On Thu, Aug 23, 2012 at 12:52 PM, dkoleary <[email protected]> wrote:
> Hi;
>
> I'm not overly interested in getting alerted every time someone changes
> their password so, I'd like to monitor the shadow file for owner, group and
> permissions only while keeping everything else in /etc monitored for
> everything.
>
> Would the following lines in syscheck do that or is this something that I
> should do via rules updates?
>
> <directories realtime="yes" check_all="yes">/etc, /var/ossec</directories>
> <directories realtime="yes" check_owner="yes" check_group="yes"
> check_perm="yes"> /etc/passwd, /etc/shadow, /etc/shadow-, /etc/gshadow,
> /etc/gshadow- </directories>
>

/etc/{passwd,shadow,gshadow} will be in both directories options, and
will cause issues.

> Lastly, can we have multi-line stanzas?  For instance, could that last line
> be formatted as:
>
> <directories realtime="yes" check_owner="yes" check_group="yes"
> check_perm="yes">
>    /etc/passwd,
>    /etc/shadow,
>    /etc/shadow-,
>    /etc/gshadow,
>    /etc/gshadow-
> </directories>
>
> Thanks.

No idea, try it and report back.

>
> Doug O'Leary
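
The overlap pointed out in the reply can be checked mechanically. The following is an added example, not part of the original thread and not OSSEC code: a Python check that lists every path that also falls under another `<directories>` entry carrying different options. The `<syscheck>` wrapper, the function names, and the choice to ignore whitespace and newlines around commas are assumptions of this sketch; it makes no claim about how OSSEC itself parses multi-line entries.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: the two <directories> entries from the question,
# wrapped in a <syscheck> element so the fragment parses on its own.
SAMPLE = """
<syscheck>
  <directories realtime="yes" check_all="yes">/etc, /var/ossec</directories>
  <directories realtime="yes" check_owner="yes" check_group="yes"
   check_perm="yes"> /etc/passwd, /etc/shadow, /etc/shadow-, /etc/gshadow,
   /etc/gshadow- </directories>
</syscheck>
"""

def entries(xml_text):
    """Yield (path, attributes) for every path in every <directories> element."""
    for elem in ET.fromstring(xml_text).iter("directories"):
        for raw in (elem.text or "").split(","):
            path = raw.strip()  # assumption: surrounding whitespace is not significant
            if path:
                yield posixpath.normpath(path), dict(elem.attrib)

def covers(parent, child):
    """True when child is parent itself or lies underneath it."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def overlaps(xml_text):
    """Return (path, covering_path) pairs whose entries carry different options."""
    items = list(entries(xml_text))
    found = []
    for i, (path, opts) in enumerate(items):
        for j, (other, other_opts) in enumerate(items):
            if i != j and covers(other, path) and opts != other_opts:
                found.append((path, other))
    return found

if __name__ == "__main__":
    for path, parent in overlaps(SAMPLE):
        print(f"{path} is also monitored via {parent} with different options")
```

Run against the sample, it reports the five explicitly listed files as also covered by the `/etc` entry.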
