OSSEC sends an email when it is started, but not when it is stopped. So, if someone would somehow get access to the server, he could just stop the OSSEC and do whatever he wants without me knowing it. Or am I missing something?
1 Answer
If someone gets access to the server with sufficient privilege to stop OSSEC then she will also be able to prevent OSSEC from emitting an email informing you about its termination.
The proper approach for addressing this scenario is to monitor the OSSEC service from a different system, typically your network monitoring system. Of course there's still a small probability that an attacker might fake a positive response to the monitoring system's check whether OSSEC is still running. But you can make that arbitrarily difficult, depending on your paranoia level.
