Hello!

(1) First of all, many thanks to the developers for this great tool!!!

(2) Please excuse me if this question was already posted and answered. I did not find a definite answer here or on the web. If so, please direct me to the appropriate location. Thanks!

(3) I am an OSSEC newcomer. I run the server on a Security Onion system (Ubuntu) and monitor alerts with Sguil. I run several agents on different flavours (Debian, Ubuntu, OS X).

(4) One agent on Ubuntu 12.04 LTS gives the following alert in Sguil:

<<<<
Anomaly detected in file '/var/lib/lightdm/.gvfs'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
>>>>

On the OSSEC server, I get:

<<<<
sudo /var/ossec/bin/rootcheck_control -i 002 -L
[...]
System Audit: Anomaly detected in file '/var/lib/lightdm/.gvfs'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
System Audit: Files hidden inside directory '/var/lib/lightdm'. Link count does not match number of files (9,10).
[...]
>>>>

(5) I have found threads on Ubuntu-related forums saying that, because of permission issues, .gvfs sometimes causes problems.

(6) Anybody out there with experience on similar systems or with any guidance on whether this alert should raise my hairs or is probably a false positive? Thanks!

Markus

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
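The two observations in the alert (an entry that readdir lists but stat() cannot see, and a directory link count that disagrees with the number of subdirectories) can be reproduced locally to see why they fire. The script below is an added example, not OSSEC's rootcheck code; the `stat_fn` parameter is a hypothetical injection point so the permission-denied case can be exercised without a real gvfs mount. A FUSE mount such as .gvfs is only visible to its owning user, so even root's stat() is refused with EACCES, which is exactly "hidden from stats, but showing up on readdir".

```python
import errno
import os
import stat
from dataclasses import dataclass, field


@dataclass
class DirAudit:
    path: str
    nlink: int                        # st_nlink of the directory itself
    subdirs: int                      # entries that stat as directories
    entries: int                      # everything readdir returned
    hidden: dict = field(default_factory=dict)  # name -> errno name
    nlink_supported: bool = True      # False on btrfs/overlayfs-style fs

    @property
    def link_count_mismatch(self) -> bool:
        # Classic Unix filesystems: nlink = 2 ("." + parent entry) + one
        # ".." link per subdirectory. A directory that readdir shows but
        # stat() refuses is never counted, so nlink ends up one too high.
        return self.nlink_supported and self.nlink != 2 + self.subdirs


def audit_directory(path: str, stat_fn=os.lstat) -> DirAudit:
    """Mimic the two rootcheck observations for one directory (example code)."""
    st_dir = stat_fn(path)
    names = os.listdir(path)                     # readdir view, no "." / ".."
    audit = DirAudit(path, st_dir.st_nlink, 0, len(names))
    if st_dir.st_nlink < 2:                      # fs does not maintain dir nlink
        audit.nlink_supported = False
    for name in names:
        try:
            st = stat_fn(os.path.join(path, name))
        except OSError as exc:
            # EACCES here is the typical FUSE/gvfs symptom; ENOENT is the
            # classic "listed by readdir, gone on stat" rootkit symptom.
            audit.hidden[name] = errno.errorcode.get(exc.errno, str(exc.errno))
            continue
        if stat.S_ISDIR(st.st_mode):
            audit.subdirs += 1
    return audit


def assess(audit: DirAudit) -> str:
    """Triage string: separate permission-denied mounts from true anomalies."""
    if audit.hidden and all(c == "EACCES" for c in audit.hidden.values()):
        return "likely false positive: stat refused with EACCES (FUSE-style mount, e.g. gvfs)"
    if audit.hidden:
        return "investigate: entries listed by readdir but missing on stat"
    if audit.link_count_mismatch:
        return f"investigate: link count {audit.nlink} vs {2 + audit.subdirs} expected"
    return "consistent"
```

Running `assess(audit_directory("/var/lib/lightdm"))` as root on the affected agent shows whether .gvfs fails with EACCES (mount permission) or ENOENT (worth a closer look).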
