On Thu, Jun 20, 2013 at 10:53 AM, David Blanton <[email protected]> wrote:
> The rootcheck files? Yes, they are. # pwd shows that all of them exist in
> the /shared

I feel like I've seen those errors before, but I can't remember if there was a solution. I was not able to recreate the errors using a smaller version of your agent.conf.

What does the <rootcheck> section of the agent's ossec.conf consist of?
What are the permissions/owner/group of the rootcheck files? Mine appear to be 0400 root:ossec.

> The # /var/adm do not - those are geared towards Solaris Sun boxes and the
> agent I am testing it on is RHEL5.
>
> Not sure what the rootkit messages are.
>
>
> On Wednesday, June 19, 2013 5:08:22 PM UTC-4, David Blanton wrote:
>>
>> If I have a <directories
>> check_all="yes">/usr/local/bin,/sbin</directories>
>>
>> and <ignore>/opt/lampp</ignore> within my ossec.conf file (for example),
>> does that mean that my agents will
>>
>> not abide by these rules? Are they only local rules for my OSSEC Server?
>>
>> Do these have to be specifically addressed for each agent, with their OS,
>> name, etc. within agent.conf in order
>>
>> for agents to either ignore certain directories or check certain files and
>> directories?
>>
>>
>> The OSSEC 2.7 documentation and book do not specifically make any of
>> these things clear.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
