Hi,
I'm running OSSEC 2.9.0. I'm unable to get the rootcheck to run the
rootcheck_files, rootcheck_trojans,a and system_audit on an agent that has
its config pushed out via the server. I'm not sure what I'm doing wrong.
*server: /var/ossec/etc/ossec.conf*
<ossec_config>
<global>
<email_notification>no</email_notification>
</global>
<!--
The order of these rules is absolutely critical.
Failure to order rules correctly will cause daemons
to fail. Symptoms are: Invalid 'if_sid'
-->
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<remote>
<connection>secure</connection>
</remote>
<alerts>
<log_alert_level>1</log_alert_level>
</alerts>
<active-response>
<disabled>yes</disabled>
</active-response>
<!-- Master server local node only -->
<syscheck>
<!-- Enhanced Alerts -->
<auto_ignore>no</auto_ignore>
<alert_new_files>yes</alert_new_files>
<!-- Scheduling -->
<scan_on_start>no</scan_on_start>
<frequency>7200</frequency>
<!-- Directories to check -->
<directories check_all="yes" realtime="yes">/etc</directories>
<directories check_all="yes" realtime="yes">/usr/bin,/usr/sbin
</directories>
<directories check_all="yes" realtime="yes">/bin,/sbin</directories>
<directories check_all="yes" realtime="yes">/usr/local/bin</directories>
<directories check_all="yes" realtime="yes">/home</directories>
<!-- Restrict means only scan the following file -->
<directories check_all="yes" realtime="yes" restrict="authorized_keys">
/root/.ssh</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
</syscheck>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<!-- Master server local node only -->
<rootcheck>
<disabled>no</disabled>
<frequency>7200</frequency>
<check_dev>yes</check_dev>
<check_files>yes</check_files>
<check_if>yes</check_if>
<check_pids>yes</check_pids>
<!-- <check_policy>yes</check_policy> Bug in OSSEC 2.9.x -->
<check_ports>yes</check_ports>
<check_sys>yes</check_sys>
<check_trojans>yes</check_trojans>
<check_unixaudit>yes</check_unixaudit>
<skip_nfs>yes</skip_nfs>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt
</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
</system_audit>
</rootcheck>
<syslog_output>
<server>10.10.11.11</server>
<level>1</level>
<use_fqdn>yes</use_fqdn>
</syslog_output>
</ossec_config>
*agent: /var/ossec/etc/ossec.conf*
<ossec_config>
<client>
<server-ip>10.10.11.11</server-ip>
</client>
</ossec_config>
*agent: /var/ossec/etc/shared/agent.conf*
<agent_config os="Linux">
<syscheck>
<!-- Enhanced Alerts -->
<auto_ignore>no</auto_ignore>
<alert_new_files>yes</alert_new_files>
<!-- Scheduling -->
<scan_on_start>no</scan_on_start>
<frequency>7200</frequency>
<!-- Directories to check -->
<directories check_all="yes" realtime="yes">/etc</directories>
<directories check_all="yes" realtime="yes">/usr/bin,/usr/sbin
</directories>
<directories check_all="yes" realtime="yes">/bin,/sbin</directories>
<directories check_all="yes" realtime="yes">/usr/local/bin</directories>
<directories check_all="yes" realtime="yes">/home</directories>
<!-- Restrict means only scan the following file -->
<directories check_all="yes" realtime="yes" restrict="authorized_keys">
/root/.ssh</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
</syscheck>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<rootcheck>
<disabled>no</disabled>
<frequency>7200</frequency>
<check_dev>yes</check_dev>
<check_files>yes</check_files>
<check_if>yes</check_if>
<check_pids>yes</check_pids>
<check_policy>yes</check_policy>
<check_ports>yes</check_ports>
<check_sys>yes</check_sys>
<check_trojans>yes</check_trojans>
<check_unixaudit>yes</check_unixaudit>
<skip_nfs>yes</skip_nfs>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt
</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
</system_audit>
</rootcheck>
</agent_config>
Here are some examples of what I see in the logs.
*server: /var/ossec/logs/ossec.log snippet*
12:30:53 rootcheck: INFO: Starting rootcheck scan.
12:30:53 rootcheck: DEBUG: Starting on check_rc_files
12:30:53 rootcheck: DEBUG: Starting on check_rc_trojans
12:30:54 rootcheck: DEBUG: Starting on check_rc_unixaudit
12:30:54 rootcheck: DEBUG: Checking entry: 'PHP - Register globals are
enabled'.
12:30:54 rootcheck: DEBUG: Checking file:
'/etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini'.
*agent: /var/ossec/logs/ossec.log snippet*
13:03:55 rootcheck: INFO: Starting rootcheck scan.
13:03:55 rootcheck: No rootcheck_files file configured. <====
Why??
13:03:55 rootcheck: No rootcheck_trojans file configured. <====
Why??
13:03:55 rootcheck: DEBUG: Going into check_rc_dev
13:03:55 rootcheck: DEBUG: Starting on check_rc_dev
13:03:55 rootcheck: DEBUG: Going into check_rc_sys
13:03:55 rootcheck: DEBUG: Starting on check_rc_sys
13:03:56 rootcheck: DEBUG: Going into check_rc_pids
13:09:53 rootcheck: DEBUG: Going into check_rc_ports
13:09:55 rootcheck: DEBUG: Going into check_open_ports
13:09:55 rootcheck: DEBUG: Going into check_rc_if
13:09:55 rootcheck: DEBUG: Completed with all checks.
13:10:00 rootcheck: INFO: Ending rootcheck scan.
13:10:00 rootcheck: DEBUG: Leaving run_rk_check
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
