We need file integrity monitoring on our Windows servers (a webserver and a database server) and before we drop money on Tripwire, I'm checking out OSSEC. I installed a local installation to test with on my Ubuntu laptop, and it appears to be working. I received some email alerts about it being the first time I've logged in with that account, used sudo, etc.
My question now: what are some common tasks I should try next? I would like to go in and change some file that OSSEC is monitoring to see if it alerts on that, but I don't know what the default rules are monitoring.
Best Answer
OSSEC has default rules to perform log analysis, file integrity checking, rootkit detection, ...
You can try some common tasks such as:
ossec.conf:
/var/ossec/rules/local_rules.xml, and overwrite some rules:
You can search for the keyword "integrity" in the rules folder. It's rule ID 550:
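One way to confirm that the file-change test described above actually produced a rule 550 alert is to read the syscheck entries out of alerts.log. This is an added example, not code from the answer or from the OSSEC project; it assumes the default local-install log path /var/ossec/logs/alerts/alerts.log and falls back to a constructed sample log when that file is not readable.

```shell
#!/bin/sh
# Added example (not from the original answer): report which files OSSEC's
# syscheck flagged, by reading the rule 550 ("Integrity checksum changed")
# entries in alerts.log. Assumes the default local-install log path.
ALERTS_LOG="${ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}"

# Constructed sample in the layout OSSEC writes to alerts.log: one syscheck
# alert (rule 550) followed by an unrelated sudo alert that must be ignored.
sample_alerts() {
    cat <<'EOF'
** Alert 1300000000.1234: mail - ossec,syscheck,
2011 Mar 13 07:06:40 laptop->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'

** Alert 1300000100.5678: - syslog,sudo
2011 Mar 13 07:08:20 laptop->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
Mar 13 07:08:19 laptop sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls
EOF
}

# Read alerts on stdin; print "<rule id> <path>" for each syscheck alert.
# A "Rule: 55x" line sets the pending rule id; the following
# "Integrity checksum changed for:" line carries the path in single quotes.
changed_files() {
    awk -F"'" '
        /^Rule: 55[0-9] / { split($0, f, " "); rule = f[2]; next }
        rule != "" && /^Integrity checksum changed for:/ { print rule " " $2; rule = "" }
    '
}

# Use the real log when it is readable, otherwise the constructed sample.
fim_report() {
    if [ -r "$ALERTS_LOG" ]; then
        changed_files < "$ALERTS_LOG"
    else
        sample_alerts | changed_files
    fi
}

fim_report
```

Syscheck only rescans on its configured interval, so after editing a monitored file either wait for the next scan or lower the frequency value in the syscheck section of ossec.conf while testing.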