File operations logging
Not so much an issue as a question.
I'm thinking about setting up a poor version of DLP. I want computers to log file operations (especially copying files to external storage and maybe, if possible, uploading files to websites). For now I'm thinking about it regarding Windows but in the future I would like to do the same for Linux (I think that would be easier).
So there is Object Audit in Windows Security Policies but I don't think that's gonna help. I was wondering if there are some kind of syscheck rules that might do the trick? There are some new_file alerts that I think might work. The question is, is it possible to set that kind of alert only for external storage?
Of course I know that setting "new_file" alerts for external storage might produce a lot of false positives (although there is no external storage in use in our company) but that's the only thing I can think of and I don't know how to set it up.
In Linux I can see how you'd do it by looking at the mount type. Is that even something you can get from Windows?
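
Added example (not part of the thread and not syscheck's own code): a sketch of the Linux idea above, reading the mount table and returning the mount points that look like external storage, so that file monitoring can be limited to them. The file system list, the /boot exclusion and the sample mount table are assumptions constructed for illustration.

```python
import os
import re

# File systems typically found on USB sticks and memory cards (assumed list).
PORTABLE_FS = {"vfat", "exfat", "msdos", "ntfs", "ntfs3", "fuseblk", "udf", "iso9660"}

# Constructed sample in /proc/mounts format; "\040" is how the kernel writes a space.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid 0 0
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime 0 0
/dev/sdb1 /media/alice/USB\\040STICK vfat rw,nosuid,nodev 0 0
/dev/sdc1 /mnt/backup ext4 rw 0 0
"""

def parse_mounts(text):
    """Yield (device, mount_point, fs_type) for each line of mount-table text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # Decode octal escapes such as \040 back into real characters.
            mount_point = re.sub(r"\\([0-7]{3})",
                                 lambda m: chr(int(m.group(1), 8)), fields[1])
            yield fields[0], mount_point, fields[2]

def parent_disk(device):
    """/dev/sdb1 -> sdb, /dev/mmcblk0p1 -> mmcblk0, /dev/nvme0n1p2 -> nvme0n1."""
    name = os.path.basename(device)
    m = re.fullmatch(r"((?:sd|hd|vd|xvd)[a-z]+)\d*"
                     r"|((?:mmcblk|nvme\d+n)\d+)(?:p\d+)?", name)
    return (m.group(1) or m.group(2)) if m else name

def sysfs_removable(disk, sys_block="/sys/block"):
    """True if the kernel marks the disk removable (many USB hard disks report 0)."""
    try:
        with open(os.path.join(sys_block, disk, "removable")) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def external_mount_points(mounts_text, is_removable=sysfs_removable):
    """Mount points on removable disks, or with a portable FS outside /boot."""
    hits = []
    for device, mount_point, fs_type in parse_mounts(mounts_text):
        if not device.startswith("/dev/"):
            continue  # proc, tmpfs, network shares and other non-block mounts
        portable = fs_type in PORTABLE_FS and not mount_point.startswith("/boot")
        if portable or is_removable(parent_disk(device)):
            hits.append(mount_point)
    return hits

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print("\n".join(external_mount_points(fh.read())))
```

The file system type alone misses an ext4-formatted USB disk and the removable flag alone misses many USB hard disks, which is why the two checks are combined.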