Could you remind me of the command to check permissions/owner/group? Also, I just noticed the ossec.conf file, agent side. I noticed that the agent.conf file's updates are not being applied here - is this normal? What is the purpose of the ossec.conf file, agent side?

On Thursday, June 20, 2013 11:14:30 AM UTC-4, dan (ddpbsd) wrote:
> On Thu, Jun 20, 2013 at 10:53 AM, David Blanton
> <[email protected]> wrote:
> > The rootcheck files? Yes, they are. # pwd shows that all of them exist in
> > the /shared
>
> I feel like I've seen those errors before, but I can't remember if
> there was a solution. I was not able to recreate the errors using a
> smaller version of your agent.conf.
>
> What does the <rootcheck> section of the agent's ossec.conf consist of?
> What are the permissions/owner/group of the rootcheck files? Mine
> appear to be 0400 root:ossec.
>
> > The # /var/adm do not - those are geared towards Solaris Sun boxes and the
> > agent I am testing it on is RHEL5.
> >
> > Not sure what the rootkit messages are.
> >
> >
> > On Wednesday, June 19, 2013 5:08:22 PM UTC-4, David Blanton wrote:
> >>
> >> If I have a <directories
> >> check_all="yes">/usr/local/bin,/sbin</directories>
> >>
> >> and <ignore>/opt/lampp</ignore> within my ossec.conf file (for example),
> >> does that mean that my agents will
> >>
> >> not abide by these rules? Are they only local rules for my OSSEC Server?
> >>
> >> Do these have to be specifically addressed for each agent, with their OS,
> >> name, etc. within agent.conf in order
> >>
> >> for agents to either ignore certain directories or check certain files and
> >> directories?
> >>
> >>
> >> The OSSEC 2.7 documentation and book does not specifically make any of
> >> these things clear.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
