We have a directory structure for our application that involves a handful
of symlinks. Every time a file being monitored is modified, we receive an
OSSEC notification for the file itself, as well as one notification for
every symlink to that file.
I.e., if we have a directory structure like:

    /opt/app/
        builds/
            1.0/conf/
                component.conf -> /opt/app/shared/component.conf
            1.1/conf/
                component.conf -> /opt/app/shared/component.conf
            1.5/conf/
                component.conf -> /opt/app/shared/component.conf
            2.0/conf/
                component.conf -> /opt/app/shared/component.conf
            2.2/conf/
                component.conf -> /opt/app/shared/component.conf
        shared/
            component.conf

And our syscheck is set to watch both /opt/app/builds/*/conf and
/opt/app/shared, we'll receive a total of six notifications every time
/opt/app/shared/component.conf is updated.
Is there a way to have OSSEC not resolve symlinks when monitoring?
Ideally, we'd be notified if the destination for a symlink
(/opt/app/builds/*/conf/component.conf) is updated, but not if the contents
of the destination are updated. For now, we're just adding 'ignore' rules
in for each of the symlinks, but that means we're unaware if the link
itself is changed.
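
The behaviour asked for above (alert when a link is repointed, stay quiet when only the target's contents change) comes down to recording `readlink()` for symlinks instead of hashing through them. The sketch below is an added example, not part of the original post and not OSSEC code; the function names `snapshot`, `changes` and `build_demo_tree` are hypothetical, and the demo tree is a constructed, reduced copy of the layout in the post.

```python
import hashlib
import os


def snapshot(roots):
    """Map each path to ('link', target) or ('file', sha256 of contents)."""
    state = {}
    for root in roots:
        # followlinks=False: do not descend through symlinked directories.
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path):
                    # Record where the link points, never what it points at.
                    state[path] = ("link", os.readlink(path))
                elif os.path.isfile(path):
                    with open(path, "rb") as fh:
                        digest = hashlib.sha256(fh.read()).hexdigest()
                    state[path] = ("file", digest)
    return state


def changes(old, new):
    """Return sorted (path, kind) pairs for entries that differ."""
    out = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            out.append((path, "added"))
        elif path not in new:
            out.append((path, "removed"))
        elif old[path] != new[path]:
            # A link whose readlink() value changed is "retargeted".
            both_links = old[path][0] == new[path][0] == "link"
            out.append((path, "retargeted" if both_links else "modified"))
    return out


def build_demo_tree(base):
    """Constructed sample: a reduced copy of the layout in the post."""
    shared = os.path.join(base, "shared", "component.conf")
    os.makedirs(os.path.dirname(shared))
    with open(shared, "w") as fh:
        fh.write("setting=1\n")
    for version in ("1.0", "2.2"):
        conf = os.path.join(base, "builds", version, "conf")
        os.makedirs(conf)
        os.symlink(shared, os.path.join(conf, "component.conf"))
    return shared
```

With both `builds` and `shared` as roots, editing the shared file yields one "modified" entry for the real file only, while repointing any link yields one "retargeted" entry for that link.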