On Sat, Oct 24, 2009 at 10:58 AM, Michael Starks
<ossec-l...@michaelstarks.com> wrote:
>
> Daniel Cid wrote:
>> This is an option that I decided to remove after testing the realtime
>> notification. The issue
>> is that the system creates some temporary files constantly (vi .swp
>> files, some .tmp files,
>> etc) and removes them a few seconds after.
>
> Hey Daniel,
>
> I think this is a useful option if we use default rules to tame it. For
> example, new files in system32 on Windows should be more rare (although
> subdirectories could be chatty). But the idea is that we use a positive
> security model instead of negative. If the user wants to make changes,
> then they could just write an overwrite or dependent rule.
>
> --
> Michael Starks
> [I] Immutable Security
> http://www.immutablesecurity.com
> Information Security, Privacy and Personal Liberty
> Week of OSSEC - Every day a new OSSEC post - Oct 25-31
> Speaking on "OSSEC in the Enterprise," Oct 29 2009
> (http://www.immutablesecurity.com/index.php/2009/09/10/ossec-at-the-rochester-security-summit/)
>

I wonder if it would be possible to rearrange the monitored
directories so that the ones to get frequent temp files can be in
different lines than the directories that do not.

Silly example:
<!--Do not get temp files-->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<!--Dirs that get a lot of temp files, do NOT set to realtime-->
<directories check_all="yes">/var/run,/var/tmp</directories>

I guess we'd have some work to find out which directories get a lot of
temp files so they could be arranged properly. And then figure out if
not setting them to realtime or allowing a switch for not alerting on
new files would be best.
Dan

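A fuller version of the split Dan sketches above, written out as an added example; it is not configuration from this thread or from the OSSEC project. The stable system directories go on their own line with realtime monitoring and get new-file alerts, while the temp-heavy directories sit on a separate line with only the scheduled scan. It uses the syscheck <alert_new_files> option, which hands new-file events to rule 554 (level 0 by default) so that a local overwrite rule decides whether they alert; that this option and rule exist in the build being discussed is an assumption. The rule id 100554, the ".swp" ignore pattern and the "/var/" match string are illustrative.

```xml
<!-- ossec.conf (agent or local install): one line per noise profile -->
<ossec_config>
  <syscheck>
    <!-- Scheduled full scan every 6 hours; covers the non-realtime lines -->
    <frequency>21600</frequency>

    <!-- Emit an event for every new file (assumption: option present in this build).
         By itself this is silent: rule 554 is level 0 until overridden below. -->
    <alert_new_files>yes</alert_new_files>

    <!-- Stable directories: realtime, and new files here are rare enough to alert on -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>

    <!-- Noisy directories: scheduled scan only, never realtime -->
    <directories check_all="yes">/var/run,/var/tmp</directories>

    <!-- Editor swap files in the stable set are dropped before they reach the rules.
         sregex treats everything except ^ $ | as literal, so this is ".swp" at end of path. -->
    <ignore type="sregex">.swp$</ignore>
  </syscheck>
</ossec_config>

<!-- local_rules.xml: turn new-file events into alerts, then carve out exceptions -->
<group name="local,syscheck,">
  <!-- Overwrite the stock level-0 rule so new files become level-7 alerts -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>

  <!-- Dependent rule (illustrative id): stay silent for anything under /var even if a
       noisy directory is later added to a realtime line. The event text is
       "New file '/path' added to the file system.", so match on the quoted path prefix. -->
  <rule id="100554" level="0">
    <if_sid>554</if_sid>
    <match>'/var/</match>
    <description>New file in a noisy directory; ignored.</description>
  </rule>
</group>
```

With this layout the "positive" model Michael describes lives in the rules, not the directory list: the directory lines only decide which paths are watched in realtime, rule 554 sets the default answer to "alert", and each exception is an explicit dependent rule that can be reviewed on its own.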