hi all, as you may have noticed I've been playing around with the rootcheck module, e.g. for the CIS checks. What I've noticed is that the CIS (audit) checks are not really updated unless I do a complete restart of ossec (ossec-control restart).

Neither a syscheck_update -u local, nor an agent_control -r -u 000, nor a rootcheck_control -u 000 is going to update the CIS benchmark. How did I notice that? Well, rootcheck_control says the latest outstanding event is e.g. this:

2015 Aug 10 11:42:06 (first time detected: 2015 Aug 10 11:42:06)
System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing . File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .

This means the last time the check was updated was over 5 hours ago. But my rootcheck is running on an hourly basis, and according to the ossec.log it just ran a couple of minutes ago:

2015/08/10 17:56:36 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/08/10 18:01:12 ossec-rootcheck: INFO: Ending rootcheck scan.

So this kinda doesn't match. Btw, I can prove that the above mentioned CIS check should be marked as resolved, because according to "sestatus" I have SELinux set to enforcing:

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

Then I had a quick look at my own system logs (messages.log) and found this:

Aug 10 18:45:23 tron kernel: rootcheck_contr[20641]: segfault at 8 ip 00007f851fe8b925 sp 00007ffdc8c73240 error 4 in libc-2.12.so[7f851fde8000+18a000]

This is the result when I run *rootcheck_control -L -i 000*. I bet when I restart ossec completely this above mentioned CIS check will vanish (it will not be marked as resolved) as somehow the database is cleared. Anyone ran into this problem as well? I'm running the latest ossec version 2.8.2.
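The staleness comparison the post does by hand (newest outstanding rootcheck event vs. the last completed scan in ossec.log), as an added example that is not part of the original post or of OSSEC itself; the sample lines are constructed from the post and the five-minute tolerance is an assumption:

```python
"""Flag an OSSEC rootcheck database that a completed scan did not refresh.

Added example, not OSSEC code. It parses the "last updated" timestamp of each
outstanding event as printed by `rootcheck_control -i <agent_id>` and the
"Ending rootcheck scan" lines of ossec.log; if the newest scan finished more
than a tolerance after the newest event update, the scan did not refresh
the rootcheck database (the symptom described in the post).
"""
import re
from datetime import datetime, timedelta

# Constructed sample input, copied from the post (two-line event format).
ROOTCHECK_CONTROL_OUTPUT = """\
2015 Aug 10 11:42:06 (first time detected: 2015 Aug 10 11:42:06)
System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing . File: /etc/selinux/config.
"""

# Constructed sample ossec.log lines, copied from the post.
OSSEC_LOG = """\
2015/08/10 17:56:36 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/08/10 18:01:12 ossec-rootcheck: INFO: Ending rootcheck scan.
"""

_TS = r"\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}"
EVENT_RE = re.compile(rf"^({_TS}) \(first time detected: ({_TS})\)")
SCAN_END_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-rootcheck: INFO: Ending rootcheck scan\.")


def latest_event_update(control_output):
    """Newest 'last updated' timestamp among the outstanding events, or None."""
    stamps = [datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
              for line in control_output.splitlines() if (m := EVENT_RE.match(line))]
    return max(stamps) if stamps else None


def last_scan_end(ossec_log):
    """Timestamp of the most recent completed rootcheck scan, or None."""
    stamps = [datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
              for line in ossec_log.splitlines() if (m := SCAN_END_RE.match(line))]
    return max(stamps) if stamps else None


def rootcheck_db_is_stale(control_output, ossec_log, tolerance=timedelta(minutes=5)):
    """True when a scan completed well after the newest event was last refreshed."""
    event_ts = latest_event_update(control_output)
    scan_ts = last_scan_end(ossec_log)
    if event_ts is None or scan_ts is None:
        return False  # nothing to compare: no outstanding events or no finished scan
    return scan_ts - event_ts > tolerance
```

Run it against the real `rootcheck_control -i <id>` output and the agent's ossec.log; a True result is the same mismatch the post reports and is worth alerting on, since the audit view is then silently out of date.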
