Hi Dan,

Thanks for your reply. The OSSEC manual says the value specified in the frequency tag is in seconds, so I assumed 120 should be about 2 minutes. From my logs, it shows that it takes less than a minute for it to run:

2011/08/11 12:33:57 ossec-agent: INFO: Starting rootcheck scan.
2011/08/11 12:34:04 ossec-agent: INFO: Ending rootcheck scan.
2011/08/11 12:39:05 ossec-agent: INFO: Starting rootcheck scan.
2011/08/11 12:39:10 ossec-agent: INFO: Ending rootcheck scan.
2011/08/11 12:44:13 ossec-agent: INFO: Starting rootcheck scan.
2011/08/11 12:44:35 ossec-agent: INFO: Ending rootcheck scan.

As shown, even at <frequency>120</frequency> it runs every 5 minutes. How does OSSEC calculate the frequency cycle? Can I possibly alter that file to decrease the frequency cycle, OR how else can I make OSSEC monitor and alert on prohibited Windows applications running in real time?

Thanks in advance

On Aug 16, 10:28 pm, "dan (ddp)" <[email protected]> wrote:
> The <frequency> tells ossec to wait at least that long. It's not an exact
> time.
> Also I haven't looked very much at rootcheck, but it's possible it
> takes longer than 2 minutes for it to complete a run.
>
> On Tue, Aug 16, 2011 at 6:21 AM, Demmy Adeyemo <[email protected]> wrote:
> > Hi All.
> >
> > In a server-agent configuration, I am trying to get rootcheck to run
> > every 1 minute or so, in order to detect prohibited applications with
> > the win_application_rcl.txt file and ultimately shut these applications
> > down with a cmd script killing the processes via active-response.
> >
> > I have achieved this with the exception of the rootcheck runtime. My
> > current rootcheck config is as below
> >
> > server
> >
> > <rootcheck>
> >   <frequency>120</frequency>
> >   <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
> >   <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> >   <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
> >   <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
> >   <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
> >   <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
> > </rootcheck>
> >
> > client
> >
> > <rootcheck>
> >   <frequency>120</frequency>
> >   <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
> >   <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
> >   <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
> > </rootcheck>
> >
> > With this frequency time set, instead of running every 2 minutes it runs
> > every 5 mins. If I take the time lower than that it still runs every
> > 5 mins.
> >
> > My question is how do I make rootcheck run every minute. Please, I need
> > your help ASAP.
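A small checker for the discrepancy Demmy describes, written here as an added example (it is not code from the thread or from the OSSEC project): it reads the agent's "Starting/Ending rootcheck scan" lines, pairs each start with its end, and reports scan duration and start-to-start interval next to the <frequency> value taken from the <rootcheck> block. The log lines and the config snippet embedded below are copied from the messages above as constructed input; the log format is assumed to be exactly the `ossec-agent: INFO: ... rootcheck scan.` form shown there.

```python
"""Measure the real rootcheck cycle from ossec.log and compare it with <frequency>."""
import re
from datetime import datetime

# Log lines as posted in the thread above (constructed input for this example).
OSSEC_LOG = """\
2011/08/11 12:33:57 ossec-agent: INFO: Starting rootcheck scan.
2011/08/11 12:34:04 ossec-agent: INFO: Ending rootcheck scan.
2011/08/11 12:39:05 ossec-agent: INFO: Starting rootcheck scan.
2011/08/11 12:39:10 ossec-agent: INFO: Ending rootcheck scan.
2011/08/11 12:44:13 ossec-agent: INFO: Starting rootcheck scan.
2011/08/11 12:44:35 ossec-agent: INFO: Ending rootcheck scan.
"""

# The agent-side <rootcheck> block from the thread (constructed input).
OSSEC_CONF = """\
<rootcheck>
  <frequency>120</frequency>
  <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
  <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
  <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
"""

# Assumed log line shape, matching the lines quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent: INFO: "
    r"(?P<event>Starting|Ending) rootcheck scan\.$"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"


def configured_frequency(conf_text):
    """Return the <frequency> value (seconds) inside <rootcheck>, or None."""
    block = re.search(r"<rootcheck>(.*?)</rootcheck>", conf_text, re.S)
    if not block:
        return None
    m = re.search(r"<frequency>\s*(\d+)\s*</frequency>", block.group(1))
    return int(m.group(1)) if m else None


def rootcheck_scans(log_text):
    """Pair each 'Starting' line with the next 'Ending' line.

    Returns a list of (start, end) datetimes. A start with no matching end
    (scan still running, or log truncated) is returned with end=None.
    """
    scans = []
    start = None
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a rootcheck start/end line
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if m.group("event") == "Starting":
            if start is not None:
                scans.append((start, None))  # previous scan never logged an end
            start = ts
        elif start is not None:
            scans.append((start, ts))
            start = None
    if start is not None:
        scans.append((start, None))
    return scans


def cycle_report(log_text, conf_text):
    """Compute scan durations and start-to-start intervals in seconds.

    'frequency' is what ossec.conf asks for; 'intervals' is what the agent
    actually did; 'min_interval' is the shortest gap seen between scan starts.
    """
    scans = rootcheck_scans(log_text)
    durations = [int((e - s).total_seconds()) for s, e in scans if e is not None]
    starts = [s for s, _ in scans]
    intervals = [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
    return {
        "frequency": configured_frequency(conf_text),
        "durations": durations,
        "intervals": intervals,
        "min_interval": min(intervals) if intervals else None,
    }


if __name__ == "__main__":
    report = cycle_report(OSSEC_LOG, OSSEC_CONF)
    print(f"configured <frequency>: {report['frequency']} s")
    print(f"scan durations:         {report['durations']} s")
    print(f"start-to-start gaps:    {report['intervals']} s")
    if report["min_interval"] and report["frequency"] \
            and report["min_interval"] > report["frequency"]:
        print("rootcheck is not honouring <frequency>: shortest gap exceeds it")
```

On the lines quoted in the thread this reports durations of 7, 5 and 22 seconds and two start-to-start gaps of 308 seconds against a configured 120, which is the observation in the message: the scan itself is short, and the gap between scans, not the scan length, is what is being held at about five minutes. Pointing the script at a live /var/ossec/logs/ossec.log over a longer window is the quickest way to see whether the gap ever drops below 308 seconds after changing <frequency>, since, as Dan notes, the value is a lower bound rather than an exact period.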
