OSSEC supports realtime (continuous) file integrity monitoring on Linux systems (since v2.2) and on the latest snapshot we added support for Windows too.
The configuration is very simple. In the <directories> option, where you specify which files or directories to monitor, you just need to add the realtime="yes" attribute. For example:
<syscheck>
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
</syscheck>
In this case, the directories /etc, /usr/bin and /usr/sbin will be monitored in real time, while /bin and /sbin keep the normal scheduled scan. The same syntax applies on Windows. A few notes:
- The real time monitoring will not start right away. First OSSEC needs to scan the file system and add each sub-directory to the realtime queue. That can take up to 30 minutes (wait for the log message "ossec-syscheckd: INFO: Starting real time file monitoring").
- It only works with directories, not individual files. So you can monitor the /etc or C:\Program Files directory, but not an individual file like /etc/file.txt.
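The two notes above are the kind of thing that is easy to get wrong in a large ossec.conf, so here is a small checker, written for this post and not part of OSSEC itself: it parses the <syscheck> block, lists which paths are covered by realtime="yes", flags realtime entries that point at a file rather than a directory (which the note says will not work), and scans agent log lines for the "Starting real time file monitoring" message that signals the initial scan has finished. The config fragment, the directory list and the log lines are constructed samples; the is_dir predicate is injected so the check runs the same way offline.

```python
import os
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not from a real install). The last entry
# deliberately points realtime at a single file to exercise the caveat.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories realtime="yes">/etc/file.txt</directories>
  </syscheck>
</ossec_config>"""

# Constructed stand-in for the filesystem so the example is deterministic.
CONSTRUCTED_DIRS = {"/etc", "/usr/bin", "/usr/sbin", "/bin", "/sbin"}

# Constructed agent log excerpt; the third line is the message the post tells
# you to wait for before assuming realtime monitoring is active.
SAMPLE_LOG = [
    "2011/01/10 10:00:01 ossec-syscheckd: INFO: Starting syscheck scan.",
    "2011/01/10 10:00:02 ossec-syscheckd: INFO: Monitoring directory: '/etc'.",
    "2011/01/10 10:27:44 ossec-syscheckd: INFO: Starting real time file monitoring",
]

STARTED_MSG = "ossec-syscheckd: INFO: Starting real time file monitoring"


def parse_syscheck(conf_xml):
    """Return (path, realtime, check_all) for every comma-separated path in
    each <directories> element found under the configuration root."""
    root = ET.fromstring(conf_xml)
    entries = []
    for elem in root.iter("directories"):
        realtime = elem.get("realtime", "no").strip().lower() == "yes"
        check_all = elem.get("check_all", "no").strip().lower() == "yes"
        for path in (p.strip() for p in (elem.text or "").split(",")):
            if path:
                entries.append((path, realtime, check_all))
    return entries


def realtime_paths(entries):
    """Sorted list of paths that carry realtime="yes"."""
    return sorted(path for path, realtime, _ in entries if realtime)


def realtime_issues(entries, is_dir=os.path.isdir):
    """Paths marked realtime="yes" that are not directories. Per the post,
    realtime monitoring only works on directories, so these entries will not
    be watched in real time. is_dir defaults to the real filesystem; pass a
    predicate to check a config for a host you are not running on."""
    return [path for path, realtime, _ in entries if realtime and not is_dir(path)]


def monitoring_started(log_lines):
    """True once the agent log contains the realtime start-up message."""
    return any(STARTED_MSG in line for line in log_lines)


if __name__ == "__main__":
    entries = parse_syscheck(SAMPLE_CONF)
    print("realtime paths:", realtime_paths(entries))
    print("realtime entries that are not directories:",
          realtime_issues(entries, lambda p: p in CONSTRUCTED_DIRS))
    print("realtime monitoring active:", monitoring_started(SAMPLE_LOG))
```

Point parse_syscheck at the contents of your own ossec.conf and leave is_dir at its default to check the host you are actually on; run the log check against the agent's ossec.log (tail it if you want to watch for the message rather than poll).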
If you are interested in this feature, please try it out on both Linux and Windows.