Hi Stephen,

Thanks for the ideas. I just fixed the documentation and English problems (1-4) you mentioned.

Regarding the syscheck values, they need to be attributes of the "directory" element. For example:

<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

or

<directories check_owner="yes" check_perm="yes">/var/log</directories>

to just check the owner and permissions of the /var/log directory.

Regarding the rootkit signatures, they do not change too often, but generally between releases I update them. The next version will have a lot of rootkit detection improvements (especially related to kernel-level rootkits) and I will try to keep them updated more often too. I will send instructions later on how to keep them up to date (including log analysis rules).

Btw, if you installed version 0.8, you should try the 0.8-6:
http://www.ossec.net/files/ossec-hids-0.8-6.tar.gz

Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/11/06, Stephen Bunn <[EMAIL PROTECTED]> wrote:
>
> I have recently set up ossec 0.8 on my Ubuntu machine and would like to make the following comments for improvement.
>
> 1. The installation documentation refers to this address http://www.ossec.net/files/ossec-hids-latest_sum.txt for the MD5 and SHA1 checksums, however this document does not exist. I found only the ossec-hids-0.8-latest_sum.txt existing. This is fine, however the documentation needs to be updated.
>
> 2. Just a minor note, on both my Gentoo and Ubuntu boxes the commands for md5 and sha1 are called md5sum and sha1sum. The installation documentation might want to make a Note: about this, however it's not that important. If you are installing a HIDS then you should probably know how to calculate an MD5 sum on your box.
>
> 3. tar -zxvf ossec-hids-* doesn't work because the MD5/SHA1 text file is there. The documentation has you download the checksums, making the untar command ambiguous.
>
> 4. During the last part of installation the word "below" is misspelled (as pointed out below).
>
> "Press ENTER to finish (maybe more information bellow)"
>
> 5. None of the syscheck check_xxx values seem to work as described in the documentation. For example the documentation says check_sum should take a yes or no value, however <check_sum>yes</check_sum> is listed as an invalid value upon startup. This applies to all the check_xxx values listed in the documentation. I couldn't get any of them to work.
>
> 6. The one question that I can't find an answer to is: where can you get updated txt files for the rootcheck program? Several points in the documentation point out "the signature files are here" but I could not find a link to the actual signatures anywhere. I'm assuming that ossec is not going to update the signatures by itself. So how do I go about making sure that rootcheck's signature files are up to date?
>
> Overall I'm very impressed, and find the installation very easy.
>
> Thanks.
>
> --
> Stephen Bunn
> http://sbunn.roguesoftware.net
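A small linter for the syscheck rule discussed in this thread (check_* options are attributes of <directories>, not child elements of <syscheck>), added here as an example; it is not OSSEC project code, and the sample ossec.conf it parses is constructed for the example:

```python
"""Lint the <syscheck> section of an OSSEC ossec.conf (added example, not
OSSEC code). Flags the form from point 5 of the report (<check_sum>yes</check_sum>
as an element, which the daemon rejects) and check_* attribute values that
are not "yes"/"no"."""
import xml.etree.ElementTree as ET

# Constructed sample: a correct entry, an entry with a bad attribute value,
# and the rejected element form of check_sum.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_owner="yes" check_perm="maybe">/var/log</directories>
    <check_sum>yes</check_sum>
  </syscheck>
</ossec_config>"""


def lint_syscheck(conf_text):
    """Return (entries, problems).

    entries:  one (paths, {check_option: value}) tuple per <directories>.
    problems: one human-readable string per misconfiguration found.
    """
    root = ET.fromstring(conf_text)
    entries, problems = [], []
    for syscheck in root.iter("syscheck"):
        for child in syscheck:
            if child.tag.startswith("check_"):
                # Element form: invalid at startup; show the attribute form.
                value = (child.text or "").strip()
                problems.append(
                    f"<{child.tag}> is not a valid element; write it as "
                    f'<directories {child.tag}="{value}">PATHS</directories>')
                continue
            if child.tag != "directories":
                continue  # frequency etc. are fine as elements
            paths = [p.strip() for p in (child.text or "").split(",") if p.strip()]
            checks = {}
            for name, value in child.attrib.items():
                if not name.startswith("check_"):
                    continue
                if value not in ("yes", "no"):
                    problems.append(
                        f'{name}="{value}" on {",".join(paths)}: expected "yes" or "no"')
                checks[name] = value
            entries.append((paths, checks))
    return entries, problems


if __name__ == "__main__":
    for line in lint_syscheck(SAMPLE_CONF)[1]:
        print("syscheck:", line)
```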
