OSSEC sends an email when it is started, but not when it is stopped. So, if someone would somehow get access to the server, he could just stop the OSSEC and do whatever he wants without me knowing it. Or am I missing something?
Asked
Active
Viewed 16 times
1 Answers
1
If someone gets access to the server with sufficient privilege to stop OSSEC then she will also be able to prevent OSSEC from emitting an email informing you about its termination.
The proper approach for addressing this scenario is to monitor the OSSEC service from a different system, typically your network monitoring system. Of course there's still a small probability that an attacker might fake a positive response to the monitoring system's check whether OSSEC is still running. But you can make that arbitrarily difficult, depending on your paranoia level.
Tilman Schmidt
- 3,778
- 10
- 23
-
Yeah, would need to monitor it from another server/service. – Mika Feb 23 '22 at 08:31