Daniel Cid wrote:
> This is an option that I decided to remove after testing the realtime
> notification. The issue is that the system creates some temporary files
> constantly (vi .swp files, some .tmp files, etc) and removes them a few
> seconds after.
Hey Daniel,

I think this is a useful option if we use default rules to tame it. For example, new files in system32 on Windows should be more rare (although subdirectories could be chatty). But the idea is that we use a positive security model instead of negative. If the user wants to make changes, then they could just write an overwrite or dependent rule.

-- 
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
Information Security, Privacy and Personal Liberty

Week of OSSEC - Every day a new OSSEC post - Oct 25-31
Speaking on "OSSEC in the Enterprise," Oct 29 2009
(http://www.immutablesecurity.com/index.php/2009/09/10/ossec-at-the-rochester-security-summit/)
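The trade-off the two messages describe (realtime "new file" alerts are valuable, but editor and installer scratch files that live for a few seconds drown them out) can be illustrated with a small triage routine. The following is an added example, not code from the thread, from OSSEC or from either author, and it does not use OSSEC's XML rule format; it is a Python stand-in for the logic a "default rule" would encode: always alert on a new file directly inside a critical directory (top level only, since subdirectories are chatty), hold back alerts for files matching transient patterns until a short grace window passes, and drop the alert entirely if the file is deleted within that window. The patterns, directory list, grace period and sample events are all constructed for the example.

```python
"""Added example: de-noising realtime 'new file' events from a file-integrity monitor.

Constructed logic, not OSSEC's rule engine. Paths are normalised by the caller to
forward slashes and lower case so that pattern matching is simple and portable.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: float      # seconds (constructed sample timestamps below)
    action: str    # "added" or "deleted"
    path: str      # normalised path


# Scratch files that editors/build tools create and remove within seconds (assumed list)
TRANSIENT_PATTERNS = ("*.swp", "*.swx", "*.tmp", "*~", "*/.#*")

# Directories where a brand-new file is rare enough to alert on immediately (assumed list)
CRITICAL_DIRS = ("c:/windows/system32", "/etc", "/usr/bin")

# How long a 'transient-looking' new file may survive before we alert on it anyway (assumed)
GRACE_SECONDS = 10.0


def is_transient(path: str) -> bool:
    """True if the file name looks like an editor or build scratch file."""
    return any(fnmatch(path, pattern) for pattern in TRANSIENT_PATTERNS)


def in_critical_dir(path: str) -> bool:
    """True only for files directly inside a critical directory, not in its subdirectories."""
    parent = path.rsplit("/", 1)[0]
    return parent in CRITICAL_DIRS


def triage(events: List[Event], grace: float = GRACE_SECONDS) -> List[str]:
    """Return the alerts a rule set following the thread's 'positive model' would raise.

    - new file directly in a critical directory: alert at once
    - new transient-looking file: park it; alert only if it outlives `grace` seconds
    - new transient-looking file deleted within `grace`: suppressed entirely
    - any other new file: alert
    """
    alerts: List[str] = []
    pending: Dict[str, Event] = {}  # path -> its "added" event, awaiting deletion or timeout

    for ev in sorted(events, key=lambda e: e.ts):
        # Flush parked files whose grace window expired before this event arrived.
        for path, added in list(pending.items()):
            if ev.ts - added.ts > grace:
                alerts.append(f"new file (lived > {grace:.0f}s): {path}")
                del pending[path]

        if ev.action == "added":
            if in_critical_dir(ev.path):
                alerts.append(f"new file in critical dir: {ev.path}")
            elif is_transient(ev.path):
                pending[ev.path] = ev
            else:
                alerts.append(f"new file: {ev.path}")
        elif ev.action == "deleted":
            added = pending.get(ev.path)
            if added is not None and ev.ts - added.ts <= grace:
                del pending[ev.path]  # came and went like a vi .swp file: no alert
            # deletions of long-lived files are a separate rule, out of scope here

    # Whatever is still parked when the batch ends is reported rather than lost.
    for path in pending:
        alerts.append(f"new file (still present at end of batch): {path}")
    return alerts


# Constructed sample stream: a vi swap file, a build temp file that lingers,
# a new DLL dropped straight into system32, and an ordinary new script.
SAMPLE_EVENTS = [
    Event(100.0, "added",   "/home/alice/.notes.txt.swp"),
    Event(103.5, "deleted", "/home/alice/.notes.txt.swp"),       # gone after 3.5s: suppressed
    Event(110.0, "added",   "/tmp/build-3f9a.tmp"),
    Event(120.0, "added",   "c:/windows/system32/unexpected.dll"),  # critical dir: immediate alert
    Event(125.0, "deleted", "/tmp/build-3f9a.tmp"),              # lived 15s: alerted on timeout
    Event(130.0, "added",   "/usr/local/bin/backup.sh"),         # plain new file: alert
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Running the block prints three alerts (the system32 file, the lingering .tmp file, and the new script) and nothing for the swap file. The grace window is the knob the thread is really arguing about: set it to zero and you get Daniel's noisy behaviour; set it too high and a file dropped and removed by an installer within that window is never seen, so the critical-directory rule deliberately bypasses it.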