[osiris] Osiris monitoring of log files

Jason Haar Jason.Haar at trimble.co.nz
Fri Jan 18 02:11:54 EST 2008


Joel Duckworth wrote:
> Part of the PCI DSS requirements is as follows:
>
>         10.5.5 Use file integrity monitoring and change detection 
> software on logs to ensure that existing log data cannot be changed 
> without generating alerts (although new data being added should not 
> cause an alert).
>
> Given this requirement is there a way to configure Osiris to perform 
> file scanning that will not report a file being appended to, but will 
> report on changes to existing data?
>   

Some (Unix) OSes allow you to set a file as append-only. e.g. under 
Linux as root a
"chattr +a /var/log/messages" will make the file append-only for any 
process - even root ones. However, a "chattr -a" would reverse such a 
setting...

> If this is possible then Osiris should satisfy the file integrity 
> portion of the PCI DSS requirements... I've investigated Tripwire 
> Enterprise and found that it does perform this type of scan, by the 
> following steps:
>
> - The baseline scan is created which has the file size and checksum of 
> the log file.
> - The new scan will read the log file up to the size of the baseline 
> scan size and verify the checksum against the baseline to that point also.
> - If the data is the same then the file is not flagged and a new file 
> size and checksum is created for the entire file (this will have the 
> effect that appending new data is allowed)
> - If the checksum fails the file is flagged.
>   

Clever :-) You are right, if Osiris had (say) an "AllowAppend yes" 
option, then when it was re-checking a file, it could use the last known 
filesize and checksum to seek through the file, and confirm that part 
hasn't been changed? I must say we'd use it in a flash if we had such a 
feature. We deliberately don't monitor /var/log because there is no 
point. However, some of our systems have up to 20G of syslog data per 
week - I still don't think we'd want to run such a feature on them ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
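The prefix-checking procedure Joel describes for Tripwire Enterprise (baseline size plus checksum, re-scan hashes only the first baseline-size bytes, re-baseline on match, flag on mismatch) is simple enough to show in full. The following is an added example written for this page, not Osiris code or Tripwire code; file names, the `Baseline` record and the sample syslog lines are all constructed. It also handles the case the quoted steps do not spell out: a file that shrank below the baseline size (truncation or rotation) is reported separately rather than silently re-baselined.

```python
"""Append-only log integrity check modelled on the quoted Tripwire-style
procedure.  Added example, not Osiris or Tripwire code.  Each baseline
records (size, sha256 of the first `size` bytes); a re-scan verifies that
prefix, accepts any bytes appended after it, and advances the baseline."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 16  # read size for hashing large log files


@dataclass
class Baseline:
    size: int
    digest: str  # hex SHA-256 of the first `size` bytes of the file


def _digest_prefix(path, length):
    """Hash exactly the first `length` bytes of `path`."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    if remaining != 0:
        raise ValueError("file shorter than the requested prefix")
    return h.hexdigest()


def take_baseline(path):
    """Baseline scan: size and checksum of the whole file as it is now."""
    size = os.path.getsize(path)
    return Baseline(size, _digest_prefix(path, size))


def check(path, baseline):
    """Re-scan against `baseline`.  Returns (status, new_baseline).

    'ok'        prefix unchanged; appended data is allowed and the new
                baseline covers the whole current file
    'truncated' file is shorter than the baseline (rotation or tampering)
    'modified'  bytes inside the baselined prefix were changed
    On a flag the old baseline is returned unchanged for re-investigation."""
    size = os.path.getsize(path)
    if size < baseline.size:
        return "truncated", baseline
    if _digest_prefix(path, baseline.size) != baseline.digest:
        return "modified", baseline
    if size == baseline.size:
        return "ok", baseline
    return "ok", take_baseline(path)


def demo():
    """Constructed scenario: append (allowed), in-place edit (flagged),
    then truncation (flagged).  Returns the three statuses."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages")  # constructed sample log file
        with open(log, "wb") as f:
            f.write(b"Jan 18 02:11:54 host sshd[123]: Accepted publickey for ops\n")
        base = take_baseline(log)

        # New log data appended: must not raise an alert, baseline advances.
        with open(log, "ab") as f:
            f.write(b"Jan 18 02:12:01 host sudo: ops : TTY=pts/0 ; COMMAND=/bin/ls\n")
        s_append, base = check(log, base)

        # Existing bytes rewritten in place: size unchanged, prefix hash differs.
        with open(log, "r+b") as f:
            f.seek(0)
            f.write(b"Jan 18 02:11:54 host sshd[123]: Failed publickey for ops")
        s_modify, _ = check(log, base)

        # File shrunk below the baseline size.
        with open(log, "wb") as f:
            f.write(b"Jan 18 02:13:00 host syslogd: restart\n")
        s_trunc, _ = check(log, base)
        return s_append, s_modify, s_trunc


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the code. First, every re-scan still reads the whole baselined prefix to recompute its hash, so the cost grows with the file, which is exactly the concern raised above about hosts producing tens of gigabytes of syslog a week; rotating into smaller files keeps each check bounded. Second, a legitimate rotation shows up as 'truncated', so the check has to be reconciled with the rotation schedule (or run against the rotated-out files) rather than treated as tampering on its own.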