Hi, I would like to learn more about how OSSEC implements real-time monitoring.
Like many FIMs, for periodic checking OSSEC will first build a signature database of certain directories and files, then periodically retrieve their information and compare it to the initial signature. So in essence, periodic checking is a lot of IO operations. But I don't quite follow how real-time monitoring is implemented.

* Does OSSEC store the initial file system signature in memory and then intercept each OS operation made on the file system device driver to trigger the comparison?
* If the answer is yes, then does real-time monitoring cost a lot of system resources?

Best, Hugo
