Get OSSEC syscheck to alert on change to directory but not its contents

Question

We are running OSSEC 3.2 on some Debian servers. We are using OSSEC's syscheck to alert us when certain files and directories change.

I want syscheck to generate an alert when the directory /tmp changes. Now, I don't care about any of /tmp's content, but I do care about the directory itself. For example, if the permissions on /tmp change, or its group or owner changes, I want to know.

How do I tell syscheck to alert me on changes to /tmp but not to its contents?

score 0 · Answer 1 · answered Oct 29 '19 at 03:20

0

You can try like below:

<directories check_owner="yes" check_group="yes" check_perm="yes">/tmp</directories>

answered Oct 29 '19 at 03:20

asktyagi

2,401
1
5
19

Get OSSEC syscheck to alert on change to directory but not its contents

1 Answers1