I have several situations where I need to monitor directories that overlap.
As an example: I have an application in /application. Data is in /application/data. Programs are in /application/binaries and /application/scripts. There are also /application/spool, /application/tmp and potentially other sub-directories under /application.

Suppose I want to monitor changes to ownership and permissions on everything under /application, and in addition monitor all changes to /application/binaries and /application/scripts. What is the best way to specify this?

I could do:

    <directories check_perm="yes" check_owner="yes" check_group="yes">/application</directories>
    <directories check_all="yes">/application/binaries</directories>

but this introduces an overlap (which I suspect is causing other issues).

If I had a limited and known number of sub-directories, then this would not be difficult, but I need to ensure that I do not miss out on /application/new_directory_that_wasn't_there_last_time_I_looked.

Is there a method using wildcards? Or an ignore of checksums?

I am using OSSEC 2.4.1 on RHEL 5. I plan to go to OSSEC 2.5.1 as soon as it is released.
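One way to sidestep the overlap the post describes is to stop nesting <directories> entries at all: emit one entry per immediate sub-directory of /application, giving the closely watched ones check_all and the rest only the permission and ownership checks, and regenerate the block whenever the tree changes. The script below is an added illustration, not code from the original post or from the OSSEC project; it builds a constructed sample tree in a temporary directory, checks the nested layout for overlap, and renders a non-overlapping <syscheck> block. The directory names, the choice of binaries and scripts as the check_all set, and the helper names are assumptions for the example.

```python
"""
Plan non-overlapping OSSEC syscheck <directories> entries for a tree such as
/application.  Added example (not from the original post or from OSSEC): it
creates a constructed sample tree, shows that the nested layout from the post
overlaps, and renders one <directories> line per top-level sub-directory so
that no entry is an ancestor of another.
"""
import os
import tempfile

# Constructed sample layout mirroring the post (assumed names).
SAMPLE_TREE = [
    "application/data",
    "application/binaries",
    "application/scripts",
    "application/spool",
    "application/tmp",
    "application/new_directory",   # appeared since the tree was last reviewed
]

# Assumption: only these sub-directories need the full check_all treatment.
FULL_CHECK = {"binaries", "scripts"}
LIGHT_ATTRS = 'check_perm="yes" check_owner="yes" check_group="yes"'


def plan_entries(root, full_check=FULL_CHECK):
    """Return [(path, attributes)] with one entry per immediate sub-directory.

    Symlinks and plain files directly under root are skipped; because every
    returned path is a direct child of root, no entry can nest inside another.
    """
    entries = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isdir(path) or os.path.islink(path):
            continue
        attrs = 'check_all="yes"' if name in full_check else LIGHT_ATTRS
        entries.append((path, attrs))
    return entries


def has_overlap(paths):
    """True if any path is an ancestor of another (the situation in the post)."""
    norm = [os.path.normpath(p) for p in paths]
    for a in norm:
        for b in norm:
            if a != b and b.startswith(a + os.sep):
                return True
    return False


def render_syscheck(entries):
    """Render the planned entries as a <syscheck> block for ossec.conf."""
    lines = ["<syscheck>"]
    for path, attrs in entries:
        lines.append("  <directories %s>%s</directories>" % (attrs, path))
    lines.append("</syscheck>")
    return "\n".join(lines)


def build_sample_root():
    """Create the constructed sample tree under a temp dir; return its root."""
    base = tempfile.mkdtemp()
    for rel in SAMPLE_TREE:
        os.makedirs(os.path.join(base, rel))
    # A stray top-level file: the planner must ignore it, not emit an entry.
    open(os.path.join(base, "application", "README"), "w").close()
    return os.path.join(base, "application")


if __name__ == "__main__":
    root = build_sample_root()
    nested = [root, os.path.join(root, "binaries")]
    print("overlap in the post's nested layout:", has_overlap(nested))
    entries = plan_entries(root)
    print("overlap in planned layout:", has_overlap([p for p, _ in entries]))
    print(render_syscheck(entries))
```

Two caveats when using this approach for real. First, the generated block only covers sub-directories, so files sitting directly in /application are not monitored by it; if those matter, they need their own entry or the tree needs to be arranged so they do not exist. Second, OSSEC reads ossec.conf at start-up, so a regenerated block (for example from a cron job that re-runs the planner) only takes effect after the agent or server is restarted, which is also the moment a newly appeared sub-directory starts being watched.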
