Evereyone

Adebabay
New Forum User
Posts: 2
Joined: Thu May 06, 2021 9:31 am

Evereyone

Post by Adebabay »

Could we add new files to monitor (FIM) in OSSEC 3.6 open source?
cponton
Atomicorp Staff - Site Admin
Posts: 24
Joined: Fri Oct 09, 2020 9:41 am

Re: Evereyone

Post by cponton »

Yes! You will need to vim into /var/ossec/etc/ossec.conf and modify the file to include what directories you would like to watch:

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
Adebabay
New Forum User
Posts: 2
Joined: Thu May 06, 2021 9:31 am

Re: Evereyone

Post by Adebabay »

These are the default directories (the C drive on Windows), but I want to add new directories or folders (D):

<directories report_changes="yes" realtime="yes" check_all="yes">D:/logo</directories>

Is this possible??
cponton
Atomicorp Staff - Site Admin
Posts: 24
Joined: Fri Oct 09, 2020 9:41 am

Re: Evereyone

Post by cponton »

OSSEC supports sending diffs when changes are made to text files on Linux and unix systems.

Configuring syscheck to show diffs is simple: add report_changes="yes" to the <directories> option. For example:

<syscheck>
<directories report_changes="yes" check_all="yes">/etc</directories>
<directories check_all="yes">/bin,/sbin</directories>
</syscheck>

Note
Report Changes can only work with text files, and the changes are stored on the agent inside /var/ossec/queue/diff/local/dir/file.

If OSSEC has not been compiled with libmagic support, report_changes will copy any file designated, e.g. mp3, iso, executable, /chroot/dev/urandom (which would fill your hard drive). So unless libmagic is used, be very careful on which directory you enable report_changes.
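The thread above covers two things a practitioner usually wants to verify after editing ossec.conf: that the new <directories> entry (such as the D:/logo line) is actually part of the syscheck section, and that report_changes="yes" has not been enabled on a directory full of large or binary files. The following script is an added example and is not code from OSSEC or from Atomicorp. It parses a constructed ossec.conf excerpt, lists every monitored path with its attributes, and flags report_changes on a small, assumed list of risky prefixes (RISKY_PREFIXES is an assumption for illustration, not an OSSEC setting). It assumes, as real ossec.conf files often do, that the file may contain more than one top-level <ossec_config> block, so it wraps the text in a synthetic root before parsing.

```python
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf excerpt (not copied from any real host).
# It combines the Linux defaults quoted in the thread with the D:/logo entry
# and adds a deliberately risky report_changes line in a second block.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">D:/logo</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories report_changes="yes">/dev,/var/log</directories>
  </syscheck>
</ossec_config>
"""

# Assumed list of prefixes where report_changes (which copies every changed
# file into the diff queue) is a bad idea: device nodes, kernel pseudo-fs,
# rotating logs and database trees. Extend to match your own hosts.
RISKY_PREFIXES = ("/dev", "/proc", "/sys", "/var/log", "/var/lib/mysql")


def load_syscheck_dirs(conf_text):
    """Return a list of (path, attrs) for every path in a <directories> entry."""
    # ossec.conf may hold several top-level <ossec_config> blocks, which is
    # not well-formed XML on its own, so wrap it in a synthetic root element.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for directories in root.iter("directories"):
        attrs = {k: v.strip().lower() for k, v in directories.attrib.items()}
        # One <directories> element may carry a comma-separated list of paths.
        for raw in (directories.text or "").split(","):
            path = raw.strip()
            if path:
                entries.append((path, attrs))
    return entries


def is_monitored(entries, path):
    """True if this exact path appears in syscheck (no prefix matching)."""
    return any(p == path for p, _ in entries)


def audit_report_changes(entries):
    """Return monitored paths that enable report_changes under a risky prefix."""
    findings = []
    for path, attrs in entries:
        if attrs.get("report_changes") != "yes":
            continue
        if any(path == pre or path.startswith(pre + "/") for pre in RISKY_PREFIXES):
            findings.append(path)
    return findings


if __name__ == "__main__":
    entries = load_syscheck_dirs(SAMPLE_CONF)
    for path, attrs in entries:
        print(path, attrs)
    print("D:/logo monitored:", is_monitored(entries, "D:/logo"))
    print("risky report_changes:", audit_report_changes(entries))
```

To run it against a real agent, read /var/ossec/etc/ossec.conf (or the Windows agent's ossec.conf) into conf_text instead of SAMPLE_CONF; the path comparison is exact, so write the path exactly as it appears in the <directories> element.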