On Mon, Jan 26, 2015 at 12:08 PM, <[email protected]> wrote:
> <!-- s -->
>
> <rootcheck>
>
> <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files>
>
> <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> </rootcheck>
>
> <!-- /s -->
>
> Those files are the defaults listed, though I had to edit the directory to
> match FreeBSD 10.1.
>
> There's a system_audit_rcl.txt file in that directory also. Is that supposed
> to be listed under <rootcheck> too?
>

You don't have any <system_audit> files listed. system_audit_rcl might
work with freebsd, but I haven't tested it. I'm not aware of any
freebsd specific files.

>
> --
> fini
>
> On 2015-01-26 10:58, dan (ddp) wrote:
>>
>> On Mon, Jan 26, 2015 at 11:54 AM, <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> Still testing OSSEC 2.8.1 on FreeBSD 10.1. Making good progress, but I
>>> have a
>>> line in the log file that I've not been able to find an answer for, and
>>> googling hasn't helped.
>>>
>>> The line is "ossec-rootcheck: System audit file not configured". I have
>>> debug enabled, have run "rootcheck_control -u all" and restarted, but that
>>> line still shows up in the log file
>>>
>>> <!--/s -->
>>> ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>>> 2015/01/26 11:35:58 ossec-rootcheck: System audit file not configured.
>>> 2015/01/26 11:35:58 ossec-analysisd: INFO: Reading rules file:
>>> 'named_rules.xml'
>>> <!-- /s -->
>>>
>>> Any clues?
>>>
>>
>> What does your <rootcheck> configuration look like?
>>
>>>
>>> --
>>> fini
>>>
>>
>
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
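
An added example, not part of the thread and not OSSEC project code: a small check that reads the <rootcheck> block of an ossec.conf and reports which database options have no file listed, which is the condition the reply points to. The helper names and both sample configs are constructed; the system_audit path assumes the system_audit_rcl.txt file sits in the shared directory as the poster describes.

```python
import xml.etree.ElementTree as ET

# Rootcheck database options in ossec.conf; each may appear more than once.
ROOTCHECK_DB_OPTIONS = ("rootkit_files", "rootkit_trojans", "system_audit")


def rootcheck_databases(conf_text):
    """Return {option: [paths]} gathered from every <rootcheck> block."""
    # ossec.conf may hold several top-level <ossec_config> elements, which is
    # not well-formed XML on its own, so wrap the text in a synthetic root.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    found = {name: [] for name in ROOTCHECK_DB_OPTIONS}
    for block in root.iter("rootcheck"):
        for name in ROOTCHECK_DB_OPTIONS:
            for node in block.findall(name):
                path = (node.text or "").strip()
                if path:  # an empty element counts as not configured
                    found[name].append(path)
    return found


def missing_options(conf_text):
    """Names of rootcheck database options with no configured path."""
    found = rootcheck_databases(conf_text)
    return [name for name in ROOTCHECK_DB_OPTIONS if not found[name]]


# Constructed sample: the <rootcheck> block quoted in the thread.
AS_POSTED = """
<ossec_config>
  <rootcheck>
    <rootkit_files>/usr/local/ossec-hids/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/usr/local/ossec-hids/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
</ossec_config>
"""

# Constructed sample: the same block with a <system_audit> entry added
# (assumed path; the reply notes this file is untested on FreeBSD).
WITH_AUDIT = AS_POSTED.replace(
    "  </rootcheck>",
    "    <system_audit>/usr/local/ossec-hids/etc/shared/system_audit_rcl.txt</system_audit>\n"
    "  </rootcheck>",
)

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("with system_audit", WITH_AUDIT)):
        print(label, "-> missing:", missing_options(conf) or "none")
```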
