I've successfully deployed ossec agent on a RedHat server. In fact, I am
collecting audit events related to the apache I've installed on RH, mainly
about /etc/php.ini.
OK, this is all good, but I have another apache installed on the RH server
with a different php.ini (not in /etc) that I want ossec to monitor.
Does anyone have an idea how to configure ossec to audit a php.ini that is not
located under /etc?

Inside /var/ossec/etc/shared/system_audit_rcl.txt you will find the
variable $php.ini= with all the locations where syscheck will attempt to
look for php.ini files. There is a catch with this system in that once it
finds a positive match for an audit it will not check the next possible
file. So you should duplicate this file and make sure it audits your
second php.ini file.
--
Jeremy Rossi
e: look at the headers people
t: http://twitter.com/jrossi
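
The duplication suggested in the reply above, as an added sketch that is not part of the original thread or of OSSEC itself. It copies an audit file and rewrites only the `$php.ini=` variable so the copy lists just the second php.ini and the first-match behaviour cannot skip it. The function name, the `/opt/apache2/conf/php.ini` path and the sample rule lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# make_php_audit SRC DST PHPINI  (hypothetical helper, not an OSSEC tool)
# Writes DST as a copy of SRC whose $php.ini variable lists only PHPINI.
make_php_audit() {
    src=$1; dst=$2; ini=$3
    case $ini in
        /*) ;;                                   # absolute paths only
        *) echo "php.ini path must be absolute" >&2; return 2 ;;
    esac
    case $ini in
        # ',' separates entries and ';' ends the list, so neither may appear in a path
        *,*|*\;*) echo "path contains a list separator" >&2; return 2 ;;
    esac
    # Fail loudly if the source file has no $php.ini definition to rewrite.
    grep -q '^\$php\.ini=' "$src" || {
        echo "no \$php.ini variable in $src" >&2; return 3; }
    # Replace only the variable line; every check that refers to
    # $php.ini is carried over unchanged.
    awk -v ini="$ini" '
        /^\$php\.ini=/ { print "$php.ini=" ini ";"; next }
        { print }' "$src" > "$dst"
}

# Constructed sample in the "$var=path,path;" layout (not real OSSEC content).
sample=$(mktemp) && out=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
$php.ini=/etc/php.ini,/var/www/conf/php.ini;
[PHP - Register globals are enabled] [any] []
f:$php.ini -> r:^register_globals = On;
EOF
make_php_audit "$sample" "$out" /opt/apache2/conf/php.ini && cat "$out"
rm -f "$sample" "$out"
```

The copy only takes effect once it is listed in its own `<system_audit>` entry in the rootcheck section of ossec.conf and the agent is restarted.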