Hello.
I run an OSSEC 2.5.1 deployment and recently ran into a small problem I'm
trying to fix.
Long story short:
- /etc is monitored with realtime="yes", report_changes="all" and
check_all="yes" (for obvious reasons)
- I have a subdirectory in /etc (let's call it /etc/special) that needs to
be monitored for changes, but since all files in it are chown root:root and
chmod 400, I don't like the idea of having a copy of the files there in
/var/ossec/queue/diff/local/etc/special, even if all the folders OSSEC
created in there are chmod 750 and chown ossec:ossec.
I tried adding a new line under the /etc one, but OSSEC still created the
files in queue/diff/local/etc/special.
At this point the config section in ossec.conf looks like this:
<syscheck>
  <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>
  <directories realtime="yes" check_all="yes">/etc/special</directories>
  ...
</syscheck>
Any idea how to configure OSSEC so that it will keep monitoring for changes
in /etc/special but without keeping a copy of the files there in
/var/ossec/queue/diff/local/etc/special?
Thanks.
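A small check that helps when reasoning about overlapping syscheck entries like the ones quoted above: parse the <directories> elements out of an ossec.conf and, for a given file path, list every configured entry whose subtree contains it and which of those entries carry report_changes. This is an added example written for this page, not code from the post or from OSSEC itself; it only reads the configuration and says nothing about how OSSEC 2.5.1 resolves two entries that cover the same path. The sample configuration is constructed from the block quoted in the post, with the elided "..." line replaced by a comma-separated /usr/bin,/usr/sbin entry (an assumption, added to show the list form OSSEC accepts). Real ossec.conf files can contain several sibling <ossec_config> blocks, so the parser wraps the text in a dummy root before handing it to the XML parser.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on the <syscheck> block in the post above.
# The "/usr/bin,/usr/sbin" entry is an assumption standing in for the "..." line.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>
    <directories realtime="yes" check_all="yes">/etc/special</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>
"""

# Attributes that syscheck treats as yes/no switches; absent means "no".
BOOL_ATTRS = ("realtime", "report_changes", "check_all")


def parse_syscheck_dirs(conf_text):
    """Return one dict per monitored path with its yes/no attributes.

    ossec.conf may hold several sibling <ossec_config> elements, which is not
    a single well-formed XML document, so wrap the text in a dummy root first.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for elem in root.iter("directories"):
        # One element may list several paths separated by commas.
        for raw in (elem.text or "").split(","):
            path = raw.strip()
            if not path:
                continue
            path = path.rstrip("/") or "/"
            entry = {"path": path}
            for attr in BOOL_ATTRS:
                entry[attr] = elem.attrib.get(attr, "no").strip().lower() == "yes"
            entries.append(entry)
    return entries


def entries_covering(entries, path):
    """Every configured entry whose subtree contains `path`, shortest prefix first."""
    norm = path.rstrip("/") or "/"
    hits = []
    for e in entries:
        base = e["path"]
        if base == "/" or norm == base or norm.startswith(base + "/"):
            hits.append(e)
    return sorted(hits, key=lambda e: len(e["path"]))


def diff_copy_sources(entries, path):
    """Paths of the covering entries that have report_changes enabled.

    These are the entries that ask syscheck to keep a copy of the file under
    queue/diff; the function does not decide which entry OSSEC honours when
    several overlap, it only exposes the overlap.
    """
    return [e["path"] for e in entries_covering(entries, path) if e["report_changes"]]


if __name__ == "__main__":
    dirs = parse_syscheck_dirs(SAMPLE_OSSEC_CONF)
    target = "/etc/special/some-key"
    for e in entries_covering(dirs, target):
        flags = ", ".join(f"{k}={'yes' if e[k] else 'no'}" for k in BOOL_ATTRS)
        print(f"{e['path']:<14} {flags}")
    print("report_changes entries covering", target, "->", diff_copy_sources(dirs, target))
```

Run against the quoted configuration, the script reports that a file under /etc/special is covered by both the /etc and the /etc/special entries, and that only the /etc entry carries report_changes="yes". That overlap is consistent with the copies the post reports seeing in queue/diff/local/etc/special; whether adding an explicit report_changes="no" on the /etc/special entry changes anything in 2.5.1 is exactly the open question of the post and is not answered by this check.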