Well, OSSEC actually knows a file has changed only after it has changed. If you want/need to keep a copy of critical files you could simply add a cron job. That's it, and you won't have to wait for OSSEC to implement something that exists already.
Maddler

On 14/06/2009 04:29, Eric Gearhart wrote:
> On Thu, Jun 11, 2009 at 5:07 AM, William Maddler<[email protected]> wrote:
>> That's right. OSSEC can't tell what changed, nor could it.
>> Basically a "critical" file isn't supposed to change unless there is a
>> good reason for that (e.g. an upgrade).
>
> Welll.... OSSEC *could* keep copies of certain critical files and diff
> against them... it's technically possible, even if it's not
> implemented yet
>
> --
> Eric
> http://nixwizard.net
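The cron-job approach suggested above, sketched as an added example that is not part of the original thread or of OSSEC. The function name `snapshot_diff`, the baseline directory and the file list are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical names): keep baseline copies of critical files
# and print a diff when one changes. Intended to be called from a cron job,
# e.g. (constructed): snapshot_diff /var/lib/baseline /etc/passwd /etc/sudoers
#
# Usage: snapshot_diff BASELINE_DIR FILE...
# Exit status: 0 nothing changed, 1 a file changed or is missing, 2 setup error.
# The body is a subshell so the umask and variables do not leak to the caller.
snapshot_diff() (
    basedir=$1; shift
    changed=0
    umask 077                       # baseline copies may hold sensitive data
    mkdir -p "$basedir" || exit 2
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2  # a deleted critical file is also a change
            changed=1
            continue
        fi
        # Flatten the path into one file name: /etc/passwd -> _etc_passwd
        copy="$basedir/$(printf '%s' "$f" | tr '/' '_')"
        if [ ! -f "$copy" ]; then
            cp -p "$f" "$copy"      # first run: record the baseline only
            continue
        fi
        if ! cmp -s "$copy" "$f"; then
            changed=1
            echo "=== $f changed ==="
            diff -u "$copy" "$f" || true   # diff exits 1 when files differ
            cp -p "$f" "$copy"      # refresh baseline after reporting
        fi
    done
    exit "$changed"
)
```

Cron mails whatever the job prints, so leave files whose contents are secret (for example `/etc/shadow`) out of the list or replace the `diff` with a hash comparison, and keep the baseline directory writable by root only.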
