Howdy. I've been trying to use Rootcheck as a "generic signature scanner" to be able to find things we don't want to exist on our systems. Not malicious stuff, necessarily, but things like SSH keys for forbidden users or files with PII data in them.
I based my prototype on this article: http://www.immutablesecurity.com/index.php/2010/01/13/detecting-sensitive-info-with-ossec/

Now, I'm having severe performance issues when implementing Rootcheck scans across a system. In order for my Rootcheck signatures to be useful, I have to scan basically the entire box. When I do this, CPU % utilization goes through the roof: >95% CPU utilization for ages, many tens of minutes.

I've noticed that none of the pre-packaged signature databases are as broad as "check the whole system". They are always much more specific in the directories they check. Even the example from that article I linked, above, only checks a handful of dirs (this is the example):

    $web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;

    # Detect possible SSNs
    [Possible Unencrypted Social Security Number Detected] [any] []
    d:$web_dirs -> r:^\. -> r:\d\d\d-\d\d-\d\d\d\d;

In this example, $web_dirs is set to "$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;". But even this many dirs is misleading -- on any given Linux distro, only one or maybe two of those dirs defined there are actually going to exist. I.e., even this example is really only running on a single directory. But that doesn't make any sense to me as far as the utility of this signature file goes. Or any of the rootkit sigs, come to think of it. Wouldn't we want to scan every directory and every file for rootkits?

Basically, I'm looking for a way to scan all my files to make sure nothing has prohibited data in it. Maybe rootcheck is not the tool for that. Any opinions on this matter? Is there a Better Way to do what I want? Can Rootcheck be tuned so as to not consume so much CPU?

Thanks,
JDS
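As an added illustration (not code from the original post or from the OSSEC project), here is the same SSN check as the rootcheck signature above, written as a stand-alone scan that shows where the cost controls go: an explicit directory list, pseudo-filesystems pruned, a per-file size cap, binary files skipped, and an SSN validity filter to cut false positives. The skip list, size cap and sample files are assumptions constructed for the example.

```python
# Added example (not from the original post or OSSEC): the SSN pattern from the
# rootcheck signature above, scanned with the bounds a tuned policy would have:
# explicit dirs, pseudo-filesystems skipped, size cap, text only, validity filter.
import os, re, shutil, tempfile
from pathlib import Path

SSN_RE = re.compile(rb"\b(\d{3})-(\d{2})-(\d{4})\b")
MAX_BYTES = 1 << 20                                   # read at most 1 MiB per file
SKIP = ("/proc", "/sys", "/dev", "/run")              # never descend into these (assumed list)

def skipped(path):
    return any(path == p or path.startswith(p + "/") for p in SKIP)

def plausible_ssn(area, group, serial):               # SSA never issues these values
    a = int(area)
    return 0 < a < 900 and a != 666 and group != b"00" and serial != b"0000"

def scan_file(path):
    """Plausible SSNs in one regular text file under the size cap, else []."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_BYTES + 1)
    except OSError:
        return []
    if len(data) > MAX_BYTES or b"\x00" in data[:4096]:  # too big or binary: skip
        return []
    return [m.group(0).decode() for m in SSN_RE.finditer(data) if plausible_ssn(*m.groups())]

def scan_dirs(dirs):
    """Walk only the listed dirs; return (path, hit_count) for each file with hits."""
    hits = []
    for top in (t for t in dirs if os.path.isdir(t) and not skipped(t)):
        for root, subdirs, files in os.walk(top):      # symlinked dirs not followed
            subdirs[:] = [d for d in subdirs if not skipped(os.path.join(root, d))]
            for full in (os.path.join(root, f) for f in files):
                if os.path.isfile(full) and not os.path.islink(full):
                    found = scan_file(full)
                    if found:
                        hits.append((full, len(found)))
    return hits

def demo():  # constructed sample tree: one real hit, one unissued-area decoy, one binary
    tmp = tempfile.mkdtemp()
    for name, body in {"customers.csv": b"id,ssn\n1,219-09-9999\n2,000-12-3456\n",
                       "notes.txt": b"ticket 123-45-67890 is not an SSN\n",
                       "blob.bin": b"\x00\x01219-09-9999"}.items():
        Path(tmp, name).write_bytes(body)
    result = [(os.path.basename(p), n) for p, n in scan_dirs([tmp])]
    shutil.rmtree(tmp, ignore_errors=True)
    return result
```

Running `demo()` reports only customers.csv with one hit; the 000- prefixed value, the 10-digit ticket number and the binary blob are all filtered before a regex match is ever reported.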
