We have change control installed on Solaris server & it is configured in enabled mode,we have write protected some path.
We are getting the solidcore events for the path which is write protected but we are also getting the solidcore events which are accepted.For eg.in screenshot we are getting the events for the path starting with /etc though we have not write protected the path.
Do anyone have an idea???
You should not see events due to these policies. The events are raised due to the monitoring policies.
Please check if the right folders are being monitored in your Integrity monitoring Policy.
I have seen my ruleset & found the same thing as mentioned in your screenshot, but content change tracking is disabled for all paths mentioned in Solaris rule group.Then how come events are generated