Hi; I'm not overly interested in getting alerted every time someone changes their password, so I'd like to monitor the shadow file for owner, group and permissions only while keeping everything else in /etc monitored for everything.
Would the following lines in syscheck do that or is this something that I should do via rules updates?

<directories realtime="yes" check_all="yes">/etc, /var/ossec</directories>
<directories realtime="yes" check_owner="yes" check_group="yes" check_perm="yes">/etc/passwd, /etc/shadow, /etc/shadow-, /etc/gshadow, /etc/gshadow-</directories>

Lastly, can we have multi-line stanzas? For instance, could that last line be formatted as:

<directories realtime="yes" check_owner="yes" check_group="yes" check_perm="yes">
  /etc/passwd, /etc/shadow, /etc/shadow-, /etc/gshadow, /etc/gshadow-
</directories>

Thanks.

Doug O'Leary