0

OSSEC sends an email when it is started, but not when it is stopped. So, if someone would somehow get access to the server, he could just stop the OSSEC and do whatever he wants without me knowing it. Or am I missing something?

1 Answer 1

1

If someone gets access to the server with sufficient privilege to stop OSSEC then she will also be able to prevent OSSEC from emitting an email informing you about its termination.

The proper approach for addressing this scenario is to monitor the OSSEC service from a different system, typically your network monitoring system. Of course there's still a small probability that an attacker might fake a positive response to the monitoring system's check whether OSSEC is still running. But you can make that arbitrarily difficult, depending on your paranoia level.

1
  • Yeah, would need to monitor it from another server/service.
    – Mika
    Commented Feb 23, 2022 at 8:31

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .