OSSEC’s policy monitor allows you to verify that all your systems conform to a set of policies regarding configuration settings and applications usage. They are configured centrally on the ossec server and pushed down to the agents. It also checks if a system in in compliance with the CIS Security Benchmarks and VMware security hardening guidelines.
The following systems are tested for the CIS and VMware guidelines:
By default, both the policy auditing and application checks are logged as level 3, so you will not receive any e-mail alerts with the original configuration.
If you wish to receive e-mail alerts for any (or both of the two) types of events, you need to create local rules with a higher severity or with the alert_by_email option set.
Add to your local_rules.xml the following:
<pre>
<rule id="512" level="9" overwrite="yes">
<if_sid>510</if_sid>
<match>^System Audit</match>
<description>System Audit event.</description>
<group>rootcheck,</group>
</rule>
</pre>
To control the policy database, use the ‘’‘rootcheck_control’‘’ tool.
This page was originally authored by Daniel Cid for the OSSEC wiki.