If you’re familiar with SIEM tools or OSSEC, then you know syscheck. Syscheck is the integrity checking daemon within OSSEC. Its purpose is simple: identify and report changes to system files. Once the baseline is set, syscheck performs change detection by comparing every file’s checksum against the baseline on each scan. If a checksum is not a one-for-one match, it reports the file as changed. If new files are added, it identifies them as new and reports them. Syscheck options are available in the server, local and agent installations.

In /var/ossec/etc/ossec.conf we can find the syscheck config. The frequency option is in seconds and defaults to 22 hours (79,200 seconds). To also be alerted when new files are added, add the option below:

<alert_new_files>yes</alert_new_files>

Syscheck in OSSEC also leverages the inotify system calls as its detection engine, so changes can be caught in real time between scheduled scans.

You can ignore files in a directory using either of the approaches below: a rule with level 0, or the 'ignore' tag.

<rule id="100000" level="0" >

or

<ignore>foo/test/</ignore>


Option attributes

  • realtime
  • check_all
  • check_sum
  • frequency
  • scan_day
  • auto_ignore
  • prefilter_cmd
    - This option can potentially impact performance negatively


By default, when a file has changed three times, further changes are automatically ignored. Handy, but it could be improved. When I’m deploying security tools and controls, my goal is to reduce the “noise” as much as possible. A side effect of file integrity monitoring is the number of false positive alerts generated.
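As an added example (not from the original post or the OSSEC project), here is how the options discussed above fit together: the syscheck section of ossec.conf tuned for low noise, and a local rule that silences one directory instead of relying on auto_ignore. The directory and path values are assumed for illustration, not taken from any real deployment.

```xml
<!-- /var/ossec/etc/ossec.conf, syscheck section only (assumed paths) -->
<ossec_config>
  <syscheck>
    <!-- Full scan every 22 hours (79,200 s), plus one scan when OSSEC starts. -->
    <frequency>79200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Report files that appear after the baseline was taken. -->
    <alert_new_files>yes</alert_new_files>

    <!-- realtime="yes" uses inotify so changes are seen between scans;
         check_all="yes" covers size, permissions, owner, md5 and sha1. -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Exact-path and regex ignores for paths that churn legitimately. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">.swp$|.tmp$</ignore>

    <!-- Keep alerting after the third change instead of auto-silencing;
         noisy paths are handled explicitly with rules below. -->
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: silence one noisy directory only. -->
<group name="local,syscheck,">
  <!-- 550 is OSSEC's "Integrity checksum changed" rule. A level-0 child
       rule suppresses alerts for the matched path and nothing else. -->
  <rule id="100000" level="0">
    <if_sid>550</if_sid>
    <match>/etc/foo/test/</match>
    <description>Expected churn under /etc/foo/test/ (assumed path).</description>
  </rule>
</group>
```

Rule ids 100000 and above are reserved for local rules in OSSEC; restart the daemons with /var/ossec/bin/ossec-control restart after editing either file.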


[1] https://blog.rootshell.be/2013/05/13/improving-file-integrity-monitoring-with-ossec/
