Hi Michael,

This functionality is very similar to what you described. We use inotify on Linux to be alerted as soon as a file is changed. The only disadvantage right now is that we are not tracking who made the change.

I will post some documentation later about the real time integrity checking.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Jul 10, 2009 at 11:16 AM, Michael Altfield <[email protected]> wrote:
>
> I noticed that OSSEC v2.1 now has support for "Real time integrity
> checking" for Linux systems. However, I'm not really sure what this
> is. Is there any documentation out there describing the functionality
> of this real time integrity checker?
>
>
> Thanks,
> Michael
>
> On Fri, Jul 10, 2009 at 7:58 AM, ddp <[email protected]> wrote:
>>
>> The realtime option for Linux might be along those same lines. I
>> haven't looked at the paper you linked to, but from your description
>> it sounds very rootkit-like in nature.
>>
>> On Thu, Jul 9, 2009 at 3:58 PM, Michael Altfield <[email protected]> wrote:
>> >
>> > Hello OSSEC Developers,
>> >
>> > Are there any plans to develop a CFIM feature into future versions of
>> > OSSEC?
>> >
>> > I recently stumbled across Solidcore (now McAfee). They have a number
>> > of products that utilize CFIM (Continuous File Integrity Monitoring).
>> > Basically (as far as I can tell), instead of typical FIM approaches
>> > (which they call PFIM--Periodic File Integrity Monitoring) that keep a
>> > DB of checksums that periodically gets updated, their CFIM listens to
>> > low-level kernel calls to see when a change is made to a file. This
>> > allows for FIM to alert in real time and collect more information
>> > about the change--such as WHEN the change was made (and therefore
>> > providing more data for troubleshooting what _other_ changes were made
>> > at the same time), what user made the change, and what program was
>> > used to make the change. Moreover, unlike CFIM, OSSEC's current FIM
>> > wouldn't detect the number of changes made in between the syscheck
>> > scans (iirc, default 6 hours)--if more than one change was made.
>> > Solidcore also boasts that their CFIM approach has significantly less
>> > performance impact.
>> >
>> > A more detailed PFIM vs CFIM comparison can be found here:
>> > http://www.solidcore.com/assets/Solidcore-CFIM-WP.pdf
>> >
>> > Has the OSSEC team considered developing a CFIM-style syscheck daemon?
>> >
>> >
>> > Cheers,
>> > Michael Altfield
>> >
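The thread above contrasts a periodic checksum database (what the Solidcore paper calls PFIM) with inotify-driven real-time checking, and notes what the real-time path gains (the moment of each change, every change rather than the net result) and what it still lacks (who made the change). The following Python is an added illustration written for this page, not OSSEC's syscheck code: it keeps a sha256 snapshot the way a periodic scanner does, decodes the `struct inotify_event` byte layout that `read(2)` returns from an inotify descriptor, and (Linux only, via `ctypes`) can read live events. All function names, the `sshd_config` sample file and the constructed event stream in `demo()` are this example's own.

```python
"""Added illustration: periodic checksum scan (PFIM) next to inotify-style
real-time events (CFIM). Not OSSEC code; names below are this example's own."""
import hashlib
import os
import struct
import tempfile
import time
from pathlib import Path

# inotify mask bits, as defined in <sys/inotify.h> on Linux
IN_MODIFY = 0x00000002
IN_ATTRIB = 0x00000004
IN_CLOSE_WRITE = 0x00000008
IN_CREATE = 0x00000100
IN_DELETE = 0x00000200
MASK_NAMES = {IN_MODIFY: "MODIFY", IN_ATTRIB: "ATTRIB", IN_CLOSE_WRITE: "CLOSE_WRITE",
              IN_CREATE: "CREATE", IN_DELETE: "DELETE"}
WATCH_MASK = sum(MASK_NAMES)

# struct inotify_event header: int wd; uint32_t mask, cookie, len; then char name[len]
EVENT_HDR = struct.Struct("iIII")


def parse_inotify_events(buf):
    """Decode the variable-length records that read(2) returns from an inotify fd."""
    events, off = [], 0
    while off + EVENT_HDR.size <= len(buf):
        wd, mask, cookie, length = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        # name is NUL-terminated and NUL-padded; len counts the padding too
        name = buf[off:off + length].split(b"\0", 1)[0].decode(errors="replace")
        off += length
        events.append({"wd": wd, "cookie": cookie, "name": name,
                       "flags": [n for bit, n in MASK_NAMES.items() if mask & bit],
                       "seen_at": time.time()})  # what real-time checking gains: WHEN
    return events


def encode_inotify_event(wd, mask, name, cookie=0):
    """Lay out one record the way the kernel does (constructed input for the demo)."""
    raw = name.encode() + b"\0"
    raw += b"\0" * (-len(raw) % EVENT_HDR.size)  # kernel pads name to a multiple of 16
    return EVENT_HDR.pack(wd, mask, cookie, len(raw)) + raw


def scan(root):
    """PFIM: one sha256 per file, the checksum DB kept between scans."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_scans(old, new):
    """Compare two snapshots: this is all a periodic scan can report."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}


def watch_live(path, timeout_s=2.0):
    """Linux only: read real events through ctypes (no third-party module needed)."""
    import ctypes
    import select
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    libc.inotify_add_watch(fd, os.fsencode(path), WATCH_MASK)
    events, deadline = [], time.monotonic() + timeout_s
    while (left := deadline - time.monotonic()) > 0:
        ready, _, _ = select.select([fd], [], [], left)
        if ready:
            events += parse_inotify_events(os.read(fd, 65536))
    os.close(fd)
    return events


def demo():
    """Three edits between two scans: the scan collapses them, the events keep all three."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "sshd_config"          # constructed sample file
        target.write_text("PermitRootLogin no\n")
        baseline = scan(d)
        # Each write would surface as MODIFY then CLOSE_WRITE on a live descriptor;
        # the byte stream is constructed here instead of captured from the kernel.
        stream = b""
        for text in ("PermitRootLogin yes\n",
                     "PasswordAuthentication yes\n",
                     "PermitRootLogin no\nPasswordAuthentication no\n"):
            target.write_text(text)
            stream += encode_inotify_event(1, IN_MODIFY, "sshd_config")
            stream += encode_inotify_event(1, IN_CLOSE_WRITE, "sshd_config")
        periodic = diff_scans(baseline, scan(d))
        realtime = parse_inotify_events(stream)
    closes = [e for e in realtime if "CLOSE_WRITE" in e["flags"]]
    return {"periodic_modified": periodic["modified"], "realtime_writes": len(closes)}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns one modified entry from the periodic diff but three completed writes from the event stream; had the last write restored the original bytes, the periodic diff would have reported nothing at all. Note that the event record carries a watch descriptor, a mask, a cookie and a name, but no uid or pid, which is the gap Daniel describes: identifying who made the change needs a different source (audit records, for instance) correlated by time.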
