Hi All,

many thanks for the info so far.

Some further googling has given me some extra info too.

* it seems that the basic rootcheck configuration already exists via the 
existing ossec client install
* I found this link
https://www.hivelocity.net/kb/how-to-install-rootcheck-on-the-server/
  This suggests that a binary (amongst others) "rootcheck" needs installing.

Is the second part, i.e. installing rootcheck etc., actually needed, or is this 
some further step that isn't needed in order for OSSEC to be doing its 
stuff?

And is there some "safe" test that can be performed to check that ossec 
rootcheck is doing what it is supposed to do? I'd rather not deliberately 
install a well dodgy rootkit just to test that ossec does what it says it 
does. Or is this just a leap of faith?

cheers

ian



On Tuesday, 16 May 2017 17:36:36 UTC+1, ian diddams wrote:
>
> Apologies in advance if this is a FAQ - I've googled a bit but can't see 
> anything obvious returned.
>
> I've been asked to find out if OSSEC HIDS (which we use already for other 
> monitoring) can be used on linux variations (Centos mainly) to spot "rogue 
> software". Now there's an ambiguous description to start with, and I'm 
> trying to ascertain exactly what "rogue software" really means from those 
> that asked me to investigate this!
>
> In its widest description I suppose it could be something like taking a 
> baseline of running processes, and reflecting that against future process 
> lists, and alerting for anything running that isn't in the baseline. Does 
> OSSEC HIDS provide any such or similar facility?
>
> cheers
>
> ian
>
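Editor's added example, not part of the thread: the "baseline of running processes, diffed against later process lists" idea from the quoted question, written as a small POSIX shell script. The sample `ps`-style input is constructed for the example; in practice the two lists would come from `ps -e -o pid=,comm=` runs, and the normalised output is the kind of thing OSSEC can consume as a `full_command` localfile (the stock ossec.conf already monitors `netstat` listening ports this way, with rule 533 using `<check_diff />` to alert when the output changes).

```shell
#!/bin/sh
# Added example (not from the original thread): a process-baseline check of
# the kind described in the question. Command names only are compared, so a
# daemon that restarts under a new PID is not reported as "new".
set -u
export LC_ALL=C   # sort and comm must agree on collation

# Reduce "ps -e -o pid=,comm=" style output ("PID COMMAND" per line) to a
# sorted, de-duplicated list of command names read from stdin.
normalize_ps() {
    awk 'NF >= 2 { print $2 }' | sort -u
}

# $1 = normalised baseline file, $2 = normalised current file.
# Prints "NEW <name>" for commands running now but absent from the baseline,
# and "GONE <name>" for baseline commands no longer running.
baseline_diff() {
    comm -13 "$1" "$2" | sed 's/^/NEW /'
    comm -23 "$1" "$2" | sed 's/^/GONE /'
}

# Constructed sample input standing in for two "ps -e -o pid=,comm=" runs
# taken a day apart on the same CentOS box (not real captures).
SAMPLE_BASELINE='1 systemd
412 sshd
688 ossec-agentd
690 ossec-syscheckd
701 crond
1203 sshd'
SAMPLE_CURRENT='1 systemd
412 sshd
688 ossec-agentd
690 ossec-syscheckd
3121 sshd
3140 nc'

# Run the comparison on the constructed sample and print the report.
demo_report() {
    tmpdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_BASELINE" | normalize_ps > "$tmpdir/baseline"
    printf '%s\n' "$SAMPLE_CURRENT"  | normalize_ps > "$tmpdir/current"
    baseline_diff "$tmpdir/baseline" "$tmpdir/current"
    rm -rf "$tmpdir"
}

demo_report
```

Run against the constructed sample it reports `NEW nc` and `GONE crond`; on a real host you would store the first `normalize_ps` output as the baseline and re-run the diff on a schedule, or let OSSEC do the diffing by pointing a `full_command` localfile at the normalisation command and writing a rule with `<check_diff />`. Note that this is a process-list diff, not rootcheck: in OSSEC 2.x the rootcheck checks (rootkit file and trojan signatures, hidden process and port detection, `/dev` anomalies) are run by the agent's ossec-syscheckd as configured in the `<rootcheck>` section of ossec.conf, and the standalone rootcheck tarball in the linked howto is the older separate tool.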
