[osiris] Osiris monitoring of log files

Joel Duckworth joel.duckworth at paycorp.com.au
Thu Jan 17 23:07:23 EST 2008


Part of the PCI DSS requirements is as follows:

        10.5.5 Use file integrity monitoring and change detection 
software on logs to ensure that existing log data cannot be changed 
without generating alerts (although new data being added should not 
cause an alert).

Given this requirement is there a way to configure Osiris to perform 
file scanning that will not report a file being appended to, but will 
report on changes to existing data?

If this is possible then Osiris should satisfy the file integrity 
portion of the PCI DSS requirements... I've investigated Tripwire 
Enterprise and found that it does perform this type of scan, by the 
following steps:

- The baseline scan is created which has the file size and checksum of 
the log file.
- The new scan will read the log file up to the size of the baseline 
scan size and verify the checksum against the baseline to that point also.
- If the data is the same then the file is not flagged and a new file 
size and checksum is created for the entire file (this will have the 
effect that appending new data is allowed)
- If the checksum fails the file is flagged.

It may also be useful to build into the checking some automatic handling 
of log files that are archived into *.1, *.2, *.3, etc., or even *.1.gz, 
*.2.gz, etc.

Regards,
Joel Duckworth
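The four-step procedure described above (baseline the size and checksum, re-read the file up to the baseline size, compare, re-baseline on success) is small enough to show in full. The following is an added example written for this page; it is not Osiris or Tripwire code, and the names Baseline, check_log, find_rotated and demo are this example's own. It goes one step beyond the post by also looking for the baselined prefix in a rotated `.1` / `.1.gz` archive, so a rotation can be told apart from a truncation, and it runs entirely on a constructed log in a temporary directory.

```python
"""Append-only integrity check for log files (added example, not project code).

Baseline = (size, SHA-256 of the first `size` bytes).  On each scan the file is
re-read only up to that size; if the prefix still matches, appended data is
accepted and the baseline moves forward, otherwise the file is flagged.
"""
import gzip
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHUNK = 65536


@dataclass
class Baseline:
    size: int     # number of bytes covered by the checksum
    digest: str   # SHA-256 hex digest of those bytes


def _hash_stream(f, length: int) -> Optional[str]:
    """SHA-256 of the first `length` bytes of an open binary stream.
    Returns None if the stream holds fewer than `length` bytes."""
    h = hashlib.sha256()
    remaining = length
    while remaining > 0:
        chunk = f.read(min(CHUNK, remaining))
        if not chunk:
            return None
        h.update(chunk)
        remaining -= len(chunk)
    return h.hexdigest()


def hash_prefix(path: str, length: int) -> Optional[str]:
    """Hash the first `length` bytes of a plain or gzip-compressed file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as f:
        return _hash_stream(f, length)


def take_baseline(path: str) -> Baseline:
    """Step 1: record the current size and the checksum of the whole file."""
    size = os.path.getsize(path)
    return Baseline(size, hash_prefix(path, size))


def check_log(path: str, baseline: Baseline) -> Tuple[str, Baseline]:
    """Steps 2-4.  Returns (verdict, baseline to store for the next scan).

    'unchanged' / 'appended': prefix intact (appended -> new, larger baseline)
    'modified' : bytes inside the baselined prefix differ        -> alert
    'truncated': file is shorter than the baseline               -> alert,
                 unless find_rotated() shows it was rotated
    """
    size = os.path.getsize(path)
    if size < baseline.size:
        return "truncated", baseline
    if hash_prefix(path, baseline.size) != baseline.digest:
        return "modified", baseline
    if size == baseline.size:
        return "unchanged", baseline
    return "appended", Baseline(size, hash_prefix(path, size))


def find_rotated(path: str, baseline: Baseline) -> Optional[str]:
    """If the log was rotated to path.1 or path.1.gz, the baselined prefix
    should reappear at the start of that archive.  Return its path, else None."""
    for candidate in (path + ".1", path + ".1.gz"):
        if os.path.exists(candidate) and \
                hash_prefix(candidate, baseline.size) == baseline.digest:
            return candidate
    return None


def demo() -> Tuple[List[str], bool]:
    """Walk a constructed log through append, rotation and tampering."""
    verdicts: List[str] = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        line1 = b"Jan 17 23:07:23 host sshd[101]: Accepted publickey for joel\n"  # constructed
        line2 = b"Jan 17 23:08:01 host sshd[102]: session opened for user joel\n"  # constructed
        with open(log, "wb") as f:
            f.write(line1)
        base = take_baseline(log)

        v, base = check_log(log, base)          # nothing happened -> unchanged
        verdicts.append(v)
        with open(log, "ab") as f:
            f.write(line2)                      # normal logging -> appended
        v, base = check_log(log, base)
        verdicts.append(v)

        # logrotate-style rotation with compression: auth.log -> auth.log.1.gz
        with open(log, "rb") as src, gzip.open(log + ".1.gz", "wb") as dst:
            dst.write(src.read())
        with open(log, "wb") as f:
            f.write(line2)                      # fresh, shorter auth.log
        v, _ = check_log(log, base)             # shorter than baseline -> truncated
        verdicts.append(v)
        rotated = find_rotated(log, base) is not None   # prefix found in .1.gz
        base = take_baseline(log)               # re-baseline the new file

        # tampering: overwrite bytes inside the baselined region
        with open(log, "r+b") as f:
            f.seek(0)
            f.write(b"Feb")
        v, base = check_log(log, base)          # prefix checksum fails -> modified
        verdicts.append(v)
    return verdicts, rotated


if __name__ == "__main__":
    print(demo())
```

The check reads only the baselined prefix on the hot path, so cost scales with the baseline rather than with how much has been appended since; a full re-hash happens only when the prefix verifies and the baseline is moved forward. A file that comes back shorter is reported as truncated and left to find_rotated to reclassify, since silently accepting a shrink would defeat the requirement.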



