2) Does OSSEC syscheck follow symlinks?
In my /etc directory I have a symlink:
lrwxrwxrwx 1 root root 15 Aug 27 2010 rc.sysinit -> rc.d/rc.sysinit*
In OSSEC syscheck DB I see two entries with the same HASH value:
168:+++27476:33261:0:0:1fb34a90a4c6b5ce98a9b21c655a171c:db56fd8d437ea96069031101d443ba1b45fcd627 !1371851664 /etc/rc.d/rc.sysinit
894:+++15:41471:0:0:1fb34a90a4c6b5ce98a9b21c655a171c:db56fd8d437ea96069031101d443ba1b45fcd627 !1371851761 /etc/rc.sysinit
So this tells us that OSSEC syscheck does follow symlinks.
On Tuesday, July 16, 2013 6:44:05 AM UTC-7, dan (ddpbsd) wrote:
>
> On Tue, Jul 16, 2013 at 8:54 AM, Brian Kozma <[email protected]> wrote:
> > I have two questions about configuring OSSEC:
> >
> > 1) Can a sub folder in a parent folder be excluded from monitoring. IE if I
> > include /srv/www/checkout_app/current in the fim monitoring can I exclude
> > /srv/www/checkout_app/log from the fim monitor?
>
> Use ignore.
>
> > 2) Does the fim server follow symlinks?
> >
>
> No idea, haven't tried it. Test it out and report back.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
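
The two syscheck entries quoted in the reply at the top of this thread can be decoded field by field. The following is an added example (not part of the original messages and not OSSEC code) that parses them and pairs each symlink entry with a regular-file entry carrying the same hashes. The field order size:mode:uid:gid:md5:sha1, the leading line number and the three-character marker are assumptions inferred from the values matching the ls output in the message.

```python
import re
import stat
from collections import defaultdict

# Entries copied from the message; the field order size:mode:uid:gid:md5:sha1 is
# an assumption inferred from the values matching the ls output shown with them.
SAMPLE = """\
168:+++27476:33261:0:0:1fb34a90a4c6b5ce98a9b21c655a171c:db56fd8d437ea96069031101d443ba1b45fcd627 !1371851664 /etc/rc.d/rc.sysinit
894:+++15:41471:0:0:1fb34a90a4c6b5ce98a9b21c655a171c:db56fd8d437ea96069031101d443ba1b45fcd627 !1371851761 /etc/rc.sysinit
"""

ENTRY = re.compile(
    r"^(?:\d+:)?"        # optional leading number, as in the sample (assumed line no.)
    r"[^\w\s]{3}"        # three-character marker, "+++" in the sample
    r"(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40})"
    r" !(?P<ts>\d+) (?P<path>.+)$"
)

def parse(line):
    """Parse one entry into a dict, or return None if the line does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for key in ("size", "mode", "uid", "gid", "ts"):
        e[key] = int(e[key])
    e["perms"] = stat.filemode(e["mode"])  # decimal st_mode -> "lrwxrwxrwx" style
    return e

def symlink_aliases(lines):
    """Return (link_path, file_path) pairs where a symlink entry has the same
    MD5 and SHA1 as a regular-file entry."""
    entries = [e for e in map(parse, lines) if e]
    by_hash = defaultdict(list)
    for e in entries:
        if stat.S_ISREG(e["mode"]):
            by_hash[(e["md5"], e["sha1"])].append(e["path"])
    return [
        (e["path"], target)
        for e in entries if stat.S_ISLNK(e["mode"])
        for target in by_hash.get((e["md5"], e["sha1"]), [])
    ]

if __name__ == "__main__":
    for e in filter(None, map(parse, SAMPLE.splitlines())):
        print(e["perms"], e["size"], e["path"])
    print(symlink_aliases(SAMPLE.splitlines()))
```

On the sample, the /etc/rc.sysinit entry decodes to mode lrwxrwxrwx and size 15, the same as the ls line, while its MD5 and SHA1 equal those of /etc/rc.d/rc.sysinit.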