I am running OSSEC version 2.4.1 on RHEL installed in the default /var/ossec directory.

In my ossec.conf and agent.conf files I am monitoring OSSEC itself:
    <directories check_all="yes">/var/ossec/bin</directories>
    <directories check_all="yes">/var/ossec/etc</directories>
    <directories check_perm="yes" check_owner="yes" check_group="yes">/var/ossec</directories>

For both the server and the agents I am getting integrity checksum
alerts such that various files are having their size changed to 0, and
then subsequently back.

This not only happens on files I might expect to change (such as /var/ossec/etc/shared/agent.conf) on an agent, but also on others I would not expect to change, such as /var/ossec/bin/ossec-syscheckd, on both the master and on agents.

Obviously I want to be informed if these files have changed, but in
most cases they are changing from an initial size, down to zero and
then back to the initial size, producing 2 alerts for no actual
change.

Can anyone suggest why this is happening and if there is a
workaround?

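Added example, not part of the original thread and not OSSEC's own tooling: a small Python triage script that parses the size-change lines of syscheck alerts, collapses the X to 0 to X pairs the poster describes into a "transient zero" count, and reports only files whose size actually differs at the end of the window. The alert line format ("Integrity checksum changed for: ..." followed by "Size changed from ... to ...") and the sample alert text are assumed and constructed for this example.

```python
import re

# Constructed sample of syscheck alert lines (format assumed, not taken
# from the post): ossec-syscheckd flaps to 0 and back; agent.conf drops
# to 0 and comes back with a different size, i.e. a real change.
SAMPLE_ALERTS = """\
Integrity checksum changed for: '/var/ossec/bin/ossec-syscheckd'
Size changed from '41232' to '0'

Integrity checksum changed for: '/var/ossec/bin/ossec-syscheckd'
Size changed from '0' to '41232'

Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf'
Size changed from '1200' to '0'

Integrity checksum changed for: '/var/ossec/etc/shared/agent.conf'
Size changed from '0' to '1258'
"""

# Pair each "checksum changed" line with the size line that follows it.
ALERT_RE = re.compile(
    r"Integrity checksum changed for: '(?P<path>[^']+)'\s*\n"
    r"Size changed from '(?P<old>\d+)' to '(?P<new>\d+)'"
)


def parse_size_changes(alert_text):
    """Return {path: [(old_size, new_size), ...]} in log order."""
    changes = {}
    for m in ALERT_RE.finditer(alert_text):
        changes.setdefault(m["path"], []).append((int(m["old"]), int(m["new"])))
    return changes


def triage(alert_text):
    """Collapse X->0->X pairs into a transient count; flag net changes only."""
    report = {}
    for path, seq in parse_size_changes(alert_text).items():
        transient, i = 0, 0
        while i < len(seq):
            old, new = seq[i]
            # A drop to 0 immediately followed by 0 -> same old size is a flap.
            if new == 0 and i + 1 < len(seq) and seq[i + 1] == (0, old):
                transient += 1
                i += 2
            else:
                i += 1
        report[path] = {"transient_zero": transient,
                        "net_change": seq[0][0] != seq[-1][1],
                        "final_size": seq[-1][1]}
    return report
```

Run it over a window of alerts.log entries; files with `net_change` False and a non-zero `transient_zero` count are the spurious pairs, while files with `net_change` True still need a look.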