Hello,

Will it be possible to do an agent custom rootkit check in addition to the
default rootkit check (based on the system's ossec.conf)?

For example, I created an agent.conf with the following entries:

<agent_config os="Linux|OpenBSD">
   <!-- Do another rootcheck -->
   <rootcheck>
      <rootkit_files>/var/ossec/etc/shared/custom_rootkit.txt</rootkit_files>
   </rootcheck>
</agent_config>

And then I created a file called custom_rootkit.txt.  Eventually, I see the
content in custom_rootkit.txt included in merged.mg.

But I'm not sure if the rootcheck on the agent.conf will be in addition to
the rootcheck in ossec.conf or will it supersede the one in ossec.conf?  If
someone can clarify, it'll be great.

As an aside, is the rootkit_files file entry capable of handling regex
(it seems that it only supports */myfile to support checking of all
locations for the existence of myfile)?

Thanks.

Regards,

Neil Quiogue
