FreeBSD (at least) has a script that does this for select files -- it's one of the periodic checks. Does this for /etc/passwd, etc.
What would be required is to select a list of files that need to be diffed:

    <diff_files>
        <archive>/var/ossec/archive</archive>
        <location>/etc/passwd</location>
        ...
    </diff_files>

where <archive> specifies the directory/structure that named files will be copied to - their original signatures are already maintained in the integrity check.
and perhaps some configuration directives that are connected to the regular integrity check, which should be more than every 2 hours (IMHO), on certain system files.
I don't think it would be that complex - just tedious weaving it all together. ;-)
_F

Erick Kinnee wrote:

This too is a pet peeve of mine. Cool, I'm glad you told me it changed. BUT WHAT CHANGED? I can't think off the top of my head of a workable way to do this, other than the entire system, or at least the monitored directories or at least places like /etc in svn or some such.

On Sep 7, 2006, at 1:37 PM, Forrest Aldrich wrote:

Maybe for text-only files, provide an option to include a contextual diff output, which shows the changes of the monitored file, with that of the known version --- this would require keeping that old version archived somewhere, though. Hmm... may be useful in some situations, knowing not only that the file was changed, but WHAT was changed.

_F
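A small prototype of the archive-and-diff idea from the top post, added here as an example (not OSSEC code and not from anyone in the thread): each listed file gets a baseline copy under an archive directory, the signatures are compared, and when a text file has changed a context diff against the baseline is produced before the baseline is refreshed. Paths, the archive layout and the sample passwd contents in demo() are constructed for the walk-through.

```python
import difflib
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def archived_copy(archive_dir, path):
    # Baseline copy lives at <archive>/<original path>, e.g. <archive>/etc/passwd
    return os.path.join(archive_dir, path.lstrip(os.sep))

def check_file(path, archive_dir):
    """Compare `path` against its archived baseline and return (status, diff).
    status: "baseline" (first sighting, copy stored), "unchanged", "changed"
    (diff holds a context diff, archive refreshed) or "binary" (changed, no diff)."""
    old = archived_copy(archive_dir, path)
    if not os.path.exists(old):
        os.makedirs(os.path.dirname(old), exist_ok=True)
        shutil.copy2(path, old)
        return "baseline", ""
    if sha256_of(old) == sha256_of(path):  # the signature check an integrity checker already does
        return "unchanged", ""
    with open(old, "rb") as f_old, open(path, "rb") as f_new:
        old_bytes, new_bytes = f_old.read(), f_new.read()
    try:
        old_lines = old_bytes.decode("utf-8").splitlines(keepends=True)
        new_lines = new_bytes.decode("utf-8").splitlines(keepends=True)
    except UnicodeDecodeError:  # not a text file: report the change, skip the diff
        shutil.copy2(path, old)
        return "binary", ""
    diff = "".join(difflib.context_diff(old_lines, new_lines, fromfile=old, tofile=path))
    shutil.copy2(path, old)  # the new content becomes the next baseline
    return "changed", diff

def demo():
    # Constructed walk-through in a temp dir: a fake passwd file gains one account
    work = tempfile.mkdtemp()
    archive, target = os.path.join(work, "archive"), os.path.join(work, "etc", "passwd")
    os.makedirs(os.path.dirname(target))
    with open(target, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    first = check_file(target, archive)[0]               # "baseline"
    with open(target, "a") as f:
        f.write("svc:x:1001:1001::/home/svc:/bin/sh\n")  # constructed change
    status, diff = check_file(target, archive)            # "changed", diff text
    again = check_file(target, archive)[0]                # "unchanged"
    return first, status, again, diff
```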