Syscheck: File Deleted events are not generated without realtime

[jrossi]

I never seen file deleted event triggered without realtime="yes". This can be reproduced in 2 ways:

Reproduce sequence #1

have a simple agent-server setup with a simple syscheck config on agent:

<syscheck>
        <auto_ignore>no</auto_ignore>
        <scan_on_start>yes</scan_on_start>
        <frequency>3600</frequency>
        <alert_new_files>yes</alert_new_files>
        <directories check_all="yes" realtime="yes">/etc</directories>
</syscheck>

make sure alerts are triggered - delete a test file from /etc/fimtest/111

Now change the line to :

<directories check_all="yes" realtime="no">/etc</directories>

delete another test file /etc/fimtest/222

no events are triggered after a full scan.

Reproduce Sequence #2

• Have a working setup with realtime="yes"
• perform a file deletion and see the event in realtime
• shut down ossec agent
• delete another file
• start ossec agent again

Event will never be fired - even after full scan.

Note: This issue has been automatically migrated from Bitbucket Created by froyke on 2013-10-01 18:32:15+00:00, last updated: 2013-11-14 13:19:40+00:00

[jrossi]

Fixed by PR 19 (https://bitbucket.org/jbcheng/ossec-hids/pull-request/19/several-improvements-corrections-in/diff)

Note: This comment has been automatically migrated from Bitbucket Created by gaelmuller on 2013-11-14 13:19:40+00:00, last updated: 2013-11-14 13:19:58+00:00