OSSEC Realtime file integrity monitoring

OSSEC supports realtime (continuous) file integrity monitoring on Linux (kernel 2.6) and Windows systems.
The configuration is very simple. In the <directories> option, where you specify which files or directories to monitor, you only need to add the realtime="yes" attribute. For example:

<syscheck>
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
</syscheck>

In this case, the directories /etc, /usr/bin and /usr/sbin are monitored in real time, while /bin and /sbin are only checked on the periodic scan. The same applies on Windows. A few notes:

1. Real time monitoring does not start right away. First ossec needs to scan the file system and add each sub-directory to the realtime queue. That can take up to 30 minutes (wait for the log line "ossec-syscheckd: INFO: Starting real time file monitoring").

2. It only works with directories, not individual files. So you can monitor the /etc or C:\Program Files directory, but not an individual file such as /etc/file.txt.
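Because a realtime entry that names a file is accepted silently but never watched, it is worth linting the <syscheck> block before deploying it. The following is an added example, not OSSEC's own code: it parses the <directories> elements, reports any realtime="yes" path that is not a directory (note 2), and flags the smart-quote mistake that makes the attribute unparseable. The sample configuration is constructed; is_dir is injectable so the check can run against paths that do not exist on the machine running it.

```python
"""Lint an OSSEC <syscheck> block for realtime entries that will not work."""
import os
import xml.etree.ElementTree as ET

# Constructed sample: one realtime entry is a file, which OSSEC cannot watch.
# A real ossec.conf may hold several top-level <ossec_config> blocks; wrap
# the file in a dummy root element before parsing it as XML.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/etc/passwd</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>
"""

# Same block but pasted with typographic quotes, as often happens from web pages.
BROKEN_CONF = SAMPLE_CONF.replace('"yes"', '\u201dyes\u201d')


def parse_syscheck(conf_xml):
    """Return (path, realtime) tuples for every comma-separated entry."""
    root = ET.fromstring(conf_xml)
    entries = []
    for elem in root.iter("directories"):
        realtime = elem.get("realtime", "no").strip().lower() == "yes"
        for path in (elem.text or "").split(","):
            path = path.strip()
            if path:
                entries.append((path, realtime))
    return entries


def lint_syscheck(conf_xml, is_dir=os.path.isdir):
    """Return human-readable problems; an empty list means the block looks fine."""
    try:
        entries = parse_syscheck(conf_xml)
    except ET.ParseError as exc:
        hint = ""
        if "\u201c" in conf_xml or "\u201d" in conf_xml:
            hint = " (typographic quotes around an attribute value?)"
        return ["XML parse error: %s%s" % (exc, hint)]
    # Realtime only works for directories; a file entry is silently ignored.
    return ["realtime entry is not a directory: %s" % path
            for path, realtime in entries if realtime and not is_dir(path)]


if __name__ == "__main__":
    for problem in lint_syscheck(SAMPLE_CONF) + lint_syscheck(BROKEN_CONF):
        print(problem)
```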
