Hello list,

I want to be able to report on what changed for specific files under /etc. ossec.conf monitors /etc recursively for check_all, but I would like, for example, to be able to see what changed in hosts, passwd, etc.
So I have set up an extra entry that looks like this:

<directories check_all="yes" realtime="yes" report_changes="yes">/etc/hosts,/etc/passwd,/etc/group,/etc/resolv.conf,/etc/services</directories>

I don't seem to be getting what changed, though, only the regular "Integrity checksum changed for:" with the old and new hash. The realtime option doesn't seem to work either. Am I missing something here?

Also, what if I want to monitor a file under /etc for only permission changes, not size or sum, etc.? Is this feasible, or will the parent (check_all="yes" for /etc) override more granular settings below it?

Thank you
