Add option for new files added to queue/syscheck/syscheck to be added as "changed" #1831
Comments
|
For the above to work, syscheckd only adds new files as "dirty" if it is not in the middle of an initial database scan. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When the syscheck scanner runs and it finds a new file it adds it to the integrity checking database (typically at
/var/ossec/queue/syscheck/syscheck). Currently, it adds it with a line similar to this:+++4219:33188:0:0:46f58c23838f1d054e4517b42046f1e7:592a4e2fb2c3e0cb855564f741b02567a565d2d8 !1580414084 /etc/ssl/certs/trusted-cert.pemThe problem with this is that when the command to list modified files is run (e.g.,
/var/ossec/bin/syscheck_control -i 000) this new file does not get listed.It would be very helpful if there were a configuration option that would cause the new line added to the integrity checking database to be added with a "
!" like so:!+++4219:33188:0:0:46f58c23838f1d054e4517b42046f1e7:592a4e2fb2c3e0cb855564f741b02567a565d2d8 !1580414084 /etc/ssl/certs/trusted-cert.pemThis way,
/var/ossec/bin/syscheck_control -i 000would show the new file as changed.The text was updated successfully, but these errors were encountered: