Hi, I would like to learn more about how OSSEC implements real-time monitoring.
Like many FIMs, for periodic checking OSSEC will first build a signature database for certain directories and files, then periodically retrieve their information and compare it to the initial signature. So in essence, periodic checking is a lot of IO operations. But I don't quite follow how real-time monitoring is implemented. Does OSSEC store the initial file system signature in memory and then intercept each OS operation made on the file system device driver to trigger the comparison? If the answer is yes, then will real-time monitoring cost a lot of system resources?

Best,
Hugo
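The periodic-checking model described above (baseline signature database, later rescan, compare) as an added, self-contained example; this is illustrative code written for this thread, not OSSEC's own implementation, and it builds its sample directory tree in a temporary directory so it runs offline.

```python
import hashlib
import os
import stat
import tempfile


def file_signature(path):
    """Signature of one file: content hash plus the inode metadata a FIM typically tracks."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream: this is the IO cost per scan
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(root):
    """Walk the monitored tree and record a signature per regular file (symlinks skipped)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            baseline[os.path.relpath(p, root)] = file_signature(p)
    return baseline


def compare(baseline, current):
    """Diff two scans into added / modified / deleted events; modified lists the changed fields."""
    events = []
    for rel, sig in current.items():
        old = baseline.get(rel)
        if old is None:
            events.append(("added", rel))
        elif sig != old:
            events.append(("modified", rel, sorted(k for k in sig if sig[k] != old[k])))
    for rel in baseline:
        if rel not in current:
            events.append(("deleted", rel))
    return sorted(events)


def demo():
    """Constructed scenario: baseline, then one edit, one deletion, one new file, then rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(root, "gone.txt"), "w") as f:
            f.write("temporary\n")
        baseline = build_baseline(root)
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("debug=true\n")        # content and size change
        os.remove(os.path.join(root, "gone.txt"))
        with open(os.path.join(root, "new.txt"), "w") as f:
            f.write("dropped in later\n")
        return compare(baseline, build_baseline(root))
```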
