On Wed, Oct 13, 2010 at 11:35 AM, ItsMikeE <[email protected]> wrote:
> I have several situations where I need to monitor directories that
> overlap.
>
> As an example:
>
> I have an application in /application
> Data is in /application/data
> Programs are in /application/binaries and /application/scripts
> There is also /application/spool, /application/tmp and potentially
> other sub-directories under /application
>
> Suppose I want to monitor changes to ownership and permissions on
> everything under /application, and in addition to monitor all changes
> to /application/binaries and /application/scripts?
> What is the best way to specify this?
>
> I could do:
> <directories check_perm="yes" check_owner="yes" check_group="yes">/application</directories>
> <directories check_all="yes">/application/binaries</directories>
>
> but this introduces an overlap (which I suspect is causing other
> issues).

What "other issues"?

> If I have a limited and known number of sub-directories, then this
> would not be difficult, but I need to ensure that I do not miss out
> on /application/new_directory_that_wasn't_there_last_time_I_looked
>
> Is there a method using wildcards?
> Or an ignore checksums?
>
> I am using OSSEC 2.4.1 on RHEL 5
> Plan to go to OSSEC 2.5.1 as soon as it is released

The following link describes all of the possibilities (last time I checked):
http://www.ossec.net/doc/manual/syscheck/index.html

I wonder if you could do something like:

<directories check_sum="yes" check_size="yes">/application/binaries</directories>
<directories check_perm="yes" check_owner="yes" check_group="yes">/application</directories>

I'm not sure if the order matters for syscheck or not. I think sum and size are the only other options covered in "check_all" that aren't in the plain /application directories option. It's an interesting idea, but testing it might be a pain. Detailing those other issues would be very helpful.
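The thread's concern is that two <directories> entries cover the same tree. Before relying on whatever precedence syscheck applies (which this thread does not settle), a quick way to see where entries overlap is to parse the syscheck block and list every path that sits under another monitored path, together with the check_* attributes each entry requests. The script below is an added example, not code from the thread or from OSSEC; the ossec.conf fragment inside it is constructed for the demo and uses the comma-separated path form that OSSEC's default configuration itself uses.

```python
"""Flag overlapping <directories> entries in an OSSEC syscheck block.

Added example, not part of the original thread. The ossec.conf fragment
below is constructed for the demo. How OSSEC resolves overlapping entries
is not settled on this page, so the script only reports the overlaps and
the attributes each entry carries; it does not guess which one wins.
"""
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: the layered layout discussed in the thread.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_perm="yes" check_owner="yes" check_group="yes">/application</directories>
    <directories check_all="yes">/application/binaries,/application/scripts</directories>
    <ignore>/application/tmp</ignore>
  </syscheck>
</ossec_config>
"""


def parse_directories(conf_text):
    """Return a list of (path, attributes) for every <directories> entry.

    One entry may carry several comma-separated paths, so each path is
    split out and normalised before it is recorded.
    """
    root = ET.fromstring(conf_text)
    entries = []
    for elem in root.iter("directories"):
        for raw in (elem.text or "").split(","):
            path = posixpath.normpath(raw.strip())
            if path and path != ".":
                entries.append((path, dict(elem.attrib)))
    return entries


def is_subpath(child, parent):
    """True when `child` equals `parent` or lies somewhere beneath it.

    The trailing slash prevents /applicationx from matching /application.
    """
    if child == parent:
        return True
    return child.startswith(parent.rstrip("/") + "/")


def find_overlaps(entries):
    """Return (narrower, broader) pairs where one monitored path is under another."""
    overlaps = []
    for i, (p1, _) in enumerate(entries):
        for j, (p2, _) in enumerate(entries):
            if i != j and p1 != p2 and is_subpath(p1, p2):
                overlaps.append((p1, p2))
    return overlaps


def checks_for(path, entries):
    """Every entry whose path covers `path`, keyed by entry path, with its attributes."""
    return {p: attrs for p, attrs in entries if is_subpath(path, p)}


if __name__ == "__main__":
    entries = parse_directories(SAMPLE_CONF)
    for narrow, broad in find_overlaps(entries):
        print(f"overlap: {narrow} is also covered by {broad}")
    for p, attrs in checks_for("/application/binaries/run.sh", entries).items():
        print(f"  {p}: {attrs}")
```

Point the script at a real ossec.conf by reading the file into `parse_directories` instead of `SAMPLE_CONF`; any pair it prints is a place where the behaviour depends on syscheck's precedence rather than on the configuration alone, which is exactly what the reply above asks the poster to test and describe.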
