Re: [ossec-list] Question about rootcheck for 'local' install

[Michiel van Es]

Op donderdag 27 september 2012 16:07:24 UTC+2 schreef dan (ddpbsd) het 
volgende:
>
> On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es 
> <vanesm...@gmail.com<javascript:>> 
> wrote: 
> > Hello, 
> > 
> > I have installed OSSEC 2.6 on a CentOS 6 64 bit machine via the tar.gz + 
> > ./install.sh 
> > I choose the local install since it has to run on 1 server ( a VPS). 
> > I have noticed after 3 days that 
> > <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> 
> has 
> > never run when syscheck and rootcheck has run. 
> > I see a lot of : 
> > ######### 
> > 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ... 
> > 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ... 
> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan 
> > (forwarding database). 
> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database 
> > (pre-scan). 
> > 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck 
> > database (pre-scan completed). 
> > 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan 
> (forwarding 
> > database). 
> > 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan. 
> > 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan. 
> > 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan. 
> > 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan. 
> > ######### 
> > 
> > and never received one alert for the PHP checks (expose_php = On). 
> > Also via the ossec-wui I can not find anything about this. 
> > It seems it does not check the policies. 
> > 
> > How can I trigger the syscheck/rootcheck to check the system for 
> policies? 
> > 
> > Michiel 
>
> >>I think if you run everything in debug mode it provides more 
> >>information on what is being checked.


Ok will check, can I force a root/syscheck so I can check the 
/var/ossec/log/ossec.log log file ?