On Thu, Sep 27, 2012 at 11:36 AM, dan (ddp) <[email protected]> wrote:
> On Thu, Sep 27, 2012 at 11:24 AM, Michiel van Es <[email protected]> wrote:
>>
>> 2012/9/27 Michiel van Es <[email protected]>
>>>
>>> 2012/9/27 dan (ddp) <[email protected]>
>>>
>>>> On Thu, Sep 27, 2012 at 10:12 AM, Michiel van Es <[email protected]> wrote:
>>>> >
>>>> > On Thursday, 27 September 2012 16:07:24 UTC+2, dan (ddpbsd) wrote:
>>>> >>
>>>> >> On Thu, Sep 27, 2012 at 9:49 AM, Michiel van Es <[email protected]> wrote:
>>>> >> > Hello,
>>>> >> >
>>>> >> > I have installed OSSEC 2.6 on a CentOS 6 64-bit machine via the tar.gz + ./install.sh.
>>>> >> > I chose the local install since it has to run on 1 server (a VPS).
>>>> >> > I have noticed after 3 days that
>>>> >> >
>>>> >> > <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>>>> >> >
>>>> >> > has never run when syscheck and rootcheck have run.
>>>> >> > I see a lot of:
>>>> >> > #########
>>>> >> > 2012/09/26 17:28:02 ossec-rootcheck: DEBUG: Starting ...
>>>> >> > 2012/09/26 17:28:15 ossec-rootcheck: DEBUG: Starting ...
>>>> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>>>> >> > 2012/09/26 17:28:52 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>>>> >> > 2012/09/26 17:33:55 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>>>> >> > 2012/09/26 17:34:07 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>>>> >> > 2012/09/26 17:34:27 ossec-rootcheck: INFO: Starting rootcheck scan.
>>>> >> > 2012/09/26 17:40:58 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>> >> > 2012/09/26 19:04:15 ossec-rootcheck: INFO: Starting rootcheck scan.
>>>> >> > 2012/09/26 19:10:16 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>> >> > #########
>>>> >> >
>>>> >> > and never received one alert for the PHP checks (expose_php = On).
>>>> >> > Also via the ossec-wui I cannot find anything about this.
>>>> >> > It seems it does not check the policies.
>>>> >> >
>>>> >> > How can I trigger the syscheck/rootcheck to check the system for policies?
>>>> >> >
>>>> >> > Michiel
>>>> >>
>>>> >> I think if you run everything in debug mode it provides more information on what is being checked.
>>>> >
>>>> > Ok, will check. Can I force a root/syscheck so I can check the /var/ossec/log/ossec.log log file?
>>>>
>>>> Restart OSSEC? Restart ossec-syscheckd?
>>>
>>> Ok, I do see some entries when I run /var/ossec/bin/rootcheck_control -i local, but it is never emailed to me.
>>> I will see if I can let it alert when it runs.
>>>
>>> Thx.
>>
>> Stupid question, but /var/ossec/bin/rootcheck_control -i local shows System Audit entries, yet these entries are never in alert.log and are never emailed.
>>
>> On a setup with a manager and agents this works perfectly and emails just fine, but on a local (1 box) install I never receive alerts.
>> Am I overlooking things?
>
> No idea, I don't use rootcheck. Hopefully someone with rootcheck experience can chime in.
>
> Have you compared the configurations between the local system and the server/agent install?
It looks like the expose_php thing should trigger rule 516, but that's only a level 3. Are you logging level 3 alerts? Are you emailing level 3 alerts? Also, 510 has fts (first time seen) set, so if it's alerted once, it shouldn't alert again (at least for a while; I don't know how that works).
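The two questions above (is level 3 logged, is level 3 emailed) can be answered mechanically from ossec.conf and alerts.log. The script below is an added example for this page, not code from the thread or from the OSSEC project: it reads the `<alerts>` thresholds from an ossec.conf excerpt, finds which rules actually fired in an alerts.log excerpt, and reports whether each one clears `log_alert_level` and `email_alert_level`. The config excerpt uses the stock OSSEC defaults (log level 1, email level 7); the alerts.log excerpt, including the rule 516 System Audit hit, is constructed for the example, and the `Rule: <id> (level <n>) -> '<description>'` line format is assumed to match what ossec-analysisd writes.

```python
"""Added example (not from the thread or from OSSEC): check whether a rule
that fired in alerts.log also clears the email threshold in ossec.conf.

The ossec.conf and alerts.log excerpts below are constructed for this
example; the "Rule: ..." line format is assumed to match ossec-analysisd output.
"""
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt with the stock OSSEC defaults:
# everything at level 1+ goes to alerts.log, only level 7+ is emailed.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
"""

# Constructed alerts.log excerpt: one System Audit alert (rule 516, level 3)
# and one unrelated sshd alert (rule 5716, level 5) for contrast.
SAMPLE_ALERTS_LOG = """** Alert 1348674027.1234: - ossec,rootcheck,
2012 Sep 26 17:40:27 vps->rootcheck
Rule: 516 (level 3) -> 'System Audit event.'
System Audit: PHP - Expose PHP is enabled. File: /etc/php.ini. Reference: 1 .

** Alert 1348674100.5678: - syslog,sshd,authentication_failed,
2012 Sep 26 17:41:40 vps->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Sep 26 17:41:39 vps sshd[2931]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
"""

# One "Rule:" line per alert; assumed format of the analysisd alert record.
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)


def alert_thresholds(conf_xml):
    """Return (log_alert_level, email_alert_level) from an ossec.conf string.

    A real ossec.conf may hold several top-level <ossec_config> blocks;
    wrap the file in a dummy root before parsing if so. Missing elements
    fall back to the OSSEC defaults (1 and 7).
    """
    root = ET.fromstring(conf_xml)
    alerts = root.find(".//alerts")
    if alerts is None:
        return 1, 7
    log_level = int(alerts.findtext("log_alert_level", "1"))
    email_level = int(alerts.findtext("email_alert_level", "7"))
    return log_level, email_level


def rules_seen(alerts_log):
    """Map rule id -> (level, description) for every alert in the log text."""
    return {int(rid): (int(lvl), desc) for rid, lvl, desc in RULE_LINE.findall(alerts_log)}


def disposition(level, log_level, email_level):
    """Apply the two thresholds: an alert is logged/emailed when its level is at or above each."""
    return {"logged": level >= log_level, "emailed": level >= email_level}


def explain_rule(rule_id, conf_xml=SAMPLE_OSSEC_CONF, alerts_log=SAMPLE_ALERTS_LOG):
    """Report whether a rule fired and, if so, whether it was logged and emailed."""
    log_level, email_level = alert_thresholds(conf_xml)
    seen = rules_seen(alerts_log)
    if rule_id not in seen:
        return {"rule": rule_id, "fired": False}
    level, desc = seen[rule_id]
    result = {"rule": rule_id, "fired": True, "level": level, "description": desc}
    result.update(disposition(level, log_level, email_level))
    return result


if __name__ == "__main__":
    for rid in (516, 5716, 510):
        print(explain_rule(rid))
```

With the default thresholds the System Audit hit (rule 516, level 3) is written to alerts.log but never mailed, which is consistent with what the original poster saw. To mail it, either lower `email_alert_level` in the `<alerts>` block or, to avoid mailing every level 3 event, use an `<email_alerts>` block that names the rule id or level to be mailed; run the check against the real files to confirm which of the two thresholds is the one being missed.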
