[ossec-list] Re: Integrity Checks and Diffs?
- To: <ossec-list@xxxxxxxxxxxxxxxx>
- Subject: [ossec-list] Re: Integrity Checks and Diffs?
- From: "Marty E. Hillman" <mehillman@xxxxxxxxxxxx>
- Date: Thu, 7 Sep 2006 15:00:00 -0500
That brings up a good idea for future enhancement: the ability to gpg
encrypt email so that information is not clear text. An attacker with
access to the internal network could theoretically poison the arp cache
and intercept packets corresponding to any such reporting email at
present. The log would remain intact, but the alert could be prevented.
-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx]
On Behalf Of David Vasil
Sent: Thursday, September 07, 2006 1:44 PM
To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Integrity Checks and Diffs?
Forrest Aldrich wrote:
>
> Maybe for text-only files, provide an option to include a contextual
> diff output, which shows the changes of the monitored file, with that
> of the known version --- this would require keeping that old version
> archived somewhere, though. Hmm... may be useful in some
> situations, knowing not only that the file was changed, but WHAT was
> changed.
That could come back and bite you in some situations where the file that
was changed contained sensitive information (which upon alert would be
sent to you through clear-text email).
--
-dave
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.