On Mon, Nov 28, 2011 at 10:08 AM, Valentin Avram <[email protected]> wrote:
> Hello.
>
> I run an ossec 2.5.1 deployment and recently ran into a small problem I'm
> trying to fix.
>
> Long story short:
> - /etc is monitored with realtime="yes", report_changes="all" and
>   check_all="yes" (for obvious reasons)
> - I have a subdirectory in /etc (let's call it /etc/special) that needs to
>   be monitored for changes, but since all files in it are chown root:root and
>   chmod 400, I don't like the idea of having a copy of the files there in
>   /var/ossec/queue/diff/local/etc/special even if all the folders ossec
>   created in there are chmod 750 and chown ossec:ossec.
>
> I tried adding a new line under the /etc one, but ossec still created the
> files in queue/diff/local/etc/special.
>
> At this point the config section in ossec.conf looks like this:
> <syscheck>
> <directories realtime="yes" report_changes="yes" check_all="yes">/etc</directories>
> <directories realtime="yes" check_all="yes">/etc/special</directories>
> ...
> </syscheck>
>
> Any idea how to configure ossec so that it will keep monitoring for changes
> in /etc/special but without keeping a copy of the files there in
> /var/ossec/queue/diff/local/etc/special?
>
> Thanks.

Unfortunately, I don't think there's a way to do this at the moment.
