[ossec-list] Re: Syscheck enhancements
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Syscheck enhancements
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Tue, 2 Oct 2007 21:49:50 -0300
Hi Nick,
Reply inline...
On 10/2/07, Consolo, Nick <nconsolo@xxxxxxxx> wrote:
>
> Hello,
>
> First of all thanks for all the work on ossec. It's a great product. I
> have two questions regarding the syscheck portion of the product.
Thanks :) I am glad you are enjoying it.
> 1. In the syscheck database it is recording the uid and gid of each
> file entered. Is it possible to modify the notifications to include these
> in file modification and creation notifications?
Currently it is not possible, but it is on our TODO list to add
support for it... Just wait a few months :)
> 2. Is it possible to run the syscheck daemon in an active mode so it
> detects new files instantly, instead of running it periodically to detect
> them?
No, it is not possible. It would require some kernel (lkm) changes to
be notified on every new addition to the monitored directories. I
know it is possible to do on Windows, but on Linux, BSDs (and similar),
it would require kernel hacking... Anyone interested in taking
such a task? :)
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
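
The periodic model discussed in this thread, as an added example that is not part of the original message and is not OSSEC's code: a scan records checksum, uid and gid per file, and the next scan reports new and modified files with their ownership. The function names, the SHA-256 choice and the sample files are assumptions of this sketch.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Walk root and record checksum, owner uid and gid for every regular file."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets and device nodes
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # file vanished or became unreadable mid-scan
            db[path] = {"sha256": digest, "uid": st.st_uid, "gid": st.st_gid}
    return db

def compare(old, new):
    """Return one notification string per file added, changed or removed."""
    events = []
    for path in sorted(new):
        cur = new[path]
        owner = f"uid={cur['uid']} gid={cur['gid']}"
        if path not in old:
            events.append(f"NEW {path} {owner}")
        elif old[path] != cur:
            changed = [k for k in ("sha256", "uid", "gid") if old[path][k] != cur[k]]
            events.append(f"MODIFIED {path} {owner} changed={','.join(changed)}")
    for path in sorted(set(old) - set(new)):
        events.append(f"DELETED {path} uid={old[path]['uid']} gid={old[path]['gid']}")
    return events

def demo():
    """Constructed sample: two scans of a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "passwd.sample")
        with open(target, "w") as fh:
            fh.write("one\n")
        baseline = snapshot(root)  # first periodic scan
        with open(target, "w") as fh:
            fh.write("two\n")  # content change between scans
        with open(os.path.join(root, "dropped.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")  # file created between scans
        return compare(baseline, snapshot(root))  # second periodic scan
```

A file created and removed between two scans never appears in either snapshot, which is the gap the real-time question above is about.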
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.