On Mon, Nov 26, 2012 at 12:48 PM, Sue <susan.hes...@gmail.com> wrote:
> Thanks for your consideration. Without the report_changes option can I still
> get an alert if there is a diff in a file? Using a rule perhaps? If so, how
> do I go about seeing what the change was?
>

You will still get alerts that a file has changed, but will not get
the diff. In order to get the diff, a copy of the file has to be kept
somewhere. I guess your other option (besides modifying the source)
would be to use an appropriately sized partition.

> On Monday, November 26, 2012 7:44:23 AM UTC-6, dan (ddpbsd) wrote:
>>
>> On Fri, Nov 23, 2012 at 3:46 PM, Sue <susan....@gmail.com> wrote:
>> > The ignores are just the defaults; I am under the impression that an
>> > ignore doesn't stop the check, but only the reporting of the check. So I am
>> > guessing that wouldn't keep the files from being copied...
>> >
>> >  <syscheck>
>> >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> >     <frequency>79200</frequency>
>> >
>> >     <alert_new_files>yes</alert_new_files>
>> >
>> >     <!-- Directories to check  (perform all possible verifications) -->
>> >     <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >     <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
>> >     <directories report_changes="yes" realtime="yes" check_all="yes">/var/www,/home</directories>
>> >
>>
>> I think the report_changes option is what is causing this.
>>
>> >     <!-- Files/directories to ignore -->
>> >     <ignore>/etc/mtab</ignore>
>> >     <ignore>/etc/mnttab</ignore>
>> >     <ignore>/etc/hosts.deny</ignore>
>> >     <ignore>/etc/mail/statistics</ignore>
>> >     <ignore>/etc/random-seed</ignore>
>> >     <ignore>/etc/adjtime</ignore>
>> >     <ignore>/etc/httpd/logs</ignore>
>> >     <ignore>/etc/utmpx</ignore>
>> >     <ignore>/etc/wtmpx</ignore>
>> >     <ignore>/etc/cups/certs</ignore>
>> >     <ignore>/etc/dumpdates</ignore>
>> >     <ignore>/etc/svc/volatile</ignore>
>> >
>> >     <!-- Windows files to ignore -->
>> >     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>> >     <ignore>C:\WINDOWS/Debug</ignore>
>> >     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>> >     <ignore>C:\WINDOWS/iis6.log</ignore>
>> >     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>> >     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>> >     <ignore>C:\WINDOWS/Prefetch</ignore>
>> >     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>> >     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>> >     <ignore>C:\WINDOWS/Temp</ignore>
>> >     <ignore>C:\WINDOWS/system32/config</ignore>
>> >     <ignore>C:\WINDOWS/system32/spool</ignore>
>> >     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>> >   </syscheck>
>> >
>> >>
>> >> What's your syscheck configuration?

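Dan's point above, that a diff is only possible if a copy of the file is kept somewhere and that those copies are what consume the disk, as an added example that is not part of the original thread and not OSSEC's own code: a small Python stand-in for report_changes that keeps a baseline copy of each watched file under a store directory, hashes the file to detect a change, returns the unified diff against the kept copy, and refuses to take or refresh a copy once a byte budget for the store would be exceeded. The function names (check_file, store_usage, demo), the store layout and the byte budget are assumptions for illustration; the sample file and its contents are constructed.

```python
import difflib
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def store_path(store_dir, path):
    """Mirror the watched file's absolute path under the store directory (assumed layout)."""
    rel = os.path.splitdrive(os.path.abspath(path))[1].lstrip("/\\")
    return os.path.join(store_dir, rel)


def store_usage(store_dir):
    """Total bytes of kept copies: this is the number that grows with every watched file."""
    total = 0
    for root, _dirs, files in os.walk(store_dir):
        for name in files:
            total += os.path.getsize(os.path.join(root, name))
    return total


def check_file(path, store_dir, max_store_bytes=None):
    """Compare a file with its kept copy.

    Returns (status, diff_text) where status is one of:
      'baseline'  first sighting, copy taken, no diff possible yet
      'unchanged' hashes match, nothing written
      'changed'   unified diff against the old copy returned, copy refreshed
      'skipped'   writing the copy would push the store past max_store_bytes
    """
    stored = store_path(store_dir, path)
    exists = os.path.exists(stored)

    if exists and sha256_of(path) == sha256_of(stored):
        return "unchanged", ""

    # A copy is about to be written (first sighting or refresh): enforce the budget first.
    if max_store_bytes is not None:
        old_size = os.path.getsize(stored) if exists else 0
        if store_usage(store_dir) - old_size + os.path.getsize(path) > max_store_bytes:
            return "skipped", ""

    if not exists:
        os.makedirs(os.path.dirname(stored), exist_ok=True)
        shutil.copy2(path, stored)
        return "baseline", ""

    # Content differs: diff the current file against the kept copy, then refresh the copy.
    with open(stored, errors="replace") as old, open(path, errors="replace") as new:
        diff = "".join(difflib.unified_diff(
            old.readlines(), new.readlines(), fromfile=stored, tofile=path))
    shutil.copy2(path, stored)
    return "changed", diff


def demo():
    """Constructed walk-through (sample data, not a real host): watch one file,
    change it, and show the byte budget refusing to keep a copy."""
    work = tempfile.mkdtemp()
    try:
        store = os.path.join(work, "diff-store")
        target = os.path.join(work, "etc", "hosts.allow")   # constructed sample file
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as f:
            f.write("sshd: 10.0.0.0/8\n")

        first = check_file(target, store)        # baseline copy taken
        second = check_file(target, store)       # nothing changed yet
        with open(target, "a") as f:
            f.write("sshd: ALL\n")               # the kind of edit you want a diff for
        third = check_file(target, store)        # changed, unified diff returned

        tiny_store = os.path.join(work, "tiny-store")
        fourth = check_file(target, tiny_store, max_store_bytes=8)  # file larger than budget
        return first[0], second[0], third[0], third[1], fourth[0]
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    result = demo()
    print(result[0], result[1], result[2], result[4])
    print(result[3])
```

The store grows by roughly one copy of every file under a report_changes directory, which is why trees like /home and /var/www fill a partition far faster than /etc; the practical knob, short of the larger partition Dan mentions, is to turn report_changes on only for the small, slow-changing directories whose diffs you actually read, and leave the plain hash-based alert for the rest.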