
I am new to Ossec, and have recently installed it on a server for the company I am currently working for.

This server monitors 80 Windows 7 agent machines. The main purpose for setting up Ossec on these agent machines was so we could deploy file integrity monitoring.

Now to my question: what sort of directories should I be monitoring? So far I only have the default directories provided by Ossec. I have also added FIM to the 'System' and 'System32' directories. Are there any more directories or files you would recommend I monitor?

Kind regards,

Alex

1 Answer


In part, the answer depends on why you installed OSSEC. If you installed it to be compliant with a regulation (like GDPR) you probably need it to monitor any files that relate to policies. For example, if you have a policy that all passwords must be 10 characters long and you have a settings file that enforces the 10 characters you should monitor that file.

You should have OSSEC monitor any configuration files. You might also want it to monitor user files and data files.

Think about what you need to protect. If a bad actor were to get access to one of those computers, what would they likely change? With the answer to that question you'll know what to protect.
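As an added illustration (not part of the original answer), here is what the answer's advice looks like when written into an OSSEC agent's `ossec.conf` `<syscheck>` block for a Windows 7 agent. It keeps the OS binary directories the questioner already added, adds the configuration and autostart locations an intruder would most plausibly change, and excludes directories that churn constantly. The paths are illustrative assumptions; `C:\Program Files\ExampleApp\config` in particular is a placeholder for whatever application configuration actually matters in your environment.

```xml
<!-- Added example, not from the original post: a <syscheck> block for an
     OSSEC Windows agent applying the answer's advice. Paths and registry
     keys are illustrative choices to adapt, not a prescribed list. -->
<ossec_config>
  <syscheck>
    <!-- Full scan every 6 hours; scan_on_start rebuilds the baseline on boot -->
    <frequency>21600</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Report files added to monitored directories, not only modified ones -->
    <alert_new_files>yes</alert_new_files>

    <!-- Operating system binaries: what an intruder replaces or drops into.
         check_all = hash, size, owner and permissions. -->
    <directories check_all="yes">C:\Windows\System32</directories>
    <directories check_all="yes">C:\Windows\SysWOW64</directories>

    <!-- Configuration files (the answer's main point). The hosts file
         controls name resolution; Tasks holds scheduled-task definitions,
         a common persistence point. realtime="yes" alerts as the change
         happens instead of waiting for the next scan. -->
    <directories check_all="yes" realtime="yes">C:\Windows\System32\drivers\etc</directories>
    <directories check_all="yes" realtime="yes">C:\Windows\System32\Tasks</directories>

    <!-- Autostart folder: anything written here runs at every logon -->
    <directories check_all="yes" realtime="yes">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup</directories>

    <!-- Application configuration and data files you decide matter
         (placeholder path; substitute the application's real path) -->
    <directories check_all="yes" realtime="yes">C:\Program Files\ExampleApp\config</directories>

    <!-- Noise: these change constantly and would bury real alerts.
         System32\config holds the live registry hives. -->
    <ignore>C:\Windows\System32\LogFiles</ignore>
    <ignore>C:\Windows\System32\wbem\Logs</ignore>
    <ignore>C:\Windows\System32\config</ignore>
    <ignore type="sregex">.log$|.tmp$</ignore>

    <!-- Registry autostart keys: the Run keys and Winlogon are the classic
         persistence spots on Windows -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
  </syscheck>
</ossec_config>
```

Two practical notes. With 80 agents, put this block in the manager's `shared/agent.conf` inside `<agent_config os="Windows">` rather than editing each agent's `ossec.conf` by hand, so the policy is pushed centrally. And `alert_new_files` only produces a visible alert if the manager's rule for added files (rule 554, level 0 in the stock ruleset) is raised to a non-zero level in `local_rules.xml`; check that after a test run rather than assuming new-file alerts are arriving.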