Scott Speirs wrote:
> carlopmart wrote:
>> Hi all,
>>
>> I have installed ossec 1.3 on two rhel5 servers. On both servers ossec
>> generates this alert??
>>
>> OSSEC HIDS Notification.
>> 2007 Sep 12 09:51:32
>>
>> Received From: xenhost->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
>> (rootcheck)."
>> Portion of the log(s):
>>
>> File '/sys/module/sbs/parameters/capacity_mode' is owned by root and has
>> written permissions to anyone.
>>
>>
>> What does it mean???
>>
>>
> Ah, I expect, if you check the permissions on that file, you will find
> that the owner is root and that everyone has write permissions. Not being
> that familiar with RHEL per se, I would guess that's a system file and
> giving everyone write permissions invites, er, damage. :-)
>
But it isn't correct:
[EMAIL PROTECTED] parameters]$ pwd
/sys/module/sbs/parameters
[EMAIL PROTECTED] parameters]$ ls -la
total 0
drwxr-xr-x 2 root root 0 Sep 13 09:14 .
drwxr-xr-x 4 root root 0 Sep 13 09:14 ..
--------wx 1 root root 4096 Sep 13 09:14 capacity_mode
--------w- 1 root root 4096 Sep 13 09:14 update_mode
----rwxr-- 1 root root 4096 Sep 13 09:14 update_time
[EMAIL PROTECTED] parameters]$
As a user I can't manipulate this file:
[EMAIL PROTECTED] parameters]$ cat capacity_mode
cat: capacity_mode: Permission denied
[EMAIL PROTECTED] parameters]$
Does somebody know what I can do about this alert?
--
CL Martinez
carlopmart {at} gmail {d0t} com
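
Added example, not part of the original thread and not OSSEC's own code: it decodes the permission strings from the `ls -la` listing above and reports which root-owned regular files have the other-write bit set, the condition the alert text describes, and separately whether the other-read bit (what `cat` needs) is set. The function names are hypothetical, and treating the check as "owner is root and other-write bit set" is an assumption taken from the alert wording.

```python
import stat

# Listing lines copied from the message above (shell prompts omitted).
LS_OUTPUT = """\
total 0
drwxr-xr-x 2 root root 0 Sep 13 09:14 .
--------wx 1 root root 4096 Sep 13 09:14 capacity_mode
--------w- 1 root root 4096 Sep 13 09:14 update_mode
----rwxr-- 1 root root 4096 Sep 13 09:14 update_time
"""

_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)


def mode_from_ls(perm):
    """Convert an `ls -l` permission string such as '--------wx' to rwx mode bits."""
    perm = perm[:10]  # drop a trailing '.' or '+' (SELinux/ACL marker) if present
    if len(perm) != 10:
        raise ValueError("unexpected permission string: %r" % perm)
    mode = 0
    for char, bit in zip(perm[1:], _BITS):
        if char not in "-ST":  # 'S'/'T' mean a special bit without the x bit
            mode |= bit
    return mode


def root_owned_world_writable(listing):
    """Return (name, octal mode) for regular files owned by root with other-write set."""
    hits = []
    for line in listing.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or not fields[0].startswith("-"):
            continue  # skip the 'total' line, directories and links
        perm, owner, name = fields[0], fields[2], fields[8]
        mode = mode_from_ls(perm)
        if owner == "root" and mode & stat.S_IWOTH:
            hits.append((name, "%04o" % mode))
    return hits


def other_can_read(perm):
    """True if the other-read bit is set, which is what `cat` by a non-owner needs."""
    return bool(mode_from_ls(perm) & stat.S_IROTH)


if __name__ == "__main__":
    for name, mode in root_owned_world_writable(LS_OUTPUT):
        print("%s mode %s: root-owned, other-write bit set" % (name, mode))
```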