Was meaning to paste this link before sending the last email:

http://ossec-docs.readthedocs.org/en/latest/manual/rootcheck/manual-rootcheck.html

On Tue, Apr 19, 2016 at 5:06 PM, Santiago Bassett <
santiago.bass...@gmail.com> wrote:

> Hi Eyal,
>
> Try setting syscheck.debug=2 in the internal_options.conf file. It looks like
> there are some rootchecks that still run unless you set those to no, like
> check_pids, check_dev, check_ports, ... See more info at:
>
>
> On Mon, Apr 18, 2016 at 12:13 PM, <joe.cosgr...@wazuh.com> wrote:
>
>> Interesting... that should be the only config that you need to update in
>> order to disable the root check. I tried it in my lab and disabled it
>> properly as well.
>>
>>
>> On Sunday, April 17, 2016 at 4:56:15 AM UTC-4, eyal gershon wrote:
>>>
>>> I checked again the logs -
>>>
>>> 2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>>> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_files file configured.
>>> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_trojans file configured.
>>> 2016/04/16 18:45:52 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>
>>> The log says the check did run.
>>> Is there another configuration file I might be missing?
>>>
>>> On Friday, April 15, 2016 at 3:08:23 PM UTC+3, Pedro S wrote:
>>>>
>>>> I have reproduced your configuration on my labs, rootcheck is not
>>>> starting again. Could you re-verify that agent.conf file is right on your
>>>> agent?
>>>>
>>>> On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote:
>>>>>
>>>>> 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
>>>>> 2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
>>>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
>>>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured.
>>>>> 2016/04/14 06:17:38 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>>>
>>>>> The start of the scan is right after the ossec-hids restart from the
>>>>> original post.
>>>>>
>>>>> On Thursday, April 14, 2016 at 2:57:36 PM UTC+3, dan (ddpbsd) wrote:
>>>>>>
>>>>>> On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon <gersh...@gmail.com>
>>>>>> wrote:
>>>>>> > Hey,
>>>>>> >
>>>>>> > I tried to disable the rootcheck on one of the servers.
>>>>>> > I have added the following line to the agent.conf file -
>>>>>> >
>>>>>> > <rootcheck>
>>>>>> >     <disabled>yes</disabled>
>>>>>> > </rootcheck>
>>>>>> >
>>>>>> > and after I am restarting the service I get the following output -
>>>>>> > Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck
>>>>>> > disabled. Exiting.
>>>>>> > ossec-syscheckd: WARN: Rootcheck module disabled.
>>>>>> >
>>>>>> > and a few min later I see in the logs that the rootcheck is running again.
>>>>>> > Does anyone have an idea what I missed?
>>>>>> >
>>>>>>
>>>>>> Which log messages are you seeing specifically?
>>>>>>
>
>
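
Added example (not part of the original thread and not OSSEC project code): a small check for the symptom discussed above, listing every rootcheck scan that ossec.log records after a "Rootcheck disabled" message. The function name and the sample log are assumptions made for illustration; the message strings are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample: the first line is the restart output quoted in the
# thread; the syscheckd timestamp and the scan lines are made up.
SAMPLE_LOG = """\
Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck disabled. Exiting.
2016/04/14 06:16:27 ossec-syscheckd: WARN: Rootcheck module disabled.
2016/04/14 06:21:40 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/04/14 06:21:40 ossec-rootcheck: No rootcheck_files file configured.
2016/04/14 06:33:02 ossec-rootcheck: INFO: Ending rootcheck scan.
"""

# Timestamp + ossec-rootcheck message, found anywhere in the line so that
# console output prefixed with "Starting ossec-hids: " is parsed too.
LINE_RE = re.compile(
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-rootcheck: (?:INFO: )?(.*)")

def scans_after_disable(log_text):
    """Return (disabled_at, scan_start, scan_end) for each rootcheck scan that
    started after a "Rootcheck disabled" message; scan_end is None when the
    log has no matching "Ending rootcheck scan" line."""
    disabled_at, open_scan, findings = None, None, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("Rootcheck disabled"):
            disabled_at = ts
        elif msg.startswith("Starting rootcheck scan"):
            open_scan = None
            if disabled_at is not None and ts >= disabled_at:
                findings.append([disabled_at, ts, None])
                open_scan = findings[-1]
        elif msg.startswith("Ending rootcheck scan") and open_scan is not None:
            open_scan[2] = ts
            open_scan = None
    return [tuple(f) for f in findings]

if __name__ == "__main__":
    for disabled_at, start, end in scans_after_disable(SAMPLE_LOG):
        took = f"ran {end - start}" if end else "no end line in log"
        print(f"disabled {disabled_at}, scan started {start} ({took})")
```

An empty result on an agent's real log means no scan was logged after the last disable message; any entry shows when the scan started and how long it ran.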
