Hi,
I have a few configuration questions. Can someone help?
1. Can I configure syscheckd to report new files? It seems only
file changes are detected.
2. Can I include part of an ignored directory in syscheck? For example,
would the following config detect changes in /var/ossec/bin?
<syscheck>
  <directories check_all="yes">/</directories>
  <ignore>/var</ignore>
  <directories check_all="yes">/var/ossec/bin</directories>
  <directories check_all="yes">/var/ossec/rules</directories>
</syscheck>
3. Why do the rule files in /var/ossec/rules have the execution bit set?
-r-xr-x--- 1 root ossec 4415 Jun 7 10:31 apache_rules.xml
-r-xr-x--- 1 root ossec 2969 Jul 21 03:56 attack_rules.xml
4. I renice syscheckd to priority 19 and keep using the default 2-hour
run frequency. What would happen if the daemon can't finish scanning
all the files within that period?
Thanks in advance.
Martin
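The following syscheck block is an added example for comparison and is not part of Martin's post or the OSSEC project's own documentation. It puts the posted configuration next to a variant that keeps the `/var/ossec/bin` and `/var/ossec/rules` monitoring in effect. Two OSSEC behaviours it relies on: syscheck `<ignore>` entries without a `type` attribute are compared as path prefixes against the full path of each file, so `/var` also covers everything beneath `/var/ossec`; and new-file alerting is controlled by the `<alert_new_files>` option, which is off unless enabled. The `<frequency>` value of 7200 seconds is the default 2-hour interval from the question; the exact set of `/var` subdirectories to skip is an assumption for illustration.

```xml
<ossec_config>
  <!-- As posted: /var is ignored as a prefix, so files under
       /var/ossec/bin and /var/ossec/rules still start with "/var"
       and are skipped even though those directories are listed. -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/</directories>
    <ignore>/var</ignore>
    <directories check_all="yes">/var/ossec/bin</directories>
    <directories check_all="yes">/var/ossec/rules</directories>
  </syscheck>

  <!-- Corrected: ignore only the noisy children of /var (the list below is
       an assumed, site-specific choice), leave /var/ossec reachable, and
       turn on alerting for newly created files. The 7200 second frequency
       is the default 2-hour scan interval. -->
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/</directories>
    <ignore>/var/log</ignore>
    <ignore>/var/tmp</ignore>
    <ignore>/var/cache</ignore>
    <ignore>/var/spool</ignore>
    <directories check_all="yes">/var/ossec/bin</directories>
    <directories check_all="yes">/var/ossec/rules</directories>
  </syscheck>
</ossec_config>
```

Because the ignore match is a plain prefix, `<ignore>/var</ignore>` would also drop a path such as `/variable` if one existed; when the intent is to match a directory exactly, terminate the entry with a trailing slash or use a pattern with `type="sregex"`. Only one `<syscheck>` block belongs in a real ossec.conf; the two are shown side by side here so the difference is visible.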