Hi Meir,

The purpose of the rootkit engine is not only to detect known rootkits, but also to find kernel-level and user-level anomalies. So, a file owned by root with full write access to everyone is a user-level anomaly (or a problem). It does not indicate a rootkit, but may be a problem. There is no way to disable specific directories on rootcheck right now, but I can surely add an option for that in the future. However, you will only see these alerts once, since ossec does not send repeated alerts for rootcheck.
*btw, very nice report script you sent. Do you mind if I add it to ossec (in the official package) under contrib?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/3/06, Meir Michanie <[EMAIL PROTECTED]> wrote:
> Hi list.
> In my config I have an ignore tag inside the syscheck.
> There is no option to use the same tag under rootkit.
> The rootkit search engine searches for files owned by root and worldwide
> writable (I know it is a security risk).
> 1. I do not see how a file owned by root and o+w is a rootkit alarm. (It may
> be a hardening issue.)
> 2. I tried using <scanall>no</scanall> and still got the rootkit engine
> alarming on files under /usr/local/myfiles/
>
> Did I say that ossec rocks?
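The check rootcheck is performing here, written out as an added example (this is not OSSEC's own code): a small Python audit that walks a tree for regular files owned by root and writable by everyone, with the per-directory ignore list Meir asked for, and the chmod that clears the finding. The `uid` parameter, the `ignore_prefixes` name and the default `/usr/local` path are assumptions of this example.

```python
#!/usr/bin/env python3
"""Added example, not OSSEC rootcheck code: find files owned by root that are
world-writable (rootcheck's "user-level anomaly"), with an optional ignore
list of directory prefixes, which rootcheck itself lacks."""
import os
import stat

ROOT_UID = 0  # owner we care about; overridable for testing as a non-root user


def is_world_writable_owned_by(st, uid=ROOT_UID):
    """True when a stat result describes a regular file owned by `uid`
    whose mode has the other-write bit (o+w) set."""
    if not stat.S_ISREG(st.st_mode):
        return False
    return st.st_uid == uid and bool(st.st_mode & stat.S_IWOTH)


def find_root_world_writable(top, ignore_prefixes=(), uid=ROOT_UID):
    """Walk `top` and return the sorted paths of offending files, pruning any
    subtree under one of `ignore_prefixes` (the allowlist the thread asks
    for). Symlinks are not followed, so a link to /etc/passwd is not reported."""
    ignore = tuple(os.path.abspath(p).rstrip("/") + "/" for p in ignore_prefixes)
    hits = []
    for dirpath, dirnames, filenames in os.walk(top):
        # Drop ignored directories before os.walk descends into them.
        dirnames[:] = [
            d for d in dirnames
            if not (os.path.abspath(os.path.join(dirpath, d)) + "/").startswith(ignore)
        ]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip it rather than abort the scan
            if is_world_writable_owned_by(st, uid):
                hits.append(path)
    return sorted(hits)


def remediation(path):
    """The hardening fix the alert points at: remove the world-write bit."""
    return "chmod o-w " + path


if __name__ == "__main__":
    import sys
    top = sys.argv[1] if len(sys.argv) > 1 else "/usr/local"
    for hit in find_root_world_writable(top):
        print(hit, "->", remediation(hit))
```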
