

Posted: Thu Jun 10, 2021 3:49 am
by Adebabay
Could we add new files to monitor (FIM) in OSSEC 3.6 open source?

Re: Evereyone

Posted: Thu Jun 10, 2021 9:11 am
by cponton
Yes! You will need to open /var/ossec/etc/ossec.conf in vim and modify the file to include the directories you would like to watch:

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>

Re: Evereyone

Posted: Mon Jun 14, 2021 2:49 am
by Adebabay
These are the default directories (the C: drive on Windows), but I want to add new directories or folders (on D:):

<directories report_changes="yes" realtime="yes" check_all="yes">D:/logo</directories>

Is this possible?

Re: Evereyone

Posted: Mon Jun 14, 2021 8:16 am
by cponton
OSSEC supports sending diffs when changes are made to text files on Linux and Unix systems.

Configuring syscheck to show diffs is simple: add report_changes="yes" to the <directories> option. For example:

<directories report_changes="yes" check_all="yes">/etc</directories>
<directories check_all="yes">/bin,/sbin</directories>

report_changes can only work with text files, and the changes are stored on the agent inside /var/ossec/queue/diff/local/dir/file.

If OSSEC has not been compiled with libmagic support, report_changes will copy any file designated, e.g. mp3, iso, executable, /chroot/dev/urandom (which would fill your hard drive). So unless libmagic is used, be very careful about which directories you enable report_changes on.
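Putting the two answers together, here is a complete syscheck configuration that adds the D:\logo directory from the question on a Windows agent and keeps report_changes limited to text-only paths, as an added example that is not part of the original thread or the OSSEC project's shipped configuration. It uses the server-side shared config (/var/ossec/etc/shared/agent.conf, which the OSSEC server pushes to agents) so the same edit reaches every agent of a given OS; the same <syscheck> block can equally be pasted into an agent's local ossec.conf. The directory names, the D:\logo\temp ignore entry and the frequency value are assumptions for illustration.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the OSSEC server (added example).
     Each <agent_config os="..."> block applies only to agents of that OS. -->
<agent_config os="Windows">
  <syscheck>
    <!-- Full scan every 2 hours; realtime="yes" below reports changes
         between scans as they happen -->
    <frequency>7200</frequency>

    <!-- Directory from the question: realtime events, all checks, and
         content diffs. Only do this on a directory that holds text files. -->
    <directories report_changes="yes" realtime="yes" check_all="yes">D:\logo</directories>

    <!-- Assumed subdirectory of scratch files: excluded so constant churn
         does not flood alerts and the diff queue -->
    <ignore>D:\logo\temp</ignore>
    <!-- Regex form: skip log and temp files anywhere under the watched tree -->
    <ignore type="sregex">\.log$|\.tmp$</ignore>
  </syscheck>
</agent_config>

<agent_config os="Linux">
  <syscheck>
    <frequency>7200</frequency>

    <!-- Text-only directory: safe to diff -->
    <directories report_changes="yes" check_all="yes">/etc</directories>

    <!-- Binaries and boot files: integrity checks only, no report_changes,
         so no executables are copied into /var/ossec/queue/diff -->
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/boot</directories>

    <!-- Volatile file that changes on every mount; not worth an alert -->
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>
```

The design point is the split between the two <directories> lines: realtime and check_all are cheap and apply to anything, while report_changes copies every watched file into the diff queue, so it is only enabled on paths known to hold text. After editing ossec.conf on a Linux agent, restart it with /var/ossec/bin/ossec-control restart; on Windows, restart the OSSEC HIDS service. Agents pick up a changed agent.conf on their next check-in with the server.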