On Tue, Dec 20, 2011 at 8:31 AM, alsdks <[email protected]> wrote:
> Hello list,
>
> I want to be able to report on what changed for specific files under
> /etc.
> ossec.conf monitors /etc recursively for check_all but I would like
> for example to be able to see what changed in hosts, passwd etc.
>
> So I have set up an extra entry that looks like this:
> <directories check_all="yes" realtime="yes" report_changes="yes">/etc/hosts,/etc/passwd,/etc/group,/etc/resolv.conf,/etc/services</directories>
>

Don't duplicate entries. If you have the above, you should remove any
entries for /etc.

> I don't seem to be getting what changed though, only the regular
> "Integrity checksum changed for:" with the old and new hash. The realtime
> option doesn't seem to work either.
>
> Am I missing something here?
>
> Also, what if I want to monitor a file under /etc for only permission
> changes, not size or sum etc. Is this feasible, or will the parent
> (check_all="yes" for /etc) override more granular settings below
> that?
>

The check_all would hopefully win, but there may be other issues. It's
hard to tell. The syscheck db isn't very complicated and doesn't always
handle duplication well.

>
> Thank you
>
>
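Added example, not part of the original thread or of OSSEC itself: a Python check that lists syscheck `<directories>` paths that are duplicated or nested under another monitored directory, and flags whether the two entries carry different options. The sample configuration is constructed from the entries described in the thread, and the script assumes the file has a single root element.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample based on the thread: a recursive /etc entry plus the
# extra per-file entry that asks for report_changes and realtime.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/hosts,/etc/passwd</directories>
  </syscheck>
</ossec_config>
"""


def monitored_paths(conf_text):
    """Return a list of (normalized_path, attributes) for every monitored path."""
    root = ET.fromstring(conf_text)  # assumption: one root element
    found = []
    for elem in root.iter("directories"):
        for raw in (elem.text or "").split(","):
            path = raw.strip()
            if path:
                found.append((posixpath.normpath(path), dict(elem.attrib)))
    return found


def find_overlaps(conf_text):
    """Return sorted (outer, inner, options_differ) tuples.

    inner is either an exact duplicate of outer or lies beneath it, so the
    same file would be tracked by two entries in the syscheck database.
    """
    paths = monitored_paths(conf_text)
    overlaps = set()
    for i, (outer, outer_opts) in enumerate(paths):
        prefix = outer.rstrip("/") + "/"
        for j, (inner, inner_opts) in enumerate(paths):
            if i == j:
                continue
            if inner.startswith(prefix) or (outer == inner and i < j):
                overlaps.add((outer, inner, outer_opts != inner_opts))
    return sorted(overlaps)


if __name__ == "__main__":
    for outer, inner, differ in find_overlaps(SAMPLE_CONF):
        note = " with different options" if differ else ""
        print(f"{inner} is already covered by {outer}{note}")
```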
