The <frequency> tells ossec to wait at least that long. It's not an exact time. Also, I haven't looked very much at rootcheck, but it's possible it takes longer than 2 minutes for it to complete a run.

On Tue, Aug 16, 2011 at 6:21 AM, Demmy Adeyemo <[email protected]> wrote:
> Hi All.
>
> In a server-agent configuration, I am trying to get rootcheck to run
> every 1 minute or so, in order to detect prohibited applications with
> the win_application_rcl.txt file and ultimately shut these applications
> down with a cmd script killing the processes via active-response.
>
> I have achieved this with the exception of the rootcheck runtime. My
> current rootcheck config is as below:
>
> server
>
> <rootcheck>
>   <frequency>120</frequency>
>   <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>   <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>   <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>   <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>   <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>   <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
> </rootcheck>
>
> client
>
> <rootcheck>
>   <frequency>120</frequency>
>   <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
>   <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
>   <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
> </rootcheck>
>
> With this frequency time set, instead of running every 2 minutes it runs
> every 5 mins. If I take the time lower than that, it still runs every
> 5 mins.
>
> My question is: how do I make rootcheck run every minute? Please, I need
> your help ASAP.
