Introduce Delay with Real-time Syscheck to Avoid Useless Alerts
As discussed on the mailing list.
When a file is changed, real-time syscheck often raises an alert that the permissions have changed, when the change is perhaps just a transient artifact of how the editor saves the file. This could probably be avoided by introducing a small delay between the change event and the check. For example, this alert could have been avoided:
OSSEC HIDS Notification.
2011 Apr 01 15:07:57

Received From: talyn->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/var/ossec/etc/local_decoder.xml'
Permissions changed from 'rw-r-----' to 'r--r-----'

--END OF NOTIFICATION
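To make the proposal concrete, here is an added Python model (not OSSEC code) of a check that waits for the file to settle before comparing it with the baseline. The editor stand-in is constructed: it drops the owner write bit for a moment while saving and then restores it, mimicking the transient 'rw-r-----' to 'r--r-----' state in the alert above; snapshot() is a hypothetical stand-in for syscheck's per-file attribute record.

```python
import hashlib
import os
import stat
import tempfile
import threading
import time

def snapshot(path):
    """Hypothetical stand-in for syscheck's per-file record: permission string + SHA-1."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha1(f.read()).hexdigest()
    return {"perm": stat.filemode(st.st_mode)[1:], "sha1": digest}

def changed_fields(baseline, current):
    """Names of the attributes that differ from the baseline, in a fixed order."""
    return [k for k in ("perm", "sha1") if baseline[k] != current[k]]

def check_after_delay(path, baseline, delay):
    """The proposed behaviour: let the file settle, then compare against the baseline."""
    time.sleep(delay)
    return changed_fields(baseline, snapshot(path))

def simulate_editor_save(path, hold):
    """Constructed editor stand-in: append content, drop the owner write bit for `hold`
    seconds, then restore the original mode (a transient 'rw-r-----' -> 'r--r-----')."""
    orig_mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "ab") as f:
        f.write(b'<decoder name="added"></decoder>\n')
    os.chmod(path, orig_mode & ~stat.S_IWUSR)
    restorer = threading.Timer(hold, os.chmod, args=(path, orig_mode))
    restorer.start()
    return restorer

def demo(delay, hold=0.3):
    """Returns (immediate_diff, delayed_diff) for one simulated save of a 0640 file."""
    fd, path = tempfile.mkstemp(prefix="local_decoder_", suffix=".xml")
    os.write(fd, b'<decoder name="local"></decoder>\n')
    os.close(fd)
    os.chmod(path, 0o640)  # rw-r-----, as in the alert above
    baseline = snapshot(path)
    restorer = simulate_editor_save(path, hold)
    immediate = changed_fields(baseline, snapshot(path))  # what real-time mode reports today
    delayed = check_after_delay(path, baseline, delay)    # with the proposed settle delay
    restorer.join()
    os.unlink(path)
    return immediate, delayed
```

With a delay longer than the transient state only the checksum change remains, which is the alert that should fire; with no delay the spurious permission change is reported as well.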