It's on a long-range TODO list. Along with a million other things :P
On Tue, Dec 20, 2011 at 9:24 AM, alsdks <[email protected]> wrote:
> Hi Dan,
>
> That's what I thought it would need.
>
> So basically to achieve this, removing general /etc monitoring is the
> only option.
>
> Pity though, it would be nice to have those more granular settings
> override the check_all option, or something like that.
>
> Thank you very much!
>
> On Dec 20, 3:56 pm, "dan (ddp)" <[email protected]> wrote:
>> On Tue, Dec 20, 2011 at 8:31 AM, alsdks <[email protected]> wrote:
>> > Hello list,
>> >
>> > I want to be able to report on what changed for specific files under
>> > /etc.
>> > ossec.conf monitors /etc recursively for check_all but I would like
>> > for example to be able to see what changed in hosts, passwd etc.
>> >
>> > So I have set up an extra entry that looks like this:
>> > <directories check_all="yes" realtime="yes" report_changes="yes">/etc/hosts,/etc/passwd,/etc/group,/etc/resolv.conf,/etc/services</directories>
>>
>> Don't duplicate entries. If you have the above, you should remove any
>> entries for /etc.
>>
>> > I don't seem to be getting though what changed, only the regular
>> > "Integrity checksum changed for:" with the old and new hash. Realtime
>> > option doesn't seem to work too..
>> >
>> > Am I missing something here?
>> >
>> > Also what if I want to monitor a file under etc for only permission
>> > changes, not size or sum etc. Is this feasible or the parent
>> > (check_all="yes" for /etc) will override more granular settings below
>> > that.
>>
>> The check_all would hopefully win, but there may be other issues. It's
>> hard to tell. The syscheck db isn't very complicated and doesn't
>> always handle duplication well.
>>
>> > Thank you
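
A lint check for the duplication problem discussed in this thread, added here as an example (not code from OSSEC or from the posters): it parses an ossec.conf and reports syscheck <directories> paths that repeat or sit under another monitored path. The sample config (a recursive /etc entry plus the granular entry quoted above) and the function names are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: a recursive /etc entry plus the granular entry
# quoted in the thread, which overlaps it.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/hosts,/etc/passwd,/etc/group,/etc/resolv.conf,/etc/services</directories>
  </syscheck>
</ossec_config>
"""


def syscheck_paths(conf_text):
    """Return every path listed in any <directories> element, normalized."""
    # ossec.conf can contain several <ossec_config> roots, so wrap it
    # in a single element before parsing.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    paths = []
    for elem in root.iter("directories"):
        for raw in (elem.text or "").split(","):
            path = raw.strip()
            if path:
                paths.append(posixpath.normpath(path))
    return paths


def find_overlaps(conf_text):
    """Return (parent, child) pairs where one monitored path repeats or contains another."""
    paths = syscheck_paths(conf_text)
    overlaps = []
    for i, parent in enumerate(paths):
        for j, child in enumerate(paths):
            if i == j:
                continue
            if parent == child:
                if i < j:  # report an exact duplicate once
                    overlaps.append((parent, child))
            elif child.startswith(parent.rstrip("/") + "/"):
                overlaps.append((parent, child))
    return overlaps


if __name__ == "__main__":
    for parent, child in find_overlaps(SAMPLE_CONF):
        print(f"overlap: {child} is already covered by {parent}")
```

Each reported pair is a candidate for the cleanup suggested in the thread: keep the granular entry and drop the broader one, or the reverse.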
