Introduce Delay with Real-time Syscheck to Avoid Useless Alerts

Issue #2 wontfix

As discussed on the mailing list...

When a file is changed, it often produces an alert that the permissions have changed when it is perhaps just an artifact of editing the file. This can probably be avoided with a small delay before checking the file. For example, this one could be avoided:

OSSEC HIDS Notification.
2011 Apr 01 15:07:57

Received From: talyn->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/var/ossec/etc/local_decoder.xml'
Permissions changed from 'rw-r-----' to 'r--r-----'


Comments (2)

  1. jbcheng

    This might be controlled by inotify, which produces multiple events to the syscheck realtime queue and ossec syscheck process is simply processing the queued events one by one.

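The two behaviours discussed in the issue and in the comment above, side by side: checking on every queued inotify event versus waiting for the file to settle before comparing it with the baseline. This is an added illustration, not OSSEC's own syscheck code; the event records, the file timeline and every function name are constructed for the example.

```python
import hashlib
from collections import namedtuple

# Constructed stand-in for an inotify event (hypothetical field names).
Event = namedtuple("Event", "ts path")

# Constructed timeline of one file being rewritten by an editor: each entry is
# (timestamp, mode string, content). The transient mode mid-edit is the artifact
# that produced the "Permissions changed" alert quoted in the issue.
TIMELINE = {
    "/var/ossec/etc/local_decoder.xml": [
        (0.0, "rw-r-----", b"<decoder name='old'/>\n"),  # baseline
        (1.0, "r--r-----", b""),                          # editor's transient rewrite
        (1.2, "rw-r-----", b"<decoder name='new'/>\n"),  # final state
    ],
}
EVENTS = [Event(1.0, "/var/ossec/etc/local_decoder.xml"),
          Event(1.2, "/var/ossec/etc/local_decoder.xml")]

def state_at(path, t):
    """(mode, sha1) of the file as it looked at time t in the constructed timeline."""
    mode, data = max((e for e in TIMELINE[path] if e[0] <= t), key=lambda e: e[0])[1:]
    return mode, hashlib.sha1(data).hexdigest()

def diff_alerts(path, old, new):
    """Alert lines in the style of rule 550 for the differences between two states."""
    out = []
    if new[1] != old[1]:
        out.append(f"Integrity checksum changed for: '{path}'")
    if new[0] != old[0]:
        out.append(f"Permissions changed from '{old[0]}' to '{new[0]}'")
    return out

def check_per_event(events):
    """Behaviour described in the comment: every queued event is checked in turn."""
    alerts, last = [], {}
    for ev in events:
        base = last.get(ev.path, state_at(ev.path, 0.0))
        cur = state_at(ev.path, ev.ts)
        alerts += diff_alerts(ev.path, base, cur)
        last[ev.path] = cur
    return alerts

def check_after_delay(events, delay):
    """Proposed behaviour: coalesce events per path and check once, `delay`
    seconds after the last event, comparing the settled file with the baseline."""
    settle = {}
    for ev in events:
        settle[ev.path] = max(settle.get(ev.path, 0.0), ev.ts)
    alerts = []
    for path, last_ts in settle.items():
        alerts += diff_alerts(path, state_at(path, 0.0), state_at(path, last_ts + delay))
    return alerts
```

On the constructed timeline the per-event check raises four alerts, two of them the spurious permission changes, while the delayed check raises only the genuine checksum change. A real daemon would restart the per-path timer on each new event rather than batch as done here.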