I think what you're seeing is what is described in CVE-2014-5284 - http://www.ossec.net/?p=1135
Basically, they were in /tmp, and then a vulnerability was disclosed... so those files were moved from /tmp to /var/ossec in 2.8.1 On Tuesday, December 16, 2014 1:19:15 PM UTC-8, finid wrote: > > On 2014-12-16 14:59, [email protected] <javascript:> wrote: > > Hi, > > > > I see a bunch of files in /var/ossec with names of the form > > ossec-hosts.*. what are they and how can I stop the system from > > creating them? > > > > Here are a few examples. > > > > ossec-hosts.1i6uugNQB3 > > ossec-hosts.BFHjPh9dwg > > ossec-hosts.i4EvjkDXUh > > ossec-hosts.U3thtpzm6b > > ossec-hosts.1MeJfr9MGt > > > > > > So those files appear to be temporary files. Shouldn't they be in /tmp, > instead of /var/ossec? > > > -- > finid > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
