On Thu, Jun 20, 2013 at 11:41 AM, David Blanton <[email protected]> wrote:
> Could you remind me the command to check permissions/owner/group?
>

`ls -l`

> Also I just noticed ossec.conf file; agent side. I noticed that the
> agent.conf file's updates are not being applied here - is this normal? What
> is the purpose of the ossec.conf file; agent side?
>

The ossec.conf is the main configuration file. How long did you wait
before checking on the agent.conf? It doesn't update immediately. You
could restart the server/agent processes to try and "force" an update.

>
> On Thursday, June 20, 2013 11:14:30 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Thu, Jun 20, 2013 at 10:53 AM, David Blanton
>> <[email protected]> wrote:
>> > The rootcheck files? Yes, they are. # pwd shows that all of them exist
>> > in the /shared
>> >
>>
>> I feel like I've seen those errors before, but I can't remember if
>> there was a solution. I was not able to recreate the errors using a
>> smaller version of your agent.conf.
>>
>> What does the <rootcheck> section of the agent's ossec.conf consist of?
>> What are the permissions/owner/group of the rootcheck files? Mine
>> appear to be 0400 root:ossec.
>>
>>
>> > The # /var/adm do not - those are geared towards Solaris Sun boxes and
>> > the agent I am testing it on is RHEL5.
>> >
>> > Not sure what the rootkit messages are.
>> >
>> >
>> > On Wednesday, June 19, 2013 5:08:22 PM UTC-4, David Blanton wrote:
>> >>
>> >> If I have a <directories check_all="yes">/usr/local/bin,/sbin</directories>
>> >> and <ignore>/opt/lampp</ignore> within my ossec.conf file (for example),
>> >> does that mean that my agents will not abide by these rules? Are they
>> >> only local rules for my OSSEC Server?
>> >>
>> >> Do these have to be specifically addressed for each agent, with their
>> >> OS, name, etc. within agent.conf in order for agents to either ignore
>> >> certain directories or check certain files and directories?
>> >>
>> >> The OSSEC 2.7 documentation and book do not specifically make any of
>> >> these things clear.
--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
