
[ossec-dev] Windows policy monitoring



Hey guys (ossec-list and ossec-dev),

I posted in the ossec blog about the Windows policy monitoring that is
going to be available on ossec v1.3.

If you are interested, take a look at:
http://www.ossec.net/dcid/?p=99

For our beta versions of v1.3, look at (we need beta testers):
http://www.ossec.net/dcid/?p=97


From the blog:

"
OSSEC v1.3 will come with support for Windows policy monitoring,
allowing you to verify that all your systems conform to a set of
policies regarding configuration settings, application usage, etc.
They are configured centrally on the ossec server and pushed down to
all your agents.

With the Windows policy monitoring, you can get alerts like the
following (detecting Skype and Yahoo):

    2007 Jul 22 17:42:57 Rule Id: 514 level: 2
    Location: (winhome) 192.168.2.190->rootcheck
    Windows application monitor event.

    Application Found: Chat/IM - Yahoo.


    2007 Jul 22 17:42:57 Rule Id: 514 level: 2
    Location: (winhome) 192.168.2.190->rootcheck
    Windows application monitor event.

    Application Found: Chat/IM/VoIP - Skype.


And compliance alerts like the following:

    2007 Jul 23 13:44:54 Rule Id: 512 level: 3
    Location: (winhome) 192.168.2.190->rootcheck
    Windows Audit event.

    Windows Audit: Null sessions allowed.


    2007 Jul 23 13:44:54 Rule Id: 512 level: 3
    Location: (winhome) 192.168.2.190->rootcheck
    Windows Audit event.

    Windows Audit: LM authentication allowed (weak passwords).


Read more: http://www.ossec.net/wiki/index.php/Know_How:WindowsPolicy
"

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
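
An added example (not part of the original post and not OSSEC code): a small Python parser for the rootcheck alert text quoted in the message, grouping findings per agent into audit failures and detected applications. It assumes alerts arrive in exactly the layout shown in the post; the sample input is constructed from two of the post's alerts.

```python
import re
from collections import defaultdict

# Constructed sample: two alerts in the layout quoted in the post.
SAMPLE = """\
2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.

Application Found: Chat/IM - Yahoo.

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.

Windows Audit: LM authentication allowed (weak passwords).
"""

HEADER = re.compile(r"^(?P<ts>\d{4} \w{3} +\d{1,2} [\d:]{8}) Rule Id: (?P<rule>\d+) level: (?P<level>\d+)$")
LOCATION = re.compile(r"^Location: \((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<source>\S+)$")
# The colon keeps the "Windows Audit event." description line from matching.
FINDING = re.compile(r"^(?P<kind>Application Found|Windows Audit): (?P<detail>.+?)\.?$")

def parse_alerts(text):
    """Turn alert text into dicts; records missing a header or location are dropped."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # alerts may be indented, as in the quoted post
        if m := HEADER.match(line):
            current = {"ts": m["ts"], "rule": int(m["rule"]), "level": int(m["level"])}
        elif current is None:
            continue  # ignore lines that precede any alert header
        elif m := LOCATION.match(line):
            current.update(m.groupdict())
        elif m := FINDING.match(line):
            current.update(m.groupdict())
            if "agent" in current:
                alerts.append(current)
            current = None
    return alerts

def summarize(alerts):
    """Group findings per (agent, ip): audit failures vs. detected applications."""
    report = defaultdict(lambda: {"audit": [], "applications": []})
    for a in alerts:
        bucket = "audit" if a["kind"] == "Windows Audit" else "applications"
        report[(a["agent"], a["ip"])][bucket].append(a["detail"])
    return dict(report)

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE)))
```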

