Hi, I'm running OSSEC 2.9.0. I'm unable to get the rootcheck to run the rootcheck_files, rootcheck_trojans,a and system_audit on an agent that has its config pushed out via the server. I'm not sure what I'm doing wrong.
*server: /var/ossec/etc/ossec.conf* <ossec_config> <global> <email_notification>no</email_notification> </global> <!-- The order of these rules is absolutely critical. Failure to order rules correctly will cause daemons to fail. Symptoms are: Invalid 'if_sid' --> <rules> <include>rules_config.xml</include> <include>pam_rules.xml</include> <include>sshd_rules.xml</include> <include>telnetd_rules.xml</include> <include>syslog_rules.xml</include> <include>arpwatch_rules.xml</include> <include>symantec-av_rules.xml</include> <include>symantec-ws_rules.xml</include> <include>pix_rules.xml</include> <include>named_rules.xml</include> <include>smbd_rules.xml</include> <include>vsftpd_rules.xml</include> <include>pure-ftpd_rules.xml</include> <include>proftpd_rules.xml</include> <include>ms_ftpd_rules.xml</include> <include>ftpd_rules.xml</include> <include>hordeimp_rules.xml</include> <include>roundcube_rules.xml</include> <include>wordpress_rules.xml</include> <include>cimserver_rules.xml</include> <include>vpopmail_rules.xml</include> <include>vmpop3d_rules.xml</include> <include>courier_rules.xml</include> <include>web_rules.xml</include> <include>web_appsec_rules.xml</include> <include>apache_rules.xml</include> <include>nginx_rules.xml</include> <include>php_rules.xml</include> <include>mysql_rules.xml</include> <include>postgresql_rules.xml</include> <include>ids_rules.xml</include> <include>squid_rules.xml</include> <include>firewall_rules.xml</include> <include>cisco-ios_rules.xml</include> <include>netscreenfw_rules.xml</include> <include>sonicwall_rules.xml</include> <include>postfix_rules.xml</include> <include>sendmail_rules.xml</include> <include>imapd_rules.xml</include> <include>mailscanner_rules.xml</include> <include>dovecot_rules.xml</include> <include>ms-exchange_rules.xml</include> <include>racoon_rules.xml</include> <include>vpn_concentrator_rules.xml</include> <include>spamd_rules.xml</include> <include>msauth_rules.xml</include> <include>mcafee_av_rules.xml</include> <include>trend-osce_rules.xml</include> <include>ms-se_rules.xml</include> <!-- <include>policy_rules.xml</include> --> <include>zeus_rules.xml</include> <include>solaris_bsm_rules.xml</include> <include>vmware_rules.xml</include> <include>ms_dhcp_rules.xml</include> <include>asterisk_rules.xml</include> <include>ossec_rules.xml</include> <include>attack_rules.xml</include> <include>local_rules.xml</include> </rules> <remote> <connection>secure</connection> </remote> <alerts> <log_alert_level>1</log_alert_level> </alerts> <active-response> <disabled>yes</disabled> </active-response> <!-- Master server local node only --> <syscheck> <!-- Enhanced Alerts --> <auto_ignore>no</auto_ignore> <alert_new_files>yes</alert_new_files> <!-- Scheduling --> <scan_on_start>no</scan_on_start> <frequency>7200</frequency> <!-- Directories to check --> <directories check_all="yes" realtime="yes">/etc</directories> <directories check_all="yes" realtime="yes">/usr/bin,/usr/sbin </directories> <directories check_all="yes" realtime="yes">/bin,/sbin</directories> <directories check_all="yes" realtime="yes">/usr/local/bin</directories> <directories check_all="yes" realtime="yes">/home</directories> <!-- Restrict means only scan the following file --> <directories check_all="yes" realtime="yes" restrict="authorized_keys"> /root/.ssh</directories> <!-- Files/directories to ignore --> <ignore>/etc/mtab</ignore> <ignore>/etc/mnttab</ignore> <ignore>/etc/hosts.deny</ignore> <ignore>/etc/mail/statistics</ignore> <ignore>/etc/random-seed</ignore> <ignore>/etc/adjtime</ignore> <ignore>/etc/httpd/logs</ignore> <ignore>/etc/utmpx</ignore> <ignore>/etc/wtmpx</ignore> <ignore>/etc/cups/certs</ignore> </syscheck> <!-- Files to monitor (localfiles) --> <localfile> <log_format>syslog</log_format> <location>/var/log/messages</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/secure</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/maillog</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/ossec/logs/active-responses.log</location> </localfile> <!-- Master server local node only --> <rootcheck> <disabled>no</disabled> <frequency>7200</frequency> <check_dev>yes</check_dev> <check_files>yes</check_files> <check_if>yes</check_if> <check_pids>yes</check_pids> <!-- <check_policy>yes</check_policy> Bug in OSSEC 2.9.x --> <check_ports>yes</check_ports> <check_sys>yes</check_sys> <check_trojans>yes</check_trojans> <check_unixaudit>yes</check_unixaudit> <skip_nfs>yes</skip_nfs> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt </rootkit_trojans> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt </system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt </system_audit> </rootcheck> <syslog_output> <server>10.10.11.11</server> <level>1</level> <use_fqdn>yes</use_fqdn> </syslog_output> </ossec_config> *agent: /var/ossec/etc/ossec.conf* <ossec_config> <client> <server-ip>10.10.11.11</server-ip> </client> </ossec_config> *agent: /var/ossec/etc/shared/agent.conf* <agent_config os="Linux"> <syscheck> <!-- Enhanced Alerts --> <auto_ignore>no</auto_ignore> <alert_new_files>yes</alert_new_files> <!-- Scheduling --> <scan_on_start>no</scan_on_start> <frequency>7200</frequency> <!-- Directories to check --> <directories check_all="yes" realtime="yes">/etc</directories> <directories check_all="yes" realtime="yes">/usr/bin,/usr/sbin </directories> <directories check_all="yes" realtime="yes">/bin,/sbin</directories> <directories check_all="yes" realtime="yes">/usr/local/bin</directories> <directories check_all="yes" realtime="yes">/home</directories> <!-- Restrict means only scan the following file --> <directories check_all="yes" realtime="yes" restrict="authorized_keys"> /root/.ssh</directories> <!-- Files/directories to ignore --> <ignore>/etc/mtab</ignore> <ignore>/etc/mnttab</ignore> <ignore>/etc/hosts.deny</ignore> <ignore>/etc/mail/statistics</ignore> <ignore>/etc/random-seed</ignore> <ignore>/etc/adjtime</ignore> <ignore>/etc/httpd/logs</ignore> <ignore>/etc/utmpx</ignore> <ignore>/etc/wtmpx</ignore> <ignore>/etc/cups/certs</ignore> </syscheck> <!-- Files to monitor (localfiles) --> <localfile> <log_format>syslog</log_format> <location>/var/log/messages</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/secure</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/maillog</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/ossec/logs/active-responses.log</location> </localfile> <rootcheck> <disabled>no</disabled> <frequency>7200</frequency> <check_dev>yes</check_dev> <check_files>yes</check_files> <check_if>yes</check_if> <check_pids>yes</check_pids> <check_policy>yes</check_policy> <check_ports>yes</check_ports> <check_sys>yes</check_sys> <check_trojans>yes</check_trojans> <check_unixaudit>yes</check_unixaudit> <skip_nfs>yes</skip_nfs> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt </rootkit_trojans> <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt </system_audit> <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt </system_audit> </rootcheck> </agent_config> Here are some examples of what I see in the logs. *server: /var/ossec/logs/ossec.log snippet* 12:30:53 rootcheck: INFO: Starting rootcheck scan. 12:30:53 rootcheck: DEBUG: Starting on check_rc_files 12:30:53 rootcheck: DEBUG: Starting on check_rc_trojans 12:30:54 rootcheck: DEBUG: Starting on check_rc_unixaudit 12:30:54 rootcheck: DEBUG: Checking entry: 'PHP - Register globals are enabled'. 12:30:54 rootcheck: DEBUG: Checking file: '/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini'. *agent: /var/ossec/logs/ossec.log snippet* 13:03:55 rootcheck: INFO: Starting rootcheck scan. 13:03:55 rootcheck: No rootcheck_files file configured. <==== Why?? 13:03:55 rootcheck: No rootcheck_trojans file configured. <==== Why?? 13:03:55 rootcheck: DEBUG: Going into check_rc_dev 13:03:55 rootcheck: DEBUG: Starting on check_rc_dev 13:03:55 rootcheck: DEBUG: Going into check_rc_sys 13:03:55 rootcheck: DEBUG: Starting on check_rc_sys 13:03:56 rootcheck: DEBUG: Going into check_rc_pids 13:09:53 rootcheck: DEBUG: Going into check_rc_ports 13:09:55 rootcheck: DEBUG: Going into check_open_ports 13:09:55 rootcheck: DEBUG: Going into check_rc_if 13:09:55 rootcheck: DEBUG: Completed with all checks. 13:10:00 rootcheck: INFO: Ending rootcheck scan. 13:10:00 rootcheck: DEBUG: Leaving run_rk_check -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.