Interesting... that should be the only config that you need to update in order to disable the root check. I tried it in my lab and disabled it properly as well.
On Sunday, April 17, 2016 at 4:56:15 AM UTC-4, eyal gershon wrote:
>
> I checked again the logs -
>
> 2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_files file configured.
> 2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_trojans file configured.
> 2016/04/16 18:45:52 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> The log says the check did run.
> Is there another configuration file I might be missing?
>
> On Friday, April 15, 2016 at 3:08:23 PM UTC+3, Pedro S wrote:
>>
>> I have reproduced your configuration in my lab; rootcheck is not
>> starting again. Could you re-verify that the agent.conf file is right on
>> your agent?
>>
>> On Thursday, April 14, 2016 at 2:38:47 PM UTC+2, eyal gershon wrote:
>>>
>>> 2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
>>> 2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
>>> 2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured.
>>> 2016/04/14 06:17:38 ossec-rootcheck: INFO: Ending rootcheck scan.
>>>
>>> The start of the scan is right after the ossec-hids restart from the
>>> original post.
>>>
>>> On Thursday, April 14, 2016 at 2:57:36 PM UTC+3, dan (ddpbsd) wrote:
>>>>
>>>> On Thu, Apr 14, 2016 at 6:27 AM, eyal gershon <[email protected]> wrote:
>>>> > Hey,
>>>> >
>>>> > I tried to disable the rootcheck on one of the servers.
>>>> > I have added the following lines to the agent.conf file -
>>>> >
>>>> > <rootcheck>
>>>> >   <disabled>yes</disabled>
>>>> > </rootcheck>
>>>> >
>>>> > and after I restart the service I get the following output -
>>>> > Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck disabled. Exiting.
>>>> > ossec-syscheckd: WARN: Rootcheck module disabled.
>>>> >
>>>> > and a few minutes later I see in the logs that the rootcheck is running again.
>>>> > Anyone have an idea what I missed?
>>>> >
>>>> Which log messages are you seeing specifically?
>>>>
>>>> > --
>>>> > ---
>>>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> > For more options, visit https://groups.google.com/d/optout.
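A small checker for the symptom discussed in this thread, added here as an example (not code from the thread or from the OSSEC project): it reads ossec.log lines in the format quoted above and reports any rootcheck scan that starts after the agent logged "Rootcheck disabled. Exiting.", which is the sign that the `<disabled>yes</disabled>` setting did not take effect. The sample lines and the function names are my own constructions.

```python
import re
from datetime import datetime

# ossec.log line format as quoted in the thread, e.g.
# "2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+): (?P<msg>.*)$"
)
DISABLED_MSG = "Rootcheck disabled. Exiting."
SCAN_START_MSG = "Starting rootcheck scan."


def parse_line(line):
    """Return (timestamp, daemon, message) for one ossec.log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, m.group("daemon"), m.group("msg")


def scans_after_disable(lines):
    """Timestamps (as strings) of rootcheck scans that started at or after the
    most recent 'Rootcheck disabled. Exiting.' line. An empty list means the
    disable setting held; anything else is the thread's symptom."""
    disabled_at = None
    unexpected = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, daemon, msg = parsed
        if daemon != "ossec-rootcheck":
            continue  # only the rootcheck daemon's own messages matter here
        if DISABLED_MSG in msg:
            disabled_at = ts
            unexpected = []  # a fresh disable message resets the check
        elif SCAN_START_MSG in msg and disabled_at is not None and ts >= disabled_at:
            unexpected.append(ts.strftime("%Y/%m/%d %H:%M:%S"))
    return unexpected


# Constructed sample log: same format as the thread, invented timestamps.
SAMPLE_LOG = [
    "2016/04/14 06:16:27 ossec-rootcheck: Rootcheck disabled. Exiting.",
    "2016/04/14 06:16:27 ossec-syscheckd: WARN: Rootcheck module disabled.",
    "2016/04/14 06:20:05 ossec-rootcheck: INFO: Starting rootcheck scan.",
    "2016/04/14 06:20:05 ossec-rootcheck: No rootcheck_files file configured.",
    "2016/04/14 06:31:38 ossec-rootcheck: INFO: Ending rootcheck scan.",
]
```

Run it against the agent's real ossec.log by passing the file's lines to `scans_after_disable`; a non-empty result means rootcheck came back after the restart.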
