I noticed that OSSEC v2.1 now has support for "Real time integrity checking" for Linux systems. However, I'm not really sure what this is. Is there any documentation out there describing the functionality of this real time integrity checker?
Thanks,
Michael

On Fri, Jul 10, 2009 at 7:58 AM, ddp <[email protected]> wrote:
>
> The realtime option for Linux might be along those same lines. I
> haven't looked at the paper you linked to, but from your description
> it sounds very rootkit-like in nature.
>
> On Thu, Jul 9, 2009 at 3:58 PM, Michael Altfield <[email protected]> wrote:
> >
> > Hello OSSEC Developers,
> >
> > Are there any plans to develop a CFIM feature into future versions of
> > OSSEC?
> >
> > I recently stumbled across Solidcore (now McAfee). They have a number
> > of products that utilize CFIM (Continuous File Integrity Monitoring).
> > Basically (as far as I can tell), instead of typical FIM approaches
> > (which they call PFIM--Periodic File Integrity Monitoring) that keep a
> > DB of checksums that periodically gets updated, their CFIM listens to
> > low-level kernel calls to see when a change is made to a file. This
> > allows for FIM to alert in real time and collect more information
> > about the change--such as WHEN the change was made (and therefore
> > providing more data for troubleshooting what _other_ changes were made
> > at the same time), what user made the change, and what program was
> > used to make the change. Moreover, unlike CFIM, OSSEC's current FIM
> > wouldn't detect the number of changes made in between the syscheck
> > scans (iirc, default 6 hours)--if more than one change was made.
> > Solidcore also boasts that their CFIM approach has significantly less
> > performance impact.
> >
> > A more detailed PFIM vs CFIM comparison can be found here:
> > http://www.solidcore.com/assets/Solidcore-CFIM-WP.pdf
> >
> > Has the OSSEC team considered developing a CFIM-style syscheck daemon?
> >
> >
> > Cheers,
> > Michael Altfield
> >
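The periodic-versus-continuous distinction the quoted mail is drawing, shown as an added example that is not part of this thread and not OSSEC's own syscheck code. The script below is a minimal periodic FIM in Python: it snapshots a directory into a checksum database (SHA-256 plus size, mode, owner and mtime), rescans later, and reports what differs. The scenario in demo() is constructed: between the two scans the config file is edited twice and a second file is created and then deleted. The scan can only compare end states, so it reports a single modification and never sees the short-lived file at all, which is exactly the information a kernel-notification approach (inotify on Linux) would have captured, together with the timestamp, user and process of each event. File names and contents are assumptions for the demonstration.

```python
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Attributes a periodic scan stores per file and compares next scan."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        # Whole seconds only: two edits within one second look identical here,
        # so the checksum, not the mtime, is what reliably catches the change.
        "mtime": int(st.st_mtime),
    }


def snapshot(root):
    """Walk `root` once and build the checksum database for this scan."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlink targets are scanned where they live
            db[os.path.relpath(path, root)] = file_record(path)
    return db


def diff_snapshots(old, new):
    """Compare two scans; returns sorted (kind, relpath, changed_fields)."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append(("added", rel, ""))
        elif rel not in new:
            events.append(("deleted", rel, ""))
        else:
            changed = [k for k in old[rel] if old[rel][k] != new[rel][k]]
            if changed:
                events.append(("modified", rel, ",".join(sorted(changed))))
    return events


def demo():
    """Constructed scenario: what one periodic scan sees and what it misses."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "app.conf")  # assumed file name
        with open(cfg, "w") as f:
            f.write("debug=0\n")
        baseline = snapshot(root)

        # Activity between scans: two separate edits to app.conf, and a
        # file that is dropped and removed again before the next scan.
        with open(cfg, "w") as f:
            f.write("debug=1\n")
        with open(cfg, "a") as f:
            f.write("log=/tmp/x\n")
        dropper = os.path.join(root, "dropper.sh")  # assumed file name
        with open(dropper, "w") as f:
            f.write("echo pwned\n")
        os.remove(dropper)

        # Only the net difference survives: one 'modified' event, no trace
        # of dropper.sh, and no record of who or what made the edits.
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, rel, fields in demo():
        print(f"{kind:9} {rel}  {fields}")
```

Running it prints a single `modified app.conf` line. Collapsing two edits into one event and losing the transient file entirely is the blind spot the mail describes; a scan interval only widens it, and shortening the interval trades that blind spot for the hashing cost on every pass.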
