Hello OSSEC Developers,

Are there any plans to develop a CFIM feature into future versions of OSSEC?

I recently stumbled across Solidcore (now McAfee). They have a number of products that utilize CFIM (Continuous File Integrity Monitoring). Basically (as far as I can tell), instead of typical FIM approaches (which they call PFIM, Periodic File Integrity Monitoring) that keep a DB of checksums that periodically gets updated, their CFIM listens to low-level kernel calls to see when a change is made to a file. This allows FIM to alert in real time and collect more information about the change, such as WHEN the change was made (and therefore providing more data for troubleshooting what _other_ changes were made at the same time), what user made the change, and what program was used to make the change.

Moreover, unlike CFIM, OSSEC's current FIM wouldn't detect the number of changes made in between the syscheck scans (iirc, default 6 hours) if more than one change was made. Solidcore also boasts that their CFIM approach has significantly less performance impact.

A more detailed PFIM vs CFIM comparison can be found here:
http://www.solidcore.com/assets/Solidcore-CFIM-WP.pdf

Has the OSSEC team considered developing a CFIM-style syscheck daemon?

Cheers,
Michael Altfield
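The blind spot the post describes (a periodic checksum scan only sees the net difference between two snapshots, not each individual write) can be shown with a small baseline-and-rescan FIM. The following is an added example written for this thread, not OSSEC's syscheck code or anything from Solidcore; the directory layout, file names and the sequence of writes are a constructed scenario. It records a SHA-256 per file plus the stat metadata a periodic scan can still capture (size, last mtime, owner uid), then counts how many real write events collapse into how many detected changes.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record hash plus stat metadata for every regular file.

    mtime and uid are the only "when" and "who" a periodic scan can recover, and
    they reflect the *last* write only; the program that wrote the file is unknown.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "uid": st.st_uid,
            }
    return baseline


def diff_baselines(old: dict, new: dict) -> list:
    """Compare two scans and return (kind, relative_path) tuples for each net difference."""
    changes = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes.append(("added", rel))
        elif rel not in new:
            changes.append(("deleted", rel))
        elif old[rel]["sha256"] != new[rel]["sha256"]:
            changes.append(("modified", rel))
    return changes


def demo() -> dict:
    """Constructed scenario: several writes happen between two periodic scans.

    - app.conf is rewritten three times (final content differs from baseline)
    - other.conf is changed and then restored to its original content
    - new.conf is created
    Six write events occur; the rescan can only report two net changes.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        app = root / "etc" / "app.conf"
        other = root / "etc" / "other.conf"
        app.write_text("debug=off\n")
        other.write_text("x=1\n")
        baseline = build_baseline(root)  # scan 1

        write_events = 0
        for text in ("debug=on\n", "debug=off\n", "listen=0.0.0.0\n"):
            app.write_text(text)  # three distinct edits, only the last survives
            write_events += 1
        other.write_text("x=2\n")  # temporary change ...
        other.write_text("x=1\n")  # ... reverted before the next scan
        write_events += 2
        (root / "etc" / "new.conf").write_text("y=3\n")
        write_events += 1

        rescan = build_baseline(root)  # scan 2
        changes = diff_baselines(baseline, rescan)
        return {
            "actual_write_events": write_events,
            "detected_changes": len(changes),
            "changes": changes,
        }


if __name__ == "__main__":
    result = demo()
    print(f"{result['actual_write_events']} writes, "
          f"{result['detected_changes']} detected: {result['changes']}")
```

Running `demo()` reports six write events but only two detected changes: the three edits to app.conf appear as one "modified" entry, and the change-and-revert of other.conf leaves no trace at all because its hash matches the baseline. A kernel-event approach (inotify/fanotify on Linux, or the syscall hooking the post describes) would have seen each of the six writes as it happened, with the writing process and user attached.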
