Hi, is rootcheck running properly? I mean, do you see the logs "Starting rootcheck..." and "Ending rootcheck..."? Maybe it is a syntax error.

If you are using ossec-wazuh <https://github.com/wazuh/ossec-wazuh>, you will see that each control has a tag with the CIS and PCI reference ({CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}). That is like using "group" in rules.

[CIS - Debian Linux - 4.13 - Disable standard boot services - Web server Enabled {CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}] [any] [http://www.ossec.net/wiki/index.php/CIS_DebianLinux]
f:/etc/init.d/apache;
f:/etc/init.d/apache2;

Example in alerts.json:

{
  "rule": {
    "level": 3,
    "comment": "System Audit event.",
    "sidid": 516,
    "firedtimes": 5,
    "groups": [ "ossec", "rootcheck" ],
    "CIS": [ "4.13 Debian Linux" ],
    "PCI_DSS": [ "2.2.2" ]
  },
  "full_log": "System Audit: CIS - Debian Linux - 4.13 - Disable standard boot services - Web server Enabled {CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}. File: /etc/init.d/apache2. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .",
  "decoder": { "name": "rootcheck" },
  "hostname": "LinMV",
  "timestamp": "2016 Feb 26 10:48:36",
  "location": "rootcheck"
}

Regards.
Jesus Linares.

On Friday, February 26, 2016 at 8:06:56 AM UTC+1, Barry Kaplan wrote:
>
> I am trying to harden up our instances, but I find that after applying
> these controls the agent can no longer contact the agent via UDP.
>
> I'm still trying to figure out exactly which bit is to blame. Has anybody
> else used the CIS controls on the same instance as OSSEC?
>
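As an added example, not code from this thread or from OSSEC/Wazuh: the Python below splits a control line in the format quoted above into its name, condition, reference and checks, lifts the {CIS: ...} / {PCI_DSS: ...} tags into the same lists the rule object in alerts.json carries, and filters alerts.json lines by a compliance requirement. The control line and the alert lines are constructed from the ones in the message.

```python
import json
import re

# Constructed sample control line, in the rootcheck system_audit format quoted above.
CONTROL_LINE = (
    "[CIS - Debian Linux - 4.13 - Disable standard boot services - Web server Enabled "
    "{CIS: 4.13 Debian Linux} {PCI_DSS: 2.2.2}] [any] "
    "[http://www.ossec.net/wiki/index.php/CIS_DebianLinux] "
    "f:/etc/init.d/apache; f:/etc/init.d/apache2;"
)

# Constructed alerts.json lines: one mirrors the tagged alert quoted above, one has no tags.
SAMPLE_ALERTS = [
    '{"rule": {"level": 3, "groups": ["ossec", "rootcheck"], "CIS": ["4.13 Debian Linux"], '
    '"PCI_DSS": ["2.2.2"]}, "hostname": "LinMV", "location": "rootcheck"}',
    '{"rule": {"level": 3, "groups": ["ossec", "rootcheck"]}, "hostname": "LinMV"}',
]

TAG_RE = re.compile(r"\{(\w+):\s*([^}]+)\}")  # {CIS: ...} and {PCI_DSS: ...} tags
CONTROL_RE = re.compile(r"^\[(.*?)\]\s*\[(\w+)\]\s*\[(.*?)\]\s*(.*)$")  # [name] [cond] [ref] checks


def compliance_tags(text):
    """Collect the tags into {"CIS": [...], "PCI_DSS": [...]} lists, as the alert's rule object shows them."""
    tags = {}
    for framework, value in TAG_RE.findall(text):
        tags.setdefault(framework, []).append(value.strip())
    return tags


def parse_control(line):
    """Split a control line into its parts; a line that breaks the format raises ValueError (syntax error)."""
    m = CONTROL_RE.match(line.strip())
    if not m:
        raise ValueError("not a rootcheck control line: %r" % line)
    name, condition, reference, checks = m.groups()
    return {"name": name, "condition": condition, "reference": reference,
            "checks": [c.strip() for c in checks.split(";") if c.strip()],
            "compliance": compliance_tags(name)}


def alerts_for_requirement(alert_lines, framework, requirement):
    """Return the alerts.json records whose rule carries the given compliance requirement."""
    hits = []
    for line in alert_lines:
        alert = json.loads(line)
        if requirement in alert.get("rule", {}).get(framework, []):
            hits.append(alert)
    return hits
```

compliance_tags() also works on an alert's full_log string, since the tags are carried there verbatim.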