Argument `path` of the module file_integrity enhancement?

krakz · January 6, 2022, 3:35pm

Hi,

The module file_integrity takes a list of file path, which is useful for binary and configuration file monitoring, but generic users file cannot be monitored otherwise than with the option recursive enable.

Is there, any chance that argument path can be interpreted as a regular expression to ease file under /home/<username> to be monitored or is there another way to monitor these file (without the full file path)?

For example, monitoring file such as: ~/.ssh/authorized_keys for all users would take the following configuration:

- module: file_integrity
  paths:
  - /bin
  - /etc
  - \/home\/.*\/\.ssh\/authorized_keys

PCRE2 regexp format used above...

Thank in advance for your support.

samuel.john · January 19, 2022, 9:05am

paths Globs are not supported. The specified paths should exist when the metricset is started. Paths should be absolute, although the file integrity module will attempt to resolve relative path events to their absolute file path.

- module: file_integrity
  paths:
  - /bin
  - /etc
  - /home/user1/.ssh/authorized_keys
  - /home/user2/.ssh/authorized_keys

system · February 16, 2022, 11:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.