Hi, I have to say I'm particularly unfortunate with the rootcheck daemon...am I the only one who keeps running into those problems?
On my manager I was checking against the system_audit_ssh.txt that checks the sshd_config. I first started with the following unresolved issues [root@manager bin]# ./rootcheck_control -q -i 000 Policy and auditing events for local system 'manager - 127.0.0.1': Outstanding events: 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) System Audit: System Audit: SSH Hardening - 5: Password Authentication { PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 . 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 7 . 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 . 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 . So far, so good. I set the correct values inside sshd_config, restarted the sshd service and waited until the rootcheck run ran again... For the troubleshooting sake I set the interval to 5 minutes. But for some reason it didn't update the Outstanding events..... only updated the time. [root@manager bin]# ./rootcheck_control -q -i 000 Policy and auditing events for local system 'manager - 127.0.0.1': Outstanding events: 2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43) System Audit: System Audit: SSH Hardening - 5: Password Authentication { PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 5 . 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) System Audit: System Audit: SSH Hardening - 7: Rhost or shost used for authentication {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 7 . 2016 Apr 02 18:56:36 (first time detected: 2016 Apr 02 18:31:43) System Audit: System Audit: SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 8 . 2016 Apr 02 18:31:43 (first time detected: 2016 Apr 02 18:31:43) System Audit: System Audit: SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 . I checked the syntax of the system_audit_ssh.txt but this seemed good to me For instance the MaxAuthTries has this syntax # MaxAuthTries 3 # The MaxAuthTries parameter specifices the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. # This should be set to 3. [SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS : 2.2.4}] [any] [9] f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$; f:$sshd_file -> r:^#\s*MaxAuthTries; f:$sshd_file -> !r:MaxAuthTries; my sshd_config has exact this value set "MaxAuthTries 3" At the end I simply ran [root@manager bin]# ./rootcheck_control -u 000 and waited for another rootcheck run. Unfortunately it needed a full ossec restart, because simply running returned nothing except an empty database [root@manager bin]# ./rootcheck_control -L -i 000 Policy and auditing events for local system 'manager - 127.0.0.1': Can someone maybe explain this behavior to me? Why does it need an ossec restart, when a regular rootcheck run is not able to update the Outstanding events successfully or in other words: Why is OSSEC not able to update the database even after it was flushed using rootcheck_control - u 000 leaving the database empty until I restart OSSEC completely?? Maybe this is just another "Pebkac" error and me being just too stupid to get it properly working... anyway, I would love to hear your experiences with rootcheckd and rootcheck_control I'm using VERSION="v2.9.0" at the moment, pulled from github. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.