Hi Ioannis,

It just means that OSSEC is not doing some of the system auditing checks that were added on the latest versions. If you want to add it, just add the system_audit files to your rootcheck config:

    <rootcheck>
      <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
      <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
      <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
      <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
    </rootcheck>

As far as rootcheck_control, it is just a tool to manage the rootcheck database (seeing the alerts, etc).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Oct 27, 2008 at 6:33 AM, Ioannis Angelopoulos <[EMAIL PROTECTED]> wrote:
> Greetings to all,
>
> I am new to this list and if any of my questions seems silly please bear
> with me...
> I have just updated ossec to version 1.6.1. As in the previous version I get
> this message in the log file:
> ossec-rootcheck: System audit file not configured.
> ...
> ossec-rootcheck: INFO: Started (pid: 15191).
> Can anyone help me what the "System audit file not configured" message means
> and how to fix it ?
>
> Also can anyone please explain the current architecture of rootcheck ?
> For example there seems to be a new binary : "rootcheck_control" in this
> version. What is its function ? Also there is an (independent ?)
> rootcheck-1.5.tar.gz binary that you can compile and run. Is this included
> in the ossec.tar archive or someone has to download it independently and
> (somehow) combine it with the ossec installation ?
>
> I thank you all very much for your help
>
> Best Regards
> John
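
Added example, not part of the original thread and not OSSEC's own code: a check that lists the system_audit files configured under rootcheck and reports whether each one exists on disk, so a missing or misspelled entry is caught before the agent is restarted. The sample configuration is constructed, the function names are hypothetical, and the handling of several <ossec_config> blocks in one file is an assumption about how ossec.conf may be laid out.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment (not taken from a real host).
SAMPLE_CONF = """
<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
  </rootcheck>
</ossec_config>
<ossec_config>
  <rootcheck>
    <disabled>no</disabled>
  </rootcheck>
</ossec_config>
"""


def system_audit_entries(conf_text):
    """Return every <system_audit> path found in any <rootcheck> block."""
    # Assumption: the file may hold several <ossec_config> roots, which is not
    # well-formed XML on its own, so wrap them in one synthetic element.
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    return [(el.text or "").strip()
            for rc in root.iter("rootcheck")
            for el in rc.findall("system_audit")]


def audit_report(conf_text, exists=os.path.isfile):
    """Map each configured audit file to 'ok' or 'missing'.

    An empty dict means no system_audit file is configured, the condition
    behind the log message discussed in the thread.
    """
    return {path: ("ok" if exists(path) else "missing")
            for path in system_audit_entries(conf_text) if path}


if __name__ == "__main__":
    report = audit_report(SAMPLE_CONF)
    if not report:
        print("no system_audit entries configured under <rootcheck>")
    for path, state in report.items():
        print(f"{state:8} {path}")
```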
