Daniel Cid wrote:
> Because of that, within OSSEC we use the time that the integrity
> checking process ran as the
> change time. Note that this is open to discussion, if people find
> it useful to have the real
> change time being used we can add that as a config option.

In theory, hooking into the file system or kernel would allow for immediate alerts, would it not?
