Hello all, I'm trying to debug rootcheck rules. Let's take a look at the following simple test alert:

    Received From: (agent) any->rootcheck
    Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
    Portion of the log(s):

    File '/tmp/test' is owned by root and has written permissions to anyone.

How do I test my local rules against this event? I tried to feed the reported "Portion of the log(s):" to ossec-logtest, but it doesn't trigger. My current solution is to trigger a rootcheck, but I'm not liking it very much. Any other ideas?

Ciao,
Marco

--
Marco Bonetti
Tor research and other stuff: http://sid77.slackware.it/
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My GnuPG key id: 0x0B60BC5F
