Hi All.
In a server-agent configuration, I am trying to get rootcheck to run
every 1 minute or so, in order to detect prohibited applications with
the win_application_rcl.txt file and ultimately shut these applications
down with a cmd script killing the processes via active-response.
I have achieved this with the exception of the rootcheck runtime. My
current rootcheck config is as below:
server
<rootcheck>
<frequency>120</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
client
<rootcheck>
<frequency>120</frequency>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
With this frequency time set, instead of running every 2 minutes it runs
every 5 mins. If I take the time lower than that, it still runs every
5 mins.
My question is: how do I make rootcheck run every minute? Please, I need
your help ASAP.