If intruder shut down OSSEC - you will get notification. cron job will defeat the idea of having centralized configuration
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp) Sent: Wednesday, December 08, 2010 4:35 PM To: [email protected] Subject: Re: [ossec-list] Running Integrity Checking at different Instances On Wed, Dec 8, 2010 at 4:31 PM, Vitaly Nikolaev <[email protected]> wrote: > > > cron job on server or agent ? If second then it can be disabled by... > intruder and thus "less secure" > > > It would be on the agent. And an intruder could just shut down OSSEC. > > > From: [email protected] [mailto:[email protected]] > On Behalf Of Christopher Moraes > Sent: Wednesday, December 08, 2010 4:23 PM > To: [email protected] > Subject: Re: [ossec-list] Running Integrity Checking at different > Instances > > > > syscheck has a "-c" option to specify a config file when it is run. > > > > You can try setting up a cron job that will run syscheck every 3 hours > and specify a control file that contains the list of the 3 files you > want to check. Put the other files in the ossec.conf file. > > > > Just a thought, I haven't tried this. > > > > > > On Wed, Dec 8, 2010 at 3:57 PM, tanishk lakhaani > <[email protected]> > wrote: > > Hi People !!! > > Can we tweak OSSEC to run integrity checking for different file fat > different instances. I mean to say: suppose I have 6 files to monitor > for Integrity checking.... I want that the integrity checking on 3 of > them to be in every 3 hours, whereas for the rest to be every 10 hours. > > > > Any idea, if I can tweak it like this. > > > > Regards > > Tanishk > > > > ________________________________ > This message (including attachments) is private and confidential. If > you have received this message in error, please notify us and remove > it from your system. > ________________________________ This message (including attachments) is private and confidential. If you have received this message in error, please notify us and remove it from your system.
