Hi all,

Thanks a lot for your input! It's very interesting to hear different opinions. I've learned: which mtime you need really depends on the type of problem you have. For me, the real mtime would be better.

But this:

>> I imagine something like approved updated MD5s, etc. [...]

would be the perfect solution, sure. A thin interface for feeding trusted md5/sha1 sums into OSSEC would improve it into a powerful change management solution, more powerful than Tripwire (my opinion, because Tripwire depends only on checksums and is hard to integrate). I played around with updating the metadata in .../queue/syscheck/syscheck but had no success.

Michael's idea of hooking into the kernel would also be great, but I think the implementation of this functionality depends too much on the OS used. Correct me if I'm wrong.

And, coming back to the <scan_time> parameter (sorry...): for the last three days I played around with this parameter on several machines. They always perform syscheck once after restarting ossec, then no longer. Does anyone have similar problems? Or is this maybe an OS- or timezone-dependent problem?

Thanks & Regards
Matthias
