The realtime option for Linux might be along those same lines. I haven't looked at the paper you linked to, but from your description it sounds very rootkit-like in nature.
On Thu, Jul 9, 2009 at 3:58 PM, Michael Altfield<[email protected]> wrote:
>
> Hello OSSEC Developers,
>
> Are there any plans to develop a CFIM feature into future versions of
> OSSEC?
>
> I recently stumbled across Solidcore (now McAfee). They have a number
> of products that utilize CFIM (Continuous File Integrity Monitoring).
> Basically (as far as I can tell), instead of typical FIM approaches
> (which they call PFIM--Periodic File Integrity Monitoring) that keep a
> DB of checksums that periodically gets updated, their CFIM listens to
> low-level kernel calls to see when a change is made to a file. This
> allows for FIM to alert in real time and collect more information
> about the change--such as WHEN the change was made (and therefore
> providing more data for troubleshooting what _other_ changes were made
> at the same time), what user made the change, and what program was
> used to make the change. Moreover, unlike CFIM, OSSEC's current FIM
> wouldn't detect the number of changes made in between the syscheck
> scans (iirc, default 6 hours)--if more than one change was made.
> Solidcore also boasts that their CFIM approach has significantly less
> performance impact.
>
> A more detailed PFIM vs CFIM comparison can be found here:
> http://www.solidcore.com/assets/Solidcore-CFIM-WP.pdf
>
> Has the OSSEC team considered developing a CFIM-style syscheck daemon?
>
>
> Cheers,
> Michael Altfield

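The periodic-versus-continuous distinction discussed in the message above, as an added example that is not part of this thread and not OSSEC or Solidcore code: a minimal periodic checksum scanner in Python, run over a constructed temporary directory in which one file is edited twice and a second file is created and then deleted between two scans, beside a Linux-only inotify watcher (called through ctypes; inotify is the kernel notification facility a realtime syscheck can sit on). All file names, paths and contents are invented for the demonstration. The periodic diff reports a single modified file and never learns the transient file existed; the inotify event list shows each change as the kernel delivered it.

```python
"""Periodic checksum FIM beside an inotify watcher (added example, not OSSEC code)."""
import ctypes
import hashlib
import os
import select
import struct
import sys
import tempfile
from pathlib import Path

# Event bits from <sys/inotify.h>; the struct inotify_event header is 16 bytes.
IN_MODIFY, IN_CLOSE_WRITE, IN_CREATE, IN_DELETE = 0x2, 0x8, 0x100, 0x200
WATCH_MASK = IN_MODIFY | IN_CLOSE_WRITE | IN_CREATE | IN_DELETE
REALTIME_SUPPORTED = sys.platform == "linux"


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """The checksum database a periodic scan builds: relative path -> digest."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                db[p.relative_to(root).as_posix()] = hash_file(p)
    return db


def diff_snapshots(old: dict, new: dict) -> dict:
    """Net change between two scans; anything in between is unobservable."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def inotify_events(directory: Path, actions) -> list:
    """Run actions() while an inotify watch is on directory (Linux only).

    Returns (mask, name) pairs in the order the kernel delivered them. On other
    platforms, or if inotify is unavailable, actions() still runs and [] is returned.
    """
    fd = -1
    if REALTIME_SUPPORTED:
        libc = ctypes.CDLL(None, use_errno=True)
        fd = libc.inotify_init()
        if fd >= 0 and libc.inotify_add_watch(fd, str(directory).encode(), WATCH_MASK) < 0:
            os.close(fd)
            fd = -1
    actions()  # the changes happen whether or not anyone is watching
    if fd < 0:
        return []
    events = []
    while select.select([fd], [], [], 0.1)[0]:
        buf = os.read(fd, 65536)
        off = 0
        while off < len(buf):
            _wd, ev_mask, _cookie, name_len = struct.unpack_from("iIII", buf, off)
            raw = buf[off + 16:off + 16 + name_len]
            events.append((ev_mask, raw.split(b"\0", 1)[0].decode()))
            off += 16 + name_len
    os.close(fd)
    return events


def demo() -> dict:
    """Constructed scenario: several changes inside a single scan interval."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        target = etc / "sshd_config"
        target.write_text("PermitRootLogin no\n")
        baseline = snapshot(root)  # scan 1

        def changes():
            target.write_text("PermitRootLogin yes\n")  # edit 1
            target.write_text("PermitRootLogin yes\nPasswordAuthentication yes\n")  # edit 2
            dropper = etc / "cron.hourly.tmp"  # created and removed before scan 2
            dropper.write_text("# placeholder payload (constructed)\n")
            dropper.unlink()

        realtime = inotify_events(etc, changes)  # CFIM view: every event
        periodic = diff_snapshots(baseline, snapshot(root))  # scan 2, PFIM view
        return {"periodic": periodic, "realtime": realtime}


if __name__ == "__main__":
    result = demo()
    print("periodic scan saw:", result["periodic"])
    for mask, name in result["realtime"]:
        print(f"inotify event mask=0x{mask:x} name={name}")
```

The periodic scanner is the shape of a checksum-database FIM: a walk, a digest per file, and a set difference. What it cannot report is exactly what the message lists: how many times `sshd_config` changed, when, by whom, or that `cron.hourly.tmp` ever existed. The inotify watcher receives a `IN_CREATE` and `IN_DELETE` for the transient file and two `IN_CLOSE_WRITE` events for the edited one, but it still only knows the path and event type; attributing a change to a user and program needs a richer source such as audit or a kernel module, which is the part of the Solidcore design the reply above calls rootkit-like.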