You may be able to modify the permissions to accomplish this, but there's no setting in ossec.
-----Original Message-----
From: L. Samain
Sent: 09/24/2010 6:51:32 AM
Subject: [ossec-list] Re: Baselines for syscheck

So it's impossible to block changes to the baselines? We can't always have the same baseline? (so no update when a file is modified)

Thank you.

On 2 sep, 15:21, "dan (ddp)" <[email protected]> wrote:
> On Thu, Sep 2, 2010 at 9:01 AM, ItsMikeE <[email protected]> wrote:
> > When syscheck is run for the first time it creates a baseline of files
> > to be monitored.
> >
> > In the event of some changes from that baseline an alert is produced.
> > As I see it there are two main reasons why files may have changed
> > 1) Acceptable change - We are content that this does not indicate a
> > breach. In this case the baseline should be updated, and any future
> > changes will produce alerts
> > 2) Unacceptable change - An unexpected change which may indicate a
> > breach. In this case we do not want to update the baseline, but return
> > the files to their baseline condition.
> >
> > AFAIK while OSSEC produces alerts which may inform us of a breach, it
> > always updates the baseline (as in option 1).
> > Is that the case? Is there the functionality to block changes to the
> > baseline?
>
> That is the case. I think it's less of a baseline and more of a "state
> of the system at the time of the syscheck run."
> If the file is restored you will then be alerted to the fact the
> checksum changed, even though it may have reverted to a previous
> value.
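The two behaviours discussed in this thread (a "state at the time of the last run" that is overwritten after every change, versus a pinned baseline that never updates on its own) are easy to confuse, so here is a small self-contained Python script that simulates both. It is an added illustration, not OSSEC code, and it does not model the real syscheck database format; the file contents and the `passwd` file name are constructed sample data.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """First run: record the checksum of every monitored file."""
    return {p: sha256_file(p) for p in paths}


def check(baseline, update_on_change):
    """Compare monitored files against the stored checksums.

    Returns (alerts, new_baseline).  With update_on_change=True the stored
    checksum is replaced after an alert, which is the "state of the system at
    the time of the syscheck run" behaviour described in the thread.  With
    update_on_change=False the baseline is pinned: a file restored to its
    original content stops alerting, and a tampered file keeps alerting on
    every run until someone deliberately re-baselines it.
    """
    alerts = []
    new_baseline = dict(baseline)
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "deleted"))
            continue
        actual = sha256_file(path)
        if actual != expected:
            alerts.append((path, "modified"))
            if update_on_change:
                new_baseline[path] = actual
    return alerts, new_baseline


def demo(update_on_change):
    """Scenario: baseline -> clean run -> tamper -> restore.

    Returns the number of alerts raised by each of the three check runs.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")          # constructed sample file
        original = b"root:x:0:0:root:/root:/bin/bash\n"
        with open(path, "wb") as f:
            f.write(original)
        baseline = build_baseline([path])

        alerts_clean, baseline = check(baseline, update_on_change)

        # Simulated unacceptable change: an extra uid-0 account appended.
        with open(path, "ab") as f:
            f.write(b"evil:x:0:0::/:/bin/sh\n")
        alerts_tamper, baseline = check(baseline, update_on_change)

        # Operator restores the file to its original content.
        with open(path, "wb") as f:
            f.write(original)
        alerts_restore, baseline = check(baseline, update_on_change)

        return [len(alerts_clean), len(alerts_tamper), len(alerts_restore)]


if __name__ == "__main__":
    print("auto-updating store:", demo(True))   # restore alerts again
    print("pinned baseline:    ", demo(False))  # restore is silent
```

With the auto-updating store the restore step produces a second alert, exactly as dan describes, because the stored checksum was overwritten with the tampered value. With the pinned baseline the restore is silent, and the decision to accept a change becomes an explicit re-baseline step rather than something the scanner does for you.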
