From OSSEC Wiki

Understanding the Unix policy auditing on OSSEC


OSSEC's policy monitor allows you to verify that all your systems conform to a set of policies regarding
configuration settings and application usage. The policies are configured centrally on the OSSEC server
and pushed down to the agents. It also checks whether a system is in compliance with the CIS Security Benchmarks
and the VMware security hardening guidelines.

The following systems are tested for the CIS and VMware guidelines:



Receiving Audit and Application alerts via Email

By default, both the policy auditing and application checks are logged at level "3", so you will not
receive any e-mail alerts with the default configuration.

If you wish to receive e-mail alerts for either (or both) of the two types of events, you need to create
local rules with a higher severity or with the "alert_by_email" option set.

More information on local rules is available on the local rules page.


Example 1: Sending e-mail for every Audit event

Add to your local_rules.xml the following:

  <rule id="512" level="9" overwrite="yes">
    <if_sid>510</if_sid>
    <match>^System Audit</match>
    <description>System Audit event.</description>
    <group>rootcheck,</group>
  </rule>
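The text above mentions a second way to get e-mail: keeping the level at 3 but setting the "alert_by_email" option. The following local_rules.xml fragment is an added example, not from the original wiki page, that takes this approach for both event types. It overwrites rule 512 (the System Audit rule the example above also overwrites) and rule 514, which in the stock rootcheck_rules.xml is the application-check rule matching messages that begin with "Application Found"; verify both ids and match strings against the rootcheck_rules.xml installed on your server before relying on them. The "alert_by_email" option only takes effect if e-mail notification is enabled in the <global> section of ossec.conf.

```xml
<!-- Added example (not from the wiki page): e-mail both rootcheck event types
     without raising their level above 3. -->
<group name="local,rootcheck,">

  <!-- Policy auditing (CIS / VMware) results. Same rule as in Example 1,
       but the level stays at 3 and alert_by_email forces the e-mail. -->
  <rule id="512" level="3" overwrite="yes">
    <if_sid>510</if_sid>
    <match>^System Audit</match>
    <options>alert_by_email</options>
    <description>System Audit event (e-mailed via alert_by_email).</description>
    <group>rootcheck,</group>
  </rule>

  <!-- Application checks. Rule id 514 and the "Application Found" prefix are
       taken from the stock rootcheck_rules.xml; confirm them on your install. -->
  <rule id="514" level="3" overwrite="yes">
    <if_sid>510</if_sid>
    <match>^Application Found</match>
    <options>alert_by_email</options>
    <description>Application monitor event (e-mailed via alert_by_email).</description>
    <group>rootcheck,</group>
  </rule>

</group>
```

After editing local_rules.xml, restart the server (or run the OSSEC control script's restart) so the rule changes are loaded; the "overwrite" attribute is what lets a local rule replace a stock rule with the same id instead of conflicting with it.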


Listing entries per agent

To control the policy database, use the rootcheck_control tool.
