It may be a good compromise (for now) to have a simple solution to this, such as stashing copies of files somewhere for later diff. Sure, it's not secure -- but it can be developed further.
I loathe the thought of having to augment OSSEC's processes with something like Puppet or CFEngine - which of course defeats the purpose to begin with.
It's nice to know when a file changes, but even more *useful* to know what that change was - possibly some other info like by whom (logins on system) etc.
_F
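The "stash copies for later diff" compromise sketched above, as an added example (not OSSEC code, and not from the poster): each monitored file is copied into a content-addressed store, and a later check emits a unified diff from the stashed version to the current one. The function names and the store layout are assumptions; as the post notes, a store on the same host can be tampered with by whoever changed the file, so it shows *what* changed but does not prove it.

```python
"""Stash a copy of each monitored file so a later change can be shown as a diff.

Added example, not OSSEC code: function names and the snapshot layout are
assumptions chosen for this illustration.
"""
import difflib
import hashlib
from pathlib import Path


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_file(path: Path, store: Path) -> str:
    """Copy `path` into `store` under its SHA-256 name and return the digest.

    Keying the store by content hash means unchanged files cost nothing extra
    and every historical version of a file is retained for later comparison.
    """
    data = path.read_bytes()
    digest = _digest(data)
    store.mkdir(parents=True, exist_ok=True)
    copy = store / digest
    if not copy.exists():
        copy.write_bytes(data)
    return digest


def diff_against_snapshot(path: Path, store: Path, old_digest: str) -> str:
    """Return a unified diff from the stashed version to the current file.

    An empty string means the content is unchanged. Binary content is
    reported by hash only, since a line-oriented diff would be meaningless.
    """
    old = (store / old_digest).read_bytes()
    new = path.read_bytes()
    if old == new:
        return ""
    try:
        old_lines = old.decode().splitlines(keepends=True)
        new_lines = new.decode().splitlines(keepends=True)
    except UnicodeDecodeError:
        return f"binary change: {old_digest} -> {_digest(new)}\n"
    return "".join(difflib.unified_diff(
        old_lines, new_lines,
        fromfile=f"{path} (stashed {old_digest[:12]})",
        tofile=f"{path} (current)"))
```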
