:13 AM
to ossec-list
Thanks a lot Bruce,

It's working great...

-Deepak.

Bruce Westbrook

Apr 12, 2018, 10:00:16 AM
to ossec...@googlegroups.com
You're welcome. Glad to hear it works for someone else and not just me! :-)

