Hello all,
   I am preparing the implementation of OSSEC 2.0 in our infrastructure.
While trying to set up policy auditing of the OS configuration, I want to
run rootcheck every time I change the configuration file with the audit
policy definitions.
   In the documents on the web pages it is mentioned that for immediate
execution of syscheck and rootcheck it is possible to run the /var/ossec/bin/
agent_control -r -u <agent_id> command. But when I execute the
agent_control command it takes quite a long time before the check is
started on the agent.
   Are there any requirements to control agents with agent_control?
Can anyone walk me through the agent_control logic?

My next question is related to alert generation. I created a policy rule
that checks if a file exists.
When the first rootcheck is started and the file does not exist, an alert is
generated.
When the second rootcheck has passed and this file still does not exist,
no further alert is generated.
Is it possible to set up the configuration to generate an alert every time
rootcheck is started and policy rules are violated?

My last question is related to the output of the rootcheck_control command.
When /var/ossec/bin/rootcheck_control -i <agent_id> is executed,
"Policy and auditing events" for the agent with a list of Resolved events and
Outstanding events is displayed.
Can anyone explain what this output means?
I thought that the Outstanding events list contains events that violate
the defined policy rules and that the Resolved events list contains events
that mean resolved policy violations.
But when I create the file which is required by my policy rule and restart
rootcheck, the list of Outstanding events still contains the previous
policy violation event and the Resolved events list is empty.

   Thanks for any reply

    Jakub
