Hello, I think that I've found a false positive on my OpenSolaris box. Are there any Solaris gurus on this list (definitely not me) who can verify that this truly isn't a valid rootcheck?
OSSEC HIDS Notification.
2009 Jul 26 10:36:15

Received From: (apoc) 192.168.0.11->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Files hidden inside directory '/dev/pts'. Link count does not match number of files (2,4).

 --END OF NOTIFICATION

I've also seen several more, similar alerts (Rule 510) when plugging/unplugging a USB device in the following dirs:

/dev/dsk
/dev/hotpluggable/dsk
/dev/hotpluggable/rdsk
/dev/rdsk/
/dev/removable-media/dsk
/dev/removable-media/rdsk
/dev/usb/781.7422/0
/dev/usb
/dev

Any input is appreciated.

Thanks,
Michael
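
For context on what the alert above is actually testing, here is a small re-implementation of the rootcheck "hidden files" link-count heuristic. This is an added example written for this page; it is not code from the OSSEC project or from the poster. It assumes the classic UNIX convention that a directory's hard-link count (st_nlink) equals its number of subdirectories plus two ("." and ".."), so the number of readdir() entries that are themselves directories should match st_nlink; a gap suggests a subdirectory readdir() cannot see. The two numbers in the alert are assumed to be printed in that order (entries counted, then st_nlink). The "nlink == 1 means the filesystem does not track directory link counts" guard is this example's own addition, not a rootcheck rule; device and pseudo filesystems such as /dev on Solaris or /dev/pts are exactly the places where the convention breaks down and the heuristic fires without any rootkit.

```python
#!/usr/bin/env python3
"""Re-implementation of the rootcheck 'hidden files' link-count heuristic.

Added example, not code from the OSSEC project or the list post.
"""
import os
import stat
import tempfile


def count_dir_entries(path):
    """Count entries of *path* that are directories, including '.' and '..'.

    os.scandir() omits '.' and '..', so they are added back explicitly so the
    count matches what a readdir() loop would produce.
    """
    count = 2  # '.' and '..'
    with os.scandir(path) as it:
        for entry in it:
            # lstat semantics: a symlink pointing at a directory is not counted
            if entry.is_dir(follow_symlinks=False):
                count += 1
    return count


def link_count_mismatch(entry_count, nlink):
    """Return True when the counts disagree in the way the heuristic alerts on.

    Assumption made by this example (not a rootcheck rule): nlink == 1 means the
    filesystem does not maintain per-subdirectory link counts (btrfs, many
    device/pseudo filesystems), so the heuristic is not applicable and we stay
    silent instead of raising a guaranteed false positive.
    """
    if nlink == 1:
        return False
    return entry_count != nlink


def check_hidden_dirs(path):
    """Run the heuristic on a real directory.

    Returns (alert, entry_count, nlink). The numbers are in the same
    (entries, nlink) order as the alert text quoted in the post.
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    entries = count_dir_entries(path)
    return link_count_mismatch(entries, st.st_nlink), entries, st.st_nlink


def format_alert(path, entries, nlink):
    """Word the alert the way the notification in the post does."""
    return ("Files hidden inside directory '%s'. "
            "Link count does not match number of files (%d,%d)." % (path, entries, nlink))


def count_in_scratch_dir(n_subdirs):
    """Create a scratch directory with *n_subdirs* subdirectories and one
    regular file, and return what count_dir_entries() reports for it.
    Regular files must not be counted, so the result should be n_subdirs + 2."""
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(n_subdirs):
            os.mkdir(os.path.join(tmp, "sub%d" % i))
        open(os.path.join(tmp, "regular-file"), "w").close()
        return count_dir_entries(tmp)


if __name__ == "__main__":
    # Constructed inputs: the (2,4) pair from the post, a consistent pair,
    # and a directory on a filesystem that does not track link counts.
    for entries, nlink in ((2, 4), (4, 4), (2, 1)):
        verdict = "ALERT" if link_count_mismatch(entries, nlink) else "ok"
        print("entries=%d nlink=%d -> %s" % (entries, nlink, verdict))

    # Live run against a scratch directory; on ext4/UFS this stays quiet.
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "a"))
        os.mkdir(os.path.join(tmp, "b"))
        alert, entries, nlink = check_hidden_dirs(tmp)
        print(format_alert(tmp, entries, nlink) if alert else "%s ok (%d,%d)" % (tmp, entries, nlink))

    # Point it at /dev/pts or /dev to see why device filesystems trip it.
    for devdir in ("/dev/pts", "/dev"):
        if os.path.isdir(devdir):
            alert, entries, nlink = check_hidden_dirs(devdir)
            print(format_alert(devdir, entries, nlink) if alert else "%s ok (%d,%d)" % (devdir, entries, nlink))
```

Running it against /dev/pts or the other /dev subdirectories listed in the post shows the mismatch directly: those directories are populated by the kernel's device framework rather than by mkdir on a conventional filesystem, so st_nlink does not follow the subdirs-plus-two rule, and the heuristic reports "hidden" entries that are simply not there. That is the expected shape of a false positive for this rule, as opposed to a real rootkit, which hides a subdirectory that does increment st_nlink.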
